Key size
== Effect of quantum computing attacks on key strength ==

The two best known quantum computing attacks are based on [[Shor's algorithm]] and [[Grover's algorithm]]. Of the two, Shor's offers the greater risk to current security systems. Derivatives of Shor's algorithm are widely conjectured to be effective against all mainstream public-key algorithms including [[RSA (algorithm)|RSA]], [[Diffie-Hellman]] and [[elliptic curve cryptography]]. According to Professor Gilles [[Gilles Brassard|Brassard]], an expert in quantum computing: "The time needed to factor an RSA integer is the same order as the time needed to use that same integer as modulus for a single RSA encryption. In other words, it takes no more time to break RSA on a quantum computer (up to a multiplicative constant) than to use it legitimately on a classical computer." The general consensus is that these public-key algorithms are insecure at any key size if sufficiently large quantum computers capable of running Shor's algorithm become available. The implication of this attack is that all data encrypted using current standards-based security systems, such as the ubiquitous [[Transport Layer Security|SSL]] used to protect e-commerce and Internet banking and [[Secure Shell|SSH]] used to protect access to sensitive computing systems, is at risk. Encrypted data protected using public-key algorithms can be archived and may be broken at a later time, commonly known as retroactive/retrospective decryption or "[[harvest now, decrypt later]]".

Mainstream symmetric ciphers (such as [[Advanced Encryption Standard|AES]] or [[Twofish]]) and collision-resistant hash functions (such as [[Secure Hash Algorithm|SHA]]) are widely conjectured to offer greater security against known quantum computing attacks. They are widely thought to be most vulnerable to [[Grover's algorithm]]. Bennett, Bernstein, Brassard, and Vazirani proved in 1996 that a brute-force key search on a quantum computer cannot be faster than roughly 2<sup>''n''/2</sup> invocations of the underlying cryptographic algorithm, compared with roughly 2<sup>''n''</sup> in the classical case.<ref name=bennett_1997>Bennett C.H., Bernstein E., Brassard G., Vazirani U., ''[http://www.cs.berkeley.edu/~vazirani/pubs/bbbv.ps The strengths and weaknesses of quantum computation]''. [[SIAM Journal on Computing]] 26(5): 1510-1523 (1997).</ref> Thus in the presence of large quantum computers an ''n''-bit key can provide at least ''n''/2 bits of security. Quantum brute force is easily defeated by doubling the key length, which has little extra computational cost in ordinary use. This implies that at least a 256-bit symmetric key is required to achieve a 128-bit security rating against a quantum computer.

As mentioned above, the NSA announced in 2015 that it plans to transition to quantum-resistant algorithms.<ref name=NSASuiteBphaseout /> In a 2016 Quantum Computing FAQ, the NSA affirmed:

{{blockquote|"A sufficiently large quantum computer, if built, would be capable of undermining all widely-deployed public key algorithms used for key establishment and digital signatures. [...] It is generally accepted that quantum computing techniques are much less effective against symmetric algorithms than against current widely used public key algorithms. While public key cryptography requires changes in the fundamental design to protect against a potential future quantum computer, symmetric key algorithms are believed to be secure provided a sufficiently large key size is used. [...] The public-key algorithms ([[RSA (cryptosystem)|RSA]], [[Diffie-Hellman]], [[ECDH|[Elliptic-curve Diffie–Hellman] ECDH]], and [[Elliptic Curve Digital Signature Algorithm|[Elliptic Curve Digital Signature Algorithm] ECDSA]]) are all vulnerable to attack by a sufficiently large quantum computer. [...] While a number of interesting quantum resistant public key algorithms have been proposed external to NSA, nothing has been standardized by [[National Institute of Standards and Technology|NIST]], and NSA is not specifying any commercial quantum resistant standards at this time. NSA expects that NIST will play a leading role in the effort to develop a widely accepted, standardized set of quantum resistant algorithms. [...] Given the level of interest in the cryptographic community, we hope that there will be quantum resistant algorithms widely available in the next decade. [...] The AES-256 and SHA-384 algorithms are symmetric, and believed to be safe from attack by a large quantum computer."<ref name=cnsaquantum>{{cite web|url=https://ia801409.us.archive.org/26/items/cnsa-suite-and-quantum-computing-faq/CNSA-Suite-and-Quantum-Computing-FAQ.pdf |title=Commercial National Security Algorithm Suite and Quantum Computing FAQ |pages=6–8 |date=2016-01-01 |publisher=[[National Security Agency]] |access-date=2024-04-21}}</ref>}}

In a 2022 press release, the NSA stated:

{{blockquote|"A cryptanalytically-relevant quantum computer (CRQC) would have the potential to break public-key systems (sometimes referred to as asymmetric cryptography) that are used today. Given foreign pursuits in quantum computing, now is the time to plan, prepare and budget for a transition to [quantum-resistant] QR algorithms to assure sustained protection of [National Security Systems] NSS and related assets in the event a CRQC becomes an achievable reality."<ref name=cnsasuite>{{cite web|url=https://www.nsa.gov/Press-Room/News-Highlights/Article/Article/3148990/nsa-releases-future-quantum-resistant-qr-algorithm-requirements-for-national-se/ |title=NSA Releases Future Quantum-Resistant (QR) Algorithm Requirements for National Security Systems |date=2022-09-07 |publisher=[[National Security Agency]] |access-date=2024-04-14}}</ref>}}

Since September 2022, the NSA has been transitioning from the [[Commercial National Security Algorithm Suite]] (now referred to as CNSA 1.0), originally launched in January 2016, to the Commercial National Security Algorithm Suite 2.0 (CNSA 2.0), both summarized below:<ref name=nsaCNSA>{{cite web|url=https://media.defense.gov/2022/Sep/07/2003071834/-1/-1/0/CSA_CNSA_2.0_ALGORITHMS_.PDF |archive-url=https://archive.today/20221121213740/https://media.defense.gov/2022/Sep/07/2003071834/-1/-1/0/CSA_CNSA_2.0_ALGORITHMS_.PDF |url-status=dead |archive-date=November 21, 2022 |title=Announcing the Commercial National Security Algorithm Suite 2.0, U/OO/194427-22, PP-22-1338, Ver. 1.0 |date=September 2022 |publisher=[[National Security Agency]]|website=media.defense.gov|access-date=2024-04-14|at=Table IV: CNSA 2.0 algorithms, p. 9.; Table V: CNSA 1.0 algorithms, p. 10.}}</ref>{{efn|See the complete tables and the transition timeline at [[Commercial National Security Algorithm Suite]] article.}}

'''CNSA 2.0'''
{| class="wikitable"
|-
! Algorithm !! Function !! Parameters
|-
| Advanced Encryption Standard (AES) || Symmetric block cipher for information protection || 256-bit keys
|-
| CRYSTALS-Kyber || Asymmetric algorithm for key establishment || Level V
|-
| CRYSTALS-Dilithium || Asymmetric algorithm for digital signatures || Level V
|-
| Secure Hash Algorithm (SHA) || Algorithm for computing a condensed representation of information || SHA-384 or SHA-512
|-
| Leighton-Micali Signature (LMS) || Asymmetric algorithm for digitally signing firmware and software || All parameters approved. SHA256/192 recommended.
|-
| Xtended Merkle Signature Scheme (XMSS) || Asymmetric algorithm for digitally signing firmware and software || All parameters approved
|}

'''CNSA 1.0'''
{| class="wikitable"
|-
! Algorithm !! Function !! Parameters
|-
| Advanced Encryption Standard (AES) || Symmetric block cipher for information protection || 256-bit keys
|-
| Elliptic Curve Diffie-Hellman (ECDH) Key Exchange || Asymmetric algorithm for key establishment || Curve P-384
|-
| Elliptic Curve Digital Signature Algorithm (ECDSA) || Asymmetric algorithm for digital signatures || Curve P-384
|-
| Secure Hash Algorithm (SHA) || Algorithm for computing a condensed representation of information || SHA-384
|-
| Diffie-Hellman (DH) Key Exchange || Asymmetric algorithm for key establishment || Minimum 3072-bit modulus
|-
| [Rivest-Shamir-Adleman] RSA || Asymmetric algorithm for key establishment || Minimum 3072-bit modulus
|-
| [Rivest-Shamir-Adleman] RSA || Asymmetric algorithm for digital signatures || Minimum 3072-bit modulus
|}
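The Grover bound discussed above (roughly 2<sup>''n''/2</sup> oracle calls for an ''n''-bit key, hence ''n''/2 bits of quantum security and the need to double symmetric key lengths) can be seen in a toy classical simulation. This is an added example, not code from the article or from the NSA; the function names, the "kind" labels and the 8-bit sample key are assumptions of the example, and the simulation stores the full state vector, so it only works for tiny key spaces.

```python
import math

def grover_key_search(n_bits, secret_key, iterations=None):
    """Classically simulate Grover's search over the 2**n_bits key space.

    Each Grover iteration makes one oracle call (one "trial decryption"); the
    optimal count is about (pi/4) * sqrt(N), i.e. ~2**(n/2), versus up to
    2**n classical guesses. Returns (recovered_key, success_probability, calls).
    """
    n = 1 << n_bits
    if iterations is None:
        iterations = int(math.pi / 4 * math.sqrt(n))
    amp = [1.0 / math.sqrt(n)] * n            # uniform superposition over all keys
    for _ in range(iterations):
        amp[secret_key] = -amp[secret_key]    # oracle: flip the sign of the correct key
        mean = sum(amp) / n                   # diffusion: inversion about the mean
        amp = [2.0 * mean - a for a in amp]
    probs = [a * a for a in amp]              # measurement probabilities
    best = max(range(n), key=probs.__getitem__)
    return best, probs[best], iterations

def quantum_security_bits(kind, key_bits):
    """Effective security against a large quantum computer, per the bounds in
    the text: Grover halves symmetric strength; Shor removes RSA/DH/ECC
    strength at any key size. 'kind' labels are an assumption of this example."""
    if kind == "symmetric":
        return key_bits // 2
    if kind in ("rsa", "dh", "ecc"):
        return 0
    raise ValueError("unknown algorithm kind: " + kind)

def min_symmetric_key_bits(target_security_bits):
    """Smallest symmetric key length reaching the target under the Grover bound."""
    return 2 * target_security_bits

if __name__ == "__main__":
    # Constructed toy instance: an 8-bit key space (256 candidates), secret key 0xA5.
    key, prob, calls = grover_key_search(8, 0xA5)
    print(f"recovered key {key:#04x} with probability {prob:.4f} after {calls} oracle calls "
          f"(classical brute force: up to {1 << 8} trial decryptions)")
    print("AES-128 against Grover:", quantum_security_bits("symmetric", 128), "bits")
    print("RSA-3072 against Shor:", quantum_security_bits("rsa", 3072), "bits")
    print("symmetric key for 128-bit quantum security:", min_symmetric_key_bits(128), "bits")
```

For the 8-bit instance, 12 oracle calls recover the key with probability above 0.99, where a classical search may need all 256; the same sqrt(N) scaling is what turns AES-128 into a 64-bit problem and motivates the 256-bit keys in both CNSA tables.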