Background
Quantum computing is not a particular danger to most modern asymmetric encryption algorithms. A quantum computer can search through a keyspace of size 2^n in 2^(n/2) operations. This means a 256-bit key can be searched through in 2^128 operations. First of all, 2^128 operations is still infeasible at any obtainable search speed. Secondly, these aren't regular operations, these are quantum operations, so this isn't something where you can use ASICs or PGAs or GPUs to speed up the search. We can (very safely) assume that one quantum operation will be much slower than anything in normal silicon for a very (very) long time.
There are some VeraCrypt features that are based on principles that are unproven even in conventional cryptography. How quantum cryptography will affect them is still uncertain, but they should be noted since they may act differently in quantum computing than in conventional. These are key derivation and cypher cascading.
Key derivation: The key derivation is how VeraCrypt turns your password into an actual key. The backbone of this process is the use of a hash, repeated many times on itself, in order to make brute force attacks on the password more difficult. The purpose is to require an attacker to have to calculate the hash many times for every password attempt they make. There is, however, no mathematical proof that I know of that says that to get the result of the (say) millionth hash requires you to calculate all previous 999,999 hashes to get there. It is quite possible that either a conventional or quantum algorithm will be found that allows jumping directly to the result of that millionth hash. There is some evidence that suggests there may be an easier way to do this with quantum cryptography than with conventional.
Cypher cascading: VeraCrypt has an optional feature where you can have it run your data through multiple cyphers. So it will, say, run it through AES and then SERPENT, each of which uses a different header key derived separately from your password. There is no mathematical proof that says this is any more secure than a single cypher. In fact, there is an outside chance that this actually decreases security. Modern cyphers are carefully chosen to produce output that is as mathematically random as possible. It is possible that using two cyphers can interact in ways the designers did not intend to weaken security. In actuality, it is very unlikely that cascaded cyphers reduce security - they probably greatly increase it. However, there is some evidence to suggest a reduction in security is a greater risk for conventional cryptography than for quantum. In fact, there is some evidence to suggest that cascaded cyphers greatly increase resistance to quantum attack from 2^(n/2) to 2^(n/2+c+1) or possibly 2^(nc/2) quantum operations (where "n" is the key size and "c" is the number of cascaded cyphers).
Analysis
VeraCrypt, by its nature, is already very resistant to quantum computing attacks. Two things that can be done right now to better prepare yourself are:
Use a good strong password that is not dependent on iterative hashing to strengthen. Your password should, ideally, have as much intrinsic entropy as the header key (256 bits). At the very least, it should have a good solid 128 bits of entropy with room to spare.
Use cascaded cyphers. The probability that they help far outweighs the tiny theoretical risk. If you have a modern CPU that has built-in AES acceleration then AES is essentially computationally free. So selecting a two-cypher cascade with AES as one of them essentially gives you two for the price of one. Unless you have a very large, very fast NVMe SLC SSD, VeraCrypt will still outperform your drive.
Last edit: Kurt Fitzner 2019-07-20
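To make the answer's "weakest link" reasoning concrete, here is an added example (not from the thread or from VeraCrypt) that models the two attack paths it discusses: brute-forcing the password through the iterated hash, and searching the header key directly. It assumes, as the answer does, that the iterated hash cannot be shortcut, so every Grover query pays the full iteration count; the 500,000 iteration count is a placeholder, not a value taken from the thread.

```python
import math

# Added example, not part of the original thread: a back-of-the-envelope
# work-factor model. Quantum cost follows the answer's Grover figure
# (2^(n/2)) and its assumption that the iterated KDF cannot be shortcut,
# so the iteration count is paid in full for every quantum query.


def password_entropy_bits(charset_size: int, length: int) -> float:
    """Entropy of a uniformly random password drawn from a charset."""
    return length * math.log2(charset_size)


def password_attack_log2(charset_size: int, length: int,
                         kdf_iterations: int, quantum: bool) -> float:
    """log2 of hash evaluations needed to exhaust the password space.

    Classical: 2^H * iterations.  Grover: 2^(H/2) * iterations.
    """
    entropy = password_entropy_bits(charset_size, length)
    search = entropy / 2 if quantum else entropy
    return search + math.log2(kdf_iterations)


def key_attack_log2(key_bits: int, quantum: bool) -> float:
    """log2 of operations to exhaust the header key: 2^n or 2^(n/2)."""
    return key_bits / 2 if quantum else key_bits


def weakest_link(charset_size, length, kdf_iterations, key_bits, quantum):
    """Return (name, log2_work) of the cheaper of the two attack paths."""
    pw = password_attack_log2(charset_size, length, kdf_iterations, quantum)
    key = key_attack_log2(key_bits, quantum)
    return ("password", pw) if pw < key else ("key", key)


# Constructed inputs: the asker's charset (26+26+10+9 = 71 symbols) and a
# placeholder iteration count; the real count depends on VeraCrypt's PIM
# setting and is not taken from the thread.
CHARSET = 71
ITERATIONS = 500_000
KEY_BITS = 256

if __name__ == "__main__":
    for length in (8, 12, 20, 40, 50):
        for quantum in (False, True):
            link, work = weakest_link(CHARSET, length, ITERATIONS, KEY_BITS, quantum)
            mode = "quantum" if quantum else "classical"
            print(f"{length:2d} chars, {mode:9s}: weakest link = {link:8s} at 2^{work:.1f}")
```

Run it to see the crossover: at 8 or 20 characters the password is the cheaper path even for a classical attacker, while at 40 characters the 2^128 Grover bound on the key becomes the limit, which is the answer's point about matching password entropy to the key.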
Anyone who's watching knows that quantum computing is advancing pretty quickly and will apparently be ready to actually do stuff soon.
How will VeraCrypt's current strongest encryption hold up against a quantum computer?
Are there plans to implement stronger levels of encryption anytime soon?
Thanks so much for the very detailed response.
So I take it 40-50 character AZaz1234567890!@#$%^&() passwords with AES-twofish-serpent and whirlpool will be pretty resilient to quantum computing.