undefined | Better HN

0 pointsthiagoharry2y ago0 comments

As far as I know, there are no known quantum attacks that break the security of AES. It is unknown if they are able to turn AES insecure, like they do to RSA and discrete logarithm problems. And there are several post-quantum candidate alternatives to replace RSA and crypto algorithms that would break under quantum attacks.

Quantum computers break several security assumptions. But not all of them and we usually can replace the broken assumptions. Discovering that P=NP, or that one-way functions do not exist, on the other hand, would imply that several secure cryptographic constructions that we want to use are in fact impossible and would be a much scarier discovery.

0 comments

9 comments · 2 top-level

js82y ago· 6 in thread

Practical P=NP is a very real possibility (I am just testing a new algorithm) and (IMHO) not that scary. I am of the opinion that the advantages of P=NP far outweigh the disadvantages. People tend to focus on the latter, because that's the world we currently live in.

Even if we focus on crypto only, from the perspective of people being oppressed around the world, it would be far better for them to be able to see what is being done by the powerful publicly rather than not. This is essential for transparency, which is essential for democracy.

I don't reject the ideals of e.g. https://en.wikipedia.org/wiki/A_Declaration_of_the_Independe..., but I believe that the technological solution through cryptography is not tenable, and if we got rid of cryptography, it would actually level the playing field.

eru2y ago

Sorry, this sounds like serious crackpot territory.

Btw, if your polynomial algorithm for NP is any good, you should be able to break any encryption at all. The problem of breaking cryptographic systems is typically inside of both NP and co-NP. That intersection is suspected to be substantial smaller than NP by itself. (Of course, if it all collapses to P, that wouldn't make a difference.)

js82y ago

If everybody considers P=NP a crackpot territory, then it will never happen, by definition. On the contrary, I think to believe that the sets described by NP-complete instances are somehow inherently "undescribable" (as is implied by naturalization) is crackpottery also.

But regardless, it's important to realize that modern cryptography relies on a hypothesis. It might be effectively true for now, but it might not in the future.

> Btw, if your polynomial algorithm for NP is any good, you should be able to break any encryption at all.

In theory, yes, in practice, there is a pretty big difference between "I think I just discovered how to do Gaussian elimination to solve linear equations" and "I can routinely solve sparse linear systems with millions of variables". Historically, it wasn't done by a single individual in a span of couple years.

1 more reply

GTP2y ago

I'm not sure whether I agree or not, as without cryptography the only way to have a private discussion with someone, which I think is equally important to transparency, as people usually are "transparent" about personal stuff with close friends/family members only under the condition that other people don't have access to the information, would be to have such conversation in person behind closed doors. Which it isn't always easy, think people living far apart. Consider also that having no cryptography isn't by itself enough to have a transparent government: they can still lock important documents in a physically secure place and have a long jail sentence as a deterrent for people thinking about leaking them.

js82y ago

> Consider also that having no cryptography isn't by itself enough to have a transparent government: they can still lock important documents in a physically secure place and have a long jail sentence as a deterrent for people thinking about leaking them.

But here you say that: Security can depend on social contract and not technology. But the same argument can be applied to your original objection. We can mandate (in the social contract) that people have the right to privacy. (And there are some analogs where we do that, for example, we could have Gattaca-like dystopia where people's access to health care is based on genetics, yet all developed countries have a ban on such discrimination.)

I think it's far more dangerous that the government or adversary is technologically capable of being non-transparent than if ordinary people don't have capability to be non-transparent. It's because I believe power ultimately thrives on information asymetry, and the encryption only amplifies this asymetry.

2 more replies

noitpmeder2y ago

This is an insane take. If encryption is broken I _guarantee_ that the public will still be as in-the-dark as they are now. The government (and telcos) are the only ones who control the infrastructure needed to inspect this kind of traffic.

js82y ago

I am not suggesting that, in an encryption-free world, the advantage for the public is in being able to inspect all government traffic. Rather, it makes it easier for whistleblowers to bypass the government protections and get relevant documents that cover some atrocities.

I really like Assange's essay on the topic, where he describes that every big operation requires a sort of paper or document trail (which is used to coordinate many people), and this fact makes whistleblowing always an option.

However, I believe, encryption (and related things like trusted computing) helps to minimize the exposure of this trail even to internal actors, and in doing so, it makes whistleblowing more difficult.

tialaramex2y ago· 1 in thread

Grover's Algorithm gets you effectively a square root difficulty improvement. So, AES 256 is "only" as strong as a 128-bit symmetric encryption if you have equivalently cheap quantum computers.

Even ignoring that we don't currently have any usable quantum computers and there's no reason to believe they would be affordable, let alone cheap, this mean AES-256 is fine.

less_less2y ago

Grover's algorithm is not quite as powerful as popularly described. In particular, it (roughly) divides the number of times you need to run AES by the number of times you run it sequentially. So it effectively square-roots the time requirement rather than the difficulty, and those are very different if the attack is parallel.

Eg if you were planning on breaking AES-128 by running 2^30 cores for 2^98 AES calls, it now only takes about 2^49 calls per core (2^79 total effort) plus the overhead of Grover's algorithm itself. There are also huge overheads from running everything on a quantum computer, some of which are theoretically avoidable (100x cost for error correction; gates take one clock cycle) and some of which are probably not (you must rewrite AES so that all computations are reversible). So breaking AES-128 might eventually be feasible, but AES-192 probably would not be.

There is a theoretical barrier against efficiently parallelizing Grover: all generic quantum brute-force algorithms (the kind that would work against a random function in a black box) require Omega(searchspace / depth) queries, at least for some model that may not quite match reality. (Edit: Omega and not O, since it's a lower bound)

Of course, AES isn't a random function in a black box, so there may be better attacks against it, but I'm not aware of any.

j / k navigate · click thread line to collapse

0 comments

9 comments · 2 top-level

js82y ago· 6 in thread

eru2y ago

Sorry, this sounds like serious crackpot territory.

js82y ago

But regardless, it's important to realize that modern cryptography relies on a hypothesis. It might be effectively true for now, but it might not in the future.

> Btw, if your polynomial algorithm for NP is any good, you should be able to break any encryption at all.

1 more reply

GTP2y ago

js82y ago

2 more replies

noitpmeder2y ago

js82y ago

tialaramex2y ago· 1 in thread

Grover's Algorithm gets you effectively a square root difficulty improvement. So, AES 256 is "only" as strong as a 128-bit symmetric encryption if you have equivalently cheap quantum computers.

Even ignoring that we don't currently have any usable quantum computers and there's no reason to believe they would be affordable, let alone cheap, this mean AES-256 is fine.

less_less2y ago

Of course, AES isn't a random function in a black box, so there may be better attacks against it, but I'm not aware of any.

j / k navigate · click thread line to collapse