New research suggests that AIs can produce perfectly secure steganographic images:

Abstract: Steganography is the practice of encoding secret information into innocuous content in such a manner that an adversarial third party would not realize that there is hidden meaning. While this problem has classically been studied in security literature, recent advances in generative models have led to a shared interest among security and machine learning researchers in developing scalable steganography techniques. In this work, we show that a steganography procedure is perfectly secure under Cachin (1998)’s information-theoretic model of steganography if and only if it is induced by a coupling. Furthermore, we show that, among perfectly secure procedures, a procedure is maximally efficient if and only if it is induced by a minimum entropy coupling. These insights yield what are, to the best of our knowledge, the first steganography algorithms to achieve perfect security guarantees with non-trivial efficiency; additionally, these algorithms are highly scalable. To provide empirical validation, we compare a minimum entropy coupling-based approach to three modern baselines—arithmetic coding, Meteor, and adaptive dynamic grouping—using GPT-2, WaveRNN, and Image Transformer as communication channels. We find that the minimum entropy coupling-based approach achieves superior encoding efficiency, despite its stronger security constraints. In aggregate, these results suggest that it may be natural to view information-theoretic steganography through the lens of minimum entropy coupling.

News article.

EDITED TO ADD (6/13): Comments.
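The abstract's two claims (perfect security iff the procedure is induced by a coupling; maximal efficiency iff the coupling has minimum entropy) can be checked on toy distributions. The following is an added example, not code from the paper or its authors: it builds a coupling with the greedy approximate minimum-entropy-coupling heuristic (an assumed choice of construction, not the paper's own algorithm) between a constructed message distribution `P_MESSAGE` and a constructed cover-text distribution `P_COVER`, verifies that the stegotext marginal equals the cover marginal, and measures throughput as the mutual information I(M;X) against the trivial independent coupling.

```python
"""
Added example, not code from the paper or its authors. It builds a coupling
between a secret-message distribution p_M and a cover-text distribution p_X
with the greedy approximate minimum-entropy-coupling heuristic (an assumed
choice of construction, not the paper's own), then checks the abstract's two
claims on constructed toy distributions: an encoder induced by a coupling
emits stegotext whose marginal is exactly the cover distribution (perfect
security under Cachin's model), and a lower-entropy coupling carries more
secret bits per emitted cover symbol, measured as I(M;X).
"""
import random
from fractions import Fraction
from math import log2

# Constructed toy distributions: three possible secret messages, binary cover channel.
P_MESSAGE = (Fraction(1, 2), Fraction(1, 4), Fraction(1, 4))
P_COVER = (Fraction(1, 2), Fraction(1, 2))


def greedy_min_entropy_coupling(p_m, p_x):
    """Greedy heuristic: repeatedly pair the largest remaining masses of both
    marginals. Returns {(m, x): mass}; exact Fraction arithmetic keeps the
    marginal check below free of floating-point residue."""
    rem_m, rem_x = [Fraction(v) for v in p_m], [Fraction(v) for v in p_x]
    assert sum(rem_m) == 1 and sum(rem_x) == 1, "inputs must be probability vectors"
    joint = {}
    while True:
        m = max(range(len(rem_m)), key=rem_m.__getitem__)
        x = max(range(len(rem_x)), key=rem_x.__getitem__)
        mass = min(rem_m[m], rem_x[x])
        if mass == 0:
            return joint
        joint[(m, x)] = joint.get((m, x), Fraction(0)) + mass
        rem_m[m] -= mass
        rem_x[x] -= mass


def product_coupling(p_m, p_x):
    """Trivial coupling with M and X independent: perfectly secure, zero throughput."""
    return {(m, x): Fraction(pm) * Fraction(px)
            for m, pm in enumerate(p_m) for x, px in enumerate(p_x)}


def entropy_bits(masses):
    return -sum(float(v) * log2(float(v)) for v in masses if v > 0)


def stego_analysis(joint, p_m, p_x):
    """Perfect security <=> stegotext marginal equals the cover marginal.
    Efficiency = I(M;X) = H(M) + H(X) - H(M,X), the secret bits one
    indistinguishable cover symbol carries; it is maximal when H(M,X) is minimal."""
    rows, cols = [Fraction(0)] * len(p_m), [Fraction(0)] * len(p_x)
    for (m, x), mass in joint.items():
        rows[m] += mass
        cols[x] += mass
    h_joint = entropy_bits(joint.values())
    return {
        "message_marginal_ok": rows == [Fraction(v) for v in p_m],
        "perfectly_secure": cols == [Fraction(v) for v in p_x],
        "joint_entropy_bits": h_joint,
        "secret_bits_per_symbol": entropy_bits(p_m) + entropy_bits(p_x) - h_joint,
    }


def encode(joint, message, rng=None):
    """Sender: emit a cover symbol drawn from P(X | M = message) under the coupling."""
    if rng is None:
        rng = random.Random()
    xs, weights = zip(*[(x, mass) for (m, x), mass in joint.items() if m == message])
    return rng.choices(xs, weights=[float(w) for w in weights])[0]


def posterior(joint, p_x, observed):
    """Receiver: P(M | X = observed). Ambiguity here is the gap between H(M) and I(M;X)."""
    return {m: mass / Fraction(p_x[observed])
            for (m, x), mass in joint.items() if x == observed}


if __name__ == "__main__":
    rng = random.Random(7)
    greedy = greedy_min_entropy_coupling(P_MESSAGE, P_COVER)
    for name, coupling in (("greedy min-entropy", greedy),
                           ("independent product", product_coupling(P_MESSAGE, P_COVER))):
        print(f"{name:20s}", stego_analysis(coupling, P_MESSAGE, P_COVER))
    # Empirical check: stegotext symbol frequencies track p_X, whatever messages were sent.
    messages = rng.choices(range(len(P_MESSAGE)), weights=[float(v) for v in P_MESSAGE], k=20000)
    emitted = [encode(greedy, m, rng) for m in messages]
    print("empirical P(X=0):", emitted.count(0) / len(emitted), "vs cover", float(P_COVER[0]))
    print("receiver posterior given X=1:", posterior(greedy, P_COVER, 1))
```

On these inputs both couplings pass the perfect-security check, which is the "if" direction of the theorem in miniature: a passive observer who only sees the cover marginal learns nothing either way. The difference is throughput: the independent coupling has joint entropy 2.5 bits and carries 0 secret bits per symbol, while the greedy coupling has joint entropy 1.5 bits and carries 1.0 bit per symbol, which is why lowering the coupling's entropy is the lever for efficiency.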

In an open letter, seven secure messaging apps—including Signal and WhatsApp—point out that the UK’s Online Safety Bill could destroy end-to-end encryption:

As currently drafted, the Bill could break end-to-end encryption, opening the door to routine, general and indiscriminate surveillance of personal messages of friends, family members, employees, executives, journalists, human rights activists and even politicians themselves, which would fundamentally undermine everyone’s ability to communicate securely.

The Bill provides no explicit protection for encryption, and if implemented as written, could empower OFCOM to try to force the proactive scanning of private messages on end-to-end encrypted communication services—nullifying the purpose of end-to-end encryption as a result and compromising the privacy of all users.

In short, the Bill poses an unprecedented threat to the privacy, safety and security of every UK citizen and the people with whom they communicate around the world, while emboldening hostile governments who may seek to draft copy-cat laws.

Both Signal and WhatsApp have said that they will cease services in the UK rather than compromise the security of their users worldwide.

Quantum computing, while still in its infancy, is developing rapidly and holds tremendous potential for solving complex computational problems. However, its growth also presents significant challenges to cybersecurity, as it has the potential to render traditional cryptographic algorithms obsolete.

This guide aims to provide a comprehensive understanding of the implications of quantum computing on cybersecurity, review the most notable quantum security technologies and vendors, and offer real-world examples of how companies can prepare for the quantum era.

Understanding the Quantum Computing Threat

The power of quantum computers lies in their ability to perform computations much more efficiently than classical computers. This efficiency comes from their ability to utilize qubits, which can exist in multiple states simultaneously, rather than the binary bits used in classical computing. While this capability offers incredible potential for problem-solving, it also poses a significant threat to existing cryptographic methods.

Two key quantum algorithms pose specific threats to cryptography: Shor’s algorithm and Grover’s algorithm. Shor’s algorithm, when run on a sufficiently powerful quantum computer, can factor large numbers exponentially faster than classical algorithms. This poses a threat to widely used encryption methods like RSA, which relies on the difficulty of factoring large numbers for its security. Grover’s algorithm, on the other hand, can significantly speed up the search for an unknown value, compromising the security of symmetric cryptographic systems and password hashing algorithms.

Quantum-Resistant Cryptography

In response to these emerging threats, researchers and cybersecurity experts have been developing quantum-resistant cryptographic algorithms. These algorithms are designed to be secure even when faced with the power of quantum computing. Some popular quantum-resistant cryptographic techniques include:

  1. Lattice-based cryptography: This approach relies on the hardness of mathematical problems related to lattices, which are multidimensional grids of points. Lattice-based cryptography is considered to be resistant to both classical and quantum attacks.
  2. Multivariate cryptography: This technique is based on the difficulty of solving systems of multivariate polynomial equations. Multivariate cryptographic schemes have been shown to resist attacks from quantum computers, providing a viable alternative to traditional cryptographic methods.
  3. Code-based cryptography: This method is based on the theory of error-correcting codes, which are mathematical techniques for detecting and correcting errors in data transmission. Some code-based cryptographic schemes, such as McEliece and Niederreiter, are considered to be quantum-resistant due to their reliance on problems that are difficult for quantum computers to solve efficiently.

Quantum Threats to Traditional Cybersecurity Systems and How to Upgrade Your Defenses

As quantum computing continues to advance, it is important to understand which traditional cybersecurity systems and technologies are most at risk of being circumvented by quantum computing capabilities. The following sections detail the most vulnerable systems and provide recommendations on how to upgrade security defenses to withstand these emerging threats.

1. Public Key Cryptography

The most significant risk posed by quantum computing is to public key cryptography, which forms the basis of many widely used encryption and digital signature schemes such as RSA, Diffie-Hellman, and Elliptic Curve Cryptography (ECC). These systems rely on the computational difficulty of certain mathematical problems (e.g., factoring large numbers or solving discrete logarithm problems) for their security. However, with Shor’s algorithm, a sufficiently powerful quantum computer could solve these problems exponentially faster, effectively breaking these cryptographic systems.

Approach to upgrading defenses: To protect against the threat posed by quantum computers, organizations should start transitioning to quantum-resistant public key cryptography. This may involve adopting post-quantum cryptographic algorithms based on lattice, multivariate, or code-based cryptography. It is crucial for organizations to monitor the development and standardization of these algorithms and plan for a smooth migration to ensure long-term security.

2. Symmetric Key Cryptography

Symmetric key cryptography, used in encryption schemes such as AES, is less vulnerable to quantum computing attacks than public key cryptography. However, Grover’s algorithm can significantly reduce the effective key length of symmetric encryption systems, halving the security level. For example, AES-256 would effectively provide the security of AES-128 against a quantum computer running Grover’s algorithm.

Approach to upgrading defenses: To maintain a high level of security in the face of quantum computing threats, organizations should consider increasing the key length of symmetric key algorithms, effectively doubling the current security level. For instance, transitioning from AES-128 to AES-256 would provide a higher degree of protection against potential quantum attacks.

3. Hash Functions

Hash functions, widely used in password hashing and digital signatures, are generally considered to be more resilient against quantum attacks than public key cryptography. However, quantum algorithms like Grover’s algorithm can still pose a threat, potentially reducing the security level of hash functions by a factor of two.

Approach to upgrading defenses: Organizations should evaluate the current security level of their hash functions and consider adopting stronger hash functions with larger output lengths if needed. This will help maintain the desired level of security and protect against potential quantum computing attacks.

4. Secure Communications

Many secure communication protocols, such as SSL/TLS and VPNs, rely on public key cryptography for key exchange and authentication. As mentioned earlier, public key cryptography is particularly vulnerable to quantum attacks, potentially compromising the security of these communication channels.

Approach to upgrading defenses: To ensure the long-term security of communication channels, organizations should begin exploring and implementing quantum-resistant alternatives to traditional key exchange and authentication methods. This could include adopting Quantum Key Distribution (QKD) systems or integrating post-quantum cryptographic algorithms into existing communication protocols.

How to Adapt to Quantum Threats

To prepare for the quantum era, companies should start by assessing their current cybersecurity infrastructure and identifying potential vulnerabilities that could be exploited by quantum computing advancements. Here are some real-world examples and best practices for adapting to these emerging threats:

  1. Securing Sensitive Data: Organizations should consider upgrading their encryption algorithms to quantum-resistant alternatives, such as those based on lattice, multivariate, or code-based cryptography. This will help ensure that sensitive data remains secure even if traditional cryptographic methods are compromised by quantum computing advancements.
  2. Quantum Key Distribution (QKD) for Secure Communications: Companies can implement QKD systems to secure their communication channels against both classical and quantum attacks. By using QKD, organizations can establish secure connections that are resistant to eavesdropping or other forms of interception, ensuring the confidentiality and integrity of transmitted data.
  3. Transitioning to Quantum-Resistant Algorithms: Organizations should develop a long-term plan for transitioning to quantum-resistant algorithms and technologies. This may involve updating cryptographic libraries, migrating to new encryption schemes, and training staff on the latest security best practices. By planning for this transition, companies can ensure that their cybersecurity infrastructure remains robust and secure as the field of quantum computing continues to evolve.

As quantum computing advances, it is crucial for organizations to understand the potential threats it poses to their cybersecurity infrastructure and take steps to prepare for the quantum era. By staying informed about the latest developments in quantum-resistant cryptography, working with leading vendors, and implementing best practices, companies can safeguard their critical assets and be better prepared for the challenges ahead.

Quantum Security Solutions

Several companies are at the forefront of developing quantum-resistant security solutions. Here are some of the most notable vendors in the field:

  1. ISARA Corporation (https://www.isara.com/): ISARA is a leading provider of quantum-safe security solutions. They offer cryptographic libraries and migration tools to help organizations transition to quantum-resistant encryption algorithms. By using ISARA’s solutions, companies can safeguard their sensitive data from future quantum computing threats.
  2. ID Quantique (https://www.idquantique.com/): ID Quantique is a pioneer in quantum-safe cryptography. They provide quantum key distribution (QKD) systems, quantum random number generators (QRNG), and other quantum-safe solutions to ensure long-term security for sensitive data. Their QKD systems can be used for secure communication channels, protecting data from both classical and quantum attacks.
  3. Post-Quantum (https://www.post-quantum.com/): Post-Quantum offers a range of quantum-resistant security solutions, including encryption algorithms, digital signatures, and secure communications. Their solutions are designed to protect against both classical and quantum-based cyberattacks, ensuring the long-term security of an organization’s data and infrastructure.
  4. Quantum Xchange (https://quantumxc.com/): Quantum Xchange focuses on providing quantum-safe key management and secure communications through their Quantum Key Distribution (QKD) network, Phio. By leveraging QKD, Quantum Xchange aims to enhance data security in the quantum era, offering a layer of protection that is resistant to the potential threats posed by quantum computing advancements.
  5. Qrypt (https://qrypt.com/): Qrypt offers a suite of quantum-resistant cryptographic solutions, including key management, secure data storage, and encrypted communication systems. Their solutions are designed to protect against current and future cyber threats, ensuring that sensitive information remains secure in the face of evolving quantum computing capabilities.

In conclusion, as quantum computing advances, it is crucial for organizations to assess the vulnerabilities of their existing cybersecurity systems and technologies and take proactive measures to upgrade their defenses. By adopting quantum-resistant algorithms, strengthening symmetric key and hash function security, and ensuring the integrity of secure communications, companies can better prepare for the emerging threats posed by quantum computing capabilities.

The post Quantum Computing Threats: A How-to Guide for Preparing Your Company’s Cybersecurity Defenses appeared first on Cybersecurity Insiders.

CRYSTALS-Kyber is one of the public-key algorithms currently recommended by NIST as part of its post-quantum cryptography standardization process.

Researchers have just published a side-channel attack—using power consumption—against an implementation of the algorithm that was supposed to be resistant against that sort of attack.

The algorithm is not “broken” or “cracked”—despite headlines to the contrary—this is just a side-channel attack. What makes this work really interesting is that the researchers used a machine-learning model to train the system to exploit the side channel.

This is a neat piece of historical research.

The team of computer scientist George Lasry, pianist Norbert Biermann and astrophysicist Satoshi Tomokiyo—all keen cryptographers—initially thought the batch of encoded documents related to Italy, because that was how they were filed at the Bibliothèque Nationale de France.

However, they quickly realised the letters were in French. Many verb and adjectival forms being feminine, regular mention of captivity, and recurring names—such as Walsingham—all put them on the trail of Mary. Sir Francis Walsingham was Queen Elizabeth’s spymaster.

The code was a simple replacement system in which symbols stand either for letters, or for common words and names. But it would still have taken centuries to crunch all the possibilities, so the team used an algorithm that homed in on likely solutions.

Academic paper.

EDITED TO ADD (2/13): More news.

When Ubiquiti suffered a hack the world assumed it was just a regular security breach, but the truth was much stranger... why are police happy that criminals keep using end-to-end encrypted messaging systems… and why is the Apple Watch being accused of crying wolf? All this and much much more is discussed in the latest edition of the “Smashing Security” podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by Mark Stockley. Plus don't miss our featured interview with SecurEnvoy's Chris Martin.