
I'm trying to learn more about cryptography and ran into a post, Is AES-128 quantum safe?, which asks if AES-128 is safe. From the articles and replies it seems that AES-128 (symmetric key) is safe even with the advent of quantum computers (for now). However, it seems that asymmetric keys are not safe?

So, assuming you have a TLS 1.3 connection (which uses symmetric AND asymmetric keys), would quantum computers be able to decrypt the traffic sent using a cipher suite like TLS_AES_128_GCM_SHA256? Is decrypting the Diffie-Hellman (asymmetric key) enough to see the plaintext of something, or would you still need to decrypt the AES-128 as well?

Do you need to decrypt both the symmetric and asymmetric key in TLS_AES_128_GCM_SHA256, or can you just decrypt the public key, so that you don't need to bother with the private key?

cryptoman534345

3 Answers

It's almost public knowledge by now.

  • Quantum Computing (QC) does break existing asymmetric-key algorithms - those based on integer factorization and the discrete logarithm, such as RSA, DH, ECDSA, etc.

  • QC does weaken symmetric-key algorithms, but does not break them in the practical sense.

So, in the TLS example you've given, once we've broken the DH key exchange, we'll be able to derive the symmetric key used in the cipher suite.

That's why we're developing post-quantum cryptography. The goal is to develop algorithms that are based on hard problems that quantum computers can't solve any more efficiently than classical computers.

DannyNiu

In general in Internet cryptography there is a key establishment mechanism separate from a bulk encryption mechanism. Where Diffie-Hellman (including elliptic curve Diffie-Hellman) is used, it is as a key establishment mechanism that provides a symmetric key for a bulk encryption method such as AES-GCM or ChaCha20. Breaking an Internet Diffie-Hellman would likely provide a symmetric key which could then be trivially used to break the bulk encryption. There's a similar challenge around authentication, which is where RSA might come in.

However, TLS 1.3 is not limited to key establishment using Diffie-Hellman nor authentication using RSA. In addition to DH key establishment, TLS 1.3 supports pre-shared key (PSK) mechanisms and mixed mode. These allow keys to be established out of band. If the out-of-band establishment method is quantum safe, then the quantum vulnerability is avoided. Examples of quantum safe methods might include physical key management (such as using MILENAGE key material from mobile phone SIM cards) or symmetric key management systems such as Kerberos.

However, for many (most?) Internet connections today, the DH method is currently favoured. Future standards may support other key establishment options.

Daniel S
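The two answers above make the same structural point from different angles: in TLS 1.3 the AES-128-GCM key is derived, through HKDF, from the (EC)DHE shared secret and the public handshake transcript, so an attacker who recovers the DHE secret (what Shor's algorithm would give against X25519, P-256 or finite-field DH) gets the AES key without attacking AES at all; and in PSK or PSK+DHE mode the schedule also depends on a key established out of band. The following is an added example, not code from either answer, and not a TLS implementation: it is a stdlib-only sketch of the RFC 8446 section 7.1 key schedule for TLS_AES_128_GCM_SHA256 (SHA-256, 16-byte key, 12-byte IV), with a constructed transcript, a constructed DHE secret and a constructed PSK standing in for real handshake data. It omits the binder, server-side secrets, exporters and key updates, and only walks the client application traffic secret.

```python
"""Sketch of the TLS 1.3 key schedule (RFC 8446 section 7.1), written to show
which inputs reach the AES-128-GCM traffic key in TLS_AES_128_GCM_SHA256.
Standard library only; the handshake transcript and the secrets below are
constructed sample values, not data captured from a real session."""
import hashlib
import hmac
import struct
from typing import Optional

HASH = hashlib.sha256
HASH_LEN = HASH().digest_size    # 32 bytes for SHA-256
KEY_LEN, IV_LEN = 16, 12         # AES-128-GCM key and per-record IV lengths


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """HKDF-Extract (RFC 5869): PRK = HMAC-Hash(salt, IKM)."""
    return hmac.new(salt, ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Expand (RFC 5869): T(i) = HMAC-Hash(PRK, T(i-1) || info || i)."""
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm += block
        counter += 1
    return okm[:length]


def hkdf_expand_label(secret: bytes, label: str, context: bytes, length: int) -> bytes:
    """HKDF-Expand-Label: HKDF-Expand over the HkdfLabel structure of RFC 8446."""
    full_label = b"tls13 " + label.encode("ascii")
    hkdf_label = (struct.pack("!H", length)
                  + struct.pack("!B", len(full_label)) + full_label
                  + struct.pack("!B", len(context)) + context)
    return hkdf_expand(secret, hkdf_label, length)


def derive_secret(secret: bytes, label: str, transcript: bytes) -> bytes:
    """Derive-Secret: HKDF-Expand-Label bound to the transcript hash."""
    return hkdf_expand_label(secret, label, HASH(transcript).digest(), HASH_LEN)


def client_app_traffic_key(psk: Optional[bytes], dhe: Optional[bytes],
                           transcript: bytes) -> tuple:
    """Walk the schedule from its two secret inputs to the client application
    traffic key and IV.  psk=None means no PSK (pure (EC)DHE handshake);
    dhe=None means PSK-only mode with no key share.  The transcript is public."""
    zeros = b"\x00" * HASH_LEN
    early_secret = hkdf_extract(zeros, psk if psk is not None else zeros)
    handshake_secret = hkdf_extract(
        derive_secret(early_secret, "derived", b""),
        dhe if dhe is not None else zeros)
    master_secret = hkdf_extract(
        derive_secret(handshake_secret, "derived", b""), zeros)
    app_secret = derive_secret(master_secret, "c ap traffic", transcript)
    return (hkdf_expand_label(app_secret, "key", b"", KEY_LEN),
            hkdf_expand_label(app_secret, "iv", b"", IV_LEN))


# Constructed sample inputs (hypothetical, not captured from a real session).
TRANSCRIPT = b"ClientHello..ServerFinished bytes as seen on the wire"
DHE_SECRET = bytes(range(32))   # the ECDH output a Shor-capable attacker would recover
PSK = b"\xaa" * 32              # a key delivered out of band that the attacker lacks


def eavesdropper_gets_dhe_session_key() -> bool:
    """Pure (EC)DHE: the transcript is public, so recovering the DHE secret
    (the only secret input) reproduces the AES-128 key; AES is never attacked."""
    victim = client_app_traffic_key(None, DHE_SECRET, TRANSCRIPT)
    attacker = client_app_traffic_key(None, DHE_SECRET, TRANSCRIPT)
    return victim == attacker


def eavesdropper_blocked_by_psk() -> bool:
    """PSK+DHE mixed mode: the same recovered DHE secret without the PSK
    yields a different key, because the early secret depends on the PSK."""
    victim = client_app_traffic_key(PSK, DHE_SECRET, TRANSCRIPT)
    attacker = client_app_traffic_key(None, DHE_SECRET, TRANSCRIPT)
    return victim != attacker


def hkdf_matches_rfc5869_test_case_1() -> bool:
    """Sanity check of the HKDF primitives against RFC 5869 appendix A.1."""
    prk = hkdf_extract(bytes(range(13)), b"\x0b" * 22)
    okm = hkdf_expand(prk, bytes(range(0xF0, 0xFA)), 42)
    return (prk.hex() == "077709362c2e32df0ddc3f0dc47bba6390b6c73bb50f9c3122ec844ad7c2b3e5"
            and okm.hex() == "3cb25f25faacd57a90434f64d0362f2a2d2d0a90cf1a5a4c5bf34007208d5b887185865"[:0]
            + "3cb25f25faacd57a90434f64d0362f2a2d2d0a90cf1a5a4c5db02d56ecc4c5bf34007208d5b887185865")


if __name__ == "__main__":
    print("HKDF matches RFC 5869 vector:", hkdf_matches_rfc5869_test_case_1())
    print("DHE-only session recoverable from DHE secret:", eavesdropper_gets_dhe_session_key())
    print("PSK+DHE session recoverable without PSK:", not eavesdropper_blocked_by_psk())
```

The point to take from the walk-through is which boxes an eavesdropper has to open. Every input to the schedule except the PSK and the (EC)DHE shared secret is either a constant or on the wire, so in a pure (EC)DHE handshake the whole security of the AES-128-GCM record layer rests on the hardness of recovering that one shared secret from the public key shares, which is exactly the problem a large quantum computer solves; Grover's square-root speed-up against the 128-bit AES key is irrelevant because nobody needs to search for it. In PSK or PSK+DHE mode the early secret is keyed by the PSK, so the attacker additionally needs whatever out-of-band mechanism delivered it.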

Independent of quantum computing considerations, what you see is encrypted AES traffic; if and when you decrypt the asymmetric encryption, you also get the keys for the symmetric encryption, which is the point of asymmetric encryption, i.e., key exchange for the communication session.

kodlu