public inbox for cryptsetup@lists.linux.dev
* LUKS and quantum computing
@ 2024-11-25 22:13 Patrick Callaghan
  2024-11-26  8:39 ` Arno Wagner
  2024-11-26  8:53 ` Milan Broz
  0 siblings, 2 replies; 5+ messages in thread
From: Patrick Callaghan @ 2024-11-25 22:13 UTC (permalink / raw)
  To: cryptsetup@lists.linux.dev

If we use LUKS encryption with SHA-256 configured (i.e. the default), is this considered safe against attacks by quantum computers? 

I ask because NIST suggests SHA512 in general for quantum safe algorithms (see "old Q17" in https://csrc.nist.gov/projects/post-quantum-cryptography/faqs) and we want to be LUKS quantum safe now and for several years to come, even if no practical attacks currently exist.

Note, the cipher we use is "aes-xts-plain64" so we have no question about this as AES with 256-bit keys is considered quantum safe. 

Thank you.


* Re: LUKS and quantum computing
  2024-11-25 22:13 LUKS and quantum computing Patrick Callaghan
@ 2024-11-26  8:39 ` Arno Wagner
  2024-11-26  8:53 ` Milan Broz
  1 sibling, 0 replies; 5+ messages in thread
From: Arno Wagner @ 2024-11-26  8:39 UTC (permalink / raw)
  To: Patrick Callaghan; +Cc: cryptsetup@lists.linux.dev

No idea. And frankly, I have stopped caring. "Quantum Computing" is
a Fata Morgana that does not amount to anything practical at this
time (after 50 years of research) and may well never amount to anything.
It will certainly not be a real threat in the foreseeable future.

Here is what Peter Gutmann thinks of the topic, and I think it
is spot on: https://www.cs.auckland.ac.nz/~pgut001/pubs/bollocks.pdf

Regards,
Arno

-- 
Arno Wagner,     Dr. sc. techn., Dipl. Inform.,    Email: arno@wagner.name
GnuPG: ID: CB5D9718  FP: 12D6 C03B 1B30 33BB 13CF  B774 E35C 5FA1 CB5D 9718
----
A good decision is based on knowledge and not on numbers. -- Plato

If it's in the news, don't worry about it.  The very definition of 
"news" is "something that hardly ever happens." -- Bruce Schneier


* Re: LUKS and quantum computing
  2024-11-25 22:13 LUKS and quantum computing Patrick Callaghan
  2024-11-26  8:39 ` Arno Wagner
@ 2024-11-26  8:53 ` Milan Broz
  2024-11-26  9:34   ` Arno Wagner
  1 sibling, 1 reply; 5+ messages in thread
From: Milan Broz @ 2024-11-26  8:53 UTC (permalink / raw)
  To: Patrick Callaghan, cryptsetup@lists.linux.dev

On 11/25/24 11:13 PM, Patrick Callaghan wrote:
> If we use LUKS encryption with SHA-256 configured (i.e. the
> default), is this considered safe against attacks by quantum
> computers?

SHA256 has no problem, specifically if used for PBKDF2
(iterative hashing for key derivation).

Default LUKS2 configuration no longer uses SHA256 anyway, only for the
antiforensic filter (split key material among more sectors), and
this is not a cryptographically relevant operation.

We use Argon2 with Blake2 hash internally for PBKDF now in LUKS2.

> I ask because NIST suggests SHA512 in general for quantum safe
> algorithms (see "old Q17" in https://csrc.nist.gov/projects/post-
> quantum-cryptography/faqs) and we want to be LUKS quantum safe now
> and for several years to come, even if no practical attacks
> currently exist.
> 
> Note, the cipher we use is "aes-xts-plain64" so we have no question
> about this as AES with 256-bit keys is considered quantum safe.

The 256bit (2x256 bit for XTS) key is default, this is according to
what is suggested in general (even in the context of QC).
Otherwise there should be no problem with symmetric encryption related
to quantum computing.

BTW who is "we" in your paragraph?

Milan

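A policy check for the points Milan makes above (a 512-bit XTS key, i.e. 2x256-bit AES, and Argon2 rather than PBKDF2 for the keyslots), as an added example that is not part of this thread or of cryptsetup itself: a POSIX shell function that reads `cryptsetup luksDump` output and reports every keyslot or data segment that falls short. The dump text below is a constructed sample (field layout follows luksDump, values are made up), not taken from a real device.

```shell
#!/bin/sh
# Constructed sample of 'cryptsetup luksDump' output for a LUKS2 header.
# Keyslot 1 was (hypothetically) added with --pbkdf pbkdf2 and should be flagged.
SAMPLE_DUMP='LUKS header information
Version:        2
Data segments:
  0: crypt
        offset: 16777216 [bytes]
        length: (whole device)
        cipher: aes-xts-plain64
        sector: 512 [bytes]
Keyslots:
  0: luks2
        Key:        512 bits
        Cipher:     aes-xts-plain64
        Cipher key: 512 bits
        PBKDF:      argon2id
        AF hash:    sha256
  1: luks2
        Key:        512 bits
        Cipher:     aes-xts-plain64
        Cipher key: 512 bits
        PBKDF:      pbkdf2
        AF hash:    sha256
Digests:
  0: pbkdf2
        Hash:       sha256'

# Reads luksDump text on stdin. Prints one FAIL line per finding, or OK.
# Exit status 0 only when every segment and keyslot meets the policy.
luks_policy_check() {
    awk '
    /^Data segments:/ { in_data = 1; in_slots = 0 }
    /^Keyslots:/      { in_slots = 1; in_data = 0 }
    /^(Tokens|Digests):/ { in_slots = 0; in_data = 0 }
    /^ *[0-9]+: / { slot = $1; sub(":", "", slot) }
    in_data && /cipher:/ && $2 != "aes-xts-plain64" {
        print "FAIL segment " slot ": cipher " $2; bad = 1 }
    in_slots && /Cipher:/ && $2 != "aes-xts-plain64" {
        print "FAIL slot " slot ": cipher " $2; bad = 1 }
    in_slots && /Cipher key:/ && $3 + 0 < 512 {
        print "FAIL slot " slot ": cipher key " $3 " bits (< 512, i.e. < 2x256 for XTS)"; bad = 1 }
    in_slots && /PBKDF:/ && $2 !~ /^argon2/ {
        print "FAIL slot " slot ": PBKDF " $2 " (expected argon2i/argon2id)"; bad = 1 }
    END { if (!bad) print "OK"; exit bad }
    '
}

# Stand-alone run on the constructed sample. On a real device use:
#   cryptsetup luksDump /dev/sdX | luks_policy_check
printf '%s\n' "$SAMPLE_DUMP" | luks_policy_check
```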

* Re: LUKS and quantum computing
  2024-11-26  8:53 ` Milan Broz
@ 2024-11-26  9:34   ` Arno Wagner
  2024-11-26 21:49     ` Patrick Callaghan
  0 siblings, 1 reply; 5+ messages in thread
From: Arno Wagner @ 2024-11-26  9:34 UTC (permalink / raw)
  To: cryptsetup@lists.linux.dev

On Tue, Nov 26, 2024 at 09:53:36 CET, Milan Broz wrote:
> On 11/25/24 11:13 PM, Patrick Callaghan wrote:
[...]
> BTW who is "we" in your paragraph?
> 
> Milan

I have been wondering that as well...

Arno

* Re: LUKS and quantum computing
  2024-11-26  9:34   ` Arno Wagner
@ 2024-11-26 21:49     ` Patrick Callaghan
  0 siblings, 0 replies; 5+ messages in thread
From: Patrick Callaghan @ 2024-11-26 21:49 UTC (permalink / raw)
  To: cryptsetup@lists.linux.dev

Thank you Arno for the link and thank you Milan for the "iterative hashing for key derivation" point and the LUKS2 hashing comment.

The "we" is a couple of co-workers on my team who are interested in preparing their partition encryption setup according to the emerging NIST standards, including quantum computing safeness.
