“Quantum-Safe” Crypto Hacked by 10-Year-Old PC (opens in new tab)

(spectrum.ieee.org)

370 pointsoipoloi3y ago176 comments

176 comments

If you'd like to hear someone who can barely do long division† discuss this vulnerability with one of the leading isogeny cryptographer researchers and the world's most isogeny-enthusiastic cryptography engineer, have I got a podcast for you:

https://securitycryptographywhatever.buzzsprout.com/1822302/...

There's even a transcript, if you want to read things like:

So I watched the, uh, I watched Costello's tutorial, like the, the broadcast he did for, um, for Microsoft. And I kind of worked my way through the, the tutorial paper. So like, is it, is it true that like, in sort of the same sense we're...

† Looks back and forth around the room furtively

thadt3y ago

Just listened to that episode yesterday - it was great thanks! Listening to Deirdre's description of how it got ported to Sage and accelerated in short order - so she could break it in a few minutes on her laptop - in Python, totally reminded me of the line from Iron Man.

"Tony Stark Was Able To Build This In A Cave! With A Box Of Scraps!"

KenoFischer3y ago

Just FYI, your 1038.pdf hyperlink at the bottom goes to the 975.pdf paper ;).

googlryas3y ago

Huh? Long division is easy. I just type the numbers into google

staticassertion3y ago

Can anyone do long division other than children and those who pursue math academically? Seems impossible to imagine.

scatters3y ago

You need to be able to perform long division to take quotients in algebraic structures, e.g. polynomials. Yes, Wolfram Alpha can probably do it, but not always.

3 more replies

taejo3y ago

As a kid who chronically forgot to bring her calculator to school for about 12 years straight, I can now do long division well enough that I sometimes do it rather than get up to fetch my phone from the other room. It's also how I do division in my head.

I did pursue mathematics academically but I don't know if it ever came up in university math; more so in physics and computer science.

EDIT: apparently what I do is "short division", which is just long division but you don't write down all the steps.

zwirbl3y ago

After looking it up on Wikipedia and seeing the various notations used (most of which are awful IMO) I get the hate on long division, though I never felt anything like that. It may be because it is familiar to me, but the notation I learned in school in Austria feels superior or at least less irritating. I guess German schools use the same. Why the heck write the divisor first?

incompatible3y ago

I guess a few advanced software developers may also be able to apply such a complex algorithm to a couple of integers.

1 more reply

hodgesrm3y ago

This is news to me that people can't/don't do long division. It's simple. I use it regularly to estimate quotients--just run the process to a couple places in your head.

daniel-cussen3y ago

It's much easier in base 2 than in base 10. Similar to the multiplication tables, the table for base 2 is just the 2x2 matrix at the top left corner of the 10x10 times tables.

Ygg23y ago

Do people that purse math use long division that much?

1 more reply

denton-scratch3y ago

Schneier had a less breathless account a few days ago:

https://www.schneier.com/blog/archives/2022/08/nists-post-qu...

nottorp3y ago

Also, Schneier's site doesn't have me agree to tracking without any possibility of rejection ;)

tptacek3y ago

He's wrong about the "cryptographic agility" stuff, at least the way he's framed it. But then, another place where I'd part company with him is about the urgency for getting PQC slotted into real-world systems.

emn133y ago

Why do you think he's wrong? He's essentially saying IT systems need to be designed with the expectation that cryptographic algorithms will be attacked and may need to be replaced, as I understand it.

3 more replies

Zamicol3y ago

I think this is the link: https://www.schneier.com/blog/archives/2022/08/sike-broken.h...

NewEntryHN3y ago

> Remember, this is a demolition derby. The goal is to surface these cryptanalytic results before standardization, which is exactly what happened

https://www.schneier.com/blog/archives/2022/08/nists-post-qu...

rich_sasha3y ago

True to its name, i think no quantum computer in existence can crack this cipher.

mirekrusin3y ago

Good point, using 10 year old classical computer doesn't seem fair!

nimbius3y ago

sort of offtopic but it reminds me of the first auto shop I worked in. I just got certified on a new laser alignment tool and had a chip on my shoulder for almost a week, until an old timer manually dialed in an alignment that checked out perfect on my shiny new gizmo. I'd never felt so humbled in my life and spent that whole summer practicing manual alignments.

robocat3y ago

Your seem to be using “chip on the shoulder” to mean “being overly proud”: is your usage common in your circles or is it a mistake? https://grammarist.com/idiom/chip-on-your-shoulder/

demopathos3y ago

My anecdotal usage is a combination of these two. Until I saw your provided definition I would have described chip on my shoulder to mean a sense of superiority that leads to me be rude or difficult to interact with.

CoastalCoder3y ago

Yeah, pretty off-topic, but I'm glad you shared the story. It reminded me of a story my dad told about a similarly skillful shop owner he'd run into. My dad passed away a few years ago, so I'm grateful for you reminding me of a nice thing.

kQq9oHeAz6wLLS3y ago

Never underestimate the old eyecrometer

oipoloiOP3y ago

"To me what is most surprising is that the attack seemingly came out of nowhere,” says cryptographer Jonathan Katz at the University of Maryland at College Park, who did not take part in this new work. “There were very few prior results showing any weaknesses in SIKE, and then suddenly this result appeared with a completely devastating attack—namely, it finds the entire secret key, and does so relatively quickly without any quantum computation."

tptacek3y ago

The funny bit about this is that the principles that broke SIDH were in the literature --- they owe to a late-1990's theorem† by Ernst Kani, a mathematician in Ontario. We spoke to Steven Galbraith about this (I wouldn't know who Kani was if I hadn't read Galbraith, just to be clear) and he'd even talked to Kani long before any of this came out. But Kani isn't a cryptographer and apparently isn't even especially interested in cryptography, so the dots didn't get connected until much later.

† That's the "25-year-old theorem" from the article.

ShroudedNight3y ago

For those curious, here's the full publication from Kani's website (The one linked to in the article is behind a paywall):

https://mast.queensu.ca/~kani/papers/numgenl.pdf

moffkalast3y ago

Well they for sure have picked a very ironic name for it.

"The vault is completely unhackable."

"SIKE"

chrisweekly3y ago

+1, funny -- but for the sake of non-native English speakers, FTR, it's pronounced the same as "psych" and is colloquial for a sarcastic "ha-ha, just kidding"

6 more replies

bem943y ago

> To me what is most surprising is that the attack seemingly came out of nowhere,

This wasn't my understanding at all. The specific issue in isogeny based cryptography which the attack exploits has been a source of worry in the cryptographic community for a while, and is exactly why NIST put SIKE in the "for further consideration & crypt-analysis" category when making their standardization decisions.

czbond3y ago

You KNOW they first had to do this in the normal way (large scale, distributed servers)..... and cracked it in like a second. Then for grins, the engineer HAD to say "I wonder if I could do this on my old Mac mini". And it worked.

And for embarrassment of the original design, the story, and clickbait... they did it on that old machine

undersuit3y ago

Why would you know that?

They used an Intel Xeon CPU E5-2630v2, it's in the paper. What if in the process of crafting the attack on their old workstation PC they found that it was seemingly possible to do low key sizes very quickly and scaled up from there to a practical attack. Or maybe they have quite the competency in Mathematics and realized their attack was not that computationally expensive.

>Ran on a single core, the appended Magma code breaks the Microsoft SIKE challenges $IKEp182 and $IKEp217 in about 4 minutes and 6 minutes, respectively. A run on the SIKEp434 parameters, previously believed to meet NIST’s quantum security level 1, took about 62 minutes, again on a single core. We also ran the code on random instances of SIKEp503 (level 2), SIKEp610 (level 3) and SIKEp751 (level 5), which took about 2h19m, 8h15m and 20h37m, respectively.

tashbarg3y ago

Mathematicians do not have funding for „large scale“. A 10-year old mid-range server is exactly the kind of system I would expect Magma to run on in the average case. Perhaps even just a desktop pc.

Source: worked with algebra researchers using Magma.

czbond3y ago

I was being a bit facetious, but not by much. Maybe because they're mathematicians and had found a theorem - but a pen tester wouldn't have.

It costs less than a few hundred bucks to do numerous, multi compute AWS server spot instances for cracks on large dictionaries with large hash rates, on random seed password lists (where each password has it's own seed).

If it was trying to crack a quantum-safe where by design the classical computer shouldn't be able to even solve it (except for potentially with a theorem hole) - you'd think they'd start higher.

Retr0id3y ago

Almost certainly not. They'd have started prototyping the attack with small numbers, and once it started working, slowly scaling it up.

Ar-Curunir3y ago

The authors of the the attack are primarily theoreticians. The only implementation they provided was a Sagemath one. I don’t think there was ever any distributed impl for this algorithm.

er4hn3y ago

if anyone would have a sense of the number of operations required, you'd hope it was a mathematician.

Dwedit3y ago

For reference, 10 years ago, the newest Intel processor family was Ivy Bridge (the Die Shrink of Sandy Bridge)

teaearlgraycold3y ago

Good times. That was one of Intel’s biggest moves towards making integrated graphics not suck.

jupp0r3y ago

If the algorithm is weak then the difference between a supercomputer and a 10 year old phone is negligible when compared to algorithms that are solid.

mixedbit3y ago

I wonder if someday we will see someone generating all the bitcoins on a laptop. How the article says, the math behind most cryptosystems were never proven to be unbreakable, it is just believed to be so, because no one managed to show otherwise.

jabbany3y ago

Probably both yes and no.

As of right now bitcoin depends pretty heavily on SHA256 and with hash functions being quite important cryptography primitives, there's always ongoing work on breaking them (tremendous upside to anyone who can manage to break common ones), so it's pretty feasible that eventually it will be broken. (We've already seen the fall of MD5 and SHA-1 in recent-ish years)

However, cryptocurrencies are a human system as much as they are a computing technology. If weaknesses start being discovered SHA256 or the EC signing of bitcoin, then in all likelihood they'd just fork the chain and upgrade the hash or signing mechanism.

RL_Quine3y ago

It’s pretty unlikely that sha2 will ever broken in a way which actually has a meaningful security impact to bitcoin, especially considering that almost every value in the system is sha2(sha2()) which nullifies a lot of attacks against hashes which need careful control of the input. Some newer tools in the system use a single hash (it’s unclear why a double one was used in the first place), but all the same it remains highly unlikely.

Complete breaks of ECDSA are likely to be devastating as many keys in the data are re-used hundreds of thousands of times, but a weakening of it can be mitigated by moving to a new signature standard, which isn’t even consensus incompatible due to the upgradability built into the script language.

5 more replies

Beldin3y ago

That's the one actual value of bitcoin / cryptocurrencies: we can be fairly sure that no one broke the used hashing algorithms (1). The valuation of these coins is such that not just any individual, but even a state actor would just go for it.

(1) to such a degree that it would allow the attacker to create new blocks at will.

Assume 1 bitcoin is $50k; break it only once a day and make over 15 million × block reward a year. I doubt many governments could resist.

jabbany3y ago

Not at all...

I mean if you break either the hash or the signature, then there are bigger fish to fry than just Bitcoin. You'd essentially be on your way to breaking much of the crypto used to secure significantly more valuable information -- the kind of information you measure with human lives rather than dollars.

Actually, if you (or more likely a nation state actor) did break either the hash or signature, you'd be crazy to reveal that fact on something as trivial as Bitcoin. That'd be like breaking ENIGMA and just using it to publish the German weather reports lol.

1 more reply

ayende3y ago

That amount of money is not even a rounding error.

And it is likely to be very obvious and public.

You will crash the market, so can't really do that multiple times.

And if you can Crack this there are better targets

dogeprotocol3y ago

Thats true, its a critical risk to Bitcoin, Ethereum etc. The digital signature scheme protecting Bitcoin accounts use elliptic curves which can also be broken using quantum computers.Transactions can be forged using broken accounts.

It's fairly easy to underestimate the time required to change a non quantum resistant to a quantum resistant one.

To protect Bitcoin from quantum computers, the blockchain has to be forked as early as possible, with all blocks re-signed with quantum resistant digital signature schemes. Devil is in the details though.

The Doge Protocol project will fork Bitcoin and move it to a quantum resistant hybrid scheme.

zaroth3y ago

This is inevitable for all coins with published public keys, which all the early coins are. So, e.g. all of Satoshi's coins. For coins where the public key is hashed, perhaps not inevitable.

Depending on how you look at it, it's either the built-in doomsday for Bitcoin, or it's a built-in multi-billion dollar bounty for exposing the existence of a quantum computer capable of cracking the private key given a Secp256k1 public key (that's the EC curve bitcoin uses).

jongjong3y ago

That's why I like simple hash-based cryptographic algorithms such as Lamport OTP for digital signatures. Hash-based algorithms are broadly believed to be quantum-resistant and this makes sense intuitively because hashing destroys information.

The statefulness of Lamport OTP adds some implementation and usability hurdles but IMO, the simplicity and intuitiveness of the algorithm makes it worthwhile.

Source: I worked on a quantum-resistant blockchain which is based on Lamport OTP and Merkle Signature Trees (for key reuse) - https://capitalisk.com/

tptacek3y ago

We're discussing key exchange mechanisms, not signatures. The distinction is important: KEMs are what we need now if QC is a real threat, because they're what enable us to protect traffic from retroactive decryption.

jongjong3y ago

The encryption side of things does appear to be a lot more challenging. I like solutions which allow complexity to be side-stepped somehow but I'm not aware of anything like that for encryption.

wikitopian3y ago

It was designed by engineers to be quantum resistant without enough deference to mathematicians who could see that it was not resistant to more conventional approaches.

tptacek3y ago

That is true only in the banal sense that any number-theoretic crypto break can be attributed to paying insufficient attention to mathematical research, but isn't true in any useful sense, since a small army of mathematicians worked on isogeny Diffie-Hellman.

jacksnipe3y ago

It was designed by a mathematician and broken by the mathematical community.

formerkrogemp3y ago

> It was designed by engineers to be quantum resistant without enough deference to mathematicians who could see that it was not resistant to more conventional approaches.

Ie, they didn't take enough time and money to consult with every cryptography and mathematics expert.

dtrizzle3y ago

The idea that encryption algorithms need to be well tested over time is why many security experts do not trust Telegram's encryption algorithm (MTProto).

bartimus3y ago

10-year-old PC makes it sound dramatic. Yet single core speed hasn't increased that dramatically over the last 10 years.

xt003y ago

so the cynical view here would be that the backdoor was discovered before the algorithm could get widely deployed?

DarkmSparks3y ago

My super cynical view is that the whole genre of "quantum safe" cryptography is being promoted to try and encourage adoption of weak encryption...

Its felt like FUD based on FUD for a while.

Not that I really trust traditional encryption that much either.

There wouldn't be so much effort going into bridging air gapped systems if even traditional encryption could be trusted...

Hate making cynical comments tho, they always seem to get down voted :( like being cynical when it comes to encryption is a bad thing.....

jabbany3y ago

> Its felt like FUD based on FUD for a while.

Not really...? Quantum stuff is real, there are real quantum computers that have been demonstrated to really do quantum operations. They're not close to being usable to break crypto yet, but it certainly makes sense to get ahead of it.

> There wouldn't be so much effort going into bridging air gapped systems if even traditional encryption could be trusted...

These are completely different problems. Encryption just keeps information confidential. By itself, it offers no _security_ guarantees. Even the strongest encryption would be moot against a keylogger. Crypto can be (and is being) used to provide some security, like via signed code, secure processors, and the such, but security is a multi-tiered thing -- you want all the protection you can get, and like keeping data encrypted at rest, air-gapping is just yet another layer of protection.

2 more replies

kibwen3y ago

> My super cynical view is that the whole genre of "quantum safe" cryptography is being promoted to try and encourage adoption of weak encryption

Not a cryptographer, but surely if you're worried about this then you could first encrypt your data using classical algorithms and then encrypt the output of that via the PQC algorithms, to produce a ciphertext that is at least no less safe than the classical encryption alone.

olliej3y ago

Quantum safe crypto isn’t FUD, NIST’s steadfast refusal to specify a dual system, especially given their historical laundering of NSA back doors is super questionable, but there exist (at least one that I know of) crypto systems that have no exploitable bias. The problem is the impractically large key sizes. Afaict a lot of pqc work is trying to reduce the key sizes to something reasonable.

2 more replies

stjohnswarts3y ago

This is a place where Hanlon's razor applies much better than assuming they want weak encryption.

1 more reply

cookiengineer3y ago

> paper: https://eprint.iacr.org/2022/975.pdf

Does this mean that probably all SIDH key exchanges are affected?

What about TOR? Do we have to assume that key exchanges can be intercepted and recovered?

A RUSTSEC advisory was already published and they removed all SIDH algorithms there [1]

[1] https://rustsec.org/advisories/RUSTSEC-2022-0045.html

tptacek3y ago

Does Tor use SIKE/SIDH? The proposals I've seen for PQC Tor all seem to run a PQC construction alongside a conventional one (the only sane way to do this right now), and so, no, a break in the PQC wouldn't let you recover sessions.

Yes, this impacts all of SIDH.

UncleOxidant3y ago

That 10-year-old PC is quite precocious.

RcouF1uZ4gsC3y ago

> One reason SIKE’s vulnerability was not detected until now was because the new attack “applies very advanced mathematics—I can’t think of another situation where an attack has used such deep mathematics compared with the system being broken,” says Galbraith. Katz agrees, saying, “I suspect that fewer than 50 people in the world understand both the underlying mathematics and the necessary cryptography.”

And I bet 48 of those people work for the NSA.

zmgsabst3y ago

That’s not fair — at least ten work for Chinese intelligence.

RcouF1uZ4gsC3y ago

And some may actually work for both!

1 more reply

lizardactivist3y ago

The smartest people in the world are always Americans. No wonder the rest of the world can't make things on their own, and always steal American technology!

eterm3y ago

I look forward to this being in the next set of cryptopals.

tptacek3y ago

It's a little unlikely. It's a code-able exploit with a big payoff, which is right in the wheelhouse, but then there's this that Steven Galbraith had to say about how the exploit works:

    *What is this magic ingredient?*
    It is a theorem by Ernst Kani about reducible subgroups of abelian surfaces.

    *Is there a simple way to explain the magic ingredient?*
    Nope. Go learn about Richelot isogenies and abelian surfaces.

As I understand it, even by number-theoretic cryptographic standards, the math here is abstruse. The challenges I think have done pretty well sticking to things where writing the exploit pays off with good intuitions. I guess "don't reveal auxiliary torsion points when exchanging details of an isogeny graph walk" is a useful intuition, maybe.

amirhirsch3y ago

Even before being broken, the abstruse mathematics is one of the reasons to not go with SIKE or Rainbow. It’s not surprising they are broken.

NTRU is the easiest of the NIST PQC finalists to understand, and will probably beat Kyber because even a relatively new-to-cryptography programmer will be able to understand it and implement it.

2 more replies

cat_plus_plus3y ago

Well, it's Quantum-Safe, not Turing-Safe

karl_gluck3y ago

Can someone remind me why Merkle trees of Lamport signatures aren’t the solution for postquantum asymmetric signing? Sure the signatures are huge, but they’re secure unless you can trivially invert the hash function.

tptacek3y ago

SIDH/SIKE is a key exchange mechanism, not a signature scheme.

perfecthjrjth3y ago

Any NSA and NIST shenanigans here wrt isogeny PQC? Is this "quantum-safe" crypt is in the current round of PQC selection by NIST?

trentnix3y ago

This headline, “Quantum-Safe” Crypto Hacked by 10-Year-Old PC, was pretty awesome until I got to the "PC" part.

Blackthorn3y ago

Is there a description of how the proof applies to the cryptosystem? IEEE is a bit light on the essential details.

elevaet3y ago

So, do there exist other "quantum-safe" crypto algorithms still considered to be reliable?

tptacek3y ago

Yes, many, including the lattice algorithm NIST chose in the first round of the PQC competition.

born-jre3y ago

It was not in NIST final competition, right ? Just alternate candidate.

aidenn03y ago

IIUC, NIST did not select a winner for post-quantum public-key-encryption, but rather winnowed the field to 4 potential candidates, and this is one of them.

tptacek3y ago

No, it selected the CRYSTALS-Kyber KEM and then proceeded for an additional round to consider alternatives/understudy KEMs, of which SIKE was one potential one.

andai3y ago

Can a quantum computer crack your encryption if it doesn't know the algorithm (ie. if you created it yourself and it is unknown to the outside world)?

DoctorOetker3y ago

no, but an insider can leak your security through obscurity, at which point any publically known rammifications that were overseen are easily exploited.

tptacek3y ago

No.

ChrisMarshallNY3y ago

Well, back to the old drawing board...

https://youtu.be/UaR6aqL-L3Y?t=10

aidenn03y ago

Being cryptoanalyzed makes me very angry, very angry indeed!

cdelsolar3y ago

SIKE... that's the wrong number!

Sohcahtoa823y ago

OOOOHHHH!!!!

https://youtu.be/9UAC2qkcrDY?t=66

snapetom3y ago

SIKE. This was reported weeks ago, right? There are still three more candidates.

DjlbrilH3y ago

Where the FG-2$?

userbinator3y ago

I think the beginning of the title lead me to believe it would say "10-Year-Old Kid" as I was hoping for some sort of "emperor has no clothes" situation, or brilliant amateur insight.

Yet I still think there's a good "look beyond your strengths" lesson here.

avodonosov3y ago

I initially read "Hacked by 10-Year-Old", as if a child hacked it.

jasonkimberson3y ago

Me too, lol

avodonosov3y ago

Probably it's because of the word "hacked". I mostly saw it used in meaning the [human] activity of designing an approach, rather than executing code. Computers do not hack. (Unless we speack of AI, maybe)

nashashmi3y ago

What is the possibility that cryptowallets can succumb to these kinds of attacks? How is it possible that Satoshi's wallet has still, after so many years, not been hacked using a brute force mechanism?

lizardactivist3y ago

It's because the search space (number of possible keys to guess) is astronomic; 2^256.

If you had a billion people, each person owning one billion computers, each computer capable of guessing a billion keys per second, then a billion years would still not have exhausted one-billionth of all the possible keys.

nashashmi3y ago

That makes sense. So his wallet will be broken in about 10 years plus 10 years marking the time for advancement of CPU and time for brute force to spend calculating with the advanced CPU.

infinityio3y ago

I'm sure many people are trying. On a slightly related note - I wonder what the market effect would be on bitcoin (and possibly crypto as a whole) if anyone managed to transfer money out of the wallet, would it crash the currency?

tptacek3y ago

You're sure many people are trying to deploy attacks on supersingular isogeny Diffie-Hellman against Bitcoin?

j / k navigate · click thread line to collapse

176 comments

tptacek3y ago

https://securitycryptographywhatever.buzzsprout.com/1822302/...

There's even a transcript, if you want to read things like:

† Looks back and forth around the room furtively

thadt3y ago

"Tony Stark Was Able To Build This In A Cave! With A Box Of Scraps!"

KenoFischer3y ago

Just FYI, your 1038.pdf hyperlink at the bottom goes to the 975.pdf paper ;).

googlryas3y ago

Huh? Long division is easy. I just type the numbers into google

staticassertion3y ago

Can anyone do long division other than children and those who pursue math academically? Seems impossible to imagine.

scatters3y ago

You need to be able to perform long division to take quotients in algebraic structures, e.g. polynomials. Yes, Wolfram Alpha can probably do it, but not always.

3 more replies

taejo3y ago

I did pursue mathematics academically but I don't know if it ever came up in university math; more so in physics and computer science.

EDIT: apparently what I do is "short division", which is just long division but you don't write down all the steps.

zwirbl3y ago

incompatible3y ago

I guess a few advanced software developers may also be able to apply such a complex algorithm to a couple of integers.

1 more reply

hodgesrm3y ago

This is news to me that people can't/don't do long division. It's simple. I use it regularly to estimate quotients--just run the process to a couple places in your head.

daniel-cussen3y ago

It's much easier in base 2 than in base 10. Similar to the multiplication tables, the table for base 2 is just the 2x2 matrix at the top left corner of the 10x10 times tables.

Ygg23y ago

Do people that purse math use long division that much?

1 more reply

denton-scratch3y ago

Schneier had a less breathless account a few days ago:

https://www.schneier.com/blog/archives/2022/08/nists-post-qu...

nottorp3y ago

Also, Schneier's site doesn't have me agree to tracking without any possibility of rejection ;)

tptacek3y ago

emn133y ago

3 more replies

Zamicol3y ago

I think this is the link: https://www.schneier.com/blog/archives/2022/08/sike-broken.h...

NewEntryHN3y ago

> Remember, this is a demolition derby. The goal is to surface these cryptanalytic results before standardization, which is exactly what happened

https://www.schneier.com/blog/archives/2022/08/nists-post-qu...

rich_sasha3y ago

True to its name, i think no quantum computer in existence can crack this cipher.

mirekrusin3y ago

Good point, using 10 year old classical computer doesn't seem fair!

nimbius3y ago

robocat3y ago

Your seem to be using “chip on the shoulder” to mean “being overly proud”: is your usage common in your circles or is it a mistake? https://grammarist.com/idiom/chip-on-your-shoulder/

demopathos3y ago

CoastalCoder3y ago

kQq9oHeAz6wLLS3y ago

Never underestimate the old eyecrometer

oipoloiOP3y ago

tptacek3y ago

† That's the "25-year-old theorem" from the article.

ShroudedNight3y ago

For those curious, here's the full publication from Kani's website (The one linked to in the article is behind a paywall):

https://mast.queensu.ca/~kani/papers/numgenl.pdf

moffkalast3y ago

Well they for sure have picked a very ironic name for it.

"The vault is completely unhackable."

"SIKE"

chrisweekly3y ago

+1, funny -- but for the sake of non-native English speakers, FTR, it's pronounced the same as "psych" and is colloquial for a sarcastic "ha-ha, just kidding"

6 more replies

bem943y ago

> To me what is most surprising is that the attack seemingly came out of nowhere,

czbond3y ago

And for embarrassment of the original design, the story, and clickbait... they did it on that old machine

undersuit3y ago

Why would you know that?

tashbarg3y ago

Source: worked with algebra researchers using Magma.

czbond3y ago

I was being a bit facetious, but not by much. Maybe because they're mathematicians and had found a theorem - but a pen tester wouldn't have.

If it was trying to crack a quantum-safe where by design the classical computer shouldn't be able to even solve it (except for potentially with a theorem hole) - you'd think they'd start higher.

Retr0id3y ago

Almost certainly not. They'd have started prototyping the attack with small numbers, and once it started working, slowly scaling it up.

Ar-Curunir3y ago

The authors of the the attack are primarily theoreticians. The only implementation they provided was a Sagemath one. I don’t think there was ever any distributed impl for this algorithm.

er4hn3y ago

if anyone would have a sense of the number of operations required, you'd hope it was a mathematician.

Dwedit3y ago

For reference, 10 years ago, the newest Intel processor family was Ivy Bridge (the Die Shrink of Sandy Bridge)

teaearlgraycold3y ago

Good times. That was one of Intel’s biggest moves towards making integrated graphics not suck.

jupp0r3y ago

If the algorithm is weak then the difference between a supercomputer and a 10 year old phone is negligible when compared to algorithms that are solid.

mixedbit3y ago

jabbany3y ago

Probably both yes and no.

RL_Quine3y ago

5 more replies

Beldin3y ago

(1) to such a degree that it would allow the attacker to create new blocks at will.

Assume 1 bitcoin is $50k; break it only once a day and make over 15 million × block reward a year. I doubt many governments could resist.

jabbany3y ago

Not at all...

1 more reply

ayende3y ago

That amount of money is not even a rounding error.

And it is likely to be very obvious and public.

You will crash the market, so can't really do that multiple times.

And if you can Crack this there are better targets

dogeprotocol3y ago

It's fairly easy to underestimate the time required to change a non quantum resistant to a quantum resistant one.

The Doge Protocol project will fork Bitcoin and move it to a quantum resistant hybrid scheme.

zaroth3y ago

This is inevitable for all coins with published public keys, which all the early coins are. So, e.g. all of Satoshi's coins. For coins where the public key is hashed, perhaps not inevitable.

jongjong3y ago

The statefulness of Lamport OTP adds some implementation and usability hurdles but IMO, the simplicity and intuitiveness of the algorithm makes it worthwhile.

Source: I worked on a quantum-resistant blockchain which is based on Lamport OTP and Merkle Signature Trees (for key reuse) - https://capitalisk.com/

tptacek3y ago

jongjong3y ago

The encryption side of things does appear to be a lot more challenging. I like solutions which allow complexity to be side-stepped somehow but I'm not aware of anything like that for encryption.

wikitopian3y ago

It was designed by engineers to be quantum resistant without enough deference to mathematicians who could see that it was not resistant to more conventional approaches.

tptacek3y ago

jacksnipe3y ago

It was designed by a mathematician and broken by the mathematical community.

formerkrogemp3y ago

> It was designed by engineers to be quantum resistant without enough deference to mathematicians who could see that it was not resistant to more conventional approaches.

Ie, they didn't take enough time and money to consult with every cryptography and mathematics expert.

dtrizzle3y ago

The idea that encryption algorithms need to be well tested over time is why many security experts do not trust Telegram's encryption algorithm (MTProto).

bartimus3y ago

10-year-old PC makes it sound dramatic. Yet single core speed hasn't increased that dramatically over the last 10 years.

xt003y ago

so the cynical view here would be that the backdoor was discovered before the algorithm could get widely deployed?

DarkmSparks3y ago

My super cynical view is that the whole genre of "quantum safe" cryptography is being promoted to try and encourage adoption of weak encryption...

Its felt like FUD based on FUD for a while.

Not that I really trust traditional encryption that much either.

There wouldn't be so much effort going into bridging air gapped systems if even traditional encryption could be trusted...

Hate making cynical comments tho, they always seem to get down voted :( like being cynical when it comes to encryption is a bad thing.....

jabbany3y ago

> Its felt like FUD based on FUD for a while.

> There wouldn't be so much effort going into bridging air gapped systems if even traditional encryption could be trusted...

2 more replies

kibwen3y ago

> My super cynical view is that the whole genre of "quantum safe" cryptography is being promoted to try and encourage adoption of weak encryption

olliej3y ago

2 more replies

stjohnswarts3y ago

This is a place where Hanlon's razor applies much better than assuming they want weak encryption.

1 more reply

cookiengineer3y ago

> paper: https://eprint.iacr.org/2022/975.pdf

Does this mean that probably all SIDH key exchanges are affected?

What about TOR? Do we have to assume that key exchanges can be intercepted and recovered?

A RUSTSEC advisory was already published and they removed all SIDH algorithms there [1]

[1] https://rustsec.org/advisories/RUSTSEC-2022-0045.html

tptacek3y ago

Yes, this impacts all of SIDH.

UncleOxidant3y ago

That 10-year-old PC is quite precocious.

RcouF1uZ4gsC3y ago

And I bet 48 of those people work for the NSA.

zmgsabst3y ago

That’s not fair — at least ten work for Chinese intelligence.

RcouF1uZ4gsC3y ago

And some may actually work for both!

1 more reply

lizardactivist3y ago

The smartest people in the world are always Americans. No wonder the rest of the world can't make things on their own, and always steal American technology!

eterm3y ago

I look forward to this being in the next set of cryptopals.

tptacek3y ago

It's a little unlikely. It's a code-able exploit with a big payoff, which is right in the wheelhouse, but then there's this that Steven Galbraith had to say about how the exploit works:

    *What is this magic ingredient?*
    It is a theorem by Ernst Kani about reducible subgroups of abelian surfaces.

    *Is there a simple way to explain the magic ingredient?*
    Nope. Go learn about Richelot isogenies and abelian surfaces.

amirhirsch3y ago

Even before being broken, the abstruse mathematics is one of the reasons to not go with SIKE or Rainbow. It’s not surprising they are broken.

NTRU is the easiest of the NIST PQC finalists to understand, and will probably beat Kyber because even a relatively new-to-cryptography programmer will be able to understand it and implement it.

2 more replies

cat_plus_plus3y ago

Well, it's Quantum-Safe, not Turing-Safe

karl_gluck3y ago

tptacek3y ago

SIDH/SIKE is a key exchange mechanism, not a signature scheme.

perfecthjrjth3y ago

Any NSA and NIST shenanigans here wrt isogeny PQC? Is this "quantum-safe" crypt is in the current round of PQC selection by NIST?

trentnix3y ago

This headline, “Quantum-Safe” Crypto Hacked by 10-Year-Old PC, was pretty awesome until I got to the "PC" part.

Blackthorn3y ago

Is there a description of how the proof applies to the cryptosystem? IEEE is a bit light on the essential details.

elevaet3y ago

So, do there exist other "quantum-safe" crypto algorithms still considered to be reliable?

tptacek3y ago

Yes, many, including the lattice algorithm NIST chose in the first round of the PQC competition.

born-jre3y ago

It was not in NIST final competition, right ? Just alternate candidate.

aidenn03y ago

IIUC, NIST did not select a winner for post-quantum public-key-encryption, but rather winnowed the field to 4 potential candidates, and this is one of them.

tptacek3y ago

No, it selected the CRYSTALS-Kyber KEM and then proceeded for an additional round to consider alternatives/understudy KEMs, of which SIKE was one potential one.

andai3y ago

Can a quantum computer crack your encryption if it doesn't know the algorithm (ie. if you created it yourself and it is unknown to the outside world)?

DoctorOetker3y ago

no, but an insider can leak your security through obscurity, at which point any publically known rammifications that were overseen are easily exploited.

tptacek3y ago

No.

ChrisMarshallNY3y ago

Well, back to the old drawing board...

https://youtu.be/UaR6aqL-L3Y?t=10

aidenn03y ago

Being cryptoanalyzed makes me very angry, very angry indeed!

cdelsolar3y ago

SIKE... that's the wrong number!

Sohcahtoa823y ago

OOOOHHHH!!!!

https://youtu.be/9UAC2qkcrDY?t=66

snapetom3y ago

SIKE. This was reported weeks ago, right? There are still three more candidates.

DjlbrilH3y ago

Where the FG-2$?

userbinator3y ago

I think the beginning of the title lead me to believe it would say "10-Year-Old Kid" as I was hoping for some sort of "emperor has no clothes" situation, or brilliant amateur insight.

Yet I still think there's a good "look beyond your strengths" lesson here.

avodonosov3y ago

I initially read "Hacked by 10-Year-Old", as if a child hacked it.

jasonkimberson3y ago

Me too, lol

avodonosov3y ago

nashashmi3y ago

lizardactivist3y ago

It's because the search space (number of possible keys to guess) is astronomic; 2^256.

nashashmi3y ago

That makes sense. So his wallet will be broken in about 10 years plus 10 years marking the time for advancement of CPU and time for brute force to spend calculating with the advanced CPU.

infinityio3y ago

tptacek3y ago

You're sure many people are trying to deploy attacks on supersingular isogeny Diffie-Hellman against Bitcoin?

j / k navigate · click thread line to collapse