The post quantum cryptography scam

Hat tip Ray Dillinger. (I steal from the best. Been stealing from him for twenty four years.)

Nist has with great regularity issued kleptographic standards.

What is a kleptographic standard? It is a standard that ensures that NSA can read other people’s data. Snowden revealed the inside info on Nist Standards.

And, lo and behold, Nist is terribly alarmed by the terrible threat of Quantum Cryptography, the terrible terrible terrible awful horribly imminent threat, and has issued a new standard to deal with this terrible threat.

And lo and behold, a whole lot of people promoting this terrible terrible threat and the new wonderful supergood solution to it, Post Quantum Cryptography, seem to be getting funding and support through the backdoor in ways that suggest that this funding and promotion is coming from the spooks.

In actual fact, the current state of Quantum Cryptography remains unchanged from what it was thirty years ago.

There are no actual quantum computers: There are “fiddly delicate machines demonstrating basic principles that vaguely indicate a possibility that one day actual quantum computers could be constructed.”

None of these machines has actually accomplished a quantum factoring of any integer, notwithstanding numerous headlines that might lead one to believe that they have factored the numbers fifteen and twenty-one. They have not.

An actual quantum computer would need to have a lot of Toffoli gates, which would need to establish a massively entangled state over a lot of qubits. To do something interesting with that massively entangled state, you need a lot more Toffoli gates than qubits, and the massively entangled state has to remain coherent for long enough. The trouble is that as soon as you put in some Toffoli gates to entangle the state, the system decoheres.

This situation just is not changing. Even though from time to time we get various basic principles demonstrated in ways that are arguably more impressive than previous demonstrations, we are still back where we were in the beginning — no substantial controlled entanglement that remains coherent, and no real factorisations even of very small integers.

Ray Dillinger:

We’ve been hearing a whole lot about Quantum Cryptography lately. And considering the state of play in terms of actual quantum computers, it’s hard to justify how much fear, uncertainty, and doubt there is.

The mismatch between perceived threat and demonstrated threat is so spectacular that it looks like a FUD campaign. Which is a necessary step in a Kleptographic Standards attack. Kleptographic Standards are promulgated addressing fear of some threat, so that the fear can be used as a lever to get people to do something stupid.

Post Quantum Cryptography, “(SKEIN, KYBER, KEM) is promulgated by NIST, the same people who brought us the Dual-EC DRBG standard.” Which looked like it was designed so that it could have a hidden backdoor, and then Snowden revealed that it did have a hidden backdoor.

And, what do you know: The new Post Quantum Cryptography standard also looks like it was designed so that it can have a hidden backdoor.

https://eprint.iacr.org/2022/1681.pdf

https://link.springer.com/chapter/10.1007/978-3-031-82852-2_11

algorithms in this class may have backdoors structurally built into them!

These papers are not reassuring. These remind me of Bernstein’s paper when the Dual-EC DRBG was being standardized.

Quantum Cryptography, while intellectually neat, does not present a practical attack that we need protection against at this time.

Kleptographic Standards on the other hand are very much a practical attack that we need to protect against at this time.

When a standards body tells you that you should cast aside well-studied cryptographic algorithms which have earned their trust through dozens of years of examination, testing, and motivated attackers, for the sake of protection against Quantum Crypto? The attack you should be protecting against isn’t Quantum Crypto.

And this is why Coin Shill is now banned on this blog, as is anyone promoting Quantum Crypto Fear Uncertainty and Doubt.

24 comments

Burgerman says:

[*deleted for not conforming to the moderation policy*]

Jim says:

If you are going to post from the frame and point of view that you are Christian and we are Christian, please first affirm that Christ is King, born in Bethlehem, died at Jerusalem, and is, is from before the beginning of the world. Through him all things were created. Fully God and fully man. God is three and God is one.

I am kind of sick of Jews who last year were trying to ban Easter pulling the “hail fellow Judeo-Christian, you should unite with us Jews against those horrid Muslims” card.

I get shills saying “Jews bad, therefore we should get with the George Soros program to defeat Orange Man Bad”, and I get shills saying “Muslims bad therefore die for Israel”, and I am fairly sure both sets of shills are Jewish. (Two Jews, three factions.)

The George Soros Jews say I am a Jew, and the die-for-Israel Jews say I am a Muslim.

Burgerman says:

There was never anything wrong with ‘master’ and ‘slave’, nor ‘whitelist’ and ‘blacklist’.

Magi says:

Forgive my ignorance of the topic, but I am curious: Is the ‘threat’ they’re talking about the idea that quantum cryptography could crack any kleptographic standard, or is the ‘threat’ that quantum cryptography would not be kleptographic and would be secure against alphabet agencies? Or perhaps both?

But there isn’t any reason we here should see any threat now, is there? Better cryptography, if achieved, is just better for us. As we may be interested in saying things alphabet agencies don’t want said, but we’re not really interested in cracking other people’s codes anyway. And if current standards are already plausibly booby trapped so our enemies can decode them, then more decoding doesn’t really make our position worse.

I had thought most computing had CPU level back doors for alphabet agencies, so I tend not to presume anything is secure. Perhaps I’m wrong about that, but I’ve never found erring on the side of paranoia to be erroneous.

Jim says:

We have compelling evidence that all existing “Post Quantum” Cryptographic algorithms are insecure against existing spy agencies and their existing classic computers.

The question of interest is: What existing algorithms could quantum computers crack.

Critical steps that make a quantum computer fundamentally different from a classical computer have to be done in something analogous to a single operation in a classical computer, so the limit is not the number of qubits and the number of steps — not memory and time, but rather the number of gates. The hard part is not keeping quantum coherence over a certain number of qubits for a certain time, which is in theory soluble, and great advances have been made towards solving it, but keeping quantum coherence over a certain number of gates, a lot of gates. And essentially zero progress has been made towards solving it. Maybe kind of sort of quantum coherence over one Toffoli gate has been accomplished. So, for an algorithm to be proof against quantum computing, we require cracking the algorithm to require a non polynomial number of quantum gates, rather than a non polynomial number of steps.

We need a complexity theory that will tell us how many quantum gates are required.

Do existing elliptic curve public key algorithms require a non polynomial number of gates? It looks like they do. In which case worst case outcome is that we might, eventually, after quantum computers actually work, and have been working and getting larger and larger for decades, need larger public keys.

Post Quantum Computing algorithms are all one hundred percent snake oil, because we lack a complexity theory to tell us how many quantum gates are required, and classic complexity theory is all about the number of steps required. Which is not the significant limit for quantum computing.

Suhail says:

[*deleted for not conforming to the moderation policy*]

Jim says:

There is a shilling operation in progress to create totally unwarranted fear, uncertainty and doubt about what code cracking quantum computers might be able to do (“ooh, they might make all your current cryptography broken — how can you prove they cannot, given that quantum is heap big magic”), and at the same time create totally unwarranted confidence about what post quantum cryptography can do. “Do you have official statements acknowledging the post quantum cryptography was created with malicious intent”.

Demonstrate you are not yet another shill.

Suhail says:

I OP’d first and asked you to support your claim

[*deleted for not conforming to the moderation policy*]

Jim says:

It is the job of those threatening us with an alleged danger to provide evidence of the danger, and one semi sort of working Toffoli gate, working after thirty years of supposed progress in quantum computing, is not evidence of danger; and it is the job of those providing an alleged protection against this alleged danger to demonstrate that it is in fact protective.

To crack the Bitcoin public keys would require a quantum computer that maintains quantum coherence over seventy million Toffoli gates. Current state of the art after thirty years of progress is one Toffoli gate, and it is debatable whether even that.

The number of qubits has been growing, but it is not qubits that are the limiting factor.

Magi says:

I see. Thank you. So it’s just a bogey of something that could be a threat to cryptography in general and crypto-currency etc…

I agree that that question is only interesting if quantum computers have working prototypes that appear scalable.

“It looks like they do. In which case worst case outcome is that we might, eventually, after quantum computers actually work, and have been working and getting larger and larger for decades, need larger public keys.”

Makes me think of the Y2K panic. Yes Y2K did require some people to do some work to fix and yes some things did get overlooked, but nothing serious came of it. It appears that if quantum computing becomes a real threat to any particular system, there will be ways to mitigate it and time to mitigate it.

So that makes me wonder why there are people worrying about it, or rather I can see why you’re suspicious of people who promote it as a serious problem we must talk about right now.

Anyway it doesn’t appear to be a very special threat to cryptography to me. If anything the biggest threat is someone quietly coming up with a much more elegant decryption equation. I’ve seen more elegant equations do things that seem miraculous to me, cutting the complexity of tasks many orders of magnitude, transforming things from computationally impossible at the current technology to computationally trivial.

But you can’t feasibly protect against such an unknown as that, so there isn’t any reason to worry about it.

____

Do you think the purpose of the shilling is just to try to undermine crypto? Or is there some other agenda?

Frater Lupus says:

Thank you very much, Jim. Your posts on cryptology are always most interesting. I particularly remember you hinting at everything based on AES-256 being broken compared to AES-128. I’m not sure if you were referring to AES-256 key expansion related key weakness that surfaced long ago, or other issues. I always wanted to ask and didn’t.

Anyway, I’m glad to see you share my lack of confidence on post-quantum cryptography. Makes me more confident on being right.

I’ve been going farther than that, and keep using RSA over ECC for all secure communications. And I’m quite wary of ECC as currently implemented. I’d love to get your opinion: I’m not shilling, worst of cases I’m just an idiot. Key points:

– I believe that ECC is group-theoretically secure and sound, but we should really call it ECC+RNG cryptography, because unlike RSA, you need a safe RNG for every application. And the glowies have been attacking RNGs quite obviously for a very long time.

– Curve25519 is 20 years old. If ElGamal’s logjam attack serves as a metaphor, we should be scared of using the same group over and over. Why don’t we change elliptic curve groups with more frequency? Keys would be a bit larger, containing curve parameters, but the chance of a precomputation attack on a 20 year old group should not be underestimated. For comparison, I can change my RSA underlying group very easily. Even ElGamal groups are easily changed. BTW, even old versions of PGP suggested precomputed “safe groups” for ElGamal before logjam surfaced, and keyserver statistics show an alarmingly high quantity of ElGamal keys sharing just a few groups even today.

– RSA key strength estimate is based on General Number Field Sieve algorithm _time_ efficiency. People tend to ignore space efficiency, which I believe is no better than the quadratic sieve. I think RSA keys are stronger than advertised.

I know you’ve posted that elliptic curves have algebraic characteristics that make them uniquely suited for advanced cryptocurrency features, but I believe there has been a slippery slope: RSA->ElGamal->ECC->Post Quantum. ElGamal introduced dependency on RNGs and tried to slide fixed underlying groups, which was achieved with ECC.

Anyway, I think that well applied ECC is probably unbreakable. But I believe it has a bigger attack surface than RSA, and that it’s being exploited.

Jim says:

Yes, ECC has a much bigger attack surface than RSA. Except for Ristretto255 which fixes all those obscure and surprising issues.

I know something about elliptic curves, and based on what I know I have great confidence in Ristretto255. All new projects should use Ristretto255. I share this opinion with the great cryptographers, who know considerably more than I do.

RSA has the great defect that there has been steady progress in factoring large numbers. There has been no progress in factoring elliptic curves. Elliptic curves have been subject to other attacks, which were not tech advances in factoring, but rather reflect the fact that implementing elliptic curve cryptography is hard, and implementations had some very subtle bugs in them. Ristretto255 does not have these subtle, obscure, and difficult to comprehend gotchas.

Random numbers are not hard. Every system has timing true randomness — one part of your CPU cannot know the timing of another part of your CPU, let alone that of network and disk accesses, and once you have 256 bits of true physical entropy, you can use that for the rest of the session.

Frater Lupus says:

I will look into Ristretto255, thank you very much. You’re right that the RNG problem is not hard: some time ago I checked the entropy generation of venerable PGP 2.6.3i taking a big sample. The results were consistent with at least four bits of entropy per keypress. But then you look at libsodium random data generation, and in windows it defers to RtlGetRandom(), a Windows API pseudorandom (sic, according to the documentation) function. I’m sure libsodium code is perfect, but depending on the OS for the RNG could mean trouble.

Jim says:

I have been negligent, and libsodium has been negligent. I will have to add my own entropy collection on top of it.

Frater Lupus says:

No one can be diligent enough, hence the need of many eyeballs, as ESR used to say. Glad to be of a little help.

Jim says:

On reflection, I am going to introduce a stir routine that reads the high resolution counter, rdtsc, after each disk operation, each network operation, and on the on-idle event. That should get at least ten or so true random bits per event. If that does not generate good entropy, after each mouse and keyboard event. (Some systems do not call on-idle all that often.)
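Jim’s comment just above describes a stir routine that samples the high resolution counter after each I/O or idle event, and his earlier reply to Frater Lupus says 256 bits of true physical entropy is all a session needs. The following C is an added example of both ideas, not Jim’s code and not libsodium’s: a 256-bit pool stirred with counter samples, plus a conservative min-entropy check for the “ten or so bits per event” figure. It assumes clock_gettime as a portable stand-in for rdtsc and a toy SplitMix64 mixer where production code would use a real hash.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <time.h>

#define POOL_WORDS 4   /* 4 x 64 bits: the 256-bit session seed the comments talk about */

typedef struct {
    uint64_t w[POOL_WORDS];
    uint64_t events;   /* samples stirred in so far */
} entropy_pool;

/* Toy 64-bit mixer (SplitMix64 finaliser; an assumption of this example).
 * Production code should stir with a real hash such as SHA-256 or BLAKE2b. */
static uint64_t mix64(uint64_t x) {
    x ^= x >> 30; x *= 0xbf58476d1ce4e5b9ULL;
    x ^= x >> 27; x *= 0x94d049bb133111ebULL;
    return x ^ (x >> 31);
}

/* Portable stand-in for rdtsc: nanosecond monotonic clock (assumption). */
uint64_t read_counter(void) {
    struct timespec ts;
    clock_gettime(CLOCK_MONOTONIC, &ts);
    return (uint64_t)ts.tv_sec * 1000000000ULL + (uint64_t)ts.tv_nsec;
}

void pool_init(entropy_pool *p) { memset(p, 0, sizeof *p); }

/* Stir one counter sample into every pool word. Call after each disk, network,
 * idle, mouse or keyboard event; only the jitter in the sample is unpredictable. */
void pool_stir(entropy_pool *p, uint64_t sample) {
    p->events++;
    for (size_t i = 0; i < POOL_WORDS; i++) {
        p->w[i] = mix64(p->w[i] ^ sample ^ p->events ^ (uint64_t)i * 0x9e3779b97f4a7c15ULL);
        sample = p->w[i];   /* chain so later words depend on earlier ones */
    }
}

/* Conservative min-entropy estimate, in whole bits, of the low 8 bits of n
 * counter deltas: floor(log2(n / count of the most common value)). Measure this
 * rather than assuming "ten or so bits per event"; the ceiling here is 8. */
unsigned min_entropy_bits_low8(const uint64_t *deltas, size_t n) {
    size_t hist[256] = {0}, max = 0;
    unsigned bits = 0;
    for (size_t i = 0; i < n; i++) {
        size_t c = ++hist[deltas[i] & 0xff];
        if (c > max) max = c;
    }
    if (n == 0) return 0;
    while ((max << (bits + 1)) <= n) bits++;
    return bits;
}
```

Never hand out pool words directly: derive session keys by hashing the pool, and only once the measured bits per event, summed over the events stirred in, reach 256.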

Bor.Gile says:

Please dude, Linux and BSD have already fixed their RNG problems, just go look at the commits. Zero reason to roll your own anymore. And on all of them you can add radioactive input to the serial port if you want.

Jim says:

Windows and Android have not fixed their random number generation. I am writing my software to run on all platforms (it is inside the wxWidgets compatibility layer) and we have circumstantial evidence indicating attacks on random number generation.

Junelap says:

https://ristretto.group/
https://doc.dalek.rs/merlin/index.html

You are shilling a crypto designed/tweaked coded and shilled by a bunch of torproject trannies and leftist activistas… please shame yourself in hypocrisy, mightily.

https://github.com/dusk-network/dusk-zerocaf
https://github.com/tangle-network/anon
https://safecurves.cr.yp.to/

[*deleted for not conforming to the moderation policy*]

So sayeth the Intel 2004 BackRest system protocol. The SATA secure computing initiative controller could have been nice since we all knew BitLocker was compromised\designed. Security is a process best served cold. The privilege of getting AES-256 code from the guys upstairs in Folsom was nice, C and optimized 64 bit x86 code. MTP protocol was designed to have a provably secure backup/restore system software for the ICH7 with the nice ability to stream files and sectors to local or remote drives.

My favorite thought crime is behind door 5!

What do they win Bob? Whitelisting? Sheeeit, dat raycisss!

They are feral, blindly following ancient instincts from prehistoric times, which instincts tell them to cruise for rape by alpha male Chads, and to resist kicking-and-screaming all attempts to restrain them from pursuing alpha male Chads. Stable monogamy has always been a way to allow each man to own a woman so each man can start a family and raise a future generation for civilisation’s survival. If women are emancipated, Miss Average will waste her youth, her beauty, and her fertility fucking Mister One in Thirty, thus a people, a race, a nation, a faith, or an empire that emancipates women will perish for lack of families, leading to lack of sons. Men have to impose stable monogamy on women with a stick.

If you pass the shill test, you are entitled to say anything you like, even if people disagree with it, find it offensive, or would prefer it is not true.

Rumbauer says:

AI KYC is here. New Claude subscribers asked for gov ID & photo. Not even a regulatory requirement – Anthropic just doing it because they want to. But regulation is coming. Next up will be laws: no AI without gov-issued ID; all AI use tracked to individual – no private AI.
