@6:03
@23:32
@27:37
@28:32
Someone in the comments:
@a__f
I also work in this area, and this talk has some mistakes that I feel were pretty important.
I don't think the speaker understands NIST's justification for allowing AES-128/SHA-256. NIST justifies allowing AES-128 in the report that the graphic at 38:09 is taken from. There are two reasons why Grover's algorithm cannot crack modern symmetric crypto.
1) Grover's algorithm does not parallelize well at all. Cracking AES-128 with Grover's would require 2^64 iterations, but they would largely be *serial*. When the EFF cracked DES, they were running iterations on many processors (about 1800) in parallel, but they likely would not have been able to do this if they had to do all 2^56 operations on one processor.
2) Evaluating AES/SHA-256/other modern crypto on a quantum computer is really inefficient. NIST links the state of the art papers in this area, and they require tons of qubits and tons of resources. According to recent NIST estimates, running Grover's algorithm for AES-128 would require 2^108 gates in a serial computation (yes it's only 2^64 iterations, but those iterations are really expensive). This is not feasible.
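Added here as an illustration, not part of the talk or of the comments: a small Python model of point 1, contrasting how classical brute force and Grover's search scale when the work is split across p machines. It assumes the standard result that a Grover search over N keys on p machines needs sqrt(N/p) sequential iterations per machine (so total work is sqrt(N*p)), derives a per-iteration gate cost of about 2^44 from the 2^108-gates / 2^64-iterations figures quoted above, and reuses the roughly 1800 processors mentioned for the EFF DES cracker.

```python
import math


def classical_search(key_bits: int, machines: int) -> dict:
    """Classical exhaustive search: the 2^key_bits keyspace splits evenly
    across machines, so time per machine falls linearly with machine count
    while total work stays the same."""
    log2_total = float(key_bits)
    return {
        "log2_total_work": log2_total,
        "log2_time_per_machine": log2_total - math.log2(machines),
    }


def grover_search(key_bits: int, machines: int,
                  log2_gates_per_iteration: float) -> dict:
    """Grover on p machines: each machine searches 2^key_bits / p keys and
    needs sqrt(2^key_bits / p) *sequential* iterations.  Total iterations are
    p * sqrt(N/p) = sqrt(N*p): adding machines only buys a sqrt(p) speed-up
    and costs sqrt(p) more total work, unlike the classical case above."""
    log2_n = float(key_bits)
    log2_p = math.log2(machines)
    log2_serial_iters = (log2_n - log2_p) / 2      # sqrt(N/p) per machine
    log2_total_iters = log2_serial_iters + log2_p  # p machines in parallel
    return {
        "log2_serial_iterations": log2_serial_iters,
        "log2_total_iterations": log2_total_iters,
        "log2_total_gates": log2_total_iters + log2_gates_per_iteration,
    }


# Per-iteration cost implied by the quoted NIST figures: 2^108 gates / 2^64 iterations.
GATES_PER_GROVER_ITERATION_LOG2 = 108 - 64   # assumption derived from the comment above
EFF_DES_PROCESSORS = 1800                    # figure quoted in the comment above

if __name__ == "__main__":
    des = classical_search(56, EFF_DES_PROCESSORS)
    print(f"DES, classical, {EFF_DES_PROCESSORS} machines: "
          f"2^{des['log2_time_per_machine']:.1f} ops each, 2^56 total")
    for p in (1, EFF_DES_PROCESSORS):
        g = grover_search(128, p, GATES_PER_GROVER_ITERATION_LOG2)
        print(f"AES-128, Grover, {p} machines: 2^{g['log2_serial_iterations']:.1f} "
              f"serial iterations each, 2^{g['log2_total_gates']:.1f} gates total")
```

With 1800 machines the classical DES time per machine drops by a factor of 1800, while the per-machine Grover depth for AES-128 drops only by sqrt(1800), about 42, and total gate count grows by the same factor.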
Another commenter:
@sourkrause9354
I wouldn't classify myself as a "quantum denier", but it's important to realize that even if quantum attacks on cryptography are possible by 2030, it's not going to be a commodity threat, nor is it going to be something 90% of organizations will even be targeted with at first. That will take at least another 5 years after the "breakthrough" simply because of how expensive and non-generic these computers are. They're just not going to be widely available to 99.99% of threat actors.
Also, you stated "CISOs don't want to deal with this because their lifespan at the org is 2 years". That's not why. They don't care about this yet because they have far more fundamental issues. They're still dealing with systems that have vulnerabilities 10+ years old, shadow IT, poor governance, users clicking phishing links, and so much more. We have much more fundamental things to worry about. Quantum is edgy and cool, but it doesn't do you any good if the threat actor can get into an unpatched firewall and pivot to the web server and steal all your passwords that some dumb developer decided to hash without salting using MD5.
@nicholasbridge829
What's the largest number we've factored so far?
@a__f
The largest number we have factored so far is 21. There are some results that claim to factor much larger numbers, but they all have asterisks and don't scale up for various reasons. For instance, you can make Shor's algorithm run much faster if you already know the factorization of the number, which is obviously a bad assumption. Some of them use "adiabatic quantum computing", which most likely doesn't scale to very large numbers either.