Although it is likely to be circa 10 years before quantum computing poses a significant risk to current encryption algorithms, should quantum resistant algorithms start to be built into the Bitwarden road map? An interesting article from the makers of the Signal app explains the background. Read: Signal >> Blog >> Quantum Resistance and the Signal Protocol
While presently AES-CBC encryption works well, it is not far off that quantum computers would be able to crack the encryption. Quantum computing is already available through clouds to the general public, and malicious actors are already storing data to be cracked in the upcoming years. NIST has announced 4 quantum resistant algorithms that can be used in place of existing encryption algorithms. See https://www.nist.gov/news-events/news/2022/07/nist-announces-first-four-quantum-resistant-cryptographic-algorithms.
Considering the future risk, it is best to start implementing a quantum resistant encryption algorithm like Kyber.
Aren’t most symmetric encryption cyphers (like AES) already quantum resistant?
My understanding is that it is asymmetrical cyphers (such as RSA) that are at risk if/when quantum computer becomes viable.
You are right, the NIST initiative linked by @0xcrypto is to standardize quantum-resistant public-key cryptographic algorithms (i.e., asymmetric cryptography). AES256 is currently quantum resistant, and will remain so until quantum computers become at least an order-of-magnitude more powerful than the current cutting-edge technology in quantum computing.
Question was well answered. Just to add a little from my googling
https://techbeacon.com/security/waiting-quantum-computing-why-encryption-has-nothing-worry-about
The table shows how much quantum computers reduce effective key lengths for a common asymmetric public key cryptography algorithm (RSA) and for a common symmetric cryptography algorithm (AES).
The effective symmetric key length is reduced by a factor of 1/2 (i.e. one half).
The effective asymmetric key length is raised to a power between 1/2 and 1/3 (square root or cube root).
I think I remember hearing someone said the reduction in effective symmetric key length is linear while the reduction in effective asymmetric key length is exponential or logarithmic or some other mathematical sounding thing…
Reading further on those post quantum encryption and the link provided by @bw-tinkerer I realised they are somewhat the same as AES-256.
That being said, there’s Grover’s Algorithm that can be applied to brute-force keys for symmetric encryptions like AES. See https://mzhandry.github.io/courses/2021-Spring-COS533/LN/ln22.pdf
Obviously I do not have understanding of how it works and everything I got to know was from section 2 “Why is Grover’s Algorithm important” which is kinda readable.
While presently there’s no need to change algorithms, keeping an eye on future developments is important in my opinion.
Yes, as shown the 256 bit symmetric AES encryption key length looks like 128 bits of entropy to a quantum computer using Grover’s algorithm. It is a significant reduction, just nowhere near as much as the asymmetric RSA where the 15,360 bit key would look like a measly 31 bits of entropy to a quantum computer using Shor’s algorithm. So the asymmetric encryption used in things like logging into the server will be in jeopardy earlier, and the symmetric encryption used directly on the vault will be safe a lot longer. But if you think today’s vault might still be sensitive in a few decades, then don’t leave your encrypted backups laying around in public anywhere (not that anyone does that anyway).
Noted. Thanks for clarifying.
I see others have posted on the topic of post quantum cryptography, but there are a couple recent resources that may be of interest to bump up roadmap priority:
- Cloudflare’s recent implementation: https://pq.cloudflareresearch.com
- Another Helpful Resource: PQConnect: Cryptography
Edit:
I am limited to 2 links, but Googling for the Google Willow Blog Post is also interesting…
Edit 2:
I recommend looking at the March, 2024 and also more recent blog posts of Cloudflare on this topic.
Thank you for your consideration
@ThrowAway Welcome to the forum!
Feature requests should be posted in the Feature Requests section of the forum. I have moved your post into an existing feature request on the same topic.
Let’s Encrypt community Post Quantum Encryption discussion (includes many useful links):
“The current weak spots in the ecosystem, and the immediate target of improvements, are all in the [TLS] key exchanges.”[1]
The linked discussion is about asymmetric (public key) encryption, and thus not directly applicable to symmetric encryption algorithms such as AES.
Yes, I agree with you! I was actually merged by someone into this thread. I could have been clearer that the concerns involved potential TLS weaknesses with respect to Post Quantum Encryption. TLS protects Bitwarden’s traffic, of course, though…
Anything sensitive sent from Bitwarden’s servers to your computers (and vice versa) is encrypted by AES-256 (before being TLS-encrypted as part of the https protocol).
That’s awesome!! Thank you! Do you know if someone uses a FIDO2 Webauthn HSM with Bitwarden, is its traffic similarly protected? I saw that Google was taking some action on it here in 2023:
https://arstechnica.com/security/2023/08/passkeys-are-great-but-not-safe-from-quantum-computers-dilithium-could-change-that/
Also, what if you log into the Bitwarden website (using a browser) with your master password?
The authentication process is described in Bitwarden’s Security Whitepaper. Basically, the master password is hashed on your local device before being transmitted to Bitwarden’s servers. The master password cannot be reconstructed from its hash (other than by brute-force guessing, which becomes practically impossible if your password entropy is sufficiently high).
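The point in the reply above is that the server only ever receives a hash derived on the client, so a harvested login exchange yields nothing that can be turned back into the master password short of brute-force guessing. The sketch below is an added illustration of that pattern, not Bitwarden's code, and the salt choice, iteration count and the two-stage PBKDF2 layout are assumptions made for the example rather than the parameters in Bitwarden's whitepaper. It derives an encryption key that never leaves the client and a separate authentication hash that is the only thing sent to the server, and shows the server verifying it.

```python
import hashlib
import hmac
import os

# Assumed parameters for this example (not Bitwarden's actual settings).
KDF_ITERATIONS = 100_000
KEY_LEN = 32


def derive_master_key(master_password: str, email: str) -> bytes:
    """Client-side: stretch the master password into a key that stays local.

    The email address acts as a per-user salt (an assumption for this example).
    """
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode(), email.lower().encode(),
        KDF_ITERATIONS, dklen=KEY_LEN,
    )


def derive_auth_hash(master_key: bytes, master_password: str) -> bytes:
    """Client-side: derive the value that is actually transmitted for login.

    One extra PBKDF2 round keyed on the stretched key means the server
    learns neither the password nor the local encryption key.
    """
    return hashlib.pbkdf2_hmac(
        "sha256", master_key, master_password.encode(), 1, dklen=KEY_LEN,
    )


def server_store(auth_hash: bytes) -> dict:
    """Server-side: store only a salted, re-hashed copy of the auth hash."""
    salt = os.urandom(16)
    stored = hashlib.pbkdf2_hmac("sha256", auth_hash, salt, KDF_ITERATIONS)
    return {"salt": salt, "hash": stored}


def server_verify(record: dict, presented_auth_hash: bytes) -> bool:
    """Server-side: constant-time check of a presented auth hash."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256", presented_auth_hash, record["salt"], KDF_ITERATIONS,
    )
    return hmac.compare_digest(candidate, record["hash"])


def login_roundtrip(master_password: str, email: str, attempt: str) -> bool:
    """Register with master_password, then try to log in with `attempt`."""
    key = derive_master_key(master_password, email)
    record = server_store(derive_auth_hash(key, master_password))
    # On a later login the client recomputes both values from scratch.
    attempt_key = derive_master_key(attempt, email)
    return server_verify(record, derive_auth_hash(attempt_key, attempt))


if __name__ == "__main__":
    # Constructed sample credentials.
    print(login_roundtrip("correct horse battery staple", "alice@example.com",
                          "correct horse battery staple"))
    print(login_roundtrip("correct horse battery staple", "alice@example.com",
                          "correct horse battery stapler"))
```

What an eavesdropper or a compromised server sees is `derive_auth_hash(...)`, which does not reveal the `derive_master_key(...)` output that protects the vault; recovering the password from it means guessing candidates and paying the full KDF cost per guess, which is why the reply stresses password entropy.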
There are still quite a few uses of asymmetric crypto, both for personal vaults and org vaults. (PRF, TDE, Emergency Access, Account Recovery, Login-with-device, just to name a few). The latter 3 have the potential to become harvest-now-decrypt-later avenues for getting the symmetric user-key, so they need to be replaced sooner than later.
PQ-ciphers are definitely on the list, but hybrid KEMs are still not stable/standard enough to be implemented. A good contender here is KEMs/x-wing at master · RustCrypto/KEMs · GitHub , but it needs to be standardized and the implementation needs to be audited by cryptographers first.
AES in general, and AES-CBC don’t fall apart that much from quantum attacks, but there are other good reasons (not quantum related) to replace the current CBC-HMAC construction specifically…
I assume that you are referring here to HNDL attacks against asymmetric encryption only. My understanding is that even a standard delivery of the encrypted vault and protected user key during a login would be susceptible to HNDL (using Grover’s algorithm to reduce the brute force search space) — although in this case the “later” would be significantly later than the “later” for a HNDL threat against asymmetric crypto.
My mention of HNDL is referring to asymmetric only, for any of the aforementioned methods to encapsulate a user key. It is my understanding that even with Grover’s algorithm, only AES128 (which is not used, except for a very small set of legacy users >7+ years old, that have not logged in to migrate) is brought down to a relevant time frame.