undefined | Better HN

0 pointskortilla1y ago0 comments

> quantum computers would be able to retroactively break any public keys that were stored

Use a key exchange that offers perfect forward secrecy (e.g. diffie Hellman) and you don’t need to worry about your RSA private key eventually being discovered.

0 comments

dathery1y ago

Diffie-Hellman isn't considered to be post-quantum safe: https://en.wikipedia.org/wiki/Shor%27s_algorithm#Feasibility...

ramchip1y ago

> Forward secrecy is designed to prevent the compromise of a long-term secret key from affecting the confidentiality of past conversations. However, forward secrecy cannot defend against a successful cryptanalysis of the underlying ciphers being used, since a cryptanalysis consists of finding a way to decrypt an encrypted message without the key, and forward secrecy only protects keys, not the ciphers themselves.[8] A patient attacker can capture a conversation whose confidentiality is protected through the use of public-key cryptography and wait until the underlying cipher is broken (e.g. large quantum computers could be created which allow the discrete logarithm problem to be computed quickly). This would allow the recovery of old plaintexts even in a system employing forward secrecy.

https://en.wikipedia.org/wiki/Forward_secrecy#Attacks

kortillaOP1y ago

I’m talking specifically about RSA being eventually broken. If just RSA is broken and you were using ECDHE for symmetric keying, then you’re fine.

The point is that you can build stuff on top of RSA today even if you expect it to be broken eventually if RSA is only for identity verification.

minitech1y ago

The relevant RSA break is sufficiently powerful quantum computers, which also break ECDH (actually, ECDH is easier than classically equivalent-strength RSA for quantum computers[1]), so no, you’re not fine.

[1] https://security.stackexchange.com/questions/33069/why-is-ec...

coppsilgold1y ago

I would actually expect RSA to see a resurgence due to this. Especially because you can technically scale RSA to very high levels potentially pushing the crack date to decades later than any ECC construction. With the potential that such a large quantum computer may never even arrive.

There are several choices with scaling RSA too, you can push the primes which slows generation time considerably. Or the more reasonable approach is to settle on a prime size but use multiple of them (MP-RSA). The second approach scales indefinitely. Though it would only serve a purpose if you are determined to hedge against the accepted PQC algorithms (Kyber/MLKEM, McEliece) being broken at some point.

1 more reply

ReptileMan1y ago

Perfect forward secrecy doesn't work that well when NSA motto is - store everything now decrypt later. If they intercept the ephemeral key exchange now they can decrypt the message 10 or 50 years later.

kortillaOP1y ago

Diffie Hellman doesn’t ever send the key over the wire, that’s the point. There is nothing to decrypt in the packets that tells you the key both sides derived.

Unless they break ECDHE, it doesn’t matter if RSA gets popped.

ReptileMan1y ago

Diffie Hellman to the best of my understanding also relies on the same hard problems that make the public key cryptography possible. If you trivialize factoring of big numbers, you break both RSA and the original DHE. Not sure how it will work for elliptic curves, but my instinct tells me that if you make the fundamental ECC problem easy, the exchange will also go down.

Thorrez1y ago

According to the top image on the Wikipedia page, Diffie Hellman does send the public key over the wire.

https://en.wikipedia.org/wiki/Diffie%E2%80%93Hellman_key_exc...

bsaul1y ago

wouldn't be surprised if ecdhe isn't quantum resistant.

JKCalhoun1y ago

Something tells me that by the end of the century only the one-time pads will still be holding their secrets.

FredPret1y ago

Even for that to work you need a good random number generator

adgjlsfhk11y ago

That's pretty trivial. xor a video camera with AES and no one is decrypting that ever.

1 more reply

JKCalhoun1y ago

Honestly not sure how they created one-time pads 100 years ago.

1 more reply

lxgr1y ago

Forward secrecy is orthogonal to post-quantum safety.

coppsilgold1y ago

Perfect forward secrecy requires the exchange of ephemeral keys. If you use either ECC or RSA for this and the traffic is captured a quantum computer will break it.

All perfect forward secrecy means is that you delete your own ephemeral private keys, the public keys stay in the record. And a quantum computer will recover the deleted private keys.

Also, none of the currently accepted post-quantum cryptographic algorithms offer a Diffie-Hellman construction. They use KEM (Key Encapsulation Mechanism).

HeatrayEnjoyer1y ago

Not exactly, they can just reverse the entire chain.

kortillaOP1y ago

What chain are you talking about?

j / k navigate · click thread line to collapse

0 comments

dathery1y ago

Diffie-Hellman isn't considered to be post-quantum safe: https://en.wikipedia.org/wiki/Shor%27s_algorithm#Feasibility...

ramchip1y ago

https://en.wikipedia.org/wiki/Forward_secrecy#Attacks

kortillaOP1y ago

I’m talking specifically about RSA being eventually broken. If just RSA is broken and you were using ECDHE for symmetric keying, then you’re fine.

The point is that you can build stuff on top of RSA today even if you expect it to be broken eventually if RSA is only for identity verification.

minitech1y ago

[1] https://security.stackexchange.com/questions/33069/why-is-ec...

coppsilgold1y ago

1 more reply

ReptileMan1y ago

kortillaOP1y ago

Diffie Hellman doesn’t ever send the key over the wire, that’s the point. There is nothing to decrypt in the packets that tells you the key both sides derived.

Unless they break ECDHE, it doesn’t matter if RSA gets popped.

ReptileMan1y ago

Thorrez1y ago

According to the top image on the Wikipedia page, Diffie Hellman does send the public key over the wire.

https://en.wikipedia.org/wiki/Diffie%E2%80%93Hellman_key_exc...

bsaul1y ago

wouldn't be surprised if ecdhe isn't quantum resistant.

JKCalhoun1y ago

Something tells me that by the end of the century only the one-time pads will still be holding their secrets.

FredPret1y ago

Even for that to work you need a good random number generator

adgjlsfhk11y ago

That's pretty trivial. xor a video camera with AES and no one is decrypting that ever.

1 more reply

JKCalhoun1y ago

Honestly not sure how they created one-time pads 100 years ago.

1 more reply

lxgr1y ago

Forward secrecy is orthogonal to post-quantum safety.

coppsilgold1y ago

Perfect forward secrecy requires the exchange of ephemeral keys. If you use either ECC or RSA for this and the traffic is captured a quantum computer will break it.

All perfect forward secrecy means is that you delete your own ephemeral private keys, the public keys stay in the record. And a quantum computer will recover the deleted private keys.

Also, none of the currently accepted post-quantum cryptographic algorithms offer a Diffie-Hellman construction. They use KEM (Key Encapsulation Mechanism).

HeatrayEnjoyer1y ago

Not exactly, they can just reverse the entire chain.

kortillaOP1y ago

What chain are you talking about?

j / k navigate · click thread line to collapse