26

According to this Bloomberg article:

A Swiss Company Says It Found Weakness That Imperils Encryption

Terra Quantum AG has a team of about 80 quantum physicists, cryptographers and mathematicians, who are based in Switzerland, Russia, Finland and the U.S. “What currently is viewed as being post-quantum secure is not post-quantum secure,” said Markus Pflitsch, chief executive officer and founder of Terra Quantum, in an interview. “We can show and have proven that it isn’t secure and is hackable.”

The company said that its research found vulnerabilities that affect symmetric encryption ciphers, including the Advanced Encryption Standard, or AES, which is widely used to secure data transmitted over the internet and to encrypt files. Using a method known as quantum annealing, the company said its research found that even the strongest versions of AES encryption may be decipherable by quantum computers that could be available in a few years from now.

Vinokur said in an interview that Terra Quantum’s team made the discovery after figuring out how to invert what’s called a “hash function,” a mathematical algorithm that converts a message or portion of data into a numerical value.

We have already had limitations due to Grover's Algorithm that are asymptotically optimal. Are we going to have another snake oil sale like Treadwell Stanton DuPont?


Update: It turns out to be a product advertisement, and we don't buy it!

kelalaka
  • 49,797
  • 12
  • 123
  • 211
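The Grover bound the question refers to, as an added example that is not part of the original post: a pure-Python statevector simulation of Grover's search (function and variable names are mine) over a 2^n-entry key space with a single correct key, showing that success probability peaks after about (π/4)·√N oracle calls and falls again if you keep iterating. The asymptotic consequence for symmetric keys is the usual halving of the effective key length, which is why AES-256 rather than a new scheme is the standard answer to Grover.

```python
import math


def grover_success_probability(n_bits: int, marked: int, iterations: int) -> float:
    """Simulate Grover's search over N = 2**n_bits basis states with a plain
    real-valued statevector (no quantum library required).

    The oracle knows the single correct key `marked` and flips the sign of
    its amplitude; the diffusion step reflects every amplitude about the mean.
    Returns the probability that a final measurement yields `marked`.
    """
    n = 1 << n_bits
    if not 0 <= marked < n:
        raise ValueError("marked state lies outside the search space")
    amp = [1.0 / math.sqrt(n)] * n           # uniform superposition after Hadamards
    for _ in range(iterations):
        amp[marked] = -amp[marked]           # oracle: phase flip on the target key
        mean = sum(amp) / n
        amp = [2.0 * mean - a for a in amp]  # diffusion: inversion about the mean
    return amp[marked] ** 2


def optimal_iterations(n_bits: int) -> int:
    """Grover needs about (pi/4) * sqrt(N) oracle calls; more over-rotates
    the state and the success probability drops again."""
    return math.floor(math.pi / 4.0 * math.sqrt(1 << n_bits))


def post_quantum_key_strength(key_bits: int) -> float:
    """Generic Grover bound on exhaustive key search: ~2**(key_bits/2) oracle
    calls, so AES-128 is left with ~64-bit work and AES-256 with ~128-bit work.
    This ignores circuit depth and the cost of each AES oracle evaluation,
    both of which make real-world estimates worse for the attacker."""
    return key_bits / 2


if __name__ == "__main__":
    # The sqrt(N) scaling: classical average tries grow as N/2, Grover as sqrt(N).
    for n in range(4, 11):
        k = optimal_iterations(n)
        print(f"n={n:2d} N={1 << n:5d} classical avg tries={(1 << n) / 2:7.1f} "
              f"grover iters={k:3d} P(success)={grover_success_probability(n, 0, k):.4f}")
```

Running it prints, for each key size, the classical expected number of trials next to the Grover iteration count, and a success probability close to 1 at the optimum; the `post_quantum_key_strength` helper is the one-line reason the NIST process kept AES-256 as its symmetric baseline.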

7 Answers

45

The onus is on the company to prove their claims, especially when they are extreme. There is also no financial motivation to not prove their claims. I can understand if they say that they want to keep their new "unbreakable algorithm" secret until they patent it, but what reason in the world would there be to not present a break? This is especially the case since it's not something that can be utilized now. Unless, that is, they claim that they can break AES using today's quantum machines in which case I really have to hold back from writing expletives.

In short, this has all of the smell of snake oil with all the motivations of a company trying to get a lot of press and attention, and doing damage while they are at it. It's unfortunate that people don't think that they can make money while keeping their basic ethics.

Of course, one could argue that how can I make this judgment without having seen the details. I guess I'm old enough to not care to be wrong with a 1 in a $2^{40}$ chance. (I just made up that probability but without publishing how I got to it, I guess that no one can challenge me.)

Yehuda Lindell
  • 28,270
  • 1
  • 69
  • 86
15

Edit 2021-02-10: covering now their latest press release

Red flags

While the details of their work/claims are yet to be published, this article contains a lot of conspicuous statements.

Vinokur said in an interview that Terra Quantum’s team made the discovery after figuring out how to invert what’s called a “hash function,”

This would be a major breakthrough, especially since hash functions are non-injective functions, and are usually mapping a large domain onto a smaller co-domain...

Now, one thing to keep in mind is that it is "easy" to invert a quantum circuit provided you know all of its output qubits and ancilla qubits, because then you can simply "run the circuit" in the reverse direction. However any claim saying they've reversed a hash function using such a cheap trick would be immediately dismissed by the community, as it's basically a tautology. In practice, ancilla bits should be "erased"/not provided as part of the output.

Another red flag here is that mention of "quantum annealing":

Using a method known as quantum annealing, the company said its research found that even the strongest versions of AES encryption may be decipherable by quantum computers that could be available in a few years from now.

Quantum annealing is not exactly the best candidate for quantum speed-ups, even if recently the first provable speed-up for the adiabatic annealing problem was announced (it is a quasipolynomial speedup). Furthermore, there are hints that for a quantum annealing speed-up to be effective, it might require operating at temperatures that should converge to 0K as the instance size gets bigger at such rate that any good sized instance wouldn't be practical.

Finally, the article also says:

a new encryption protocol that it says can’t be broken by quantum computers. Vinokur said the new protocol utilizes a method known as quantum key distribution.

However, quantum key distribution is about obtaining a shared key between two parties that will then use that shared key in a symmetric algorithm such as AES to communicate, which is kinda contradictory with their earlier statement of having broken AES. So maybe they've broken AES, and are using another symmetric algorithm to communicate after having used QKD to establish a shared key, but in general "using quantum" to fix something is a red flag.

But

We know that quantum computers are coming and now is definitely a good time to think about it and start considering plans to achieve either "crypto-agility", which would allow us to easily switch to quantum-resistant algorithms when needed, or to try to be quantum-resistant already, since we have a lot of good candidates that were selected as finalists in the NIST PQ competition.

A fun thing about the NIST PQ competition: it features signature algorithms and PKE algorithm, which stands for "Public Key Encapsulation", and is meant to be used to exchange a secret key to be used with a... symmetric encryption scheme such as AES.

So having broken AES would definitely be a major breakthrough too, as we still consider it quantum-resistant nowadays.

The day after

As you might or might not have noticed, it appears they decided to "deliver" and we now have a follow-up press release: https://www.businesswire.com/news/home/20210208005290/en/Terra-Quantum-Makes-Electronically-Transmitted-Communications-Unbreakable-After-Revealing-Weakness-in-%E2%80%98post-quantum-Cryptography%E2%80%99 (saved on Web Archive)

This one also features a lot of red flags, let's go through them together.

In a quote by their CEO, they say:

Our ground-breaking results demonstrate the vulnerability of existing post-quantum encryption schemes.

So far so good, we have a PQ competition going on to try and rule-out existing post-quantum schemes that are actually flawed, let's see what they are attacking...

Post-quantum cryptography is the set of methods to push protecting data to the standards required for a future technology environment in which hackers have access to quantum computing. One of the most popular is the Advanced Encryption Standard (AES), built to withstand attacks from quantum computers. Post-quantum cryptography has become the gold standard for organizations seeking long-term protection for their data.

Wow, okay. So that's awful: they say AES is one of the most popular post-quantum schemes... Well, technically AES is considered quantum resistant, but it does not really belong to what cryptographers typically name "post-quantum". So while technically not a lie, this doesn't look like it's coming from actual cryptographers, if you ask me.

Alright, are they releasing their new AES attack?

To build the defence, Terra Quantum set out to look for a weakness by testing the AES against new algorithms. They Terra Quantum discovered a weakness on the message-digest algorithm MD5.

Blimey, please, no! So, they are talking about the security of AES and then start claiming an attack against MD5, which is known to be broken since 1996! MD5 is both vulnerable to collision attacks and to theoretical pre-image attacks, it's so broken that it's actually borken by today's standards. And its vulnerability to quantum computers was previously discussed here.

Next we can read:

Thus, Terra Quantum has demonstrated the growing opportunities for an inversion of the broad class of cryptographic hash functions (the hash function is the function that irreversibly transforms a long chain of bits into a single small number) such as MD5 or AES.

AES is NOT a hash function. No, period. It is meant to be reversible, unlike MD5 which is meant to not be reversible. They don't even share significant design components. An attack against MD5 is unlikely to lead to a break of AES...

But nonetheless they've found a way around it:

Terra Quantum bases its solution on the Vernon’s cipher, the so-called ‘one-time pad’, proven by Claude Shannon to be unbreakable.

Amazing, kelalaka's funny comment was spot on: they claim to use the one-time-pad to secure their data, well there's nothing wrong with that and it's secure and post-quantum, for sure. Actually Quantum Key Distribution and the OTP are natural fits, nothing new there. Now, I find it funny how they name Vernon and Claude Shannon in their sentence, as if to try and reinforce their credibility by using their names.

Anyway, they are claiming an improved quantum key distribution algorithm, but their "scientific material" in the appendix is actually mostly an empty, yet abstruse, discussion that could have been generated with SCIgen as far as I am concerned, scattered with claims such as:

Had the signal been classical, this “bending” would have opened unlimited access to the full content of the message for Eva.

Which would be fun, you know, if all it took to crack a message was to bend the optic fibre transporting it... That's why we have cryptographic schemes in the first place: establishing secure communication over insecure channels!

Last but not least:

The innovative breakthrough is that the proposed scheme enables us to transfer the signal encrypted by the unbreakable one-time pads with a tremendous speed comparable to the best rates achieved by Telecommunications

So they are not even doing Quantum Key Distribution any more now? Instead they are sharing the ciphertext using their method, so it's a way to transport information, not a cryptographic scheme? Okay, then we need not worry, just go buy a new "secure" fibre-optic cable and be done with it, right? They are not even consistent, mixing transport layers, communication layers and key distribution within their own material... I can't. Let's stop here, right?

Well, maybe just one last titbit: digging further I landed on their website and couldn't even force myself to read all of their blog posts containing references to music theory and quantum gibberish along with made-up acronyms, as these are typically used by scammers to make themselves look well-read...

I didn't want to say "balderdash" or "poppycock" at first, because it's important we behave ourselves online, right? But their whole story is nothing but a joke and shouldn't be taken seriously in any manner.

This was fun, but let's go back to proper cryptography, shall we?

Lery
  • 7,819
  • 1
  • 27
  • 46
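The one-time pad that Lery's answer discusses, as an added example that is not part of the answer or of Terra Quantum's material: a short Python demonstration (function names mine, sample bytes constructed here) of the perfect-secrecy argument attributed to Shannon, namely that for any ciphertext every equal-length plaintext is explained by exactly one key, together with the one caveat a practitioner must never forget, namely that reusing a pad hands the eavesdropper the XOR of the two messages. The pad must come from a fresh, truly random source each time, which is exactly the job QKD is meant to do.

```python
import os
from itertools import product


def otp_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Vernam one-time pad: bitwise XOR with a key as long as the message."""
    if len(key) != len(plaintext):
        raise ValueError("one-time pad key must be exactly as long as the message")
    return bytes(k ^ p for k, p in zip(key, plaintext))


def otp_decrypt(key: bytes, ciphertext: bytes) -> bytes:
    """XOR is an involution, so decryption is the same operation."""
    return otp_encrypt(key, ciphertext)


def key_that_explains(ciphertext: bytes, candidate_plaintext: bytes) -> bytes:
    """For any ciphertext and any candidate plaintext of the same length there
    is exactly one key turning one into the other: c XOR p."""
    if len(ciphertext) != len(candidate_plaintext):
        raise ValueError("candidate must match the ciphertext length")
    return bytes(c ^ p for c, p in zip(ciphertext, candidate_plaintext))


def all_plaintexts_equally_likely(ciphertext: bytes) -> bool:
    """Exhaustive check for short ciphertexts (256**len candidates): every
    plaintext decrypts from a distinct key, so the ciphertext alone carries no
    information about which plaintext was sent. This is Shannon's argument."""
    n = len(ciphertext)
    keys_seen = set()
    for candidate in product(range(256), repeat=n):
        p = bytes(candidate)
        k = key_that_explains(ciphertext, p)
        if otp_decrypt(k, ciphertext) != p:
            return False
        keys_seen.add(k)
    return len(keys_seen) == 256 ** n


def pad_reuse_leak(c1: bytes, c2: bytes) -> bytes:
    """What an eavesdropper computes when the same pad encrypts two messages:
    c1 XOR c2 == p1 XOR p2, with the key cancelled out entirely."""
    return bytes(a ^ b for a, b in zip(c1, c2))


def fresh_pad(length: int) -> bytes:
    """A pad must be uniformly random and used once; os.urandom stands in here
    for whatever key-distribution channel (QKD or otherwise) supplies it."""
    return os.urandom(length)


if __name__ == "__main__":
    # Constructed sample: same 3-byte pad, two messages.
    pad = fresh_pad(3)
    c1 = otp_encrypt(pad, b"abc")
    c2 = otp_encrypt(pad, b"xyz")
    print("perfect secrecy on a 2-byte ciphertext:", all_plaintexts_equally_likely(c1[:2]))
    print("pad reuse leaks p1 XOR p2:", pad_reuse_leak(c1, c2).hex())
```

The exhaustive check is only feasible for one- or two-byte ciphertexts, but the argument it verifies holds at every length; the leak function is the reason "unbreakable" only applies while the pad is as long as all traffic ever sent under it.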
9

There is also a non-cryptographic alternative. From their site:

[image: the "IP and legal rights" section of their website]

"IP and legal rights" suggests that they are IP savvy. They may be after a patent for an attack algorithm/appliance against symmetric ciphers. Much like Terahash appliances and cell phone interceptors. A patent award requires that the applicant:

  1. Demonstrate aesthetic design or functional utility, depending on whether you're applying for a design patent or a utility patent.

  2. Show novelty compared to existing products, inventions, or designs.

  3. Prove uniqueness and non-obviousness to individuals with ordinary skills in the field of the patent.

  4. Provide a complete explanation of the design or invention, with full details and specific examples.

Their breakthrough may just be around legal interpretations of point 4. If researchers and patent attorneys can describe the operation of the idea with (in)sufficient detail/vagueness to convince USPTO, a patent is granted. That's it. What lawyer can authoritatively evaluate re-linearisation? We see the same mathematical chicanery where svengalis from derivatives markets and hedge funds convince financial regulators that their products are fair and legal. And that opens the funding taps, and can create a monopoly.

The patentable invention does not even have to work in the real world. It's a legal instrument that has only to convince that it may work sometime in the near future. Catalogues are littered with daft unworkable patents, but they're there nevertheless. I like the 2012 "wind turbine on the roof of a car, which charges up batteries within" patent. Err, hang on...

And they did say "even the strongest versions of AES encryption may be decipherable by quantum computers that could be available in a few years from now." Not necessarily clever crypto, but perhaps cleverer legalese.

As commented above, quantum = magic. It probably is snake oil, but the thrust of this answer is that this may be a speculative IP grab based on (some) in-house theorizing and experience. Just imagine if you did patent snake oil. Then two years later a global pharmaceutics company discovers that extracts of snake skin oil can arrest Parkinson's disease? £££s.

AJM
  • 319
  • 4
  • 16
Paul Uszak
  • 15,905
  • 2
  • 32
  • 83
7

Just to add some numbers on the current state-of-the-art methods on these topics:

Tristan Nemoz
  • 275
  • 1
  • 9
3

The hyperbole is jaw-dropping: Advanced Quantum Domination, in the link Mr. Bodewes shared.

Terra Quantum AG is a little low on self-doubt:

Terra Quantum is a deep tech pioneer, developing revolutionary quantum applications to shape the technology of the future. Our international team of experts brings together the best minds from science, academia and industry to address the most fundamental questions of quantum physics and their manifestations in the world around us. We are building quantum technology for a better future, breaking down the barriers between science and industry and laying the foundations of a real quantum tech ecosystem and value chain.

Pardon me, tell that to the Chinese.

Markus Pflitsch, the CEO

It is rare to meet someone whose expertise spans both the scientific and financial sectors, but Markus Pflitsch, co-founder and Chairman of Terra Quantum AG, is an experienced CERN Quantum Physicist, senior financial executive and deep tech entrepreneur.

In these busy days, Valerii Vinokur was just appointed CTO for the U.S., to be based out of Chicago.

Terra Quantum AG, a world-leading European quantum technology company, is pleased to announce Valerii Vinokur as its CTO United States. Based in Chicago, he will oversee the project portfolio, with a particular focus on hardware components, while applying his deep and long-term world-class experience to build out of the intellectual property and patent portfolio. With his strong international footprint in academia and the global scientific community, Valerii will further strengthen Terra Quantum's network with universities and science organizations.

the best minds
world-leading
break down barriers
shape the future
lay foundations
a better future
advanced domination
deep and long-term world-class (as opposed to "short-term world-class")

Their English is hyperbolic, pretentious nonsense. It does not inspire confidence.

Patriot
  • 3,162
  • 3
  • 20
  • 66
2

As a somewhat indirect answer to the question, notice that the company's publication list currently appears to be padded out with papers in cardiology(!), which does not inspire confidence in their reliability.

(Their staff list used to include some people I was familiar with, but they appear to have scaled it down to only the "leadership team", which suggests the previous list may not have been legitimate.)

helloworld
  • 21
  • 2
0

No one bothered to contact NIST about the security of AES, SHA-2, or SHA-3 before rushing to publication with this article.

On the other hand, the Cryptographic Journal of Bloomberg News is a highly-cited technical resource.


To be clear: I am directly accusing Terra Quantum AG of blatantly unethical scientific behavior.

Daniel Apon
  • 115
  • 5