Episode: 2860
Title: HPR2860: Encryption and Quantum Computing
Source: https://hub.hackerpublicradio.org/ccdn.php?filename=/eps/hpr2860/hpr2860.mp3
Transcribed: 2025-10-24 12:22:27
---
This is HPR episode 2860 entitled Encryption and Quantum Computing, and is part of the series Privacy and Security. It is hosted by Ahuka, is about 13 minutes long, and carries a clean flag. The summary is: how will quantum computing affect the security of encryption? This episode of HPR is brought to you by AnHonestHost.com. Get 15% discount on all shared hosting with the offer code HPR15. That's HPR15. Better web hosting that's honest and fair at AnHonestHost.com. Hello, this is Ahuka welcoming you to Hacker Public Radio and another exciting episode in our Security and Privacy series. What I want to talk about today is encryption and how that is affected by quantum computing, because quantum computers are starting to appear and they are starting to do things. Now, if you've been paying any attention to encryption technology, you probably know that the safety of encryption from being cracked relies on the concept of computational infeasibility, which is a fancy way of saying that any encryption can be broken if you have enough time and enough resources, but if those quantities of time and resource are simply impractical, you can regard encryption as safe enough. Now, in previous episodes I've talked about this; in fact, in my episode on password entropy and good password practices I went through numerical examples showing that a good long password with high entropy, you know, if it was long enough and entropic enough, would take longer than, well, basically it would go past the heat death of the universe. Now what we have to understand, though, is that that was using current computer technology. So the other thing we've consistently talked about with all of this is that it's an arms race, so attackers are always getting better.
You know, this is Bruce Schneier's rule: attacks always get better, they never get worse, and that means defenders need to improve as well. Now, so far that's worked reasonably well: as computing has gotten cheaper and more powerful, thus making it easier to crack encryption, the defenders have responded by improving encryption through superior algorithms, longer key lengths, and so on. In this kind of arms race a reasonable view in general is that anything encrypted today will, if you did it properly, remain safe for at least a period of decades before technical advances make it unsafe. Now, this is not to deny that some older encrypted data may become vulnerable over time if anyone cares enough to save it and attack it when the technology has matured that far. For example, there is speculation about an NSA facility constructed in Utah called the Intelligence Community Comprehensive National Cybersecurity Initiative Data Center. That's a long title. So the idea is that we think that was probably constructed for this precise purpose, and that's what the NSA is doing. I suspect either GCHQ is participating with the NSA or has something similar in mind. Now, the facility is capable of storing immense amounts of data and is near two sources of low-cost hydroelectricity, as well as being very favorably situated on internet trunk lines. All of this certainly makes a plausible case for what they're doing, at the very least. Now, personally I've not worried too much about this, because this is not the threat model I need to defend against, and I always start by defining the threats I care about. I got this from Bruce Schneier, you know: define the threat that you see and what it can do to you, and then pick a countermeasure that is going to deal with that threat. So if someone says "I just want to be 100% secure against everything," it's like, okay, you're not ready for this, you're not thinking clearly yet.
So if the NSA can decrypt my emails 20 years from now, I doubt they'd find anything terribly interesting, and when I read my emails from long ago I'm frequently puzzled by what they're about. But there are people who have very legitimate reasons to be concerned, such as democracy activists in totalitarian countries like Russia, China, Turkey, and so on. They should indeed be paying attention to the capabilities of the spy agencies and taking steps to protect themselves, and for anyone who is concerned, the biggest wild card has been quantum computing. So quantum computing differs from the traditional computing we're used to by the way the bits work. In traditional computing bits are either zero or one. Encryption in that environment is simply manipulating those bits, using techniques like XOR (exclusive or), and where the quantum difference comes in is that each quantum bit, called a qubit, can take on many values simultaneously. This is a superposition that allows both zero and one to exist simultaneously, kind of like Schrödinger's cat, which is both alive and dead until you look, and that of course is a classic example of quantum weirdness. A single qubit can be in two states at once, two qubits can be in a total of four states at once, three qubits can be in eight states at once, and so on. So take two, raise it to the power of the number of qubits you have, and that tells you how many states you can have, and you know that's exponential, so it gets really big really fast. Now, for our purposes I do not propose to go into a detailed description of quantum computing; best reason of all, I'm completely unqualified to do it, and it tends to make my brain hurt. The point we need to keep in mind is that quantum computing has the power to make feasible those decryptions that were previously considered infeasible.
Now, that said, we are not there yet. So far the quantum computers that have been developed are limited and finicky things, but given the intense interest it is only a matter of time until they are developed to the point that they are practical, and when that happens those messages the NSA has stored in Utah will be decrypted, if they choose to do that. That's unavoidable at this point. I'm not sure that is all that much different from the march of decryption capabilities we have witnessed until now. Encryption standards we once relied on, such as MD5, are now considered useless for any security purpose. MD5 still lives on as a way of verifying that files have not been changed in any way, so you will still see that with, like, downloads of Linux ISOs, where file integrity matters a whole lot. So will files encrypted today using something like elliptic curve cryptography be broken in 20 years? I would consider that highly likely. So if you are going to overthrow the government, you might want to get a move on. But some people claim that quantum computing means the end of the age of encryption, and that is nonsense. The arms race will continue, and quantum computing will be used to create new forms of encryption that have equivalent safety in the quantum age to what we have had over the last 30 years. In fact, it's happening right now. In the United States the National Institute of Standards and Technology drives encryption standards, and as a practical matter tends to do that for most of the world, not just the United States. They have a project called Post-Quantum Cryptography, and in December of 2016 issued a request for nominations for the proposed new standard. As they state, quote, if large-scale quantum computers are ever built, they will be able to break many of the public-key cryptosystems currently in use. This would seriously compromise the confidentiality and integrity of digital communications on the Internet and elsewhere.
The goal of post-quantum cryptography, also called quantum-resistant cryptography, is to develop cryptographic systems that are secure against both quantum and classical computers and can interoperate with existing communications protocols and networks. Okay, so in December of 2016 they issued a call: hey, all you smart folks out there, give us some ideas. They did receive a number of submissions. So in March of 2019, on March 20th, they delivered a briefing to the Information Security and Privacy Advisory Board, which is a board within NIST established by congressional mandate. There, Matthew Scholl, chief of the Computer Security Division at NIST, said that they had spent most of the previous year evaluating 69 submissions and then selected 26 of the most promising of them for further investigation, with an eye to whittling down the list some more later in 2019. And I've got links to these lists and things that you can take a look at, so the show notes will help if you want more information about all of this. Now, he did make clear that NIST is not looking for a single algorithm or even a specific number of algorithms, which may be a good thing. One thing we know from experience is that monocultures can fall to a single vulnerability, and it also looks like the expected different needs will lead to different algorithms being used. Again, a very sensible way of looking at these things. Now, to quote Mr. Scholl: this is to ensure that we have some resilience, so that when a quantum machine actually comes around, not being able to fully understand the capability or the effect of those machines, having more than one algorithm with some different genetic mathematical foundations will ensure that we have a little more resiliency in that kit going forward. So what is this telling us, really?
To me what it is saying is that there is a need for encryption, that need will continue, and even if there's a change in decryption technology there are going to be people working on ways of getting around that. So I don't expect that there's ever going to be a point in my lifetime where encryption is totally useless. And so the arms race is going to continue one way or another, and we should probably just get used to all of that. And so with that, this is Ahuka for Hacker Public Radio reminding you, as always, to support free software. Bye bye. You've been listening to Hacker Public Radio at HackerPublicRadio.org. We are a community podcast network that releases shows every weekday, Monday through Friday. Today's show, like all our shows, was contributed by an HPR listener like yourself. If you ever thought of recording a podcast, then click on our Contributing link to find out how easy it really is. Hacker Public Radio was founded by the Digital Dog Pound and the Infonomicon Computer Club, and it's part of the binary revolution at binrev.com. If you have comments on today's show, please email the host directly, leave a comment on the website, or record a follow-up episode yourself. Unless otherwise stated, today's show is released under the Creative Commons Attribution-ShareAlike 3.0 license.