Cryptology Annual News Update and Vignette

Bill Ricker

for BLU.org

Sept 11, 2025

  1. Cryptology News Bulletins
  2. Post Quantum Cryptography update
  3. Historic Vignette
  4. Bibliography

§1 Cryptology News Bulletins 2024-09 to 2025-09

“Abundance of Caution” is C-suite lingo for “Oopsie, oh flying squirrel”





Potpourri




§2 What’s up with Post Quantum Cryptography?

Review: What’s Quantum Computing?

See last 2022 status

Quantum Superposition when used for computing.


Such bits (qubits) sit in a quantum superposition of True and False, which is a bug in classical computing but a feature in QC.

This allows probabilistic (non-deterministic) algorithms that a classical machine can only simulate at exponential cost.


Review: Kinds of Quantum Hardware


In theory, algorithms for these hardware types can exploit superposition (quantum parallelism) to evade classical complexity limits, and in particular could factor fast enough to be dangerous, provided big enough, error-corrected quantum circuits can be made to work.


Review: We’re discussing PQC before QC?

Yes !


Review: What’s the problem?


NOTES

Every unbreakable cipher has been broken eventually (at least partially¹).

20th-century RSA and other public-key systems are not guaranteed proof against either of:

Shor’s algorithm, which in theory factors fast given enough working quantum circuits; but 21, the record on real hardware so far, is not a large number yet. (See also Wikipedia. A December 2022 paper claimed that RSA-2048 needs only 372 qubits, fewer than IBM Osprey’s 433, but that claim rests on Schnorr’s classical lattice method with a variational quantum optimizer bolted on, not on Shor’s algorithm, and Schneier and Peter Shor both doubt it works at scale. Shouldn’t someone try it?)

Other probabilistic quantum approaches (Grover’s search and its Grover-assisted ECM variant GEECM, Variational Quantum Factoring (VQF)) have handled some much bigger numbers (which may just define a new class of unsafe primes?), and with classical pre-processing can use far fewer qubits than the “obvious” log2 N needed just to hold N.

It is not clear this will ever be able to break RSA-4096 in general, but it’s not impossible, so it is prudent to plan for that day.
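As an added worked example (not from the talk): the classical skeleton of Shor’s reduction from factoring to period finding. Only the period-finding step needs the quantum computer; here it is brute-forced, which costs time exponential in the bit length of N and is exactly what the quantum Fourier transform is meant to remove. The moduli used (21, 15, 10403) are constructed for illustration.

```python
"""Classical skeleton of Shor's algorithm (added example, not the talk's code).

Factoring N reduces to finding the order r of a random a modulo N:
if r is even and a^(r/2) != -1 (mod N), then gcd(a^(r/2) +/- 1, N) is a
non-trivial factor. Everything except the order finding is cheap classical
arithmetic; the order finding below is brute force standing in for the QFT.
"""
import math
import random


def find_period_classically(a: int, n: int) -> int:
    """Smallest r > 0 with a^r == 1 (mod n); a must be coprime to n.
    Brute force: this loop is the exponential part a quantum computer replaces."""
    r, x = 1, a % n
    while x != 1:
        x = (x * a) % n
        r += 1
    return r


def shor_factor(n: int, rng=None, max_tries: int = 200) -> tuple:
    """Return a non-trivial factorisation (p, q) of composite n."""
    rng = rng or random.Random(0)      # fixed seed so the demo is reproducible
    if n % 2 == 0:
        return 2, n // 2
    for _ in range(max_tries):
        a = rng.randrange(2, n)
        g = math.gcd(a, n)
        if g != 1:                     # lucky draw: a already shares a factor
            return g, n // g
        r = find_period_classically(a, n)   # the "quantum" step
        if r % 2:                      # odd period tells us nothing, retry
            continue
        y = pow(a, r // 2, n)
        if y == n - 1:                 # a^(r/2) == -1: gcds would be trivial
            continue
        p = math.gcd(y - 1, n)
        if 1 < p < n:
            return p, n // p
        q = math.gcd(y + 1, n)
        if 1 < q < n:
            return q, n // q
    raise ValueError("no factor found (prime, or prime power with bad luck)")


def obvious_qubits(n: int) -> int:
    """Bits needed just to hold n: the naive register size the text calls 'obvious'."""
    return n.bit_length()


if __name__ == "__main__":
    # 21 = 3 * 7 is the record for Shor's algorithm on real hardware so far.
    print(shor_factor(21), "needs", obvious_qubits(21), "bits just to hold 21")
```

The quantum speed-up lives entirely in `find_period_classically`: for a 2048-bit modulus the loop would run on the order of 2^1024 times, while Shor’s circuit finds r with a polynomial number of gates, which is why RSA key size is no defence once such a circuit exists.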


Review: Generalization of Forward Secrecy


NOTES

* VENONA: It worked Once! {[BLU Sept 2018](http://blu.org/meetings/2018/09/)}
* We now have a Vacuum Cleaner of Holding (_Greenpeace photo c/o Wikimedia_)

So yes, it can happen again.

Ordinary forward secrecy means that if, e.g., the host’s long-term key is compromised later, any retained cryptograms sent under ephemeral session keys that were negotiated (and authenticated) with that host key are not also compromised, because the ephemeral secrets were discarded after use.

This is nice, but we’d also like to protect against advances of technology, e.g. fast factoring or solutions of discrete logs.

This may not be within your threat model, yet, but in dystopian plausible futures, things you’ve already discussed/downloaded might be retroactively illegal/disloyal and oops.


Review: NIST’s Post-Quantum Cryptography Standards

The goal of post-quantum cryptography (also called quantum-resistant cryptography) is to develop cryptographic systems that are secure against both quantum and classical computers, and can interoperate with existing communications protocols and networks. – NIST

Review: NIST PQC Competition

The National Institute of Standards & Technology started a multi-round competition, similar to the AES and SHA-3 competitions.


NOTES

NIST, the Bureaucracy formerly known as NBS.

The goal is to have PQC ready for use not only before any quantum breakthrough but early enough (roughly now) that anyone who wishes to defeat store-now-decrypt-later collection can switch in time; although with regard to the NSA archive it may already be too late?

This competition was “more brutal” than its predecessors: of 69 candidates, all but a handful were eliminated, and many were broken outright by peer cryptanalysis, some late in the game (Rainbow and the Round 4 finalist SIKE both fell to classical attacks in 2022). So far.



Review: Quantum Cracking 2023

[2023.02.28] CRYSTALS-Kyber is one of the public-key algorithms currently recommended by NIST as part of its post-quantum cryptography standardization process. Researchers have just published a side-channel attack—using power consumption—against an implementation of the algorithm that was supposed to be resistant against that sort of attack. The algorithm is not “broken” or “cracked”—despite headlines to the contrary—this is just a side-channel attack. What makes this work really interesting is that the researchers used a machine-learning model to train the system to exploit the side channel.

OTOH, as seen in TETRA:BURST, a side-channel attack can be used to extract a key or a secret algorithm from a piece of equipment that falls into an opponent’s lab.


REVIEW: Known weaknesses

Isn’t non-random or uniformly-blank Salt an unlikely failure?

TL;DR No. It’s happened. (See notes.)


NOTES

Lack-of-randomness failures aren’t just hypothetical: in 2008 a huge number of SSH (and SSL) keys had to be revoked because Debian’s patched OpenSSL could only generate a few tens of thousands of distinct keys per key type and size, so everybody’s “random” primes were well-known.

(WTAF? Yep. A Debian packager, applying normal best practice where it doesn’t apply (Normal doesn’t apply!), silenced Valgrind and Purify warnings about reading uninitialized memory by removing the offending calls into the PRNG pool. Well yeah, that’s how we harvest entropy! Worse, one of the removed calls was the one that fed all real entropy into the pool, leaving the process ID as the only seed. Another problem (mostly solved?) is host-key generation at VM or device first boot, when the entropy pool is still nearly deterministic (biased). Similarly, optimizing compilers that delete the zeroing of a buffer about to be freed (dead-store elimination) can let keys leak into the memory pool. Cryptographic software is an ongoing battle against computer _science_ that _knows better_.)
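As an added example (not from the talk): what low boot-time entropy does to RSA keys in bulk. The constructed model below generates p while the pool has only a handful of possible seeds and q after the pool has been fed, the pattern the 2012 “Mining your Ps and Qs” study found in embedded devices; devices then share p, and a GCD of two public moduli recovers it with no factoring at all. Key sizes, the toy RNG and the seed space are made up for illustration.

```python
"""Shared-prime recovery from weak key generation (added example, not the talk's code)."""
import math
import random
from itertools import combinations


def is_probable_prime(n: int, rounds: int = 16) -> bool:
    """Miller-Rabin; witnesses come from a generator seeded by n so results are repeatable."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    witnesses = random.Random(n)
    for _ in range(rounds):
        a = witnesses.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits: int, rng: random.Random) -> int:
    """Random prime of exactly `bits` bits drawn from the given RNG."""
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand


def weak_keygen(boot_seed: int, bits: int = 64) -> tuple:
    """Return (N, p, q). p comes from a pool seeded only by `boot_seed` (the
    constructed 'first boot' failure); q is drawn after real entropy arrived."""
    p = random_prime(bits, random.Random(boot_seed))   # low entropy: few distinct seeds
    q = random_prime(bits, random.SystemRandom())      # good entropy
    return p * q, p, q


def shared_prime_attack(moduli: list) -> dict:
    """Pairwise gcd over public moduli; returns {N: (p, q)} for every key it breaks.
    Pairwise is O(n^2); at Internet scale one uses a batch-GCD product tree instead."""
    broken = {}
    for n1, n2 in combinations(moduli, 2):
        g = math.gcd(n1, n2)
        if 1 < g < n1:          # g == n1 would mean identical keys, nothing new to learn
            broken[n1] = (g, n1 // g)
        if 1 < g < n2:
            broken[n2] = (g, n2 // g)
    return broken


def demo(num_devices: int = 30, seed_space: int = 4) -> tuple:
    """Simulate a fleet whose boot seeds take only `seed_space` values.
    Returns (keys_broken, keys_total)."""
    fleet = random.Random(1)
    keys = [weak_keygen(fleet.randrange(seed_space)) for _ in range(num_devices)]
    broken = shared_prime_attack([n for n, _, _ in keys])
    # every recovered factorisation must be the genuine one
    assert all(set(broken[n]) == {p, q} for n, p, q in keys if n in broken)
    return len(broken), len(keys)


if __name__ == "__main__":
    print("broken %d of %d keys" % demo())
```

The Debian case was worse still: with the process ID as the only seed, the attacker does not even need a second key to compare against, just a precomputed table of every key the crippled generator can produce.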

And a failure to salt wouldn’t surprise me when non-specialists (application developers, database programmers, protocol developers), who should stick to packaged PKI use-case libraries (e.g. NaCl), try to use cryptographic primitive routines directly to avoid dependencies.

2023 added a few more low-entropy initialization examples to the list.

And 2024’s PuTTY private-key disclosure (CVE-2024-31497) came from deterministic nonce generation, a design meant for hosts with poor entropy (VMs and everywhere else), implemented badly: the ECDSA P-521 nonce was built from a 512-bit hash, so its top 9 bits were always zero, and roughly 60 signatures were enough for a lattice attack to recover the private key.

Won’t someone think of the random numbers?


NIST PQC Timeline

NIST PQC

2025-…



Notes - Quantum Algorithm



§3 History Vignette - …




§4 Bibliography & Footnotes

My talks

The YouTube of this presentation will be linked on BLU.org along with these slides and extended notes etc as 2025-sep as per usual.

Prior talks in this series - most talks have slides &/or YouTube attached, sometimes extras.
Alas the YouTube audio pre-pandemic wasn’t great, BLU will need a donation of a wireless clip-on mike if we ever return to Hybrid/In-Person meetings. Or we all need to wear a wired or BT headset while presenting in person?

News + Focus

News and Focus sections have embedded links.

Good security news streams, both to research history and to follow year round, are Schneier’s Crypto-Gram and SANS ISC; the latter is less cryptologic and more operational in focus, but both cover the wide span of vulnerabilities, tools, remediations, etc., not just the cryptologic items I’m cherry-picking here.
Highly recommended.
Start your day with the 5-minute SANS Internet Storm Center StormCast podcast; the Red Team does, so should you.

Cryptologic History - general references






  1. See our prior discussions of GEE, VENONA for breaks of One Time Pad↩︎