Slashdot Mirror


Google Is Working To Safeguard Chrome From Quantum Computers (theverge.com)

Quantum computing could one day be used to retroactively break any communications that were encrypted with today's standard encryption algorithms. Google recognizes this and is acting to prevent it. Today, it announced that it has begun to deploy a new type of cryptography called the New Hope algorithm in its Chrome Canary browser, designed to prevent such decryption attacks. From a report on The Verge: Although quantum computers of this variety are only small and experimental at this stage, Google is taking precautions for the worst case scenario. "While they will, no doubt, be of huge benefit in some areas of study, some of the problems that they [quantum computers] are effective at solving are the ones that we use to secure digital communications," writes Matt Braithwaite, a Google software engineer, in a blog post. "Specifically, if large quantum computers can be built then they may be able to break the asymmetric cryptographic primitives that are currently used in TLS, the security protocol behind HTTPS." In other words, quantum computers could undermine the security of the entire internet. Quantum computers promise computational power far exceeding today's standards by taking advantage of the underpinning physics discipline. So the presence of a hypothetical future quantum computer, Braithwaite adds, puts at risk any and all encrypted internet communication past or present. It's unclear how secure New Hope (PDF) will prove to be for Chrome, and Braithwaite admits it could be less secure than its existing encryption. But Google says New Hope -- developed by researchers Erdem Alkim, Leo Ducas, Thomas Poppelmann and Peter Schwabe -- was the most promising of all post-quantum key-exchange software it looked into last year.

65 comments

  1. Quantum still around...? by __aaclcg7560 · · Score: 1, Funny

    I wouldn't buy Quantum Bigfoot hard drives back in the day. I'm sure as hell not buying a Quantum computer any time soon.

    1. Re: Quantum still around...? by WarJolt · · Score: 1

      I'd only buy one if it fit in a 5.25-inch bay.

    2. Re: Quantum still around...? by __aaclcg7560 · · Score: 1

      > I'd only buy one if it fit in a 5.25-inch bay.

      I used to find Bigfoot drives in Compaq systems. The last 5.25" hard drive I owned was a 20MB RLL for an IBM AT.

    3. Re: Quantum still around...? by RuffMasterD · · Score: 1

      They did fit into a 5.25 inch bay. Mine was 1.2GB! One of the most attractive designs I have ever seen in a HD. Also the only HD I had that spectacularly failed. I seem to remember at the time they had a reputation for failing. Maybe something to do with the platter size, and the reason we don't have 5.25 inch HDs anymore.

      --
      Human Rights, Article 12: Freedom from Interference with Privacy, Family, Home and Correspondence

  2. security of the Internet? by DogDude · · Score: 2, Insightful

    "security of the entire internet."

    The author of this nugget doesn't know, apparently, that the Internet was never designed to be secure, and any attempt to make it so will inevitably fail. The Internet was designed to facilitate the OPEN exchange of information.

    --
    I don't respond to AC's.

    1. Re:security of the Internet? by Anonymous Coward · · Score: 1

      What defeatist nonsense. In your world, no one should even try to encrypt communications or study the math behind it, because DogDude on slashdot says the Internet wasn't designed for security. Shut the fuck up.

    2. Re:security of the Internet? by Anonymous Coward · · Score: 1

      192.168.0.1

    3. Re:security of the Internet? by umghhh · · Score: 1

      this may or may not be. 127.0.0.1 is more likely to be there.

    4. Re:security of the Internet? by sexconker · · Score: 1

      It's not defeatist, it's correct. A secure line needs to be physically secured and controlled and carry traffic directly from A to B only. This is unfeasible to do on the scale of the internet. So we rely on encryption and hope that it keeps things private enough for long enough. It does not make the connection "secure".

    5. Re:security of the Internet? by LichtSpektren · · Score: 3, Informative

      > "security of the entire internet." The author of this nugget doesn't know, apparently, that the Internet was never designed to be secure, and any attempt to make it so will inevitably fail. The Internet was designed to facilitate the OPEN exchange of information.

      Who cares about the security of the Internet per se? Peek and tamper with the tunnels as much as you want; so long as the data is encrypted and signed, it makes no difference.

    6. Re:security of the Internet? by Anonymous Coward · · Score: 3, Informative

      > A secure line needs to be physically secured and controlled and carry traffic directly from A to B only.

      Nonsense. The entire point of modern public key cryptosystems is to allow secure communication over non-secure links. This secure channel can even be established without private key exchange - hence the name.

    7. Re:security of the Internet? by DogDude · · Score: 0

      The thing is that encryption is just some bolted-on technique to make something that is inherently insecure, secure. I doubt it'll ever be completely effective. To have a "secure Internet" would require starting from scratch.

      --
      I don't respond to AC's.

    8. Re:security of the Internet? by Anonymous Coward · · Score: 0

      Okay, so you're arguing over what secure means? Do you agree with what the original poster is saying, that all attempts (like encryption, which is the subject of this article) to make the internet secure will fail?

    9. Re:security of the Internet? by Anonymous Coward · · Score: 0

      In fact that is the only practical way to go about it. It is very difficult to establish whether a given point to point channel is secure, so you must assume insecurity, and establish a secure channel on top of it.

      Fortunately, mathematics allows this.

    10. Re:security of the Internet? by skids · · Score: 1

      I could see an argument to the point that calling a medium that can be DoS'd "secure" does not meet muster if you consider reliability part of "security."

      But for common use cases "secure" just means AAA, integrity, and confidentiality are protected, and modern crypto suites guarantee this against all known non-quantum attack mechanisms, and the new stuff rolling out is a first shot at killing all known quantum-computing-based mechanisms. For any use case where the security only needs to last a couple of decades, the state of the art, if not the state of the installed base, is doing pretty well.

      Science-wise, there's a good chance quantum encryption will develop faster than quantum computing as well, which will render it possible to transmit across untrusted nodes without breaking these security guarantees on a raw physics level. Economically, though, the case for wide-scale deployment will be weaker probably than it will with quantum computing capabilities -- basically, the financial sector will likely be the only ones willing to pay for it.

    11. Re:security of the Internet? by NatasRevol · · Score: 1

      Also, 169.254.0.0/16 and/or fe80::/10

      --
      There are two types of people in the world: Those who crave closure

    12. Re:security of the Internet? by Plus1Entropy · · Score: 1

      > encryption is just some bolted-on technique

      I'm not trying to be an asshole, but this statement shows that you need to learn a lot more about cryptography. It has nothing to do with the medium. Mathematical operations are performed on the data. There is even the concept of perfect secrecy, which has been mathematically proven. The channel can be as insecure as you like, you could shout the ciphertext from the rooftops, it doesn't matter.

      Haven't you ever heard of numbers stations?

      --
      Only crack the nuts that crack. You don't put the ones that don't crack in the sack.

  3. post-quantum by Anonymous Coward · · Score: 2, Funny

    Post-Quantum cryptography, but still can't give us an option to disable middle click scrolling on Windows.

  4. Holy by Anonymous Coward · · Score: 0

    >So the presence of a hypothetical future quantum computer, Braithwaite adds, puts at risk any and all encrypted internet communication past or present. It's unclear how secure New Hope (PDF) will prove to be for Chrome, and Braithwaite admits it could be less secure than its existing encryption.

    Braithwaite is really pushing their wristwatches hard. That is some serious marketing.

  5. fox guarding the chicken coop by TheGratefulNet · · Score: 2, Insightful

    somehow, I don't fully trust google to safeguard ANY privacy.

    I know they have the financial ability to do major work like this, but their results are 100% untrustable, given WHO they are and WHAT they do.

    damn. we could use a good ally on the freedom trail; but google will NEVER be it.

    --
    "It is now safe to switch off your computer."

    1. Re:fox guarding the chicken coop by Anonymous Coward · · Score: 0

      your data is OUR data and NOBODY is going to get it except US....... and besides, TLAs have their own door to get in anyway

    2. Re:fox guarding the chicken coop by LichtSpektren · · Score: 2

      > somehow, I don't fully trust google to safeguard ANY privacy.
      >
      > I know they have the financial ability to do major work like this, but their results are 100% untrustable, given WHO they are and WHAT they do.
      >
      > damn. we could use a good ally on the freedom trail; but google will NEVER be it.

      You're not wrong, but Google's cash cow is that they are the exclusive broker of your personal information to advertisers. So it's in their best interest to keep their services secure, because (a) they don't want you going to some other service that's more secure, (b) they don't want your personal info leaking to somebody else [since its sole value to Google is that they hold it exclusively].

    3. Re:fox guarding the chicken coop by fuzzyfuzzyfungus · · Score: 1

      It's really worth keeping a precise distinction in mind when talking about Google and privacy:

      Google is clearly hell-bent on being as much of an Orwellian data overlord as possible; so trusting them to design products in such a way that they don't tend to leak data to Google during the course of routine use is foolish.

      However, Google's approach to gathering alarming amounts of data is usually to make themselves attractive enough that they get invited into the system (e.g. gmail, google voice, 'free' google analytics for website operators, 'benevolently' hosting common javascript libraries so that you can save yourself bandwidth at the minor cost of inserting Google into every page load, that sort of thing). They get the target to 'agree' (certainly they'll exploit ignorance and product tie-ins to do this; they are hardly committed to some idealistic vision of contracts between fully informed equals) rather than compromising the target's security and malwareing the data out. Presumably this is both because that would probably open them to legal exposure, and because an "insecurity and hacks" data collection mechanism would open the field to Google competitors who would do none of the work but get the same data just by compromising the system.

      Because of this, Google actually tends to be pretty respectable in terms of design and implementation; sometimes even notably superior, in terms of quality of implementation and resistance to unauthorized 3rd parties. Chrome routinely scores very well in browser security comparisons, ChromeOS is also quite solid, Android usually doesn't turn into a dumpster fire until 3rd parties get involved, Gmail is better than an alarming number of sites about support for 2-factor authentication, and so on. It's just that all their products and services are designed to put them 'in the loop' by default and if you want everything to work smoothly, so that they have no need to compromise the system, because they are a trusted part of it.

      If given the choice between a design where there is no need for anything to talk to the mothership and a design that relies on a Google account and being logged into Chrome and so on; they'll choose the latter every time; but when they set out to keep unauthorized parties out; they usually mean it, though they work to ensure that they are not 'unauthorized parties' in as many real world use cases as they can.

    4. Re:fox guarding the chicken coop by TheGratefulNet · · Score: 0

      google is careless and irresponsible.

      I will point to a bug in the VPN code that is marked wontfix and has been for 2 years now, on android 4.x. I can't (won't) run 5.x on my phone and I really would like to be able to run VPNs on mobile, yet google just won't fix the bug and instead tells you to 'upgrade to a new os', which has issues of its own (other things break when I try 5.x).

      sorry, but google has lost my confidence in doing quality work. way too large of a company, hires too many 'children' wet behind the ears, it's the 'short attention span' company of the century and their motives are questionable at best. ties to the NSA don't help, either.

      zero confidence. we are the product. therefore, zero confidence.

      --
      "It is now safe to switch off your computer."

  6. A New Hope? by R3d+M3rcury · · Score: 1

    > [...] a new type of cryptography called the New Hope algorithm [...]

    Maybe it's just me, but I have some reservations using an encryption technology with the word "Hope" in the name--as in, "We really hope this works." It's kind of like PGP, "Pretty Good Privacy." It's not great, but it's pretty good.

    Granted, what's in a name? Take the same encryption and call it "Anti-Quantum Encryption" and I'd probably be on board.

    1. Re:A New Hope? by jfdavis668 · · Score: 1

      Just like Star Wars Episode IV

    2. Re:A New Hope? by Megahard · · Score: 5, Funny

      That's because they are trying to fight The Quantum Menace.

      --
      I eat only the real part of complex carbohydrates.

  7. next protection against God? by sittingnut · · Score: 0

    never mind quantum computers, shouldn't almighty goog start working on protecting itself, and its zombies, against omniscient God too?

    after all, unencrypted communications from goog will indicate its pledge to 'do no evil' was a fat evil lie? especially communications between bloody scum like jared cohen, eric schmidt, ilk, with hillary/kerry run state department. plotting murderous regime change in syria by helping 'rebels' (i.e. in reality al nusra and isis).

    1. Re:next protection against God? by umghhh · · Score: 1

      What US government did support regime changes that resulted in major bloodshed? Was there one?

  8. Wha--? by Anonymous Coward · · Score: 3, Insightful

    Why do you feel the need to keep repeating this? Do you think doing so will suddenly make it true?

    Ever hear of cryptography? Ever hear of IPSec, for example, not to mention the numerous protocols- TLS, PGP, SSH, the Signal protocol, etc. etc. etc.? What about the underlying nature of "the Internet" are you saying makes security layers on top of it "inevitably fail?"

    1. Re:Wha--? by sexconker · · Score: 0, Flamebait

      The nature of the internet is such that communications are routed over lines you physically don't control.
      That is insecure on two fronts.

      You neither have control over the pipe nor what the router at the end of it does.

      A secure communications network requires physical control over the transmission medium and a direct connection for each path. No dynamic routing. Switching may be used if you control and verify each switch and guarantee a single, direct, unshared path each time you communicate.

      Phones used to be switched this way - there was a physical switch board and you would get a direct connection to the person on the other end. Of course, you had to trust the physical line and the operator. Phones quickly started sharing lines, though, because it was simply impossible to have 1 line for each call during times of heavy use. (You'd get the ol' "All lines are busy at the moment.")

      But the concept of a hard line or a secure line still persists today.

      Layering encryption on top of an unsecured line that is dynamically routed/switched and co-mingles signals from others doesn't make the internet a secure communication medium.

      Secure enough for most things, yes. Until that encryption is broken or the implementation has back doors built into it or flaws discovered.

    2. Re:Wha--? by LichtSpektren · · Score: 2

      > Secure enough for most things, yes. Until that encryption is broken or the implementation has back doors built into it or flaws discovered.

      Yeah, alright, but by that logic, nothing is really secure, because it's only secure *until* some vulnerability is found.

      When people talk about "security," they don't mean some Platonic Form that signifies some absolute and eternal protection in all cases. Practically, however, the best modern forms of encryption are reasonably secure enough that you can rely on them, more so than any kind of physical lock-box.

    3. Re:Wha--? by Dutch+Gun · · Score: 2

      > Layering encryption on top of an unsecured line and that is dynamically routed/switched and co-mingles signals from others doesn't make the internet a secure communication medium.

      I think perhaps you're conflating the transportation mechanism with the content itself. The internet was *designed* to layer different content and protocols on top of simple, insecure, and even *unreliable* transport protocols.

      If you're talking about remaining anonymous on the internet, no, we don't yet have a reliable way to do that, because ultimately you need to give someone your IP address to receive content back. If you're talking about securing content transmitted over the internet, then yes, we absolutely have a reliable way to do that - so far as we know.

      > You neither have control over the pipe nor what the router at the end of it does.

      And that doesn't matter at all. I'm perfectly happy to blast my encrypted traffic over the internet or even over the air where anyone can listen to it, because all they'll hear is the initial handshake followed by a whole lot of pseudo-random noise. It sounds like you're saying that you believe you need a secure, dedicated line to secure your traffic. If so, either this means you don't understand how modern encryption works, or you're trying to play the cool pessimist by saying "well, someone could find a flaw" (which is like claiming airline travel is not safe because airplanes occasionally crash). No decent encryption scheme should rely on a secure transportation mechanism, because that's more or less impossible... or at least impractical... with today's technology.

      Security isn't a black and white issue, because you can never actually prove something is secure. It's about degrees of confidence that can only be established over time and lots of cryptographers and researchers trying to break said security. At the moment, we have a pretty high degree of confidence in TLS, because we haven't yet seen a single example of anyone breaking it. Unless you think all the government complaining about the internet "going dark" is a false flag operation, that's a pretty good indicator that no one has been able to break modern encryption methods.

      --
      Irony: Agile development has too much inertia to be abandoned now.

  9. Retroactive by Anonymous Coward · · Score: 0

    I'm not a security expert, but being able to retroactively break everything encrypted using quantum computing is why I think peer-to-peer file storage of personal documents is a non-starter. Sure it's secure today, but someday all your bits will be visible to the world.

  10. Break TLS? Isn't it already broken? by Anonymous Coward · · Score: 0

    Break TLS? Isn't it already broken?

    1. Re:Break TLS? Isn't it already broken? by fuzzyfuzzyfungus · · Score: 1

      I'm not anything approaching a cryptanalyst; but my understanding is that TLS has been 'broken' at various times because of either implementation flaws or legacy-compatibility stuff not being dropped fast enough (and there's the minor problem of CAs being a total clusterfuck); but that these breaks were of the somewhat less scary kind that can be fixed by deprecating a specific cipher, or increasing a key length, or patching/replacing a specific flawed implementation.

      A development of the 'hahaha, prime factorization is now trivial!' flavor would be the sort of ugly break where fundamental underlying assumptions are no longer correct and no amount of incremental fixing will work.

    2. Re:Break TLS? Isn't it already broken? by Anonymous Coward · · Score: 0

      I've run some scenarios. The scariest one is when somebody publishes the private keys for all root CAs on the same day out of the blue.

    3. Re:Break TLS? Isn't it already broken? by cryptizard · · Score: 1

      That is actually slightly less scary than a fast factorization algorithm. If you could factor, then you could calculate the root CAs' private keys from their certificates, but you could also retroactively decrypt any communication that was intercepted in the past. If the CA private keys were released alone, it would not allow you to retroactively decrypt anything, because Diffie-Hellman key exchange provides perfect forward secrecy that ensures retroactive decryption is not possible even if you later learn the private key.
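
The forward-secrecy point in the comment above, set against the "retroactive" risk from the summary, as an added example that is not from the post or from Google's Chrome work: a toy Diffie-Hellman handshake in a deliberately tiny group, where a brute-force discrete log stands in for what Shor's algorithm would do to a real-size group. A leaked long-term key recovers recorded sessions only when that key was used in the exchange itself, while a discrete-log oracle recovers them either way; the group parameters, exponents and function names are all constructed for this illustration.

```python
"""Toy model of 'harvest now, decrypt later' against a Diffie-Hellman handshake.

Constructed example (standard library only) with a deliberately tiny group so that
the discrete logarithm can be brute-forced in milliseconds. That brute force stands
in for what Shor's algorithm would do to a real-size group on a large quantum computer.
"""
import hashlib
import secrets

# Safe prime P = 2*Q + 1 (tiny, constructed). G = 4 is a square mod P, so it generates
# the subgroup of prime order Q; private exponents are drawn from [1, Q-1].
Q = 1019
P = 2 * Q + 1
G = 4


def random_exponent():
    """Fresh private exponent, as a real handshake would draw one."""
    return secrets.randbelow(Q - 1) + 1


def public(priv):
    """Public value G^priv mod P, the part that goes over the wire."""
    return pow(G, priv, P)


def session_key(shared):
    """Hash the shared group element into a 32-byte symmetric key."""
    return hashlib.sha256(shared.to_bytes(2, "big")).digest()


def static_handshake(server_static_priv, client_priv):
    """Server reuses its long-term key inside the exchange (the shape of old RSA key transport).
    Returns (recorded transcript, session key)."""
    transcript = {"client_pub": public(client_priv), "server_pub": public(server_static_priv)}
    return transcript, session_key(pow(transcript["server_pub"], client_priv, P))


def ephemeral_handshake(server_eph_priv, client_priv):
    """DHE: the server's long-term key only signs server_pub (signature omitted in this toy);
    it never enters the key derivation, so the session key depends on one-time exponents only."""
    transcript = {"client_pub": public(client_priv), "server_pub": public(server_eph_priv)}
    return transcript, session_key(pow(transcript["server_pub"], client_priv, P))


def attack_with_leaked_static_key(transcript, leaked_server_priv):
    """Adversary who recorded the transcript and later obtains the server's long-term key
    (the 'CA/server private keys published' scenario from the thread)."""
    return session_key(pow(transcript["client_pub"], leaked_server_priv, P))


def discrete_log(target):
    """Brute-force x with G^x = target mod P. Feasible only because P is tiny; this is the
    step a large quantum computer running Shor's algorithm would perform for real groups."""
    acc = 1
    for x in range(Q):
        if acc == target:
            return x
        acc = acc * G % P
    raise ValueError("target is not in the subgroup generated by G")


def attack_with_dlog_oracle(transcript):
    """Quantum-style adversary: recover the client's exponent from its recorded public value,
    then finish the handshake arithmetic exactly as the client did."""
    client_priv = discrete_log(transcript["client_pub"])
    return session_key(pow(transcript["server_pub"], client_priv, P))


def demo(server_static_priv=700, server_eph_priv=313, client_priv=None):
    """Return which attack recovers the real session key under each handshake style.

    Fixed (constructed) server exponents keep the run reproducible; the client draws a fresh one."""
    if client_priv is None:
        client_priv = random_exponent()
    results = {}

    transcript, key = static_handshake(server_static_priv, client_priv)
    results["static_leaked_key"] = attack_with_leaked_static_key(transcript, server_static_priv) == key
    results["static_dlog"] = attack_with_dlog_oracle(transcript) == key

    transcript, key = ephemeral_handshake(server_eph_priv, client_priv)
    results["ephemeral_leaked_key"] = attack_with_leaked_static_key(transcript, server_static_priv) == key
    results["ephemeral_dlog"] = attack_with_dlog_oracle(transcript) == key
    return results


if __name__ == "__main__":
    for name, recovered in demo().items():
        print(f"{name:22s} session key recovered: {recovered}")
```

The run shows forward secrecy holding against the key leak (ephemeral_leaked_key is False) but not against the discrete-log oracle (both dlog cases are True), which is exactly the gap a post-quantum key exchange is meant to close.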

  11. It's not computational power by cfalcon · · Score: 4, Informative

    It's not really fair to call what a quantum computer does "computational power", is it? If you factor N by trying all the integers greater than one and smaller than M = floor(sqrt(N)), you will eventually find the answer, and the more computational power you have, the faster you can race from 2 to M. Using Shor's algorithm on a quantum machine, you don't actually end up doing all of the intervening computation, but you do get the answer. But that doesn't mean you can automatically take any set of problems and "solve them all at once", because that isn't really what is happening. It's not computational power in that sense, right?

    1. Re:It's not computational power by cdrudge · · Score: 2

      According to media reports and Hollywood, quantum computers will be able to do anything normal computers do instantaneously. Find the last digit of pi, divide by 0, factor N where N = infinity, decrypt any and every unknown encryption algorithm, etc.

    2. Re:It's not computational power by Anonymous Coward · · Score: 0

      Yes No.

    3. Re:It's not computational power by Anonymous Coward · · Score: 0

      As I understand it (which I don't), you will be attempting to solve all these different problem instances just like in a conventional parallelized search, but the threads of reality in which the computation failed don't necessarily manifest themselves into physical reality, so once you've got your answer all you know is that it is AN answer. Also, something about tunnel universes in which the computation failed and you didn't get your answer cropping up but generally evaporating or merging back with the experimenter some time later, perhaps as you continue to run the algorithm to see if you get any different results?

      Thus, a totally useless and possibly dangerous technique.

      Still looking for real experts to explain this one and not just smile and nod.

    4. Re:It's not computational power by Anonymous Coward · · Score: 0

      Right. While a quantum computer can, in some vague interpretations, "try out all possibilities at once", the naive way of doing it is completely useless because getting it only to output the correct answer suddenly becomes the hard part (i.e. there is no way of telling it "only output the trial that led to a successful division without remainder"). You can always pick a random trial to output, but that could be simulated with a classical computer anyway.

      Instead, the way quantum algorithms work is by trying things out in a complicated way that causes bad solutions to cancel each other out via destructive interference while good solutions (e.g. integer factors) interfere constructively. If you do this right, with enough repetitions you can begin arbitrarily amplifying the probability that your quantum algorithm outputs a good solution, to the point where you can have a fast program that breaks RSA 99.999999% of the time.

    5. Re:It's not computational power by iris-n · · Score: 1

      Yep =)

      What you are arguing against is a very common, and very wrong, way to explain how quantum computers work. It is notoriously hard to explain it concisely, but even Trudeau did better than that.

      You do start by putting all the solutions of the problem in a superposition, but that in itself doesn't help, as if you just try to read it off you will get a random solution. And a random solution you could get just by running a classical computer with a random number generator.

      What you have to do is make all the solutions interfere, a delicate choreography of wrong solutions cancelling each other and correct solutions being reinforced. After that you make a measurement, and get a correct solution with high probability.

      --
      entropy happens

    6. Re:It's not computational power by skids · · Score: 1

      Only calculations that consist of certain combinations of certain operations can be "solved all at once". Most specifically, you cannot read the state of a qubit and see whether it contains both a 1 and a 0, just a 1, or just a 0. You'll either get a 1 or a 0. Second, you cannot copy a qubit's "state" over to another qubit to try to work around this. Because of these limitations (and probably some others I won't understand unless/until I have a long stay in a hospital bed or prison with nothing better to do than learn Hamiltonians) it is possible to design problems that confound quantum computation. The people that do this could probably be called crazy smart geniuses, but probably also have trouble making change or crossing the street or something.

    7. Re:It's not computational power by Plus1Entropy · · Score: 1

      I don't know what's worse: that I don't understand what you said, or that I almost understood what you said.

      --
      Only crack the nuts that crack. You don't put the ones that don't crack in the sack.

  12. Devil you don't know by WaffleMonster · · Score: 2

    The core problem with pushing "post quantum" crypto into production is you are essentially making choices in the blind based exclusively on fear and *baseless* speculation. There is no affirmative evidence of any kind Quantum computers with the capability to crack crypto are even possible let alone expected in the near to medium term.

    I can't help but wonder if at least some of those pushing "post quantum" crypto are intentionally making a play to nerf security more than it already is.

    There are a million practical things Google could elect to do to improve real world practical security starting with not reading everyone's email to applying TLS-SRP patches to enable secure password authentication to making Android less of a security joke. Time spent on post quantum crap is time not spent addressing actual threats we know for sure exist in the real world.

    1. Re:Devil you don't know by Anonymous Coward · · Score: 0

      Unless they're talking about a one-time pad. It's marketing bullshit that won't work.

      And considering key-exchange issues, it's not a one-time pad.

    2. Re:Devil you don't know by Anonymous Coward · · Score: 0

      > The core problem with pushing "post quantum" crypto into production is you are essentially making choices in the blind based exclusively on fear and *baseless* speculation. There is no affirmative evidence of any kind Quantum computers with the capability to crack crypto are even possible let alone expected in the near to medium term.

      Perhaps, but the problem is that if those systems are in fact coming in the near to medium future (and there's "no affirmative evidence of any kind" that it *isn't* true) then they'll absolutely *destroy* most forms of encryption currently in use. Google decided that the high risk outweighed the low chance. Plus their work goes towards research which will, eventually, be beneficial.

      You should focus on your cost-benefit argument instead because that actually holds water.

    3. Re:Devil you don't know by WaffleMonster · · Score: 1, Interesting

      > Perhaps, but the problem is that if those systems are in fact coming in the near to medium future (and there's "no affirmative evidence of any kind" that it *isn't* true) then they'll absolutely *destroy* most forms of encryption currently in use.

      If in fact hostile space aliens (or pancake monsters from the 5th dimension) are coming in the near to medium future then they'll absolutely *destroy* most forms of encryption and everything else currently in use.

      Why shouldn't Google care equally about this threat too given the consequences are much worse and there is no affirmative evidence it isn't true? Where does hedging against completely baseless nonsense end? Are there any limits? At all? Of any kind? Only when you can prove a negative?

      > Google decided that the high risk outweighed the low chance. Plus their work goes towards research which will, eventually, be beneficial.

      Merely selecting algorithms OTHERS created is hardly what I would consider to be research. There are literally hundreds of cipher suites available in TLS; adding new ones isn't a particularly noteworthy exercise.

    4. Re:Devil you don't know by Anonymous Coward · · Score: 0

      First of all, Google is big enough to pat their head and rub their belly, simultaneously. Truly.

      Second of all, even if Google 100% stopped working on quantum computer resistant encryption, there's little probability those resources would switch over to "real world practical security". Encryption is a specialty and quantum resistant encryption is an exotic sub-specialty of a specialty. People capable of this work will switch to different employers who do want quantum resistant encryption.

      Third, now that we're talking about the real world, let's get serious. The NSA and all similar Three Letter Agencies will have working quantum computers first. Furthermore they will make sure that their quantum decryption capability will remain Top Secret (or higher) for years. They count on your naiveté, need for affirmative evidence, and complacency to keep you far behind the state of the art in encryption. That way they'll be able to read your data for years (or better, decades) before you become aware of exactly how insecure you really are.

      Fourth, the theoretical basis for quantum computing is now firmly established. There is hardware (as yet primitive, but real). There are quantum logic circuits. There is an understanding of the error levels experienced and error handling protocols needed. There are quantum algorithms. My understanding is that Quantum theory is now Turing complete. Quantum computing is officially "hot" and it is a respectable area of study, drawing in substantial money and talent. Papers are being published monthly.

      Fifth, we now regularly see articles (like the OP) that cater to a broader market, far beyond quantum specialists. They nearly all recap that quantum computing could render all existing encryption algorithms vulnerable. This leads to a pervasive question mark over those conventional encryption algorithms. Even if they are strong today, how long will that endure? The writing seems to be on the wall.

      The encryption community faces a huge challenge, and (large-scale) quantum encryption seems much farther off than quantum decryption. The average personal device (phone, tablet, PC) isn't going to have a quantum processor/subsystem for decades, most likely. Thus, to simply kick the can down the road and say "well the solution to quantum decryption is quantum encryption", is more than a little dismissive. Even if it is true in the long term, we need conventional encryption that can withstand quantum decryption in the medium term.

    5. Re:Devil you don't know by Anonymous Coward · · Score: 0

      You can say the same thing about pre-quantum crypto. Much of it is based on factoring integers, and there's never been a proof that there is no quick algorithm to do so. It's based on people trying for years and failing.
      Of course, the RLWE is relatively new and less effort has been put into breaking it. But there's still been considerable effort, and nothing that breaks it has been found.
      It's not a guarantee; but there IS a guarantee that most other problems are broken.

    6. Re:Devil you don't know by cryptizard · · Score: 1

      Why shouldn't Google care equally about this threat

      Because they have no power to defend against that threat, no matter how much money they throw at it. Post-quantum cryptography just takes a handful of engineers to work on. It is basically free for a company the size of Google, and the benefits are potentially large.

      Merely selecting algorithms OTHERS created is hardly what I would consider to be research.

      Read the linked paper. That is not what they do. They optimize and improve security bounds on an existing scheme, making it more practical for real-world applications. Many of the most recent encryption schemes developed by academia are wildly impractical in terms of the exotic mathematical operations they require and the huge parameter sizes you need to meet currently understood security requirements.

  13. worst name ever for math stuff by Anonymous Coward · · Score: 0

    Why not just call it the JesusAlgo? Someone send the geniuses over at GoogleSec the definition of connotation.

  14. Combined with a traditional key-exchange algorithm? by Anonymous Coward · · Score: 0

    New Hope is interesting, because it's a DH-like key exchange algorithm that supposedly withstands quantum computers. If that holds true, then even if the RSA or EC keys used in the certificates are broken in the future, because DH-like algorithms provide forward security, you won't be able to decipher communication that you saved today at a later date. For this reason it's fantastic to see that they implement this now.

    The only thing that the article doesn't really go into detail on is whether they combine that with traditional DH or ECDHE. If you read the New Hope paper, the authors themselves recommend (because they can't even guarantee that there's no classical attack on their shiny new algorithm) performing a traditional key exchange in parallel and then deriving the session key from a KDF (key derivation function) applied to the output of both New Hope and the traditional algorithm. This would ensure that even if one of these algorithms were to be completely broken in the future, as long as the other one holds, forward secrecy would remain intact. For this reason it'd be great to know a bit more detail on how they actually implemented this: do they do this combination? Or do they just implement New Hope?

  15. Does my Robot Insurance cover this? by Anonymous Coward · · Score: 0

    I already have Robot Insurance from the Old Glory Insurance Company. Would my policy cover attacks from Quantum Computers? That would be a type of robot, wouldn't it?

    1. Re: Does my Robot Insurance cover this? by Anonymous Coward · · Score: 0

      No. You need to buy a special rider for that.

  16. What a joke by Anonymous Coward · · Score: 0

    Meanwhile, remembered passwords are still stored in plain text by default.

    Is this sarcastic news?

  17. What's their model of a quantum computer? by Anonymous Coward · · Score: 0

    Perhaps something which takes a description of a known schematic of gates and can find a set of values for the nodes interconnecting the gates which is consistent with the schematic and operation of the gates. (For example, a schematic for a multiplier with constraints to make the output 15, input A, input B, and input A != 1.)

    A useful quantum computer would be one which can do this when the number of unknown nodes and topology is such that no classic computer can figure this out, but the quantum can because it considers all the possible value combinations at once. (One that can solve the above is interesting, but not useful because you can get the answer by exhaustive search on a cheap computer.)

    If this is the model, then what are they doing to the algorithm to make it hopefully safe?

    If this is not the model, then what model are they using?

  18. Re:Combined with a traditional key-exchange algoti by mcl630 · · Score: 1

    According to Google's blog post:

    Today we're announcing an experiment in Chrome where a small fraction of connections between desktop Chrome and Google's servers will use a post-quantum key-exchange algorithm in addition to the elliptic-curve key-exchange algorithm that would typically be used. By adding a post-quantum algorithm on top of the existing one, we are able to experiment without affecting user security. The post-quantum algorithm might turn out to be breakable even with today's computers, in which case the elliptic-curve algorithm will still provide the best security that today’s technology can offer. Alternatively, if the post-quantum algorithm turns out to be secure then it'll protect the connection even against a future, quantum computer.

    If I read this correctly, they are using "New Hope" in combination with an existing algorithm.
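The hybrid combiner that comment 14 asks about and the blog post quoted in comment 18 describes, as an added example that is not Chrome's or the New Hope authors' code: both shared secrets are length-prefixed and fed through HKDF (RFC 5869), so the session key stays unknown to anyone who has recovered only one of them. The two shared secrets, the handshake transcript bytes and the label string are constructed stand-ins, and the exact combiner layout is an assumption, not the paper's construction.

```python
import hashlib
import hmac
import os


def hkdf(ikm: bytes, salt: bytes, info: bytes, length: int) -> bytes:
    """HKDF with SHA-256 (RFC 5869): extract a PRK from the input keying
    material, then expand it into `length` bytes bound to `info`."""
    prk = hmac.new(salt or b"\x00" * 32, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def combine_secrets(classical_ss: bytes, pq_ss: bytes, transcript: bytes) -> bytes:
    """Hybrid key combiner (assumed layout, not the paper's): each shared secret
    is length-prefixed so the concatenation is unambiguous, and the handshake
    transcript hash is used as the HKDF salt so the key is bound to this session.
    Recovering the session key requires BOTH secrets."""
    def lp(x: bytes) -> bytes:
        return len(x).to_bytes(2, "big") + x
    ikm = lp(classical_ss) + lp(pq_ss)
    salt = hashlib.sha256(transcript).digest()
    return hkdf(ikm, salt, b"hybrid-ecdhe+newhope-example", 32)


def attacker_with_one_secret(classical_ss: bytes, transcript: bytes, guess: bytes) -> bytes:
    """Models an adversary who broke the classical exchange (knows classical_ss)
    but must guess the post-quantum secret; returns the key they would derive."""
    return combine_secrets(classical_ss, guess, transcript)


if __name__ == "__main__":
    # Constructed stand-ins for the ECDHE and New Hope shared secrets.
    ecdhe_ss, newhope_ss = os.urandom(32), os.urandom(32)
    transcript = b"constructed ClientHello||ServerHello bytes"
    key = combine_secrets(ecdhe_ss, newhope_ss, transcript)
    wrong = attacker_with_one_secret(ecdhe_ss, transcript, os.urandom(32))
    print("session key:", key.hex())
    print("attacker with only the ECDHE secret matches:", key == wrong)
```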

  19. I think practical quantum computers already exist by Anonymous Coward · · Score: 0

    Of course not based on silly electronic qubits though.

    Optical quantum computers on the other hand, pretty sure the NSA has them.