Apple launching quantum-resistant iMessage encryption algorithm

Nycturne

Elite Member
Posts
1,139
Reaction score
1,488
I think I'm going to have to read up on what PQC Level 2, 3 and 4 actually mean in this context, and what Apple changed. It's interesting, but I can't really expect 9to5 to give me the details I crave.
 

Cmaier

Site Master
Staff Member
Site Donor
Posts
5,329
Reaction score
8,520
I think I'm going to have to read up on what PQC Level 2, 3 and 4 actually mean in this context, and what Apple changed. It's interesting, but I can't really expect 9to5 to give me the details I crave.
I think apple invented those levels?

Worthwhile proposing a framework to talk about this stuff, though.
 

Nycturne

Elite Member
Posts
1,139
Reaction score
1,488
Yeah, I just need to read Apple's stuff on this really, once I get a bit more time tonight.
 

Cmaier

Site Master
Staff Member
Site Donor
Posts
5,329
Reaction score
8,520
Yeah, I just need to read Apple's stuff on this really, once I get a bit more time tonight.
To that end, here’s Apple’s website in case anyone is looking for it.

 

Cmaier

Site Master
Staff Member
Site Donor
Posts
5,329
Reaction score
8,520
Looks like it uses very large symmetric keys, and continual ratcheted re-keying where future keys don’t depend on prior state.
 

Nycturne

Elite Member
Posts
1,139
Reaction score
1,488
Looks like it uses very large symmetric keys, and continual ratcheted re-keying where future keys don’t depend on prior state.

According to Ars, it also looks like they are now using Kyber for key encapsulation as well. Interesting we’re starting to see some of these newer algorithms show up.

 

theorist9

Site Champ
Posts
613
Reaction score
563
The premise is that current encryption algorithms could be broken once quantum computers become available, hence bad actors could collect sensitive encrypted data today and decrypt it when that happens: Harvest Now, Decrypt Later (HNDL).

But this shouldn't be unique to PQ. Indeed, it seems it should already be happening since, according to
Security Risks of Outdated Encryption (Chester Avery, GlobalSign Blog, 12/11/2023), "Outdated standards like 512-bit RSA (Rivest–Shamir–Adleman) and 128-bit AES (Advanced Encryption Standard) ...can now be broken in feasible timeframes by well-resourced attackers".

So is the present-tense version of HNDL (which I suppose we could term "Harvest Previously, Decrypt Now") happening? I've not been able to find any articles that touch upon this.
 

Nycturne

Elite Member
Posts
1,139
Reaction score
1,488
The premise is that current encryption algorithms could be broken once quantum computers become available, hence bad actors could collect sensitive encrypted data today and decrypt it when that happens: Harvest Now, Decrypt Later (HNDL).

It should also be stated that the key algorithms that are most vulnerable are asymmetric algorithms, the armpit in your plate armor, as it were. It's these algorithms that allow you to exchange the more secure symmetric keys used for actual data encryption, or sign a hash that represents a digital signature. What makes them uniquely vulnerable is that the private and public keys are correlated, and yet the public key must be resistant against attack. For example, RSA's public key is two prime numbers multiplied together, while the private key is the two prime numbers. The only thing keeping an attacker at bay is the compute power required to run a general number field sieve on a number that is on the order of 10^600 when using a 2kbit key.

RSA is vulnerable to Shor's, as is Elliptic Curve (TIL). The new hotness for key exchange and digital signatures is apparently the CRYSTALS project, which includes Kyber (key exchange) and Dilithium (signatures). NIST officially started looking at standardizing both of these not that long ago: https://www.nist.gov/news-events/ne...lgorithms-can-resist-attack-quantum-computers

So what Apple's doing here is bringing in Kyber along with the Elliptic Curve key exchange. It sounds like both keys are required to complete the key exchange, and produce the shared symmetric key. Which is good. Kyber is relatively new and if a vulnerability is found that somehow makes it worse than Elliptic Curve, then at the very least, an adversary still needs to break Elliptic Curve as well. So they are hedging their bets in the off chance that CRYSTALS doesn't deliver on its promises. It's this sort of detail I was hoping to get from Apple's blog post, and they delivered.

So is the present-tense version of HNDL (which I suppose we could term "Harvest Previously, Decrypt Now") happening? I've not been able to find any articles that touch upon this.

If it is, I don't think it's been discovered by researchers. A lot of what you mention above (such as 512-bit RSA and 128-bit AES) was deprecated quite a while ago. NIST updated their guidance to using 1kbit RSA at a minimum back in 2002; as of 2015, the recommendation is 2kbit RSA minimum.

Out of curiosity, I looked at an HTTPS certificate I got from Let's Encrypt recently. It's using SHA-256 for the signature hash, and Elliptic Curve for the asymmetric key pair with a strength equivalent to roughly a 7kbit RSA key pair, which is reasonable for today's needs. Because TLS certificates need to be kept up to date, you aren't going to find a bunch of stuff on older keys for very long unless someone screwed up badly. Odds are that if folks were harvesting data only protected by 512-bit RSA keys, it's almost twenty years old now. Have to be playing quite a long game.

256-bit AES is still considered resistant to quantum attacks. But I would expect to see AES and SHA go to larger sizes in the future to keep ahead of advancements in quantum computers. So Apple's not changing out the underlying encryption on the message itself (it's still AES256 as far as I can tell), but rather how these keys are cycled using the ratchet, and the addition of a key exchange mechanism that's assumed to be resistant to quantum attacks.

The padded payload is encrypted with AES-CTR using a 256-bit encryption key and initialization vector, both derived from the message key. While public key algorithms require fundamental changes to achieve quantum security, symmetric cryptography algorithms like the AES block cipher only require doubling the key size to maintain their level of security against quantum computers.
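The hybrid exchange described in the post above (both the elliptic-curve secret and the Kyber secret are needed to reach the symmetric key), as an added example that is not Apple's code: it uses Go's standard-library X25519 and ML-KEM-768 (the standardized form of Kyber) and shows that a party holding only the curve secret derives a different key. The hash combiner, the "hybrid-demo" label and the transcript binding are assumptions for this demo, not Apple's exact KDF; it needs Go 1.24 or newer for crypto/mlkem.

```go
package main

import (
	"crypto/ecdh"
	"crypto/mlkem"
	"crypto/rand"
	"crypto/sha256"
)

func check(err error) {
	if err != nil {
		panic(err)
	}
}

// combine hashes BOTH fixed-length secrets with the transcript: an assumed demo combiner, not Apple's KDF.
func combine(ecSS, pqSS, transcript []byte) []byte {
	h := sha256.New()
	for _, part := range [][]byte{[]byte("hybrid-demo"), ecSS, pqSS, transcript} {
		h.Write(part)
	}
	return h.Sum(nil)
}

// Result holds both parties' keys and what an attacker who broke only X25519 derives.
type Result struct{ Sender, Receiver, ECOnlyAttacker []byte }

// HybridExchange runs one X25519 + ML-KEM-768 exchange between a sender and a receiver.
func HybridExchange() Result {
	// Receiver publishes an X25519 public key and an ML-KEM-768 encapsulation key.
	recvEC, err := ecdh.X25519().GenerateKey(rand.Reader)
	check(err)
	recvPQ, err := mlkem.GenerateKey768()
	check(err)
	// Sender: ephemeral X25519 share plus a KEM ciphertext for the receiver's key.
	ephEC, err := ecdh.X25519().GenerateKey(rand.Reader)
	check(err)
	ecSS, err := ephEC.ECDH(recvEC.PublicKey())
	check(err)
	pqSS, ct := recvPQ.EncapsulationKey().Encapsulate()
	transcript := append(append([]byte{}, ephEC.PublicKey().Bytes()...), ct...)
	// Receiver recomputes both secrets from the sender's public share and the ciphertext.
	ecSS2, err := recvEC.ECDH(ephEC.PublicKey())
	check(err)
	pqSS2, err := recvPQ.Decapsulate(ct)
	check(err)
	// An attacker who recovered ecSS (e.g. via Shor's algorithm) still lacks the ML-KEM secret.
	return Result{combine(ecSS, pqSS, transcript), combine(ecSS2, pqSS2, transcript),
		combine(ecSS, make([]byte, len(pqSS)), transcript)}
}
```

Both sides land on the same 32-byte key, while the curve-only derivation does not, which is the hedge the post describes: breaking one of the two primitives is not enough.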
 