[Cryptography] A thought about backdoors and quantum-resistant encryption

ianG iang at iang.org
Sat Aug 29 08:20:36 EDT 2015


On 28/08/2015 18:04 pm, Theodore Ts'o wrote:
> I don't know if this is possible, because I don't know enough about
> quantum computing, and I don't know enough about "quantum
> resistant encryption".
>
> Suppose quantum computing is a thing, and suppose NSA^H^H^H NIST
> supplies us with a quantum-resistant encryption algorithm.  Would it
> be possible to create an encryption algorithm which is resistant to
> quantum computing --- except for someone with a quantum computer
> *AND* knowledge of some secret quantum state stored in a quantum
> computer only available to the NSA.


As PHB indicates, the prevailing thesis is that this means the algorithm 
is a public key algorithm with the NSA holding the private key.  Or 
perhaps the weak keys argument.

It's certainly possible.  If it was done using parameters, that would be 
one thing.  If it was done using some scientific understanding, that 
would be another, more risky thing, because others could figure it out.


> Even more, would it be possible to create such a thing in such a way
> that NSA^H^H^H NIST could introduce non-transparently in such a way
> that the public world *thinks* that the encryption algorithm
> against all quantum computers, but in fact there is a trapdoor that
> only the NSA could utilize --- but no one knows this?


It's certainly something they would try if they could get away with it. 
If one has followed the DUAL_EC story, and recent revelations about 
Crypto AG and the NSA mission statements that directly seek to pervert 
commercial cryptography, one can only conclude they would do it if they 
thought they could get away with it.


> Of course, people wouldn't have to use the new quantum resistant
> encryption algorithms, but if quantum computers were a thing, they
> would be screwed if they kept on using AES, so the NSA would be quite
> happy with that outcome.
>
> And of course, if it was introduced non-transparently, then China and
> Russia and Iran would be able to demand that a backdoor be engineered
> for them, because no one would know that the backdoor existed.  And if
> some future Snowden leaks this, all of the current fear-mongering
> from James Comey and Keith Alexander would help prepare the ground in
> case it does leak.  (Or maybe they plan to introduce this
> transparently, if they've learned their lesson from the Snowden
> disclosures.)
>
> All of this is premised on the hypothesis that it is possible to
> create a quantum-resistant encryption system for everyone but the NSA, and
> preferably (for the NSA) in such a way that it's not possible to
> modify the encryption system so that the backdoor can't be removed or
> changed so that China and Russia could have their own
> quantum-backdoored encryption algorithm, and force companies who want
> to do business in those countries to use their alternate-backdoored
> encryption.   Is this possible?


I think on the whole it is possible.  It is also likely that they have 
thought of it.  And they are spending money on that area in a big way.

Whether it happens or not is too many hypotheticals for us to seriously 
predict at this stage.  Which is to say, what the risk level is and 
whether to mitigate is too hard to tell.  And normal Occam's razor logic 
on risk analysis would say that if you can't model it, treat it as if it 
doesn't exist.



iang

