Quantum Computer decrypt RSA, Bitcoin PQC, Solidity audit tool, Meaningless threat
Notable news for the week of Oct 20th – 26th, 2024. This week, your editor is Koichi from the F5 Security Incident Response Team. In this edition, I have security news about a POC showing that a quantum computer can decrypt an RSA cipher, Downtime Required for Bitcoin Quantum-Safety, false positives of a Solidity audit tool, and a threat to distribute free data.
We in F5 SIRT invest a lot of time to understand the frequently changing behavior of bad actors. Bad actors are a threat to your business, your reputation, your livelihood. That’s why we take the security of your business seriously. When you’re under attack, we’ll work quickly to effectively mitigate attacks and vulnerabilities, and get you back up and running. So next time you are under a security emergency, please contact F5 SIRT.
POC of a Quantum Computer that can decrypt an RSA cipher (but only 50 bits)
A quantum computer is a computer that can significantly reduce computation time compared to conventional computers. By increasing the number of qubits, multiple calculations can be performed at the same time, thus greatly exceeding the calculation speed of conventional computers. This raises concerns that quantum computers may be able to decipher the RSA cipher by solving the prime factorization of a number with many digits in a short period of time. The quantum annealer, a type of quantum computing process that specializes in solving a prime factorization problem in cryptography, was developed by the Canadian company D-Wave Systems.
On Oct 22nd, a team of Chinese researchers announced that they had successfully conducted an experiment using D-Wave Advantage, a quantum annealer, against the RSA cipher. They published a paper, "Quantum Annealing Public Key Cryptographic Attack Algorithm Based on D-Wave Advantage".
In the experiment, D-Wave Advantage successfully factored a 50-bit RSA encryption key. RSA cryptography is based on the difficulty of prime factorization, and the larger the key size, the more difficult it is to decipher. The results of this research are positioned as a POC that proves that quantum computers could theoretically pose a threat to existing cryptosystems. However, there is a strong view that the current technology does not pose an immediate threat to practical large-scale cryptography, which uses more than 1024 bits.
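To put the 50-bit key size in perspective, the following added example (not from the paper or from F5) factors a constructed 50-bit RSA modulus on a conventional CPU with Pollard's rho and then recovers the private exponent. The primes, the message value and all function names are assumptions made for this illustration.

```python
import math
import time

def is_prime(n: int) -> bool:
    """Trial division; sufficient for the ~25-bit primes used here."""
    if n < 2 or n % 2 == 0:
        return n == 2
    return all(n % d for d in range(3, math.isqrt(n) + 1, 2))

def next_prime(n: int) -> int:
    while not is_prime(n):
        n += 1
    return n

def make_toy_key(e: int = 65537):
    """Constructed 50-bit RSA public key (n, e); not a real-world key."""
    p, q = next_prime(24_000_000), next_prime(33_000_000)
    return p * q, e

def pollard_rho(n: int) -> int:
    """Return a non-trivial factor of an odd composite n (Floyd cycle)."""
    c = 1
    while True:
        x = y = 2
        d = 1
        while d == 1:
            x = (x * x + c) % n          # tortoise: one step
            y = (y * y + c) % n          # hare: two steps
            y = (y * y + c) % n
            d = math.gcd(abs(x - y), n)
        if d != n:                       # d == n means this c failed; retry
            return d
        c += 1

def recover_private_key(n: int, e: int):
    """Factor n classically, then derive d = e^-1 mod (p-1)(q-1)."""
    p = pollard_rho(n)
    q = n // p
    return p, q, pow(e, -1, (p - 1) * (q - 1))

if __name__ == "__main__":
    n, e = make_toy_key()
    ciphertext = pow(0x5EC2E7, e, n)     # textbook RSA on a constructed message
    t0 = time.perf_counter()
    p, q, d = recover_private_key(n, e)
    ms = (time.perf_counter() - t0) * 1000
    print(f"n = {n} ({n.bit_length()} bits) = {p} * {q}, factored in {ms:.1f} ms")
    print(f"recovered message: {pow(ciphertext, d, n):#x}")
```

The work for this method grows roughly with the square root of the smallest prime factor, which is why key size, not the choice of hardware, is what separates a 50-bit demonstration from keys of more than 1024 bits.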
In response to this result, cryptography experts have pointed out the need for a new cryptography technology that is resistant to quantum computers, called Post-Quantum Cryptography (PQC).
Source: Chinese scientists claim they broke RSA encryption with a quantum computer — but there's a catch
Source: Chinese Researchers Successfully Decrypt RSA Cipher Using Quantum Computer (Japanese)
Downtime Required for Bitcoin Quantum-Safety
Last week I came across two papers on blockchain security on arXiv.
One is "Downtime Required for Bitcoin Quantum-Safety", which discusses how much time is available for Bitcoin to transition to PQC. As mentioned earlier, research is underway to crack the RSA cipher with quantum computers. Considering the quantum resistance of current cryptography, it is expected to take around 10 years or more, with reasonable probability, before RSA cryptography can be decrypted by a quantum computer. There are already proposals to adopt quantum-resistant cryptography for Bitcoin. The question is when it will be implemented. Of course, it is better to start as soon as possible. In this study, the author highlighted that the very real threat of quantum attack (meaning that a quantum computer decrypts the address and public key) on the Bitcoin network demands immediate action. The author calculated that upgrading to PQC would take a minimum of approximately 305 days to perform the complete upgrade.
By the way, I have discussed blockchain security before.
False positives of Solidity audit tool
The other paper, “Vulnerability anti-patterns in Solidity: Increasing smart contracts security by reducing false alarms”, discusses how to reduce false positives in the results of audits that check for vulnerabilities in code written in Solidity, the language of Ethereum's smart contracts. We blockchain developers use auditing tools to check Solidity code for potential vulnerabilities. If there are any known vulnerabilities, the audit tool will warn us. In the paper, the verification results show that 92% of the vulnerabilities flagged by traditional tools are actually false positives. This is because generating too many false positives is more detrimental to productivity and security awareness. This study used static analysis of the process of checking code for OWASP Top 10 vulnerabilities, and its observations will increase the reliability of tool audits. As a result, they were able to significantly reduce false positives.
Threat to distribute the free data?
On October 22, the National Institute of Genetics Center for Bioinformatics and DDBJ Center in Japan announced that they had been blackmailed by a hacker group via X, which said that it had stolen data and that it would release 5% of the data and then release the remaining 95% if they did not pay $10,000. However, the DDBJ found that the key data that was supposedly stolen was available for anyone to download for free, so the threat was meaningless.
On Oct 8th, the DDBJ Center for Life Information found a message stating that an international hacker group, “CyberVolk”, had stolen information from DDBJ, a database of nucleotide sequences, and that CyberVolk threatened to make the stolen information public.
The DDBJ Center investigated the details of the situation, and as of Oct 22nd, there was no indication of exploitation or tampering.
DDBJ is a platform that collects and annotates DNA and RNA sequence data submitted by researchers and makes them available to the public free of charge. The data that CyberVolk was threatening to release was this publicly available data. So CyberVolk's threat was meaningless (CyberVolk seems to have misunderstood the Japanese data labels, I guess).
Since there was no impact on the business, DDBJ did not halt its service even after the threats. Registration of some new data was delayed, but the impact was slight, and the company plans to restore the service to its normal state by the end of Oct 22nd.
Source: Hacker group threatened to distribute the free and publicly available data (Japanese)