Slashdot Mirror


Ask Slashdot: Post-Quantum Asymmetric Key Exchange?

First time accepted submitter LeDopore writes "Quantum computers might be coming. I'd estimate that there's a 10% chance RSA will be useless within 20 years. Whatever the odds, some of the data we send over ssh and ssl today should remain private for a century, and we simply can't guarantee secrecy anymore using the algorithms with which we have become complacent. Are there any alternatives to RSA and ECC that are trustworthy and properly implemented? Why is everyone still happy with SSH and RSA with the specter of a quantum menace lurking just around the corner?"

8 of 262 comments

  1. Oblig. by MachDelta · Score: 2, Insightful

    Get your most closely kept personal thought:
    put it in the Word .doc with a password lock.
    Stock it deep in the .rar with extraction precluded
    by the ludicrous length and the strength of a reputedly
    dictionary-attack-proof string of characters
    (this, imperative to thwart all the disparagers
    of privacy: the NSA and Homeland S).
    You better PGP the .rar because so far they ain’t impressed.
    You better take the .pgp and print the hex of it out,
    scan that into a TIFF. Then, if you seek redoubt
    for your data, scramble up the order of the pixels
    with a one-time pad that describes the fun time had by the thick-soled-
    boot-wearing stomper who danced to produce random
    claptrap, all the intervals in between which, set in tandem
    with the stomps themselves, begat a seed of math unguessable.
    Ain’t no complaint about this cipher that’s redressable!
    Best of all, your secret: nothing extant could extract it.
    By 2025 a children’s Speak & Spell could crack it.

    You can’t hide secrets from the future with math.
    You can try, but I bet that in the future they laugh
    at the half-assed schemes and algorithms amassed
    to enforce cryptographs in the past.

    And future people do not give a damn about your shopping,
    your Visa number SSL’d to Cherry-Popping
    Hot Grampa Action websites that you visit,
    nor password-protected partitions, no matter how illicit.
    And this, it would seem, is your saving grace:
    the amazing haste of people to forget your name, your face,
    your litanous* list of indefensible indiscretions.
    In fact, the only way that you could pray to make impression
    on the era ahead is if, instead of being notable,
    you make the data describing you undecodable
    for script kiddies sifting in that relic called the internet
    (seeking latches on treasure chests that they could wreck in seconds but didn’t yet
    get a chance to cue up for disassembly)
    to discover and crack the cover like a crème brûlée.
    They’ll glance you over, I guess, and then for a bare moment
    you’ll persist to exist; almost seems like you’re there, don’t it?
    But you’re not. You’re here. Your name will fade as Front’s will,
    ‘less in the future they don’t know our cryptovariables still.

    Now it’s an Enigma machine, a code yelled out at top volume
    through a tin can with a thin string, and that ain’t all you
    do to broadcast cleartext of your intentions.
    Send an email to the government pledging your abstention
    from vote fraud this time (next time: can’t promise).
    See you don’t get a visit from the department of piranhas.
    Be honest; you ain’t hacking those. It’d be too easy,
    setting up the next president, pretending that you were through freezing
    when you’re nothing but warming up: ‘to do’ list in your diary
    (better keep for a long time — and the long time better be tiring
    to the distribution of electrical brains
    that are guessing every unsalted hash that ever came).
    They got alien technology to make the rainbow tables with,
    then in an afternoon of glancing at ‘em, secrets don’t resist
    the loving coax of the mathematical calculation,
    heart of your mystery sent free-fall into palpitations.
    Computron will rise up in the dawn, a free agent.
    Nobody knows the future now; gonna find out — be patient.

  2. Non-issue to 99.9% of us by pla · Score: 4, Insightful

    Why is everyone still happy with SSH and RSA with the specter of a quantum menace lurking just around the corner?

    Because the vast majority of us don't need to keep our data secure for the next century... Even for some of the most nefarious uses of crypto, merely lasting long enough to exceed the statute of limitations will suffice, and I'd put that as a serious fringe case.

    Personally, I only use encryption for my financial documents and to make myself a more difficult target in the present (whether to identity thieves or the government or to my ISP trying to control my traffic). For the former, I consider basic access control (i.e., keep it offline) as the first line of defense, and the encryption as a fallback; for the latter, if it takes even five minutes more effort than merely watching the wire, the crypto has done its job.

    Even corporations don't tend to care about a scale longer than five years out (and that, only when they can even see past the next quarter)... Which leaves really only governments caring about how soon someone like Assange can find a way to embarrass the talking heads.

  3. Re:One Time Pads by Desler · Score: 3, Insightful

    To elaborate, asymmetric key exchange involves passing a key in the clear to set up the secure channel. How does a one-time pad help you securely exchange that key in the clear? Or did you just make your idiotic post hoping to get modded up for trying to sound smarter than you are?

  4. Re:Vulnerable in 20 years by Waffle+Iron · Score: 5, Insightful

    Well, the person is an idiot. His estimation of 20 years is laughably naive.

    My response to this statement is a quantum superposition of two thoughts:

    A. I agree. A 20 year estimate is ludicrous. It's far too much time.

    B. I agree. A 20 year estimate is ridiculous. It's far too short.

  5. Re:Sky isn't falling by hawguy · Score: 4, Insightful

    Why is everyone still happy with SSH and RSA with the specter of a quantum menace lurking just around the corner?

    Because the sky isn't falling, chicken little?

    I use SSH to keep someone from snooping my password, or hijacking my session to take over my servers.

    I'm not so worried that someone is recording all of my SSH streams for future use in the hope that Quantum Computing becomes a reality and they can decode the stream and see that I typed "sudo service apache2 restart".

  6. Things to keep in mind. by KeithIrwin · Score: 4, Insightful

    You should keep in mind that although theoretically there may be efficient quantum algorithms for a variety of problems on which cryptographic schemes are based, in practice, the only one which has been found is factoring. So, yeah, RSA will become toast if we can get the number of qubits in a quantum computer up into the neighborhood of RSA key lengths (1024, 2048, 4096). But, exceedingly few of the other major cryptographic systems rely on factoring being hard. So, for example, Diffie-Hellman or ElGamal (both integer and elliptic curve versions for both) will probably not be appreciably easier to crack. So, there doesn't seem to be any serious reason to be worried about public key cryptography, just RSA. So changes to SSH are pretty straightforward.

    As for why people aren't worrying about it, my guess would be that most people don't follow quantum computing, and the few who do may have reason to wonder if we will ever actually reach the 1024 qubit size in a functioning quantum computer. A few years ago, I would've told people not to worry about it because I was following the state of the art and it was around 5 qubits and research had shown that under current models, you needed 9 qubits of output to reliably output 1 normal bit (if my memory is correct). So, we weren't even 0.1% of the way to cracking RSA. These days, the number of qubits is higher, but it's still not clear how long it will be until we can actually functionally factor a 1024 bit number.

  7. probably by superwiz · Score: 5, Insightful

    because most people estimate that the cost of putting in a software- or even hardware-based keylogger is cheaper today than quantum computing will be even when it matures. i.e., the powers that be, that need to keep tabs on you, already can keep tabs on you.

    --
    Any guest worker system is indistinguishable from indentured servitude.

  8. Re:Sky isn't falling by hawguy · Score: 5, Insightful

    I don't think the attacker is so much interested in the "sudo service apache2 restart" command but rather the response to the password prompt immediately following...

    If he can break the RSA key exchange to get to the symmetric key encrypting my session, he can already log in as me; he doesn't need the password. But unless he gets his quantum computer within the next 90 days, I'll have already changed the password.
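The mechanism comments 3, 6 and 8 argue about, as an added example that is not part of the thread and is not real SSH or TLS code: a client encrypts a fresh session key to the server's RSA public key and then uses that key for a stream cipher, an eavesdropper records both the handshake and the encrypted session, and whoever can later factor the modulus recovers the session key and reads the recording. The modulus here is a toy of about 40 bits so that trial division can stand in for a future factoring machine; the primes, the SHA-256 counter-mode stream cipher and the sample transcript (including the password line) are all constructed for the example. One caveat a practitioner should keep in mind: Shor's algorithm solves the discrete logarithm problem as well as factoring, so a recorded Diffie-Hellman or ECDH handshake is exposed in the same way; RSA key transport is used below only because it is the simplest to model.

```python
"""
Toy RSA key transport, recorded from the wire today and broken later.

The attacker sees only the server's public key and the recorded bytes.
Factoring is simulated with trial division on a ~40-bit modulus, standing
in for a quantum factoring algorithm on a real 2048-bit one.
"""
import hashlib
import secrets
from math import gcd, isqrt

# Constructed toy primes (~20 bits each); real RSA primes are ~1024 bits.
TOY_P, TOY_Q = 999983, 1000003


def rsa_keygen(p=TOY_P, q=TOY_Q, e=65537):
    """Textbook RSA: return ((n, e), (n, d))."""
    n, phi = p * q, (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e is not invertible modulo phi(n)")
    d = pow(e, -1, phi)
    return (n, e), (n, d)


def keystream(key, length):
    """SHA-256 in counter mode, used here as a toy stream cipher."""
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def client_session(server_pub, plaintext, session_key=None):
    """Client side of the handshake plus the encrypted session.

    Returns exactly what a passive eavesdropper records:
    (RSA-encrypted session key, stream-cipher ciphertext).
    """
    n, e = server_pub
    if session_key is None:
        # 32-bit key so the integer is below the toy modulus; a real
        # premaster secret is far larger, the mechanism is identical.
        session_key = secrets.token_bytes(4)
    k = int.from_bytes(session_key, "big")
    assert k < n
    encrypted_key = pow(k, e, n)
    ciphertext = xor_bytes(plaintext, keystream(session_key, len(plaintext)))
    return encrypted_key, ciphertext


def server_decrypt(server_priv, recording):
    """Server side: recover the session key with d, then the traffic."""
    n, d = server_priv
    encrypted_key, ciphertext = recording
    session_key = pow(encrypted_key, d, n).to_bytes(4, "big")
    return xor_bytes(ciphertext, keystream(session_key, len(ciphertext)))


def factor(n):
    """Trial division; stands in for Shor's algorithm on the toy modulus."""
    if n % 2 == 0:
        return 2, n // 2
    for p in range(3, isqrt(n) + 1, 2):
        if n % p == 0:
            return p, n // p
    raise ValueError("no nontrivial factor found")


def attacker_decrypt(server_pub, recording):
    """Attacker: factor n, derive d from the public e, replay the server."""
    n, e = server_pub
    p, q = factor(n)
    d = pow(e, -1, (p - 1) * (q - 1))
    return server_decrypt((n, d), recording)


# Constructed transcript echoing the thread's example; the password is fake.
SAMPLE_SESSION = (
    b"sudo service apache2 restart\n"
    b"[sudo] password for admin: correct-horse-battery\n"
)


def demo():
    """Record a session today, then break it 'later' with the public key only."""
    pub, priv = rsa_keygen()
    recording = client_session(pub, SAMPLE_SESSION)   # what the wiretap stored
    assert server_decrypt(priv, recording) == SAMPLE_SESSION
    return attacker_decrypt(pub, recording)           # no private key used


if __name__ == "__main__":
    print(demo().decode())
```

Running the file prints the recovered transcript, password line included. The point is not the toy arithmetic but the order of events: the recording is made while the key is still unbreakable, and the attacker never needs the server's private key or a live session, only the public key and patience. Changing the password after the fact, as the last comment notes, limits the damage from the password but does not un-record the session.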