While the current generation of quantum computers can only run Shor’s algorithms for trivial cases, many experts predict that in five to 15 years, they’ll be big enough to break all of today’s public key crypto systems.
We read:
Another thing CIOs should do is protect against “store-now, decrypt-later” attacks. Hackers may be collecting encrypted data already that they can decrypt once quantum computers become big enough and reliable enough to run Shor’s algorithms.
The whole article is based on the following premise:
Yet, none of these “experts” have been named, quoted, or cited, nor has any evidence been presented to support the above assertion.
Note also that the (theoretical) risk is limited to asymmetric encryption, using private-public key pairs, and does not extend to symmetric encryption such as the AES-256 algorithm used to encrypt vault data and user keys in Bitwarden.
Asymmetric encryption is used for organization vault keys and for passkeys. IIRC, asymmetric encryption is also used for Emergency Access and for Sends. I trust that Bitwarden will move to a PQC algorithm for these applications when the time is right.
When this kind of speedup is talked about, it often mentions Grover’s algorithm.
The info about not being able to speed up symmetric encryption seemed to be what was presented about 12 months ago, if you search now, it mostly says that the algorithm speeds up brute-forcing symmetric encryption as well. From: Grover's algorithm - Wikipedia
Grover’s algorithm could brute-force a 128-bit symmetric cryptographic key in roughly 2^64 iterations, or a 256-bit key in roughly 2^128 iterations. It may not be the case that Grover’s algorithm poses a significantly increased risk to encryption over existing classical algorithms, however.[4]
Shows how rapidly computing power still is increasing. Clearly one doesn’t want their vault in the possession of an enthusiastic adversary willing to wait a few years before feeding said vault to their ultra advanced cracking arsenal.
From that site, I take it that computing power is going up about 25% a year. Taking further information from the 1Password site, it would cost US$100 billion to crack a 12ch password today (only upper and lower case). If I assume you have $10 billion on hand to steal today, then in approximately 40 years an attacker would have a 50-50 shot of breaking even on the cost of cracking your password by brute force. Human security failure will happen long before then.
If computing progress is faster, sensible passwords and phrases today are already significantly stronger than 12 ch alpha only. It may also help to have less money and not all in the same place; or to appreciate that brute force is not a very useful attack vector against people with password managers.
What quantum computing would say to me is to use 2FA where available for critical sites. Defence in depth.
That’s just garden-variety Moore’s Law type performance increase, not quantum computing.
To protect against “store-now, decrypt-later” attacks using conventional computing technology, you can just add one more passphrase word for every 25 years of future-proofing required (to match the pace of Moore’s Law — doubled computing power every 2 years).
Some of these concerns are not without merit in general. I know that my Tuta accounts have been updated to quantum proof/resistant methodologies. Its nice to at least see some proactive preparations since email is about as weak as it gets with vanilla email services.
I trust the BW will evolve as needed. In the years I have been here they have repeatedly fortified their robust security. I am in good hands!!!
“since email is about as weak as it gets with vanilla email services.”
Not true. Basic e-mail services like gmail have good security. Not zero knowledge encryption, but e-mail transmissions go through TLS whenever possible, and the account itself is well secured if you use a strong password.
E-mail used to be weak and in some cases still is, but it has gotten much better recently for better service providers, like gmail and fastmail.
In my understanding, transmission encryption doesn’t have to be quantum resistant right now. If the data is all scrambled during transmission, using algorithms secure right now, it can’t be harvested.
If we are really lucky, post-quantum-encryption cypher suites will become available and fit within the TLS 1.3 protocol. This will allow a graceful transition, because clients and servers can default to PQE and fall back to the old cyphers for interoperability. If we are a bit less lucky, PQE will require an upgrade to TLS 1.4 (or 2.0), which will greatly delay deployment.
The other nearer concern after human error is the continuing push in various democratic countries for back doors into encrypted messaging, and the extent to which that could be quarantined if provided.
I will not discuss the can of worms opened by the arguments and related opinions on either side of that push. I merely note it.
Color me “tin foil” but if any agency can show up with a piece of paper and get the entire contents of your email account (emails, contacts, drive) from your provider my .02 is that is not security at all. These major email companies that are FREE to you are only that way because they are absolutely collecting your data and using it. That is how they get paid for providing you a free account. That is not a political statement its such an obvious fact.
Strangely there is so much research on folks knowing their stuff is being collected and used. YET they will not change their habits because the “big boy email providers” make everything so easy and pretty to look at. In my family circle using Tuta or Proton or “fill in the blank” is useless for all of them on my end.
Looks like there has been more progress than I knew. The above is exactly how they are being rolled out, but due to larger size, it is revealing programming bugs in web servers.
and not all in the same place; or to appreciate that brute force is not a very useful attack vector against people with password managers.