Ask Slashdot: Post-Quantum Asymmetric Key Exchange?
First time accepted submitter LeDopore writes "Quantum computers might be coming. I'd estimate that there's a 10% chance RSA will be useless within 20 years. Whatever the odds, some of the data we send over ssh and ssl today should remain private for a century, and we simply can't guarantee secrecy anymore using the algorithms with which we have become complacent. Are there any alternatives to RSA and ECC that are trustworthy and properly implemented? Why is everyone still happy with SSH and RSA with the specter of a quantum menace lurking just around the corner?"
that isn't vulnerable to Shor's algorithm and get back to us. (Is ECC even vulnerable? I know RSA and Diffie-Hellman are...)
Why is everyone still happy with SSH and RSA with the specter of a quantum menace lurking just around the corner?"
Because the sky isn't falling, chicken little?
One Time Pad.
Without overly snarking, 20 years is too long a time frame to care.
When we get down to 3 years take a "miniscule amount" of $100,000 (in "then dollars") and hire 30 mathematicians/cryptos/NSA types + 1 Slashdot Geek/1 Local Prodigy/2 Hotshots of the month/1 Sales guy/1 admin/1 Hotel Lodging rep and tell them to get cracking for 3 months. Problem solved.
My first Journal Entry ever, in 8 years! http://slashdot.org/journal/365947/aphelion-scifi-fantasy-horror-poetry-webzine
Quantum is still in its infancy, and it still has a lot of Moore's law to catch up on. There are quantum safe (at least so far) cryptomethods, but the danger of untested and poorly understood crypto is larger than the danger of quantum computers to regular crypto.
Last I checked, they're still secure.
There's also security through obscurity. If they don't know the math you're doing, it can be hard for them to analyze its flaws.
Since DRM is based on encryption, devices that break encryption are TPM-circumvention devices. Canada is about to outlaw them as well in proposed Bill C-11 (even in non-infringing situations, and even when the copyright has expired (after hell froze over)).
Get your most closely kept personal thought:
put it in the Word .doc with a password lock.
Stock it deep in the .rar with extraction precluded
by the ludicrous length and the strength of a reputedly
dictionary-attack-proof string of characters
(this, imperative to thwart all the disparagers
of privacy: the NSA and Homeland S).
You better PGP the .rar because so far they ain’t impressed.
You better take the .pgp and print the hex of it out,
scan that into a TIFF. Then, if you seek redoubt
for your data, scramble up the order of the pixels
with a one-time pad that describes the fun time had by the thick-soled-
boot-wearing stomper who danced to produce random
claptrap, all the intervals in between which, set in tandem
with the stomps themselves, begat a seed of math unguessable.
Ain’t no complaint about this cipher that’s redressable!
Best of all, your secret: nothing extant could extract it.
By 2025 a children’s Speak & Spell could crack it.
You can’t hide secrets from the future with math.
You can try, but I bet that in the future they laugh
at the half-assed schemes and algorithms amassed
to enforce cryptographs in the past.
And future people do not give a damn about your shopping,
your Visa number SSL’d to Cherry-Popping
Hot Grampa Action websites that you visit,
nor password-protected partitions, no matter how illicit.
And this, it would seem, is your saving grace:
the amazing haste of people to forget your name, your face,
your litanous* list of indefensible indiscretions.
In fact, the only way that you could pray to make impression
on the era ahead is if, instead of being notable,
you make the data describing you undecodable
for script kiddies sifting in that relic called the internet
(seeking latches on treasure chests that they could wreck in seconds but didn’t yet
get a chance to cue up for disassembly)
to discover and crack the cover like a crème brûlée.
They’ll glance you over, I guess, and then for a bare moment
you’ll persist to exist; almost seems like you’re there, don’t it?
But you’re not. You’re here. Your name will fade as Front’s will,
‘less in the future they don’t know our cryptovariables still.
Now it’s an Enigma machine, a code yelled out at top volume
through a tin can with a thin string, and that ain’t all you
do to broadcast cleartext of your intentions.
Send an email to the government pledging your abstention
from vote fraud this time (next time: can’t promise).
See you don’t get a visit from the department of piranhas.
Be honest; you ain’t hacking those. It’d be too easy,
setting up the next president, pretending that you were through freezing
when you’re nothing but warming up: ‘to do’ list in your diary
(better keep for a long time — and the long time better be tiring
to the distribution of electrical brains
that are guessing every unsalted hash that ever came).
They got alien technology to make the rainbow tables with,
then in an afternoon of glancing at ‘em, secrets don’t resist
the loving coax of the mathematical calculation,
heart of your mystery sent free-fall into palpitations.
Computron will rise up in the dawn, a free agent.
Nobody knows the future now; gonna find out — be patient.
I for one would be interested to understand the grounds of your estimation? In terms of key exchange you could also estimate quantum entanglement may replace the requirement for interceptable information exchanges. If the estimate of the latter is greater than the former then I estimate based on that conjecture we will be fine and broadband is dead :-) Oh and long live time travel at the same time!
The article mentions two ways to overcome the problem of QC breaking traditional cryptography, but IIRC there are three ways:
1. Develop "classical" algorithms that are immune to QC, which is what the article mainly refers to
2. Develop crypto algorithms that require QC to execute with viable performance and would require at least "QC^2" to be broken, which we don't assume to exist (not mentioned by the article)
3. Quantum cryptography, which the article mentions but which is totally different and requires specialized communication hardware (non-switched optical fibers or a similar medium that doesn't interact with the signal at all)
There is no known attack on ECC using quantum computers.
If you assume it might be broken because there is no proof that it's secure, you might assume the same from any other method - there is no known method to prove that some algorithm is _not_ attackable by quantum computers.
(Of course, knowing the "new" slashdot, AC comments are never moderated +1, so noone will read this).
(And, hey, my captcha is 'druggist'...)
This 1978 crypto is supposed to be safe against quantum computers: http://www.technologyreview.com/blog/arxiv/25629/ (if that's the specific angle you're worried about). The downside is the key management because the keys have to be really really long (i.e. 20,000+ characters vs having a memorable password or passphrase that you'd be able to use today).
Why is everyone still happy with SSH and RSA with the specter of a quantum menace lurking just around the corner?
Because the vast majority of us don't need to keep our data secure for the next century... Even for some of the most nefarious uses of crypto, merely lasting long enough to exceed the statute of limitations will suffice, and I'd put that as a serious fringe case.
Personally, I only use encryption for my financial documents and to make myself a more difficult target in the present (whether to identity thieves or the government or to my ISP trying to control my traffic). For the former, I consider basic access control (ie, keep it offline) as the first line of defense, and the encryption as a fallback; for the latter, if it takes even five minutes more effort than merely watching the wire, the crypto has done its job.
Even corporations don't tend to care about a scale longer than five years out (and that, only when they can even see past the next quarter)... Which leaves really only governments caring about how soon someone like Assange can find a way to embarrass the talking heads.
In previous discussions it has been pointed out that not all encryption algorithms are susceptible to quantum computers. If I remember right (I am sure someone has a reference that I don't) it only affects RSA and others that rely on the hardness of factoring discrete logarithms.
Anyway...only reference I can find, from wikipedia (http://en.wikipedia.org/wiki/Quantum_computers#Potential ):
I'm more interested in finding out what kind of data you're protecting that needs to remain private for a century. A century ago, telephones were new and uncommon in homes (a few million phones existed, but no transatlantic lines, there was no dialing -- calls were placed through manual exchanges where a switchboard operator manually connected the callers), there was no TV, there were no commercial radio broadcasts. Electricity to the home was uncommon except to the wealthy in urban areas.
I'd really like to know what kind of information you have that still needs to be a secret in the year 2111 when we'll all be driving fusion powered flying time traveling cars and vacationing in hotels on the Moon and Mars and carrying petabytes of data on our iMicrosoftPods with end-to-end DRM that terminates in a chip implanted in our brains.
Square the number of bits used in your asymmetric keys.
(Tongue in cheek.)
Crack my code bitches!
Quantum entanglement is being studied hard by bright people, who are publishing. I think that the technology is a ways off, and I expect that there are some limitations on entanglement. Being able to collapse 2^2048 super-positions seems a bit preposterous to me. I could be horribly wrong, but I have a feeling that there are going to be limits on how many "entanglements" can be made by a given subatomic particle.
I'm a bit more worried about someone who finally gets a eureka on factoring large numbers. Then the genie is out of the bottle, and no-one knows it. Heck it might already be cracked, and held as a state secret, only makes sense.
What would you do if you had a factoring algorithm that could factor a RSA number as fast as the generator could make them?
What would be the fallout?
I believe that GPG may be your best alternative to look into. If those don't work for you there are the fishes - Blowfish and Twofish.
I wouldn't be surprised if in 20 years we can use a quantum computer to factor a number greater than 100. But that only requires a handful of functioning qubits. It is unlikely that the technology will be that advanced. There are, however, non-factoring-based cryptosystems that are not as of yet known to be vulnerable to quantum computing. Unfortunately, we're a long way from proving that. The claim that there exists an encryption system which is not breakable by a quantum computer is a claim which is much harder than P != NP (you are in fact making a claim that is substantially stronger than NP not being a subset of BQP, which many people aren't even sure they believe). In fact, even the existence of encryption secure against classical computers requires believing claims which imply P != NP. Moreover, if one starts implementing other encryption systems that aren't as widely studied as things like RSA, one opens up the danger that those encryption systems have their own flaws as well.

Also, at a practical level, there's very likely not going to be someone who is going to be recording all your RSS sessions on the off chance that they can decrypt them thirty years down the line. But if you really care then use one variant of elliptic curve cryptography. http://en.wikipedia.org/wiki/Elliptic_curve_cryptography. ECC systems are well-studied and have implementations. The people who study these sorts of things seem to think that ECC is one of the systems that is more likely not to be breakable by quantum systems.
This article should never have been posted. There are no facts to respond to. Linking to a wikipedia article that talks about the possibility of Quantum computing is not a topic for discussion. Where does the estimate of 20 years come from? What will Quantum computing be able to do in this imagined 20 years? How much will it cost?
Unless the submitter can give real answers to the above questions, based on facts and not idle speculation, there's nothing to talk about.
SSH != crypto algorithm.
You should keep in mind that although theoretically there may be efficient quantum algorithms for a variety of problems on which cryptographic schemes are based, in practice, the only one which has been found is factoring. So, yeah, RSA will become toast if we can get the number of qubits in a quantum computer up into the neighborhood of RSA key lengths (1024, 2048, 4096). But, exceedingly few of the other major cryptographic systems rely on factoring being hard. So, for example, Diffie-Hellman or El Gamal (both integer and elliptic curve versions for both) will probably not be appreciably easier to crack. So, there doesn't seem to be any serious reason to be worried about public key cryptography, just RSA. So changes to SSH are pretty straightforward.
As for why people aren't worrying about it, my guess would be that most people don't follow quantum computing, and the few which do may have reason to wonder if we will ever actually reach the 1024 qubit size in a functioning quantum computer. A few years ago, I would've told people not to worry about it because I was following the state of the art and it was around 5 qubits and research had shown that under current models, you needed 9 qubits of output to reliably output 1 normal bit (if my memory is correct). So, we weren't even 0.1% of the way to cracking RSA. These days, the number of qubits is higher, but it's still not clear how long it will be until we can actually functionally factor a 1024 bit number.
Even though current publicly known experimental quantum computing is nowhere near powerful enough to attack real cryptosystems, many cryptographers are researching new algorithms, in case quantum computing becomes a threat in the future.
Did the submitter even read TFA? Everyone is happy with ssh and rsa because they work. People are working on encryption methods for when they don't. Nobody knows what's going to happen in the future but it's not here yet because there are no flying cars.
I double-checked things after I wrote this, and I'm wrong. I didn't realize that Shor's algorithm could be used to solve discrete logarithm problems. So, the ECC versions of things are not affected, but the integer versions of El Gamal and Diffie-Hellman are.
Not really a menace, it will take some effort to implement a quantum cryptographic system. So it will be more than 20 years out. But AES is still good and has a future.
The one thing you have to look at is that it's to prevent tapping into communications in real time. If someone were to get the packets of a VPN tunnel and decrypt them, oh let's say in a few weeks, most likely months or years depending on the equipment, how will that data be relevant?
Chances are, anything that does need to be secured against such threats, already is. Anything that does not, is probably fine with RSA.
Barring gross incompetence.
because most people estimate that the cost of putting in a software or even hardware-based keylogger is cheaper today than quantum computing will be even when it matures. i.e., the powers that be, that need to keep tabs on you, already can keep tabs on you.
Assume hypothetically that every packet of your transmission has been recorded for future decryption when technology has advanced sufficiently.
Can you confirm or deny that your method is safe if, say, quantum or otherwise fast solutions have been discovered that solve both the factorization problem and discrete logarithm problem?
Whatever the odds, some of the data we send over ssh and ssl today should remain private for a century, and we simply can't guarantee secrecy anymore using the algorithms with which we have become complacent.
If I may, I would like to quote the MC Frontalot song, "Secrets From The Future":
You can't hide secrets from the future
with math, you can try, but I'll bet that in the future
they laugh at the half-assed schemes and algorithms
amassed to enforce cryptographs in the past.
The rest of the song does a pretty good job of explaining exactly how absurd the entire concept of keeping data private, long-term (like, say, a century as suggested, or even twenty years when RSA is theorized to fall), entirely using encryption algorithms. Brings up points like how nobody's going to care about things like your shopping habits (as embarrassing as they may be), credit card transactions from cards expired twenty years previous, sensitive SSH streams decades old, etc. And that it's a moot point anyway, as it's impossible to predict technology out that far, so it's more than a bit futile to count on math to protect things on a time scale like that.
Best of all, your secret: nothing extant could extract it
By 2025 a children's Speak & Spell could crack it.
NTRU is probably the most trustworthy and useable post-quantum cryptosystem.
There are several asymmetric protocols with very nice security properties, even against adversaries with quantum computers. My personal favorite is based on the Learning With Errors problem, which is in turn based on some lattice results. Wikipedia has a decent summary, and the original paper is here. The old McEliece cryptosystem might be secure against quantum attack. NTRU is commercialized but its security bounds make me very nervous. There are also systems based on elliptic curve isogenies, but a new quantum algorithm comes somewhat close to breaking them. The main problem with these cryptosystems is that the resulting ciphertexts and signatures tend to be fairly long. RSA produces ciphertexts that are about the same length as the original messages and DSA produces nice, short signatures. ECC protocols are even better, but Shor's algorithm breaks them just as easily as RSA and DSA. The fancy post-quantum protocols, on the other hand, tend to produce large messages that are slow to work with.
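An added toy of the Learning With Errors construction the comment above points to (Regev-style encryption of single bits), written for this thread and not taken from the original page or from any library. The parameters N, M, Q and ERR_BOUND are constructed for illustration and are far too small to be secure; the last function quantifies the ciphertext blow-up the comment mentions, since every plaintext bit costs N+1 numbers mod Q.

```python
import secrets
from typing import List, Tuple

# Constructed toy parameters: far too small to be secure, but chosen so that
# decryption is always correct (see the bound in decrypt_bit).
N = 16          # secret dimension
M = 32          # number of LWE samples published in the public key
Q = 257         # modulus
ERR_BOUND = 1   # each error e_i is drawn uniformly from {-1, 0, 1}

PublicKey = Tuple[List[List[int]], List[int]]   # (A, b): A is M x N, b has M entries
SecretKey = List[int]                           # s has N entries
Ciphertext = Tuple[List[int], int]              # (u, v): u has N entries


def _dot(x: List[int], y: List[int]) -> int:
    return sum(a * b for a, b in zip(x, y)) % Q


def keygen() -> Tuple[PublicKey, SecretKey]:
    """Publish M noisy samples b_i = <a_i, s> + e_i (mod Q); keep s secret.

    Recovering s from (A, b) despite the small errors is the LWE problem.
    """
    s = [secrets.randbelow(Q) for _ in range(N)]
    A = [[secrets.randbelow(Q) for _ in range(N)] for _ in range(M)]
    b = [(_dot(row, s) + secrets.randbelow(2 * ERR_BOUND + 1) - ERR_BOUND) % Q
         for row in A]
    return (A, b), s


def encrypt_bit(pk: PublicKey, bit: int) -> Ciphertext:
    """Sum a random subset of the public samples and hide the bit in v."""
    A, b = pk
    r = [secrets.randbelow(2) for _ in range(M)]          # subset selector
    u = [sum(r[i] * A[i][j] for i in range(M)) % Q for j in range(N)]
    v = (sum(r[i] * b[i] for i in range(M)) + bit * (Q // 2)) % Q
    return u, v


def decrypt_bit(sk: SecretKey, ct: Ciphertext) -> int:
    """v - <u, s> = bit*Q/2 + sum(r_i * e_i) (mod Q); round the error away.

    |sum(r_i * e_i)| <= M * ERR_BOUND = 32 < Q/4, so the bit is never lost.
    """
    u, v = ct
    d = (v - _dot(u, sk)) % Q
    return 1 if min(d, Q - d) > Q // 4 else 0


def encrypt_bytes(pk: PublicKey, data: bytes) -> List[Ciphertext]:
    """One ciphertext per plaintext bit, most significant bit first."""
    return [encrypt_bit(pk, (byte >> k) & 1)
            for byte in data for k in range(7, -1, -1)]


def decrypt_bytes(sk: SecretKey, cts: List[Ciphertext]) -> bytes:
    bits = [decrypt_bit(sk, ct) for ct in cts]
    return bytes(int("".join(map(str, bits[i:i + 8])), 2)
                 for i in range(0, len(bits), 8))


def ciphertext_bits_per_plaintext_bit() -> int:
    """Size cost: N+1 coefficients of bit_length(Q) bits carry a single bit.

    With the toy numbers that is 17 * 9 = 153 ciphertext bits per plaintext
    bit, the kind of expansion the comment contrasts with RSA and ECC.
    """
    return (N + 1) * Q.bit_length()


if __name__ == "__main__":
    pk, sk = keygen()
    print(decrypt_bytes(sk, encrypt_bytes(pk, b"pq")))
    print(ciphertext_bits_per_plaintext_bit(), "ciphertext bits per plaintext bit")
```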
Your only option for keeping data secret for 100 years is to use a one-time pad of really good, truly random data and keep it secure until the instant you no longer need to retrieve the data, then completely destroy it. Once it's completely destroyed, then it's even safe from two guys with blowtorches going to work on your knees. On the other hand, now you don't have anything you can say to save your knees! So it may be a matter of defining priorities for you.
If somebody with massive resources is seriously committed to getting a particular piece of data, they are probably going to be able to get it. Yes, I could save network captures of SSL traffic and decrypt it someday to get some credit card numbers, but it's a whole lot easier just to steal your wallet and it's a whole lot more efficient to run a social engineering scheme on some credit card processor and steal 100,000+ at once.
is a public key system that is resistant to quantum fourier sampling attacks (i.e., attacks of the type Shor discovered). That's not to say it's resistant to quantum mechanical attacks, but that if it is, nobody knows what the attack looks like. http://en.wikipedia.org/wiki/McEliece_cryptosystem http://arxiv.org/abs/1008.2390
Maybe I'm just paranoid, but I pretty much assume that every algorithm that we have now could well be effectively useless in 20 years. And I would never presume to think any of them even has a chance of lasting 100 years, or even close to that.
Computers will get faster. Weaknesses will be found in algorithms. Any number of other things that no one can predict might happen. It would be silly to assume things encrypted today, left untouched, would be safe in 20 years and completely naive to have even a sliver of hope they'd be safe in 100, quantum computers or not.
So called quantum computing does not break the computational complexity barriers, it just shifts them a bit.
What is exponential (like the RSA) remains exponential; we may have to increase the key size a little and that's it.
I think a key argument being lost here is that, while Quantum Computing may tear through current encryption, it will also be responsible for the creation of new and improved cryptography methods. In fact, with quantum factoring, there is a theoretic possibility to create an encryption that is so difficult to break, it could be considered impossible...and it could be done with very basic quantum mathematics (If you can call quantum mathematics basic). As for SSH and RSA, until the "Quantum Menace" actually rounds that corner, these will remain the industry standard for a while. Even once someone creates a quantum computer that is actively breaking encryption, companies will not likely have the technology available to counter this for a while. You can't simply walk into Radio Shack and pick a quantum computer up. All we can hope is that the good guys get it up and running first, and make a solid encryption method that follows.
...For future-proofing, at least. Encryption always tends to be broken (think Enigma), but it's quite effective to combine encryption with, yknow, actually HIDING the stuff:
http://en.wikipedia.org/wiki/Steganography#Digital_steganography
hahaha.
Creating messages that can be decrypted more than one way; one of which is used to the key from a book only known to the actor pretty much solves that.
For the rest of us, I'm not sure when it will become cost effective to implement.
That's what popped into my head as well.
Here is the relevant quote from Bruce Schneier:
A quantum computer will reduce the complexity of an attack by a factor of a square root. So it will effectively halve the keyspace; that's all.
-- Posted by: Bruce Schneier at August 18, 2011 8:34 AM
Nothing at all to worry about. Doubling the key-space quadruples usage effort and is not really a problem.
Why are you sending sensitive data over a network that can ship your packets blithely through any router on the planet?
Encryption? Are you kidding?
The question was about a possibility that someone might record all our communications now, crack it when it's possible - maybe 20 years from now - and the data might still be sensitive at that point.
To fix this, we abandon public/private key entirely.
Instead, your bank, or Facebook, or any entity that you do business with sends you a USB storage stick with 16 GB of random OTP (One Time Pad). This can be sent through postal mail or by secure courier or exchanged in person.
Once you've sent and received 16 GB of data you need to get a new OTP.
There should be no way to break OTP encryption except by having a copy of the OTP or if the OTP was generated by non-random methods, or if the attacker was nearby and could recover most of the OTP random noise during generation. The most likely way to break the OTP would be to attack the client or server computer system to install spyware or to break in physically and make a copy of the OTP.
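The USB-stick scheme in the post above, as an added example that is not part of any comment here: a shared pad consumed strictly left to right, a refusal to encrypt once the pad is exhausted, and what a passive eavesdropper recovers if the same pad bytes are ever reused. The pad length and the messages are constructed sample values.

```python
import secrets
from typing import Tuple


class PadExhausted(Exception):
    """Raised when the shared pad has no unused bytes left for this message."""


def xor_bytes(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("xor_bytes: lengths differ")
    return bytes(x ^ y for x, y in zip(a, b))


class OneTimePad:
    """One party's copy of a shared pad, consumed strictly left to right.

    Both parties hold identical pad bytes (the post's 16 GB USB stick; a
    constructed 64-byte pad stands in for it below). The sender ships the
    cursor offset with every ciphertext so the receiver applies the same
    slice; a pad byte, once used, is never handed out again.
    """

    def __init__(self, pad: bytes) -> None:
        self._pad = pad
        self._cursor = 0

    @property
    def remaining(self) -> int:
        return len(self._pad) - self._cursor

    def encrypt(self, plaintext: bytes) -> Tuple[int, bytes]:
        """Return (offset, ciphertext). The offset travels in the clear."""
        n = len(plaintext)
        if n > self.remaining:
            raise PadExhausted(f"need {n} pad bytes, {self.remaining} unused")
        offset = self._cursor
        self._cursor += n              # burn the bytes before they are used
        return offset, xor_bytes(plaintext, self._pad[offset:offset + n])

    def decrypt(self, offset: int, ciphertext: bytes) -> bytes:
        """Receiver side: XOR with the same slice of the shared pad.

        A production receiver would also record used offsets and reject a
        replayed or overlapping one, for the reason two_time_pad_leak shows.
        """
        key = self._pad[offset:offset + len(ciphertext)]
        if len(key) != len(ciphertext):
            raise PadExhausted("ciphertext runs past the end of the pad")
        return xor_bytes(ciphertext, key)


def two_time_pad_leak(p1: bytes, p2: bytes, key: bytes) -> bytes:
    """What a passive eavesdropper gets if one pad slice encrypts two messages.

    c1 XOR c2 == p1 XOR p2: the pad cancels out and the relationship between
    the plaintexts leaks, which is why a used pad must be discarded and a
    fresh stick obtained rather than reused.
    """
    c1 = xor_bytes(p1, key)
    c2 = xor_bytes(p2, key)
    return xor_bytes(c1, c2)


def fresh_pad(n_bytes: int) -> bytes:
    """Constructed stand-in for the stick's contents.

    secrets.token_bytes draws from the OS CSPRNG; the post asks for truly
    random data, so a real pad would come from a hardware noise source.
    """
    return secrets.token_bytes(n_bytes)


if __name__ == "__main__":
    shared = fresh_pad(64)
    bank, customer = OneTimePad(shared), OneTimePad(shared)
    off, ct = bank.encrypt(b"balance: 1234.56")
    print(customer.decrypt(off, ct), bank.remaining, "bytes of pad left")
```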
I am not worried. Unless there is an unexpected breakthrough there will be no QC able to factorize anything beyond 2^30 in 20 years.
If you've got something so secret that it has to remain secret for a century or more, then you're just going to have to re-encrypt it periodically as requirements change.
Or you can simply rely on the fact that after about 20 years, no one will be able to read the data stored on that USB stick anyway without some seriously ancient, clunky equipment that's so full of tin hairs and accumulated smoke and coffee breath that the error-correcting code slows it to a crawl and prevents even quantum-style brute force in any reasonable time scale.
It's fun to imagine the future, and think that people will value then what you value today, but you're most likely going to be proven wrong. Secrets may very well be of utterly no consequence in a world where everything of consequence is already transparent.
Gee, you guys are getting me all misty eyed for the old slashdot.
Browsing at -1 used to be such fun here, but kudos to Taco he really killed the fun off.
Now I'm going to go drink a bottle of whisky and jerk off my cat.
Speaking as someone who is applying to work in the semiconductor industry, where the company in question fabricates the secure PIN chips that you see embedded on your credit or debit card, it's common knowledge within the industry that the chips are designed to be secure only for a given lifetime (5 years is the highest I know of). Beyond that there is no manufacturer's guarantee of security. So what point am I trying to make?
That the goal of cryptography isn't to try to design THE MOST SECURE SYSTEM EVER, then start worrying when it fails. Accept that at some point IT WILL FAIL. Instead the goal is to always be actively researching new ideas and to stay one step ahead of the competition (hackers) trying to thwart your system.
For people working on the secure systems that matter, whatever "LeDopore" writes about has already been discussed and analyzed many, many years ago. The reason we are still happy with SSL/RSA and such is that they are still (relatively) secure for the time being, and slowly they will be phased out and replaced as they reach their end-of-life. No need to fear-monger or worry :)
Perhaps I'm looking at this rather simply... but I thought it's easy enough TODAY to build a computer with 2048 GPU threads... wouldn't this be much easier?
The reason quantum computing is so powerful is that this device effectively has zero wait state. The changes to the entangled bit are instant, faster even than the speed of light. What this means is that a quantum computer would instantly solve any problem that has an answer. That makes even the simplest quantum computer more powerful than all the other computers on earth put together.
Things that seem impossible now will be reality soon. The intelligence singularity is upon us.
From wikipedia:
"NTRU is an asymmetric (public/private key) cryptosystem. It has two characteristics that make it interesting as an alternative to RSA and Elliptic Curve Cryptography; speed and quantum computing resistance. There are two NTRU based algorithms: NTRUEncrypt and NTRUSign.
Because it is based on different mathematics (lattice-based cryptography) from RSA and ECC, the NTRU algorithm has different cryptographic properties. At comparable cryptographic strength, NTRU performs costly private key operations much much faster than RSA. In addition, NTRU's comparative performance increases with the level of security required. As key sizes increase by n, RSA's operations/second decrease at n^3 whereas NTRU's decrease at n^2."
open source java implementation of ntru:
http://ntru.sourceforge.net/
Cyassl - an openssl replacement that supports ntru
http://freecode.com/projects/cyassl
This might be of interest:
http://middleware.internet2.edu/idtrust/2009/papers/07-perlner-quantum.pdf
The McEliece cryptosystem is a strong candidate for post quantum cryptography.
It has been shown to resist the quantum attacks that break the security of most standard asymmetric key exchange protocols.
Link: http://en.wikipedia.org/wiki/McEliece_cryptosystem,
http://arxiv.org/abs/1008.2390
Consider the rate at which mankind is currently generating and spreading basically useless data that at some stage happens to get encrypted. How much more data will there be in say 20 years?
I think it's naive to imagine that of all that data, some unknown man-in-the-middle is gonna capture and waste say 20 years of storage on one of your ssh streams or whatever, until the power to brute-force decrypt it is reasonably available, just on the off-chance that it may contain something still useful by then.
ECC is still the discrete logarithm problem, just applied to a group other than integers mod another integer.
IIRC all the public key systems fall to quantum computers. The only known way around this problem is algorithms that require quantum computers. So the replacement becomes available at the same time the present methods fail and not sooner.
Nice reply.
The theme I am grasping at though is that "100 years is overkill soon". Even 50 is something fierce, like when these blog posts surface with stuff from 1962 we're like "oh cool" not "OMG our country is doomed!".
I know I know, since 1981 we're saying "It's a Fast Paced World" but it really wasn't, sorta. It's the fresh new Wikileaks-Anonymous effect, which is arising in response to authority abuses. It's like one of those xkcd's, paraphrased, "what use is it encrypting for 20 years when you can just have a hooker get the key?" Then twelve days later it's all over the net forever. Even in bad old security breaches that never happened.
Heh those aren't hired, those are "development accessories!"
And to an AC earlier, yes, I was sorta snide in my currency amount, it was a joke that everyone works cheap lately, so maybe that's cheap beer and cheap hookers.
Perhaps it explains why intelligent life hasn't been detected in the Universe. First they develop Telnet then they come to their senses and develop SSH - a bit in line with Stephen Hawking's idea that the recipients of an encounter with an alien civilization might wish they weren't... and would do better to actively "hide" or make their communications hard to decode.
Quantum entanglement also brings to mind, if it can be done in a laboratory, shouldn't it be possible in nature. And if that is so perhaps there are bits of quantum entangled matter all over the Cosmos. Perhaps it is so common that it's rarer to find matter that isn't quantum entangled nearby. Wouldn't it be cool to work out the approximate location of a bit of quantum entangled matter a long ways away and use it for communications.. like a wormhole.. only not a wormhole. The best delivery agent I could think of on a very large scale would be the jet firing out of a black hole, neutron star, or some other stellar event. But it's all pure science fiction speculation right now.. hmm a Quantum "telescope".
What happens to the legal system if digital signatures become untrusted? I might not own my house in 20 years because the "papers" were signed with a digital signature?
Note that digital signature is a norm in my country and is used extensively.
Screw your shitty, generic pop music.
I only listen to Post-Quantum.
You probably haven't heard of it.
There is no credible evidence anyone has the faintest idea how to build a scalable QC.
No one can currently credibly approach the question of whether it is possible such a computer could exist.
If the question is how one can develop a strategy to deal with an unknowable future, one half-answer is crypto agility; however, this will not protect prior communications.
A better ancient solution is to exchange a few gigs of quality thermal noise with your pals. Enough OTP for years of text and voice conversations. No quantum computer, genius or three letter agency EVER stands any hope of breaking that.
Obviously preventing a TLA from breaking you and your pals is a much harder problem to solve than keeping your secrets safe on an unfriendly wire.
If you're asking about key exchange specifically, then there's quantum key distribution, which is equivalent to a one-time-pad. It relies on an initial shared secret, but once the key has been exchanged, it can be proven whether it's been eavesdropped, so this is not as much of a problem as it sounds. http://en.wikipedia.org/wiki/Quantum_cryptography#Quantum_key_distribution
Out of interest: are there, presumably theoretical, estimates, just how long it would take a quantum computer to crack RSA and the like? Would this be an instantaneous thing, would it take minutes, days, weeks?
Inquiring mind wants to know...
Even so, I think the 20-year estimate is way too optimistic... but for what it's worth, lattice-based algorithms don't have known quantum computer attacks and Shor's algorithm would not work for them.
http://xkcd.com/538/ (and be sure to read the alt tag)
http://xkcd.com/538/
What use is a 20" steel door if the wall is made of styrofoam? There are much easier ways to get to the goods than to break encryption. Breaking legs, keyloggers, whathaveyou.
quantum computing is just around the corner? what a joke! :D