IBM Warns Quantum Computing Will Break Encryption (zdnet.com)
Long-time Slashdot reader CrtxReavr shares a report from ZDNet:
Quantum computers will be able to instantly break the encryption of sensitive data protected by today's strongest security, warns the head of IBM Research. This could happen in a little more than five years because of advances in quantum computer technologies. "Anyone that wants to make sure that their data is protected for longer than 10 years should move to alternate forms of encryption now," said Arvind Krishna, director of IBM Research... Quantum computers can solve some types of problems near-instantaneously compared with billions of years of processing using conventional computers... Advances in novel materials and in low-temperature physics have led to many breakthroughs in the quantum computing field in recent years, and large commercial quantum computer systems will soon be viable and available within five years...
In addition to solving tough computing problems, quantum computers could save huge amounts of energy, as server farms proliferate and applications such as bitcoin grow in their compute needs. Each computation takes just a few watts, yet it could take several server farms to accomplish if it were run on conventional systems.
The original submission raises another possibility. "What I wonder is, if encryption can be 'instantly broken,' does this also mean that remaining crypto-coins can be instantly discovered?"
What I wonder is, if encryption can be 'instantly broken,' does this also mean that remaining crypto-coins can be instantly discovered?
This could theoretically be the biggest breakthrough in computing since transistors, and this person is wondering about how it's going to affect Monopoly money? Jesus.
I don't respond to AC's.
This was predicted at least 15 years ago. Someone should warn IBM they are at least a decade behind.
...and how about private keys? Especially in the console world, that would come in quite handy so paying for quantum computer time via crowdfunding to discover Sony's, Nintendo's, etc. private signing keys could become a thing.
When the copyright term is "forever minus a day", live every day like it's the last.
"does this also mean that remaining crypto-coins can be instantly discovered?"
No, that's not how the minting of new coins work, at all.
There are theoretical issues where someone might learn your private key from seeing a transaction, but they're mitigated for all new addresses and usage.
https://en.bitcoin.it/wiki/Qua...
it's in my head
I am thinking back to the saying 'AI, like fusion, has been 10 years away for 30 years now'. I think that quote was from the 60s or 70s, so add a few decades. The earth shattering predictions for quantum computers have been around for a while and they are always 'just about to be realized', but even today it is cheaper to emulate quantum computers on traditional machines than to actually build and use them. It is questionable, given advances in traditional semi-conductors, if it will EVER be cheaper to use quantum computing, even for the tasks it is best suited for.
Wasn't elliptic curve cryptography supposed to be resistant to quantum computers?
I call BS, show me a single quantum system which does anything faster than a conventional computer can....doesn't exist yet, never will.
If it can be used to instantly generate the rest of the coins in the blockchain (it can't, but hypothetically, if it could) then very similar to a time machine, the person who designed/controlled/owned/operated it would kill anyone else to keep its discovery/operation a secret, and leverage it for their own benefit.
Much like time travel, quantum computers could allow the digital equivalents. Rewriting history by inferring cryptographic keys without brute force and allowing them to sign fake information that will now appear real. Spying, by compromising others keys and being able to read their presumed secure communications. And lastly taking these two together: changing the future and altering the state of humanity to benefit themselves.
Now realistically, that isn't how quantum computing works, on an individual level. However were you to scale it up to the level of a nation-state, and concentrate your focus on a few pivotal cryptographic keys, while keeping under wraps that you had the technology, you could for instance modify and then sign open source packages or proprietary software, allowing you to avoid detection as your malware is considered a legitimate part of the software you are now privileged to sign.
The original submission raises another possibility. "What I wonder is, if encryption can be 'instantly broken,' does this also mean that remaining crypto-coins can be instantly discovered?"
Yes and No.
I think you underestimate just how much I just dont care.
Yes, quantum computers will eventually allow people to crack the private keys for most cryptocurrency wallets. However, some projects are already working to address this. The best example is Quantum Resistant Ledger (QRL), which is redesigned from the ground up to use quantum proof crypto algorithms. Look it up, they have a lot of info on exactly HOW quantum computers will affect cryptocurrencies, and other related data.
Of course the alternate encryption like that which IBM recommend happens to be owned by IBM. Better buy in now!
Now what?
Article is very light on evidence of any new form of successful attack so it's a bit premature to advise the sky is falling just yet!
Better encryption methods are always being worked on and we will phase out the old encryption methods when they become stale and move onto more resistant types.
As it so happens there are already some constructions (and they have been around for some time) that can be used such as Ring-LWE and NTRU which have been shown to hold up against classic and Quantum based attacks.
I'm going back to my bowl of cereal now.
Are (any) fiat-currency and (any) cryptocurrency really equivalent, as cryptocurrency fans claim?
For example, US Dollar and Bitcoin are really equals?
Value/validity/authorization of US dollar is provided/guaranteed by US Government (and in-turn whole US Public)!
Also, not to mention, US Dollars in any US Bank is insured by US Government!
What authorization/guarantee/insurance is behind Bitcoin? Nothing!
Sorry but that is the end of discussion then!
Why do you think Satoshi Nakamoto is really hiding his identity, if Bitcoin is really such a great innovation?
He is just someone who does not like media/fan attention?
Or, could it really be because Bitcoin (and all cryptocurrencies that followed it) are actually Ponzi Schemes?
(So he knew very well that law enforcement would come after him sooner or later?!)
If so-called cryptocurrencies are really a good innovation, why do they attract so many criminals/criminal activity?
Could it really be because all cryptocurrencies themselves are scams, and that is why they attract all kinds of criminals/criminal activity?
If so-called cryptocurrencies are really currency, why can no company/store use Bitcoin as currency anymore?
Because the price of Bitcoin proved to be extremely unstable to use as a currency?
Would the result be different if Bitcoin were replaced by any other "cryptocurrency"?
Don't they all work the same way?
If so-called cryptocurrencies are really money, isn't people issuing their own money already illegal in all countries?
If so, then why are they still not banned in all countries?
Or are they not actually virtual currency but virtual investment?
But if they are actually an investment, why do we need/want them?
What would happen to the world economy if people invested in virtual investments instead of real investments?
Or are all so-called cryptocurrencies actually just modified (made decentralized and paying variable interest) Ponzi Schemes?
(Price of cryptocurrencies would keep increasing in the long term (by their design), so it is equivalent of paying variable interest to all long term investors.)
Also, since all so-called cryptocurrencies are actually financial scams (Ponzi Schemes), that means, they cannot be the solution for any of existing financial problems of our world!
As more and more people invest in cryptocurrencies, it will become harder and harder to ban their trading everywhere (because people invested in cryptocurrencies, would try to stop anyone trying to ban cryptocurrencies)!
All cryptocurrencies need to be banned globally before it is too late!
Probably wrong on the details
But that's slightly different than dead wrong.
It does emphasize what we all sort of know. Encryption that is good enough today will probably be not good enough in a few -- five, ten, fifteen -- years. Which suggests that all your email and metadata that you and others have stashed in encrypted stores may be decodable if you (and they) keep the stores around too long.
And it doesn't matter what technology makes the data readable. Quantum computing, brute force, some clever algorithm, some flaw in common encryption algorithms or the software implementing them. Your secrets may not remain secret.
That's probably not a good thing.
You can't see ANYTHING from a car, You've got to get out of the goddamned contraption and walk...Edward Abbey
Quantum computing has been long on promises and short on delivery for decades now. If you can break our encryption in less time than it takes to make a cup of coffee then show us the money. How about a public demonstration where in 15 minutes or less you break the private keys of all of the big certificate authorities and issue yourself fake certificates for Google, Apple, Facebook and Netflix signed with those cracked private keys?
Anything is possible here but this seems like an irresponsible prediction when we don't have a single practical example of this technology "actually" working either as a machine we designed or as some natural phenomenon that we've observed. Which is not to say we haven't studied the subject... but we don't actually know that quantum physics can be used in this manner.
I've decided to stop wasting my time responding to AC trolls/sockpuppets... so if you want a response from me... login.
Each computation takes just a few watts
So each computation uses a few watts for...how long? A femtosecond? The heat death of the universe? What a meaningless statement.
... when quantum computing is capable of breaking current encryption, that same computer will be providing unbreakable encryption. For example:
A. Ekert, "Quantum cryptography based on Bell's theorem," Phys. Rev. Lett. 67, 661–663 (1991). https://doi.org/10.1103/PhysRe...
It little behooves the best of us to comment on the rest of us.
It doesn't say what kind of encryption will be broken.
Will it be asymmetric or symmetric?
Quantum computation doesn't guarantee NP = P.
To protect the encryption, to create larger keys, problem solved.
Problem solved.
If quantum computing will be able to break encryption, why can't quantum computing be used to create better encryption?
Quantum computers will solve current encryption algorithms as soon as we solve general AI. Oh, wait ...
The head of IBM Research is bordering on lying. While theoretically possible, there are no known software solutions that work in QCs to break current encryption.
And there might never be one. No one knows. It's a new field.
IBM is trying to create a problem that doesn't yet exist, and then selling us the solution to it. Otherwise, over 30 years of IBM research on QCs would have been for nothing for them.
Q-computers will replace GPUs for training Deep Machine Learning.
So it makes the training much more efficient, to the lowest wattage and shortest time.
Q-computers will be used for breaking encryption, training deep ML (that reduces lowest error ratio and more intelligent), improving classifiers, etc
I was working in the lab late one night
When my eyes beheld an eerie sight
For my johntheripper from his script began to daemonize
And suddenly to my surprise
He did the hash
He did the mini-mash
The mini-mash
It was a server farm smash
He did the hash
It caught on in a flash
He did the hash
He did the mini-mash
There's a book about post-quantum cryptography, and also conferences. There is plenty of research on the topic, and cryptography will be fine, just computationally more expensive (since our current block ciphers were chosen to be as computationally simple as possible).
"First they came for the slanderers and i said nothing."
Which suggests that all your email and metadata that you and others have stashed in encrypted stores may be decodable if you (and they) keep the stores around too long.
Worse than that: We're constantly putting sensitive information out in public because, "Hey, it's encrypted. Even if someone intercepts this or downloads this, it'll take them billions of years to crack the encryption." If someone has scooped that data up now, they might be able to get access to a whole lot of information that people thought was safe.
On the other hand, most of us can take some solace in the volume of data on the Internet. It'd be challenging just to "scoop that data up" and store it all. Then once it's all decrypted, someone would still need to sort through it all, looking for juicy secrets. After 10 years, a lot of those juicy secrets won't be relevant.
Still, people will justify having data in the open because "it'll take billions of years to crack it". If that "billions of years" just got cut down to "5 years", that's a little scary.
their business services? yes. IBM's actual technical parts (what's left...)? not really.
It has been known for years that quantum computers will break RSA using the Shor algorithm.
The interesting question, which is not answered in TFA, is: what algorithms are resistant to quantum computers? Do we have some available in TLSv1.3?
The OP is missing some key aspects of blockchain POW mining. The coins are not under millions of rocks where they could be instantly mined. Each block can only be mined one at a time. The block is just a bunch of transactions (or state changes in smart contracts) that need to be processed by the distributed system. In fact, the coin reward is just a clever mechanism to incentivize nodes to process these blocks.
With quantum it might be possible to mine each block very quickly, instead of the average 10 minutes we have now; however any chain would just fork to use a new system. As other commenters have pointed out, the real issue is the asymmetric keys that control the user authentication and wallets. With quantum you would effectively be able to access anyone's wallet, deriving their private key through quantum brute force. Not to mention HTTPS etc. The fact that blockchain is an immutable ledger (and generally public) is an even bigger issue.
There are various ciphers that are considered quantum resistant. Most real time systems like HTTPS will likely switch to them. However pre-shared traditionally encrypted data (or wallets) could be a major issue.
-G
The company that sheds jobs, non stop revenue door and off shoring jobs
Their insights are marketing equivalent of click bait
If you can break it then why in the hell would you ever advertise the fact? It would be worth way more... WAY, WAY, WAY!!! more to keep it secret and snoop/steal everything in the world.
In other words, nobody is going to demo it until years, probably decades, after it was already possible.
More accurate would be "if an ideal (perfect) quantum computer existed, with enough cubits, it could break some types of encryption in a reasonable time".
Ideal quantum computers don't exist, and never will. An open question is how near actual, physical quantum computers will get to this theoretical perfect machine. It's kinda like doing physics approximations and starting with "ignoring air resistance and friction ...". Well yes, if there were no friction we could build machines that do a lot of things which can't actually be done, because in the real world there is friction.
In a universe that only exists in textbooks, a universe of ideal machines, ideal quantum computers could factor numbers in polynomial time. Not instantly, but it wouldn't take a billion years like it would with classical computers.
Some of the cryptographic algorithms we use today get their strength from the difficulty of factoring certain types of large numbers. Those algorithms would need to be replaced if quantum computers developed sufficiently.
Already, we deprecate cryptographic algorithms every couple of years. Part of my job is checking https, ipsec, and other systems to see that they are configured to use strong algorithms. I have to update our list of currently accepted algorithms a couple times per year. The designers of these protocols were smart in that they designed the protocols to support any algorithm you want. For example, TLS defines that "key exchange" messages should be exchanged, but doesn't define what type of key exchange. It could be RSA key exchange, it could be Diffie-Hellman, it could be elliptic curve Diffie-Hellman, or supersingular elliptic curve Diffie-Hellman. TLS (aka SSL) doesn't know or care. Classical Diffie-Hellman can be replaced with supersingular DH without changing anything about TLS.
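The inventory step that post describes (checking which key exchange each https endpoint is configured to accept) as an added Python example; it is not from the post, from IBM, or from any product. It classifies TLS cipher suite names by key-exchange method in both OpenSSL and IANA spelling, over a constructed list of suite names, and can run the same check over the suites the local OpenSSL build enables by default. Forward secrecy matters against a classical attacker who later obtains the server's RSA key, but, as other replies in this thread note, a recorded (EC)DHE handshake is also recoverable once discrete logs fall to Shor's algorithm, so the point of the inventory is knowing exactly which exchange has to be swapped out.

```python
import re
import ssl

# Constructed sample of suite names in both OpenSSL and IANA (RFC) spelling.
SAMPLE_SUITES = [
    "TLS_AES_256_GCM_SHA384",               # TLS 1.3: key exchange is always ephemeral (EC)DHE
    "ECDHE-RSA-AES256-GCM-SHA384",          # OpenSSL name: ephemeral ECDH, RSA only signs
    "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",  # IANA name: ephemeral finite-field DH
    "TLS_RSA_WITH_AES_128_CBC_SHA",         # RSA key transport: session key encrypted to the cert key
    "AES128-SHA",                           # OpenSSL spelling of an RSA key transport suite
    "ECDH-ECDSA-AES128-SHA",                # static ECDH: long-term ECDH key, no forward secrecy
]


def classify_suite(name: str) -> dict:
    """Identify the key-exchange method of a TLS cipher suite from its name.

    forward_secrecy is True when the session key comes from an ephemeral
    (EC)DH exchange, so the server's long-term private key alone does not
    decrypt recorded traffic.
    """
    n = name.upper()
    if n.startswith(("TLS_AES_", "TLS_CHACHA20_")):
        kx, fs = "(EC)DHE via TLS 1.3", True
    elif any(tok in n for tok in ("PSK", "SRP", "ANON", "ADH", "AECDH", "NULL")):
        kx, fs = "other (review manually)", False  # conservative: not auto-accepted
    elif "ECDHE" in n:
        kx, fs = "ECDHE", True
    elif re.search(r"(?:^|_)DHE[-_]", n):
        kx, fs = "DHE", True
    elif re.search(r"(?:^|_)ECDH[-_]", n):
        kx, fs = "static ECDH", False
    else:
        # IANA names start with TLS_RSA_WITH_; OpenSSL names RSA key transport
        # suites by cipher alone (e.g. AES128-SHA). Both are static RSA.
        kx, fs = "RSA key transport", False
    return {"name": name, "kx": kx, "forward_secrecy": fs}


def no_forward_secrecy(suites):
    """Names of the suites an auditor would flag for lacking forward secrecy."""
    return [s for s in suites if not classify_suite(s)["forward_secrecy"]]


def audit_local_defaults():
    """Run the same check over the suites this Python/OpenSSL build enables by default."""
    ctx = ssl.create_default_context()
    return no_forward_secrecy(c["name"] for c in ctx.get_ciphers())


if __name__ == "__main__":
    for suite in SAMPLE_SUITES:
        print(classify_suite(suite))
    print("flagged in local defaults:", audit_local_defaults())
```

Name-based classification is a first pass only; the authoritative check is the handshake a scanner actually observes, since a server's configured list and its negotiated choice can differ.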
I thought they moved to India?
While encryption can certainly be a trouble for certain parties, I wouldn't associate any certainty with it.
Homeboys can get your shit should the want be high enough.
Correctamundo.
If IBM, MS and all the other major tech players are predicting commercial quantum computers will be available in 5 years time, then you can bet your last dollar the intelligence community have had them for the last 5 years already.
China went public on their QC satellite program but silence from the 5 Eyes..
A real or true quantum computer can find any factor in less than 12 steps.
Get ready for it.
Arvind Krishna might be an important person but he is hardly in the position to make such bold predictions (he wrote one paper on cryptology from 1990). But setting this aside, even giants in mathematics got it completely wrong when dealing with scalability or predicting the future in research. Quantum computing might theoretically break through complexity barriers but this has not been demonstrated yet. There could be fundamental problems when trying to scale things up. Theoretically things always look easy. Laplace argued that the future of events can be computed in principle by knowing the positions and momenta of particles. Laplace could refer to Newton's laws which justify this theoretically. But there were not only practical but fundamental objections, even for a small number of particles as errors grow exponentially (and then of course just because of quantum mechanics). Similarly, there could be fundamental problems when trying to break the complexity barrier (even so, theoretically, algorithms like Shor's work), maybe because of decoherence problems. If some engineers start to factor integers fast using quantum computing, then one can start worrying; until then it is just fancy advertisement. Come back with such claims if a quantum computer can factor the first integer not factored yet by traditional computers. There are currently bigger problems to worry about, like CPUs with design flaws.
We can't handle the truth.
Suddenly revealing mass numbers of important secrets that have surely been stored in preparation for this day would be devastating to both national and world order. This kind of capability is a doomsday weapon to the powers that truly decide the laws and directions we take.
Like nuclear weapons, we will experiment with it for a while to prove we have it. Then, after a few super tense situations, we will keep the capability and ban its use through international treaties. Any other approach would result in mutual destruction.
Unless you're say...Equifax and putting everyone's names, social security numbers and full financial history out in public due to gross negligence I'd say that's 90% correct. Thank you ever so much United States government for doing exactly nothing about it, along with all previous (less) major data breaches you did exactly nothing about. You've made me feel as confident about our digital future as I did after watching the movie Terminator.
If you can break it then why in the hell would you ever advertise the fact? It would be worth way more... WAY, WAY, WAY!!! more to keep it secret and snoop/steal everything in the world.
Two problems with that:
1. IBM is an above board publicly traded company. What you're suggesting sounds illegal and moreover, it's not likely to be as profitable as you think. Scammers and criminals make hundreds of thousands or maybe millions of dollars if they're lucky. That's not even pocket change to a Fortune 500 company like IBM, whose revenue last year alone was nearly 80 Billion dollars. You think they would risk all of that for a few cheap scams or even a systematic criminal enterprise? Never happen.
2. The US Government and the NSA would obviously be interested in hardware with these capabilities. However, they would probably also make the patents classified top secret and force IBM to limit production for their own uses and keep it secret. They would pay IBM something for their trouble, but nothing like what they could have gotten if the tech went public.
Either way, this technology seems to have limited profit potential and certainly not the fabulous riches that you seem to be imagining.
In other words, nobody is going to demo it until years, probably decades, after it was already possible.
Maybe not, but they're not going to make much profit from it either.
then you can bet your last dollar the intelligence community have had them for the last 5 years already.
I'm unconvinced. The NSA has a large budget and probably does spend some of it on hardware research. However, IBM is world famous for their hardware research operation and they've been working on this for decades now with an even larger research budget and apparently only modest success. The NSA has knowledge that few others do, but hardware is physical and costs tons of money to research and produce. With this in mind it's hard to believe that the NSA has beaten IBM to the punch on a quantum computer.
Quantum computers have the potential to break some types of public key encryption like discrete log (Elgamal) and RSA because of Shor's algorithm, assuming that a large enough quantum computer can even be built.
However, there are public-key systems like lattice problem and code-based cryptography that quantum computing researchers have made virtually NO progress on in the decades since Shor published his algorithm. Various systems have a few problems, like large plaintext to ciphertext message expansion, but otherwise are pretty damn good. And, because PK crypto is used mainly to exchange keys for symmetric ciphers like AES, that problem isn't even that important.
The main threat quantum computers pose would be the possibility of decrypting stuff that was encrypted AND intercepted today using RSA/Elgamal to exchange AES keys, assuming that an attacker has a bunch of sufficient intercepted traffic sitting around somewhere. Which, I admit is a little scary.
"What lies behind us, and what lies before us are tiny matters compared to what lies within us." Ralph Waldo Emerson
with enough cubits
What an old-fashioned unit of measure!
So, you are saying that all the encryption will be broken and your solution is to move to something else?! Even without having to analyse the implications/sensibility of that first statement, anyone saying such a thing should be completely aware about its meaning. Encryption refers to virtually any way to hide information. The only alternative to encryption is immediately understandable information. On the other hand, the underlying premise to that first statement (being able to almost immediately decrypt anything) is certainly quite incompatible with any form of encryption.
Yesterday, I did a programming interview completely focused on technical aspects, but not too deep, and the interviewer seemed nice and understanding. After writing the code to solve a fairly easy problem, the interviewer asked me about the time/space complexity. I said that I understood what he was expecting (big-O), but that I would prefer a different approach; due to my background and to how most of my programming learning happened (at work, during the last quite a few years), I don't rely on those concepts intuitively. I explained to him that my algorithm was slightly inefficient, but much more modular; also that, even under extreme conditions, the proposed problem was too simplistic to provoke any time/memory problems. Not to mention that I relied on specific functionalities of the given programming language whose memory/time impact should also be weighed, which wasn't precisely a simple matter (other than via my relevant experience with that language). Long story short, I said that rather than blindly applying certain generic ideas, I brought my experience (what was precisely being assessed there) into the picture and made a decision by accounting for different aspects. He told me that everything sounded fine, but that he wanted his answer, which he finally seemed to get via "do you mean that it is directly related to...?" Did he ignore all that I said and try to fit it within the answer which he was expecting? Logically, I understand that he was probably following some instructions, but this isn't relevant for the point I am trying to make.
How are the two previous paragraphs related you might wonder? Both refer to what, IMHO, is misusing theoretical abstractions (or, at least, not maximising all what they might bring). Personally, I tend to have a quite practical approach to almost anything, but also understand the utility of more generic methodologies mainly in certain contexts and for certain people. What I cannot defend is people forgetting about the actual point of the given abstraction (helping understand) and elevating it to some kind of ultimate truth; much less when dealing with knowledgeable enough individuals (blind application of what is assumed to always work is usually the resource of people with limited knowledge). The only goal which any scientific-like field or person should pursue is the truth, objective correction, proper understanding of what actually is. If you stop caring about that goal and, rather than improving your understanding and knowledge, focus on making sure that whatever assumption has to be true, you would move from scientific-like to religious-like, even to fanatic-like.
Custom Solvers 2.0 = Alvaro Carballo Garcia = varocarbas.
"Anyone that wants to make sure that their data is protected for longer than 10 years should move to alternate forms of encryption now," Please contact IBM Professional Services for further assistance in this matter.
Encrypt, then break file in half.. and place other half someplace safe away from the first half? Wouldn't that work?
Then hope that decrypting files, assumed to be encrypted with "secure" algorithms, aren't really constructed, so as to decrypt the whole plaintext from a fraction of the ciphertext, or, partial plaintext from a fraction of the ciphertext.
Hm, I am no expert, but given the rotary technology in the past, it wouldn't surprise me if there was encryption tech that would be able to produce ciphertexts where a bit in a location might perhaps have more than one value, depending on what decryption scheme is used, as if a bit could have more than one value, by associative values to bits in the proximity of the bit in question, or maybe some padded bit values added later.
-- I have very little knowledge about encryption, but I don't trust people that say "trust the math", if you can't trust the implementation, nor the tech.
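The reply's concern, that decrypting a fraction of a ciphertext may yield the matching fraction of the plaintext, shown as an added Python example that is not from the thread. It uses a toy counter-mode cipher built from HMAC-SHA256 as a constructed stand-in for AES-CTR, which has the same property: every keystream position depends only on the key, nonce and counter, so whoever holds the key decrypts exactly the fragment they hold, at any offset, without needing the rest. The half that is kept elsewhere stays protected only because it is absent, not because the cipher needs it.

```python
import hashlib
import hmac

BLOCK = hashlib.sha256().digest_size  # 32-byte keystream blocks


def keystream_block(key: bytes, nonce: bytes, counter: int) -> bytes:
    """Keystream block i = HMAC-SHA256(key, nonce || i).

    Constructed stand-in for AES-CTR's AES_k(nonce || i): each block depends
    only on key, nonce and counter, never on other ciphertext.
    """
    return hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()


def ctr_crypt(key: bytes, nonce: bytes, data: bytes, offset: int = 0) -> bytes:
    """XOR data with the keystream starting at absolute stream position offset.

    Encryption and decryption are the same operation; passing the offset lets
    a fragment cut out of the middle of a ciphertext be processed on its own.
    """
    out = bytearray()
    block, block_no = b"", -1
    for i, byte in enumerate(data):
        pos = offset + i
        if pos // BLOCK != block_no:
            block_no = pos // BLOCK
            block = keystream_block(key, nonce, block_no)
        out.append(byte ^ block[pos % BLOCK])
    return bytes(out)


# Constructed demo values (not real secrets).
KEY = b"constructed-demo-key-not-for-real-use"
NONCE = b"nonce-01"
PLAINTEXT = b"Board minutes 2018-Q1: merger talks with ACME continue; offer is 42M."


def split_recovery_check(key=KEY, nonce=NONCE, plaintext=PLAINTEXT) -> dict:
    """Encrypt, split the ciphertext in two, then decrypt each half on its own."""
    ct = ctr_crypt(key, nonce, plaintext)
    half = len(ct) // 2
    return {
        "first_half_alone": ctr_crypt(key, nonce, ct[:half]),               # offset 0
        "second_half_alone": ctr_crypt(key, nonce, ct[half:], offset=half),  # mid-stream
        "expected_first": plaintext[:half],
        "expected_second": plaintext[half:],
    }


if __name__ == "__main__":
    result = split_recovery_check()
    print("second half recovered from its fragment alone:",
          result["second_half_alone"] == result["expected_second"])
```

CBC mode behaves the same way for this purpose: decrypting block i needs only ciphertext blocks i-1 and i, so a contiguous fragment loses at most one block at its start.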
In the near future, encryption for darknet transactions, bitcoin usage etc will be cracked. I wonder what will happen with the intel for thousands/millions of drug users who otherwise pose no threat to society?
If the quantum computer is 300 cubits in length, 50 cubits in width and 30 cubits in height - well then it's Noah's ark.
Qubits, of course. My brain does that - I spell well and all, but I tend to write homophones, words that sound identical, because I think audibly.
"Better encryption methods are always being worked on and we will phase out the old encryption methods when they become stale and move onto more resistant types."
At what point? When QC is widely available? When the NSA has QC that can crack all encryption? (which they are unlikely to announce and may already have)
Enjoy your cereal.
We know for sure that converting matter into energy by nuclear fusion works fine - both the sun and hydrogen bombs are certain proof of that.
For "quantum computing", on the other hand, there is no proof yet that they are ever going to perform any better than conventional computers. It is currently just a theory based on a model that predicts such.
I for one still don't believe that quantum computers will perform better at anything but emulating themselves than conventional computers - much like the analog computers of the 1960s were good at a very narrow field of tasks, but not quite for generic computations.
It's kinda like doing physics approximations and starting with "ignoring air resistance and friction ...".
To calculate the air resistance of a horse at a gallop, we first assume the horse is in the shape of a sphere...
Quantum computers can solve two problems that can affect modern encryption. They force us to double the length of a hash for the same security and they can solve the period of a function. The first application obviously affects hash functions, the second eventually leads to breaking RSA, discrete log type asymmetric functions and many elliptic curve primitives. However they don't make any of this instantaneous. SHA-256 is still safe and the amount of work to massage RSA, Diffie-Hellman and other current schemes into something that a quantum computer can solve is still difficult. So even if your quantum computer were instant, the classical computing is going to take time.
Bitcoin is also safe. You need a public key before you can let loose your quantum computer to try and find a wallet's private key but the public keys in bitcoin are only stored as hashes until money is spent the first time from a wallet. So you can only start attacking a wallet once its transaction is broadcast into the network. You would then have to find the private key before the valid transaction was included in the block chain.
Your communications today however are not safe. Someone recording the initial hand shake of a TLS session would in the future be able to figure out what AES key was agreed upon and then be able to read your communication. Anything you digitally sign today will have to be resigned by you before the 10 years expire if you still want to be able to prove you signed it.
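The address-hash property this post and the earlier "mitigated for all new addresses" reply both rely on, as an added Python example that is not from the thread or from Bitcoin's own code. It audits a constructed ledger for the one case the mitigation does not cover: value parked at an address whose public key an earlier spend has already published, which gives a future discrete-log attacker the key and unlimited time instead of the short window between broadcast and confirmation. The hashing is simplified to SHA-256 (real Bitcoin P2PKH uses RIPEMD160(SHA256(pubkey)) with Base58Check) and the keys are placeholder bytes, not real curve points.

```python
import hashlib


def address_of(pubkey: bytes) -> str:
    """Commit to a public key by hashing it.

    Simplified: Bitcoin uses RIPEMD160(SHA256(pubkey)) and Base58Check. The
    property of interest is the same: the address reveals nothing about the
    public key until a spend from it does.
    """
    return hashlib.sha256(pubkey).hexdigest()[:40]


# Constructed placeholder keys (not real curve points).
PUBKEY_A = b"\x02" + b"A" * 32
PUBKEY_B = b"\x02" + b"B" * 32
PUBKEY_C = b"\x02" + b"C" * 32
ADDR_A, ADDR_B, ADDR_C = (address_of(k) for k in (PUBKEY_A, PUBKEY_B, PUBKEY_C))

# Constructed ledger. An input names the output it spends and carries the
# spender's public key (as a scriptSig does); an output locks value to an address.
LEDGER = [
    {"txid": "tx1", "inputs": [], "outputs": [{"address": ADDR_A, "value": 50}]},
    {"txid": "tx2",
     "inputs": [{"spends": ("tx1", 0), "pubkey": PUBKEY_A}],   # reveals PUBKEY_A
     "outputs": [{"address": ADDR_B, "value": 30},
                 {"address": ADDR_A, "value": 20}]},          # change back to a reused address
    {"txid": "tx3", "inputs": [], "outputs": [{"address": ADDR_C, "value": 10}]},
]


def revealed_pubkeys(ledger) -> dict:
    """Addresses whose public key now sits on the public ledger."""
    revealed = {}
    for tx in ledger:
        for inp in tx["inputs"]:
            revealed[address_of(inp["pubkey"])] = inp["pubkey"]
    return revealed


def unspent_outputs(ledger) -> list:
    """(txid, index, address, value) for every output not yet spent."""
    spent = {inp["spends"] for tx in ledger for inp in tx["inputs"]}
    return [(tx["txid"], i, out["address"], out["value"])
            for tx in ledger for i, out in enumerate(tx["outputs"])
            if (tx["txid"], i) not in spent]


def exposed_unspent(ledger) -> list:
    """Unspent value locked to an address whose public key is already revealed."""
    revealed = revealed_pubkeys(ledger)
    return [u for u in unspent_outputs(ledger) if u[2] in revealed]


if __name__ == "__main__":
    for txid, idx, addr, value in exposed_unspent(LEDGER):
        print(f"{txid}:{idx} {value} coins at {addr}: public key already public")
```

Running it flags only the change output sent back to the reused address; the never-spent outputs at the other two addresses still hide their keys behind the hash.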
You don't need to break encryption when we have the likes of the FBI and NSA doing everything they can to implement backdoors or subtly weakening the algorithms themselves.
Compromised software, active trojans and keyloggers, ISP level malware injection, etc means you can't trust anything network connected as it is.
When the day finally arrives, only the old school methods like the OTP via paper and pencil will remain secure.
I can't think of many problems of importance for letter organization to own one.
This article is IBM smoke. If a key is a million bits long, I defy IBM to decrypt a message instantly. If they succeed, then square the key size and try again. As for analyzing for patterns, encrypt the encryption over and over again with different keys. Best of luck IBM with your self promoting FUD.
On the other hand, weak encryption will always be broken by a quantum, or any other type of super computer.
Why didn't someone say something sooner?
We'll just wait for the time results and then lengthen the keys equivalently.
"each computation takes just a few watts" -- are computations eternal?
"applications such as bitcoin" -- are part of the "warning your encryption will break" problem, not the "save energy" benefit. The use of energy by bitcoin is a feature not a bug: it's the work being proven in a proof-of-work system. The answer to energy saving is a proof-of-stake system, which has its own downsides around volatility. Quantum computing is not an answer. It's a way to steal coins.
I have some uncertainty about this
In an ideal situation they aren't "negotiated", but are established over a secure channel in advance.
The world is not ideal, and sometimes what may initially look absurd turns out to be the least bad. For example, over what secure channel would you recommend that Slashdot offer to establish a symmetric key between your browser and its server over which to send your credentials when signing in as sexconker?
Lenovo has a laptop sale.
They're up to... "Intel ® Core i7-8650U with vPro ® (1.90GHz, up to 4.20GHz with Turbo Boost, 8MB Cache)"
with "up to 16 GB LPDDR3 2133 MHz (Onboard"
Wow, huh?
At the rate in which quantum computing is progressing, I'd bet that things like crypto-coins will implode just fine on their own long before they have to worry about quantum computing causing a problem...
Shor's algorithm can also be used to solve problems based on discrete logarithms. This means that it can also break all deployed elliptic curve cryptography, in which curve points are used to form a group, and the security is based on the discrete logarithm problem for that group. There are other forms of elliptic curve cryptography which are not based on discrete log, and which are secure against quantum attacks. But these are all academic, and not widely used.