IBM Warns Quantum Computing Will Break Encryption (zdnet.com)

← Back to Stories (view on slashdot.org)

IBM Warns Quantum Computing Will Break Encryption (zdnet.com)

Posted by EditorDavid on Saturday May 19, 2018 @09:34AM from the no-more-secrets dept.

Long-time Slashdot reader CrtxReavr shares a report from ZDNet: Quantum computers will be able to instantly break the encryption of sensitive data protected by today's strongest security, warns the head of IBM Research. This could happen in a little more than five years because of advances in quantum computer technologies. "Anyone that wants to make sure that their data is protected for longer than 10 years should move to alternate forms of encryption now," said Arvind Krishna, director of IBM Research... Quantum computers can solve some types of problems near-instantaneously compared with billions of years of processing using conventional computers... Advances in novel materials and in low-temperature physics have led to many breakthroughs in the quantum computing field in recent years, and large commercial quantum computer systems will soon be viable and available within five years...

In addition to solving tough computing problems, quantum computers could save huge amounts of energy, as server farms proliferate and applications such as bitcoin grow in their compute needs. Each computation takes just a few watts, yet it could take several server farms to accomplish if it were run on conventional systems.
The original submission raises another possibility. "What I wonder is, if encryption can be 'instantly broken,' does this also mean that remaining crypto-coins can be instantly discovered?"

114 of 197 comments (clear)

Min score:

Reason:

Sort:

crypto-coins? by DogDude · 2018-05-19 09:38 · Score: 5, Insightful

What I wonder is, if encryption can be 'instantly broken,' does this also mean that remaining crypto-coins can be instantly discovered?

This could theoretically be the biggest breakthrough in computing since transistors, and this person is wondering about how it's going to affect Monopoly money? Jesus.

--
I don't respond to AC's.
1. Re:crypto-coins? by FrankSchwab · 2018-05-19 10:01 · Score: 2, Insightful
  
  You have no idea what you're talking about, do you?
  You've got all the right words there, but completely the wrong concepts behind them. You do realize that ALL of the data shipped around via HTTPS is encrypted with symmetric algorithms, right? And that asymmetric algorithms are used to create and agree on the symmetric keys to be used for communications, right?
  
  --
  And the worms ate into his brain.
2. Re:crypto-coins? by Pinky's+Brain · 2018-05-19 10:02 · Score: 1
  
  The ownership of your wallet is still guarded by asymmetric encryption.
3. Re:crypto-coins? by Joce640k · 2018-05-19 10:04 · Score: 4, Informative
  
  To be clearer: Quantum computers break things based on number factoring, eg. certificate signing.
  It doesn't break block ciphers like AES.
  It might break blockchain, yes, but, like, who cares?
  
  --
  No sig today...
4. Re:crypto-coins? by glenebob · 2018-05-19 10:05 · Score: 3, Interesting
  
  What a strange and verbose way of saying "you're right, quantum computing will break HTTPS".
5. Re:crypto-coins? by ledow · 2018-05-19 10:05 · Score: 5, Interesting
  
  Hashes are actually one of the best ways to stay QC-safe.
  At the moment, we use our existing encryption algorithms to generate hashes. Instead, most of the quantum-safe encryption algorithms use hashes to build themselves.
  The reason is quite simple if I can use an analogy. It's not 100% accurate, but good enough to make most people understand.
  First - a hash.
  You take an input, you generate a "mini-mash" of it - you jumble it up and cut bits out in a predictable manner until you get something that is absolutely tiny but built from that original input.
  The same input will give the same hash every time, because you do the same thing every time. Yet millions of different inputs might give you that same mini-mash (because they are much fewer hashes than there are data-sets, so by chance they overlap sometimes - a hash collision) but that hardly matters in real life because the chances of those other inputs being valid Microsoft Word files, or containing the same secrets as your files are infinitesimally small.
  Quantum-computers attacking conventional encryption works like this:
  - you "build a circuit" that performs the same encryption that was used (e.g. AES, ECC, etc.).
  - you plug in the ANSWER (the encrypted text) into the end of it.
  - by some magic of physics, it instantaneously determines the only possible inputs that could have ever formed that answer. Thus, it works out the SECRET INPUT (i.e. the keys) that was originally used to encrypt it - all in one "tick".
  As such, QC defeats traditional encryption entirely. Every encrypted text/web session is one tick away from compromise with zero effort required and only tiny amounts of time expended.
  But when you apply that technique to hashes, there may not be only one possible input. In fact there may be an infinity of inputs that give the same hash (because the input can be any size, right? So the mini-mash of a entire novel could the same as the mini-mash of "123" or the same as the mini-mash of a dataset as large as the universe).
  As such, the QC can't determine the answer - it gets all the answers and doesn't know which one's right. To know which one was right, you'd have to check them all... and you're now back from "working out the answer instantaneously" to "checking all the possible combinations one at a time".
  So instead you can build QC-safe encryption by using hashes upon hashes upon hashes upon hashes. Now any possible inputs a quantum computer may determine is lost in an infinity of other inputs... and it's no longer as simple as "just give us the only input that looks like a Word file" - you have to check them all.
  As such, hashes are the basis of much more security, based on their "unknown but potentially infinite amount of data" turned into "a small set of characters" property.
  Crypto-currencies use hashes a lot (Bitcoin is/was basically built upon "keep hashing different things on the end of this string until you get a hash of 0 out of it") and so may be the last thing to fall to QC.
  In the same way that QC turns cryptanalysis on its head, to solve the problem of QC we turn hashes and encryption on their heads.
6. Re: crypto-coins? by Anonymous Coward · 2018-05-19 10:11 · Score: 1
  
  And you don't seem to realize that the KEYS for all that traffic being sent are vulnerable to quantum computers. The RSA algorithm is rather slow, so it's used for key exchange to cheaper crypto algorithms. And RSA is quite vulnerable to quantum computing.
7. Re:crypto-coins? by jetkust · 2018-05-19 10:12 · Score: 1
  
  What I wonder is, if encryption can be 'instantly broken,' does this also mean that remaining crypto-coins can be instantly discovered? This could theoretically be the biggest breakthrough in computing since transistors, and this person is wondering about how it's going to affect Monopoly money? Jesus.
  Yes. That "monopoly money" is kind of a big thing. And it uses encryption. Which is what this is about.
8. Re:crypto-coins? by Joce640k · 2018-05-19 10:27 · Score: 3, Insightful
  
  You have no idea what you're talking about, do you?
  You've got all the right words there, but completely the wrong concepts behind them. You do realize that ALL of the data shipped around via HTTPS is encrypted with symmetric algorithms, right?
  It's almost as if you don't know that HTTPS relies on signed certificates for authentication...
  
  --
  No sig today...
9. Re:crypto-coins? by Pinky's+Brain · 2018-05-19 10:30 · Score: 1
  
  I can easily see how you can sign something using a hash function (just use a secret salt). I don't see how you'd use a hash function to do asymmetric encryption though.
10. Re:crypto-coins? by Anonymous Coward · 2018-05-19 10:30 · Score: 2, Insightful
  
  You do realize that ALL of the data shipped around via HTTPS is encrypted with symmetric algorithms, right? And that asymmetric algorithms are used to create and agree on the symmetric keys to be used for communications, right?
  Except for the keys when not using Diffie-Hellman, which lets you break the whole thing. An the trust validation is done based on RSA/ECC signatures, so you could just crack the root cert and use it to sign whatever keys you want, letting you break the whole thing. If you want to try to sound smart, you should probably know what you're talking about first.
11. Re:crypto-coins? by Joce640k · 2018-05-19 10:32 · Score: 1
  
  It wouldn't be instant, it would be sqrt(todays_time);
  
  --
  No sig today...
12. Re:crypto-coins? by scottragen · 2018-05-19 10:34 · Score: 1
  
  - by some magic of physics, it instantaneously determines the only possible inputs that could have ever formed that answer. Thus, it works out the SECRET INPUT (i.e. the keys) that was originally used to encrypt it - all in one "tick".
  I know you said it may not be 100% accurate but as I understand it this statement's premise is completely wrong. It should read: "by some magic of physics, it instantaneously determines every possible input that could have ever formed that answer. Then you find the outcome that's not gibberish".
13. Re:crypto-coins? by sjames · 2018-05-19 10:39 · Score: 2
  
  Or, you generate the block you want which produces a partial hash. Now, you have a partial hash, a desired complete hash, and an empty field to make it happen.
  The blockchain doesn't care which possible solution goes in that field, just that one of them does.
14. Re:crypto-coins? by digitig · 2018-05-19 10:47 · Score: 1, Interesting
  
  This could theoretically be the biggest breakthrough in computing since transistors, and this person is wondering about how it's going to affect Monopoly money? Jesus.
  Yes, because the computer farms doing blockchain proof of work are devastating for the environment. If blockchain dies, there's a much better chance of there still being a habitable world for my grandchildren. The sort of person heavily into cryptocurrencies tends to be the sort of person who either doesn't believe humans have any impact on climate change or has wet dreams about helping cause widespread devastation, so it needs something external to kill them.
  
  --
  Quidnam Latine loqui modo coepi?
15. Re:crypto-coins? by ZorinLynx · 2018-05-19 11:05 · Score: 5, Insightful
  
  With the rate that crypto-currency mining is wasting energy, breaking blockchain might be a very good thing for our future.
16. Re:crypto-coins? by Anonymous Coward · 2018-05-19 11:07 · Score: 1
  
  I thought if you found /any/ input that generates the same hash, you can break in.
  If your password is "zebra" and its hash is "abc123def456", and the quantum computer finds out first that "aardvark" also produces hash "abc123def456", then it can input "aardvark" into your system and get in, because the system will compare the hash of "aardvark" to the hash it has stored for you, which will match, and lets you in. The system never stores your actual password so it can't determine that "aardvark" is not your password.
17. Re:crypto-coins? by flargleblarg · 2018-05-19 11:33 · Score: 1
  
  cryptocoin
18. Re:crypto-coins? by phantomfive · 2018-05-19 11:40 · Score: 1
  
  So, Bitcoin is screwed, because to 'unlock' money in Bitcoin, all you need is one hash that matches? What a shame,
  
  --
  "First they came for the slanderers and i said nothing."
19. Re:crypto-coins? by mikeiver1 · 2018-05-19 12:15 · Score: 1
  
  I doubt it. I suspect this to be the rantings of a company head and board that have missed the starting gun on a technology and are looking to put the break on so they can play catch up to those that are years ahead. Think Microsoft and the web as an example.
20. Re:crypto-coins? by lhunath · 2018-05-19 12:19 · Score: 2
  
  Please update your response. QC does not break encryption. It breaks factoring performance. That means, all it breaks is private key discovery from a public key. It does not break the encryption performed with those keys (though obviously, discovering a private key trivially is a problem), and it does NOT BREAK SYMMETRIC ENCRYPTION, which is by far the most common and most robust encryption in use today. It's vital we stop the spread of misinformation. Start with yourself.
  
  --
  ``OK, so ten out of ten for style, but minus several million for good thinking, yeah?''
21. Re: crypto-coins? by phantomfive · 2018-05-19 12:37 · Score: 1
  
  No, it has nothing to do with 'at rest' or smoking around.' Elliptical curve cryptography is heavily relied on in bitcoin, so bit coin will be in trouble.
  
  --
  "First they came for the slanderers and i said nothing."
22. Re:crypto-coins? by ledow · 2018-05-19 14:34 · Score: 1
  
  The transaction signing algorithm can be swapped out in an ordinary update. That's been done before and will be done again.
  But Bitcoining mining relies on proof-of-work, using hashing-to-create-a-hash-of-zeroes, and it's pretty fundamental. I'm sure that other proofs-of-work are allowed but they would need pretty drastic changes to the way that all Bitcoin miners operate or are optimised, whereas transaction signing wouldn't as they are much rarer calculations only necessary for verification of the ledger, not billions-upon-billions of proof-of-work calculations.
23. Re:crypto-coins? by Kjella · 2018-05-19 14:41 · Score: 1
  
  - you "build a circuit" that performs the same encryption that was used (e.g. AES
  - by some magic of physics, it instantaneously determines the only possible inputs that could have ever formed that answer.
  That's a load of bollocks. A block cipher works by "remapping" a block of plaintext into ciphertext. So for a 128 bit cipher you have 2^128 possible keys and 2^128 possible plaintexts that produce 2^128 ciphertexts. So for any one ciphertext there's 2^128 equally valid key/data combos that produce that ciphertext, not one. I suppose it's possible that quantum computers could be used for a known plaintext attack by figuring out what key converts this plaintext into that ciphertext, but I haven't heard of it. Just factorization of private keys which is relevant to a lot of internet communication but not for example full disk encryption or password protected archives.
  
  --
  Live today, because you never know what tomorrow brings
24. Re:crypto-coins? by swillden · 2018-05-19 16:00 · Score: 4, Informative
  
  To be clearer: Quantum computers break things based on number factoring, eg. certificate signing.
  It doesn't break block ciphers like AES.
  It might break blockchain, yes, but, like, who cares?
  Quantum computing does weaken both symmetric ciphers like AES and hashing algorithms which are the basis of blockchains (though many blockchains also make use of asymmetric digital signatures which are more deeply affected). Specifically, Grover's Algorith is a quantum algorithm that can find the input that provides a given output for any algorithm with at most sqrt(N) applications of the algorithm. This means that with sufficiently-good quantum computers, you can find a 128-bit AES key for a known plaintext/ciphertest pair in 2^64 steps, which just might be feasible. Similarly, given a 160-bit hash, like SHA-1, you can find a pre-image for a given hash value in 2^80 steps.
  Of course, if you use AES-256, Gover's algorithm will find you an answer in 2^128th steps, which is almost certainly forever out of reach Similarly for SHA-2 256. This assumes that Grover's algorithm is the best way to attack these sorts of primitives with a quantum computer, of course. We may discover other approaches that are less general, but better.
  
  --
  Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
25. Re:crypto-coins? by NicknameUnavailable · 2018-05-19 16:01 · Score: 1
  
  You're a moron, there are no extant post-quantum cryptocoins.
26. Re:crypto-coins? by swillden · 2018-05-19 16:05 · Score: 2
  
  Quantum-computers attacking conventional encryption works like this: - you "build a circuit" that performs the same encryption that was used (e.g. AES, ECC, etc.)... As such, QC defeats traditional encryption entirely.
  This is incorrect. Shor's algorithm promises one-step breaks of asymmetric algorithms (RSA, ECC), but it does not work on symmetric ciphers like AES or (as you correctly say) hash functions. However, Grover's algorithm, does work on symmetric ciphers and hash functions. Not as well; given an N-bit search space, Grover's algorithm requires sqrt(N) steps. Still that puts AES-128 at risk of sufficiently large and efficient quantum computers. AES-256 is pretty safe, though, barring some other quantum algorithm that is more effective.
  
  --
  Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
27. Re:crypto-coins? by javaman235 · 2018-05-19 16:46 · Score: 1
  
  Thank you! I was reading up on this at IBM (have great tutorial, and super cool composer to learn it.) The stuff is mind blowing, and the reality is what it's limits are are unknown...It's a new fundamental layer to computing. So imagining what brilliant cryptanalysts have done with Turing machines, what might they eventually be able to do with this new dimension of possibilities? You can't pretend to know and put limits on it beforehand.
  
  --
  -The art of programming is the pursuit of absolute simplicity.
28. Re:crypto-coins? by Joce640k · 2018-05-19 20:13 · Score: 2
  
  Quantum computers can potentially reduce the amount of operations by the square root of the search space. So if you have a 64 bit key, it's now a 32 bit keyspace you have to search through.
  Only for known-plaintext attacks.
  
  --
  No sig today...
29. Re:crypto-coins? by religionofpeas · 2018-05-19 20:45 · Score: 1
  
  Quantum computing isn't going to kill bitcoin. It just requires upgrading the protocols.
30. Re:crypto-coins? by thegarbz · 2018-05-19 21:17 · Score: 5, Insightful
  
  It might break blockchain, yes, but, like, who cares?
  I care. The sooner we can break blockchain the sooner we can stop the insane amount of wasted energy we are pouring into this retarded tulip and go back to reducing the world's energy consumption like we were doing before this stupidity infected us.
31. Re:crypto-coins? by MrL0G1C · 2018-05-19 21:31 · Score: 1
  
  Surely the square root of NOW is still NOW.
  
  --
  Waterfox - a Firefox fork with legacy extension support, security updates and better privacy by default.
32. Re:crypto-coins? by religionofpeas · 2018-05-19 21:47 · Score: 1
  
  But Bitcoining mining relies on proof-of-work, using hashing-to-create-a-hash-of-zeroes, and it's pretty fundamental
  For bitcoin hashing, quantum computing (with currently known algorithms) only offer a limited increase in performance. And even if exploited, you'd still have to weigh the complexity of the quantum computer and its power consumption against the very well optimized current solutions. Even after the first demonstration prototype, it would take years before it's simple and cheap enough to use for practical mining.
33. Re:crypto-coins? by Archtech · 2018-05-19 22:21 · Score: 1
  
  Some people do seem to have great difficulty in uttering the words, "You're right". Some kind of mental block...
  
  --
  I am sure that there are many other solipsists out there.
34. Re: crypto-coins? by phantomfive · 2018-05-20 02:31 · Score: 1
  
  The proof of work (mining) in bitcoin is SHA-256.
  
  --
  "First they came for the slanderers and i said nothing."
35. Re:crypto-coins? by tepples · 2018-05-20 03:45 · Score: 1
  
  Only for known-plaintext attacks.
  Is <!DOCTYPE HTML><html><head> enough known plaintext to know that you have the right key for a given message?
36. Re:crypto-coins? by tepples · 2018-05-20 03:50 · Score: 1
  
  it does NOT BREAK SYMMETRIC ENCRYPTION, which is by far the most common and most robust encryption in use today.
  How do you think keys for symmetric encryption are negotiated?
37. Re:crypto-coins? by sexconker · 2018-05-20 05:25 · Score: 1
  
  LOL you're agreeing with the AC, you clown.
38. Re:crypto-coins? by sexconker · 2018-05-20 05:33 · Score: 1
  
  In an ideal situation they aren't "negotiated", but are established over a secure channel in advance.
  Using an insecure medium to perform secure communications is absurd.
  Attempting the secure that medium with math that has not been proven to be "one way" (hint - it's fucking not, no useful function is) is equally absurd.
39. Re: crypto-coins? by sexconker · 2018-05-20 05:37 · Score: 1
  
  And the AC above you pointed out exactly that.
  Block generation is safe. Your wallets are not.
  Of course, they can simply change the algorithm protecting the transactions, and thus your wallet's balance.
40. Re:crypto-coins? by Joce640k · 2018-05-20 06:14 · Score: 1
  
  The sqrt(N) thing only works for known plaintext attacks.
  If the message is salted with a random number then it becomes much more difficult.
  
  --
  No sig today...
41. Re:crypto-coins? by lsatenstein · 2018-05-20 07:21 · Score: 1
  
  Even if the algorithm was not symmetric, we do not require the public key to generate the private key. Just test with multiple streams of private test keys until the private key is discovered. You do not have to test the entire stream of data, just enough to know if it's a hit or a miss.
  What has to be done is to generate a key space. Consider a NxNxNxN set of encryption ¼ key parts. Randomly select from the array, a set of 4 indices to be used to construct a key for this particular stream of data. Create the encryption key using the index into the NxNxNxN table. It can be a header in the stream of data sent separately as a meta data file. Add a salt value, and do not specify which index is for which dimension. Four bytes of indices would allow 256^4 choices, followed by a permutation or encryption of the bytes containing the indices.
  A lot can be done to algorithms to prevent quantum computing from solving the key problem in real time. Also, what can be done is to intersperse false data with the encrypted data. The Quantum computer key-table generator could create a new table every few minutes.
  The flaw in the ointment is having access to the program(s) that generate the key-table array, the encryption program and the decryption program, as well as some mutually shared private data.
  We are approaching the speed of light with Quantum computing. Mans brain works at twice that.
  
  --
  Leslie Satenstein Montreal Quebec Canada
42. Re: crypto-coins? by phantomfive · 2018-05-20 11:31 · Score: 1
  
  And the AC above you pointed out exactly that: [The proof of work (mining) in bitcoin is SHA-256]. Block generation is safe.
  No, SHA-256 is vulnerable to quantum computing attacks. Or are you saying it isn't vulnerable?
  
  Of course, they can simply change the algorithm protecting the transactions, and thus your wallet's balance.
  No, 'they' can't do this. (Wallets aren't a real thing, only transactions are. Wallets are an abstraction used to make things easier for users, but the blockchain is just a list of transactions.) Only the person with the key can unlock a transaction to spend it again. If SHA-256 is broken, then anyone can unlock the transaction.
  
  --
  "First they came for the slanderers and i said nothing."
43. Re:crypto-coins? by swillden · 2018-05-20 13:27 · Score: 1
  
  The sqrt(N) thing only works for known plaintext attacks.
  If the message is salted with a random number then it becomes much more difficult.
  If a cipher is vulnerable to a known plaintext attack, it's utterly broken and unusable. This is how cryptographers see it, and for very good reasons.
  
  --
  Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
44. Re: crypto-coins? by Brockmire · 2018-05-20 15:15 · Score: 1
  
  Original submitter is Satoshi.
45. Re:crypto-coins? by jpaine619 · 2018-05-20 15:45 · Score: 1
  
  I care. The sooner we can break blockchain the sooner we can stop the insane amount of wasted energy we are pouring into this retarded tulip and go back to reducing the world's energy consumption like we were doing before this stupidity infected us.
  This statement is idiotic. Reducing energy consumption is a stupid goal. The goal should be to reduce or even eliminate the pollution caused by energy consumption and to make the consumption more efficient.
  If I go out and buy 20 solar panels, hook them up to an air conditioner and attempt to cool down the Mohave Desert, there is no net negative effect on the Earth, yet I have increased the net energy consumption. Consuming energy is not our problem.. The waste of energy and the pollution caused by generating it is a problem.
  Demand for energy will always increase.
46. Re:crypto-coins? by thegarbz · 2018-05-20 22:30 · Score: 1
  
  This statement is idiotic. Reducing energy consumption is a stupid goal.
  Oh I assume you live in one of those planets with infinite resources. Congratulations. Also the rest of your statement is equally stupid since perfect pollution free systems don't exist and therefore shouldn't be the only target of improvements.
  
  Demand for energy will always increase.
  This is the only idiotic statement in the entire thread so far. Demand for energy is dependent on efficiency we achieve while reaching our goals. Go buy an electric car, your energy usage will almost quarter without any talk of pollution. My parents just installed a heatpump in their house. Expect their energy usage to be decimated this winter when they aren't running bar heaters everywhere. I insulated my house and replaced the seals around my doors last winter. My gas usage plummeted as a result.
  Demand for energy only will always increase if you're insistent on wasting energy on stupid endeavours, like mining imaginary items of value for financial speculators.
  Speaking of pollution... https://slashdot.org/story/18/...
47. Re:crypto-coins? by thegarbz · 2018-05-20 22:34 · Score: 1
  
  Sound money is most definitely important. Bitcoin isn't it, and there's no requirement for said money to be digital.
  
  And no, before you comment, government issued digital money is not sound
  Put your tinfoil hat back on. There's nothing more "sound" than the thing which forms the basis of what has ultimately brought our current society to the place it is today. Government issued fiat currencies are the very definition of "sound" unless you think our current society is in non functioning chaos and disarray due to the US Dollar being regulated by an authority. If you think that, ... Put your tinfoil hat back on.
48. Re: crypto-coins? by Bob+the+Super+Hamste · 2018-05-21 00:40 · Score: 1
  
  EC crypto is even easier to crack using quantum computers than RSA is.
  
  --
  Time to offend someone
49. Re:crypto-coins? by Joce640k · 2018-05-21 02:51 · Score: 1
  
  Even for 128 bit crypto: sqrt(2^128) is still a very big number.
  It's possible to brute force 2^64 using vast amounts of conventional computers but conventional computers are cheap/small/easy to power. I doubt anybody will be running anything like the same number of quantum computers in parallel. Not even sqrt(conventional).
  and, b) It hasn't yet been demonstrated that Quantum computers can be programmed to efficiently crack conventional crypto. It's actually very unlikely that they can - quantum algorithms are very limited in what they can do.
  b) We already have 256 bit block ciphers. sqrt(2^256) is impossible even on a Quantum computer.
  
  --
  No sig today...
50. Re:crypto-coins? by Bob+the+Super+Hamste · 2018-05-21 02:54 · Score: 1
  
  While quantum computers don't break symmetric key ciphers like AES they do offer a massive speed up by using Grover's Algorithm. So instead of having a problem with difficulty of 2^n you have a problem with a difficulty of 2^(n/2) with symmetric key crypto. Because quantum computers have been the next new hotness for many years now and with Grover's Algorithm being know the AES competition had the foresight to realize that the next generation cipher would likely need to resist it so instead of going with 128 bits they wanted a 256 bit option. So AES256 on a quantum computer is as difficult to break as AES128 is on a classical computer. So even on an ideal quantum computer cracking an AES256 encrypted message would require a large fraction of a large nation state's total annual energy production instead of having stellar mass energy level requirements on a classical computer.
  
  The problem come in because using Shor's Algorithm on a quantum computer absolutely destroys asymmetric key encryption like RSA. It also does the same to all problems based off of discrete logarithms, factorization, and elliptical curves. So basically all of the commonly used public key options. It does appear however that there is a solution available that is resistant to quantum computers called lattice base cryptography which I still need to spend time on understanding but looks promising.
  
  --
  Time to offend someone
51. Re:crypto-coins? by Joce640k · 2018-05-21 02:57 · Score: 1
  
  If a cipher is vulnerable to a known plaintext attack, it's utterly broken and unusable. This is how cryptographers see it, and for very good reasons.
  And c) All algorithms are vulnerable to known plaintext attacks - even one-time-pads (which are the only provably secure crypto).
  
  --
  No sig today...
52. Re:crypto-coins? by Bob+the+Super+Hamste · 2018-05-21 02:59 · Score: 1
  
  The answer would be yes given that the block size for AES is 128 bits as those 27 characters gives you over 1.5 blocks.
  
  --
  Time to offend someone
53. Re:crypto-coins? by swillden · 2018-05-21 04:11 · Score: 1
  
  Here you've simply restated what I said originally.
  
  --
  Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
54. Re:crypto-coins? by swillden · 2018-05-21 04:30 · Score: 1
  
  If a cipher is vulnerable to a known plaintext attack, it's utterly broken and unusable. This is how cryptographers see it, and for very good reasons.
  And c) All algorithms are vulnerable to known plaintext attacks - even one-time-pads (which are the only provably secure crypto).
  The sort of vulnerability we're discussing here is recovery of the key from some number of known plaintext/ciphertext pairs. Yes, any block cipher is "vulnerable" in the sense that given sufficient computing capacity and known plaintext and paired ciphertext exceeding the unicity distance, the key can be recovered. But cryptographers don't consider this a vulnerability unless the amount of computing capacity required is significantly less than brute force search of the key space.
  Given sufficiently-fast quantum computers Grover's Algorithm does enable the recovery of 128-bit AES keys in significantly less time than would be required for a brute force search of the key space. Whether sufficiently-fast quantum computers will ever exist is unknown. Similarly, it's unknown whether quantum algorithms better than Grover's will be devices for attacking AES.
  As for one-time pads, assuming the keystream satisfies the requirements of a one-time pad, it is not possible to recover a different part of the keystream from observations of arbitrarily-large amounts of known plaintext and corresponding. Obviously you can recover the part of the keystream used for encrypting the known plaintext, but that does you no good since it will never be reused.
  Really, in order to be considered any good, a block cipher plus chaining mode must satisfy IND-CCA2 (and therefore also IND-CCA1 and IND-CPA). See https://en.wikipedia.org/wiki/... if you're not familiar with these standard cryptographic security models.
  
  --
  Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
55. Re:crypto-coins? by KingBenny · 2018-05-22 02:23 · Score: 1
  
  so would a 12 monkey virus to eradicate 7 billion sapient parasites, now that would save some energy there. I don't know about IBM, but i only know there was once a firm who sponsored the nazis, basically funding world war 2, seemed like a good idea at the time probably, also some dude who claimed there was "a market for maybe five or six computers in the world" and something about never having a pc in every home (let alone an iThing in every pocket ... with quantum computing should come 'quantum encryption' ? i bet cypherpunks are having wet dreams about that every night right now already who would have access to this anyway ? say IBM does and suddenly all the worlds crypto is gone ? where would the finger go ... or actually if you consider guessing the digit code for a digipass to be higher chance than winning the lottery and people do almost every week (the latter) , what does that mean for all the old world then ? And actually does anybody know because i havent seen a quantum computer yet, about the only practical thing i read is the chinese duplicating data exactly from here to the moon and back (or information as they call it in the physzers world i think) and some russian dude who (already) was working out a total quantum-encryption system i thnk it's a magic word like "blockchain" which is about what ? ten years old now ? but its a magic word atm so quantum computing most likely is too seeing is believing, demonstration if you please IBM (and if you please no more sponsoring world wars ... if you please, thanks)
  
  --
  Free speech was meant to be free for all... how can anyone grow up in a nanny state ?
56. Re:crypto-coins? by ledow · 2018-05-22 10:17 · Score: 1
  
  Not without a MUCH MUCH MUCH larger quantum computer.
  We combat existing brute-force by requiring too much TIME to test all the possibilities.
  Under QC, you'll combat brute-force by requiring a quantum computer of such impractical size that it would be infeasible (it's very hard to make a large QC that isn't susceptible to noise and quantum decoherence).
  It's quite easy to make a prime-factorisation QC... in 2001, IBM built 7 qubits - enough to factor the number 15. It then took 12 years to advance the technology sufficient to factor the number 21. 2018's record so far is a 72 qubit machine.
  By the time we get to factorising primes of the size used in encryption, it is instantaneous game-over for all standard cryptography. But it's a way off. At the point, we'll be glad of any increase in complexity that happens, and hashes are one way of providing that extra complexity. (Because the problem can't just be broken down into bits - you have to have an entirely coherent system to solve the problem).
  And the way to combat that is to introduce so much complexity in the required machine that it becomes infeasible to construct (or even power!). We're talking literally millions of qubits.
  Sure, 50 years from now we might all have a million-qubit computer in our pocket. But at the moment, post-quantum stuff is about making it so infeasibly expensive, impractical and difficult to make the machine capable of "instantly working out the answer" that you're safe.
57. Re:crypto-coins? by ledow · 2018-05-22 10:21 · Score: 1
  
  P.S. For Shor's algorithm: "For a 1000-bit number, this implies a need for about 10,000 qubits without error correction." - to give you an idea of what it would take to (probabilistically, not perfectly) factor one number.
  Now imagine what it takes to crack a bog-standard SSL key, say. Most websites are already using encryption which will need a quantum computer 100-1000 times larger than anything that currently exists.
RSA and other signatures by CanEHdian · 2018-05-19 09:40 · Score: 1

...and how about private keys? Especially in the console world, that would come in quite handy so paying for quantum computer time via crowdfunding to discover Sony's, Nintendo's, etc. private signing keys could become a thing.

--
When the copyright term is "forever minus a day", live every day like it's the last.
1. Re:RSA and other signatures by Carewolf · 2018-05-19 20:27 · Score: 1
  
  ...and how about private keys? Especially in the console world, that would come in quite handy so paying for quantum computer time via crowdfunding to discover Sony's, Nintendo's, etc. private signing keys could become a thing.
  The encryption only gets easier to break, not trivial. We would only have to double the number of bits.
2. Re:RSA and other signatures by skids · 2018-05-20 06:50 · Score: 1
  
  We would only have to double the number of bits.
  That's for a different class of problem. QC is a much bigger threat to all widely deployed asymmetric key exchange schemes and public key systems. Basically this means any conversation that is recorded now may be decrypted later, since almost nothing uses offline-pre-shared keys these days... that model just does not fit how the world wants to use cryptography.
  Pilot implementations of the new post-quantum key exchanges (kex) are already starting to become available e.g. as strongswan plugins, but they might be a bit premature as implementations... I'd like to see more cryptographers who know their shit sign off on the lightweight forms of RLWE-kex before it gets deployed alone as a kex. Until then it would probably be better to also performs a non-qc-safe kex and xor the two, in case there is a flaw in it.
  
  --
  Someone had to do it.
Crypto-coins by Troed · 2018-05-19 09:41 · Score: 1

"does this also mean that remaining crypto-coins can be instantly discovered?"
No, that's not how the minting of new coins work, at all.
There are theoretical issues where someone might learn your private key from seeing a transaction, but they're mitigated for all new addresses and usage.
https://en.bitcoin.it/wiki/Qua...

--
it's in my head
Re:Quick someone warn IBM by ledow · 2018-05-19 09:45 · Score: 1

Cool.
So all your web browsers and disk encryption programs have got a quantum-safe algorithm in them already, then, and you're using it, right? So that your data is safe for the changeover they're talking about.
I think you'll find this is IBM warning that they - as a company trying to build quantum computers at the moment - see them coming in the next five years, which means we should have moved 5 years ago.
It's a warning that is going unheeded.
No. Elliptic curves are not quantum-safe.
What we have already, you can take and massively increase the key size but that doesn't make the TIME spent any less. It just makes the QC that cracks them "larger" and thus harder to build. Increasing AES / etc. keysize will give us a couple of years past someone making a viable QC. After that we have... what? Nothing in place, certainly nothing commodity, certainly nothing that an ordinary user can use.
Kinda like fusion.... by jythie · 2018-05-19 09:48 · Score: 4, Insightful

I am thinking back to the saying 'AI, like fusion, has been 10 years away for 30 years now'. I think that quote was from the 60s or 70s, so add a few decades. The earth shattering predictions for quantum computers have been around for a while and they are always 'just about to be realized', but even today it is cheaper to emulate quantum computers on traditional machines than to actually build and use them. It is questionable, given advances in traditional semi-conductors, if it will EVER be cheaper to use quantum computing, even for the tasks it is best suited for.
Elliptic Curve Cryptography? by Dwedit · 2018-05-19 09:49 · Score: 3, Interesting

Wasn't elliptic curve cryptography supposed to be resistant to quantum computers?
1. Re:Elliptic Curve Cryptography? by OldMugwump · 2018-05-19 10:38 · Score: 1
  
  From what I've read (I'm no expert), elliptic curve crypto was a scheme invented by NSA to weaken standardized crypto systems.
  
  --
  "Shoot, a fella could have a pretty good weekend in Vegas with all that stuff."
2. Re:Elliptic Curve Cryptography? by Anonymous Coward · 2018-05-20 02:01 · Score: 1
  
  Elliptic curve cryptography uses a different type of mathematical problem than RSA, thereby allowing the use of much smaller keys for and equivalent level of security. For example, if a 128 bit AES symmetric key is to be exchanged securely, RSA requires 3072 bits of security to protect it whereas ECC requires only 256 bits. This is also useful in situations such as IoT and non-contact smart card where the channel of communication is inherently limited due to connection speed, bandwidth or available power. This is all prime curve ECC as well, whereas binary curve ECC can have additional advantages in most practical applications from a power and implementation perspective.
  What you're referring to is the NIST recommended curves being insecure and not recommended for use by some security experts. There was a weakness in DUAL_EC_DRBG, but I think these are mostly overblown concerns for all practical purposes.
  At this point, if you're really concerned about Shor's Algorithm and a quantum computer with a sufficient number of coherent qubits cracking ECC, RSA and the like, you should already be moving to post-quantum crypto algorithms. Go to pqcrypto.org. Just beware that this is still an emerging field, that not enough vetting has been performed on the proposed post-quantum crypto algorithms, and that you could inadvertently place your information at greater risk than currently-established algorithms.
Both by dilvish_the_damned · 2018-05-19 10:02 · Score: 5, Funny

The original submission raises another possibility. "What I wonder is, if encryption can be 'instantly broken,' does this also mean that remaining crypto-coins can be instantly discovered?"
Yes and No.

--
I think you underestimate just how much I just dont care.
Regarding crypto coins by Anonymous Coward · 2018-05-19 10:05 · Score: 2, Interesting

Yes, quantum computers will eventually allow people to crack the private keys for most cryptocurrency wallets. However, some projects are already working to address this. The best example is Quantum Resistant Ledger (QRL), which is redesigned from the ground up to use quantum proof crypto algorithms. Look it up, they have a lot of info on exactly HOW quantum computers will affect cryptocurrencies, and other related data.
Alt encryption owned by IBM by DalM · 2018-05-19 10:07 · Score: 4, Insightful

Of course the alternate encryption like that which IBM recommend happens to be owned by IBM. Better buy in now!
Answer: lattice-based crypto around since 80's... by Idisagree · 2018-05-19 10:08 · Score: 3, Informative

Article is very light on evidence of any new form of successful attack so it's a bit premature to advise the sky is falling just yet!
Better encryption methods are always being worked on and we will phase out the old encryption methods when they become stale and move onto more resistant types.
As it so happens there are already some constructions (and they have been around for some time) that can be used such as Ring-LWE and NTRU which have been shown to hold up against classic and Quantum based attacks.
I'm going back to my bowl of cereal now.
Re:Quick someone warn IBM by FrankSchwab · 2018-05-19 10:10 · Score: 1

I believe that QC will only attack the "large number" asymmetric algorithms - RSA, ECC, etc. I believe that symmetric algorithms such as AES aren't as susceptible to QC attacks - Grover's Algorithm cuts the effective key length in half (AES-128 could be brute forced by a QC as though it had a 64 bit key; AES-256 effectively eliminates that problem).
Of course, without the asymmetric algorithms it's really tough to set up a secure session, especially with a server that you don't know.

--
And the worms ate into his brain.
Re:IBM salesbros and hindu slackers are not going by vtcodger · 2018-05-19 10:14 · Score: 4, Interesting

Probably wrong on the details
But that's slightly different than dead wrong.
It does emphasize what we all sort of know. Encryption that is good enough today will probably be not good enough in a few -- five, ten, fifteen -- years. Which suggests that all your email and metadata that you and others have stashed in encrypted stores may be decodable if you (and they) keep the stores around too long.
And it doesn't matter what technology makes the data readable. Quantum computing, brute force, some clever algorithm, some flaw in common encryption algorithms or the software implementing them. Your secrets may not remain secret.
That's probably not a good thing.

--
You can't see ANYTHING from a car, You've got to get out of the goddamned contraption and walk...Edward Abbey
Blah Blah Blah They've Been Saying That for Years by Anonymous Coward · 2018-05-19 10:18 · Score: 1

Quantum computing has been long on promises and short on delivery for decades now. If you can break our encryption in less time than it takes to make a cup of coffee then show us the money. How about a public demonstration where in 15 minutes or less you break the private keys of all of the big certificate authorities and issue yourself fake certificates for Google, Apple, Facebook and Netflix signed with those cracked private keys?
The solution is easy, folks .. by CaptainDork · 2018-05-19 10:29 · Score: 2

... when quantum computing is capable of breaking current encryption, that same computer will be providing unbreakable encryption.For example:

. A. Ekert, “Quantum cryptography based on Bell’s theorem,” Phys. Rev. Lett.0031-9007 https://doi.org/10.1103/PhysRe... 67, 661–663 (1991). Google ScholarCrossref, CAS

--
It little behooves the best of us to comment on the rest of us.
1. Re:The solution is easy, folks .. by Nemyst · 2018-05-19 10:44 · Score: 1
  
  Problem with that logic is that you won't be able to transition to the new encryption scheme smoothly. There's invariably going to be a gap period where quantum computers able to break current encryption are available but quantum encryption isn't yet widespread. Knowing the industry and how many people will readily skimp on IT for a few bucks more profit, I expect it'd take years to make such a transition.
2. Re:The solution is easy, folks .. by CaptainDork · 2018-05-19 12:23 · Score: 1
  
  Chicken or egg ...
  The key (pun intended) is "current encryption."
  There are problems, particularly theoretical math, that quantum computers can't solve.
  Encryption will be moving in that direction.
  
  --
  It little behooves the best of us to comment on the rest of us.
3. Re:The solution is easy, folks .. by iggymanz · 2018-05-19 13:36 · Score: 1
  
  nope, no one knows what that would be.
  that's why the statement of "alternatives" in summary about is hilarious, it is not known what alternatives at present, or if any of them, would be resistant to quantum cracking.
  Instead those agencies that can afford a quantum computer will be cracking communications, finances, etc.
  Maybe they'll make it illegal for us to own quantum computer, only governments get to play. Similar things have been done before, such as "encryptions x,y, and z are munitions"
4. Re:The solution is easy, folks .. by CaptainDork · 2018-05-20 03:01 · Score: 1
  
  Kinda like it's illegal for us to own Stingrays, NSA and CIA hacking tools, you mean?
  
  --
  It little behooves the best of us to comment on the rest of us.
5. Re:The solution is easy, folks .. by iggymanz · 2018-05-21 03:44 · Score: 1
  
  DVD copying software was illegal. a certain number in your possession was illegal (used to copy DVD)
Question by quonset · 2018-05-19 10:41 · Score: 1

If quantum computing will be able to break encryption, why can't quantum computing be used to create better encryption?
Re:Maybe... big maybe by Nemyst · 2018-05-19 10:42 · Score: 1

Uh, you must've missed the proof of concept quantum computers which used Shor's algorithm to factor large numbers, which is the only requisite step to break traditional asymmetrical encryption like RSA. The proof worked with 21 as a "large" number, but since it's been shown to work, the rest is just scaling up.

The scaling up is probably going to take longer than five years, but on the other hand we are not aware of what the NSA is doing in secret. Funding is the big deal there and that's one thing they're not short on.
Really! by Artem+S.+Tashkinov · 2018-05-19 10:43 · Score: 1

Quantum computers will solve current encryption algorithms as soon as we solve general AI. Oh, wait ...
Re:Still NP != P. by Nemyst · 2018-05-19 10:45 · Score: 1

Shor's algorithm allows factorization of numbers large enough that the keys would become uselessly big. It'd be much more efficient to just move to a new encryption scheme which isn't vulnerable.
Re: the mini-mash (It caught on in a flash) by Anonymous Coward · 2018-05-19 11:20 · Score: 1

I was working in the lab late one night
When my eyes beheld an eerie sight
For my johntheripper from his script began to daemonize
And suddenly to my surprise
He did the hash
He did the mini-mash
The mini-mash
It was a server farm smash
He did the hash
It caught on in a flash
He did the hash
He did the mini-mash
...
Re:Still NP != P. by BitterOak · 2018-05-19 11:25 · Score: 1

Quantum computation doesn't guarantee NP = P.
The question of whether or not P=NP is not really relevant in the realm quantum computing, because concepts such as P-space, NP-space, etc. are defined in terms of classical computing, i.e. how many steps would a Turing machine take to solve a problem, and in particular what is the growth law of the number of steps with respect to the size of the input. Quantum computers are completely outside the realm of Turning machines. Talking about P vs. NP in the context of quantum computers would be like talking about the congestion on the Interstate to someone flying a plane.

--
If I can be modded down for being a troll, can I be modded up for being an orc, or a balrog?
Re:Answer: lattice-based crypto around since 80's. by phantomfive · 2018-05-19 11:37 · Score: 1

There's a book about post-quantum cryptography, and also conferences. There is plenty of research on the topic, and cryptography will be fine, just computationally more expensive (since our current block ciphers were chosen to be as computationally simple as possible).

--
"First they came for the slanderers and i said nothing."
Re:This is the technically correct response. by Garridan · 2018-05-19 11:51 · Score: 1

Yeah, it's underhanded marketing to get people excited about their extremely lame quantum computing efforts. Amusingly transparent, for how quickly people drag D-Wave here.
Re:IBM salesbros and hindu slackers are not going by nine-times · 2018-05-19 11:52 · Score: 1

Which suggests that all your email and metadata that you and others have stashed in encrypted stores may be decodable if you (and they) keep the stores around too long.
Worse than that: We're constantly putting sensitive information out in public because, "Hey, it's encrypted. Even if someone intercepts this or downloads this, it'll take them billions of years to crack the encryption." If someone has scooped that data up now, they might be able to get access to a whole lot of information that people thought was safe.
On the other hand, most of us can take some solace in the volume of data on the Internet. It'd be challenging just to "scoop that data up" and store it all. Then once it's all decrypted, someone would still need to sort through it all, looking for juicy secrets. After 10 years, a lot of those juicy secrets won't be relevant.
Still, people will justify having data in the open because "it'll take billions of years to crack it". If that "billions of years" just got cut down to "5 years", that's a little scary.
No news by manu0601 · 2018-05-19 12:05 · Score: 2

It has been known for years that quantum computers will break RSA using the Shor algorithm.
The interesting question, which is not answered in TFA, is: what algorithms are resistant to quantum computers? Do we have some available in TLSv1.3?
Crypto coin apocalyse by Gandoron · 2018-05-19 12:15 · Score: 1

The OP is missing some key aspects of blockchain POW mining. The coins are not under millions of rocks where they could be instantly mined. Each block can only be mined one at a time. The block is just a bunch of transactions (or state changes in smart contracts) that need to be processed by the distributed system. In fact, the coin reward is just a clever mechanism to incentivize nodes to process these blocks.
With quantum it might be possible to mine each block very quickly, instead of the average 10 minutes we have now, however any chain would just fork to us a new system. As other commenters have pointed out, the real issue is the asymmetric keys that controls the use authentication and wallets. With quantum you would effectively be able to access anyone's wallet, deriving their private key through quantum brute force. Not to mention HTTPS etc. The fact that blockchain is an immutable ledger (and generally public) is an even bigger issue.
There are various ciphers that are considered quantum resistant. Most real time systems like HTTPS will likely switch to them. However pre-shared traditionally encrypted data (or wallets) could be a major issue.
-G
1. Re: Crypto coin apocalyse by Bing+Tsher+E · 2018-05-19 13:34 · Score: 1
  
  The fact that blockchain is an immutable ledger (and generally public) is an even bigger issue.
  So the government can simply grab everybody by the throat who has been doing shady stuff with cryptocurrency, because the evidence needed to convict is all nicely laid out in order.
IBM is known as by zaphirplane · 2018-05-19 12:21 · Score: 4, Insightful

The company that sheds jobs, non stop revenue door and off shoring jobs
Their insights are marketing equivalent of click bait
1. Re: IBM is known as by Bing+Tsher+E · 2018-05-19 13:36 · Score: 1
  
  What you mean is that the ole boys back in the machine room don't like them too well.
Ideal quantum computer factors in polynomial time by raymorris · 2018-05-19 13:52 · Score: 4, Interesting

More accurate would be be "if an ideal (perfect) quantum computer existed, with enough cubits, it could break some types of encryption in a reasonable time".
Ideal quantum computers don't exist, and never will. An open question how near actual, physical quantum computers will get to this theoretical perfect machine. It's kinda like doing physics approximations and starting with "ignoring air resistance and friction ...". Well yes, if there were no friction we could build machines that do a lot of things which can't actually be done, because in the real world there is friction.
In a universe that only exists in textbooks, a universe of ideal machines, ideal quantum computers could factor numbers in polynomial time. Not instantly, but it wouldn't take a billion years like it would with classical computers.
Some of the cryptographic algorithms we use today get their strength from the difficulty of factoring certain types of large numbers. Those algorithms would need to be replaced if quantum computers developed sufficiently.
Already, we deprecate cryptographic algorithms every couple of years. Part of my job is checking https, ipsec, and other systems to see that they are configured to use strong algorithms. I have to update our list of currently accepted algorithms a couple times per year. The designers of these protocols were smart in that the designed the protocols to support any algorithm you want. For example, TLS defines that "key exchange" messages should be exchanged, but doesn't define what type of key exchange. It could be RSA key exchange, it could be Diffie-Hellman, it could be elliptic curve Diffie-Hellman, or supersingular elliptic curve Diffie-Hellman. TLS (aka SSL) doesn't know or care. Classical Diffie-Hellman can be replaced with supersingular DH without changing anything about TLS.
wait and see by e**(i+pi)-1 · 2018-05-19 14:59 · Score: 1

aArvind Krishna might be an important person but he is hardly in the position to make such bold predictions (he wrote one paper on cryptology from 1990). But setting this aside, even giants in mathematics got it completely wrong when dealing with scalability or predicting the future in research. Quantum computing might theoretically break through complexity barriers but this has not been demonstrated yet. There could be fundamental problems when trying to scale things up. Theoretically things look always easy. Laplace argued that the future of events can be computed in principle by knowing the positions and momenta of particles. Laplace could refer to Newton's laws which justify this theoretically. But there were not only practical but fundamental objections, even for a small number of particles as errors grow exponenbtially (and then of course just because of quantum mechanics). Similarly, there could be fundamental problems when trying to break the complexity barrier (evenso theoretically, algorithms like Shor's work), maybe because of decoherence problems. If some engineers start to factor integers fast using quantum computing, then one can start worrying, until then it is just fancy advertisement. Come back with such claims if a quantum computer can factor the first integer not factored yet by traditionial computers. There are currently bigger problems to worry about, like CPU's with design flaws.
Re:IBM salesbros and hindu slackers are not going by triffid_98 · 2018-05-19 15:16 · Score: 1

Worse than that: We're constantly putting sensitive information out in public because, "Hey, it's encrypted. Even if someone intercepts this or downloads this, it'll take them billions of years to crack the encryption."

Unless you're say...Equifax and putting everyone's names, social security numbers and full financial history out in public due to gross negligence I'd say that's 90% correct. Thank you ever so much United States government for doing exactly nothing about it, along with all previous (less) major data breaches you did exactly nothing about. You've made me feel as confident about our digital future as I did after watching the movie Terminator.
Re:Believe it when I see it by HornWumpus · 2018-05-19 15:34 · Score: 1

If the NSA had one, they'd be sure to show it to random ACs first.

--
John McAfee 'It was like that time I hired that Bangkok prostitute; to do my taxes, while I fucked my accountant'
Wrong. Wrong. Wrong. by thePsychologist · 2018-05-19 19:32 · Score: 1

Quantum computers have the potential to break some types of public key encryption like discrete log (Elgamal) and RSA because of Shor's algorithm, assuming that a large enough quantum computer can even be built.
However, there are public-key systems like lattice problem and code-based cryptography that quantum computing researchers have made virtually NO progress on in the decades since Shor published his algorithm. Various systems have a few problems, like large plaintext to ciphertext message expansion, but otherwise are pretty damn good. And, because PK crypto is used mainly to exchange keys for symmetric ciphers like AES, that problem isn't even that important.
The main threat quantum computers pose would be the possibility of decrypting stuff that was encrypted AND intercepted today using RSA/Elgamal to exchange AES keys, assuming that an attacker has a bunch of sufficient intercepted traffic sitting around somewhere. Which, I admit is a little scary.

--
"What lies behind us, and what lies before us are tiny matters compared to what lies within us." Ralph Waldo Emerson
Re:Ideal quantum computer factors in polynomial ti by Anonymous Coward · 2018-05-19 19:32 · Score: 1

with enough cubits
What an old-fashioned unit of measure!
"move to alternate forms of encryption now" by CustomSolvers2 · 2018-05-19 19:48 · Score: 1

So, you are saying that all the encryption will be broken and your solution is to move to something else?! Even without having to analyse the implications/sensibility of that first statement, anyone saying such a thing should be completely aware about its meaning. Encryption refers to virtually any way to hide information. The only alternative to encryption is immediately understandable information. On the other hand, the underlying premise to that first statement (being able to almost immediately decrypt anything) is certainly quite incompatible with any form of encryption.

Yesterday, I did a programming interview completely focused on technical aspects, but not too deep and the interviewer seemed nice and understanding. After writing the code to solve a fairly easy problem, the interviewer asked me about the time/space complexity. I said that I was understanding what he was expecting (big-O), but that I would prefer a different approach; due to my background and to how most of my programming learning happened (at work, during the last quite a few years), I don't rely on those concepts intuitively. I explained him that my algorithm was slightly inefficient, but much more modular; also that, even under extreme conditions, the proposed problem was too simplistic to provoke any time/memory problems. To not mention that I relied on specific functionalities of the given programming language whose memory/time impact should also be weighted, what wasn't precisely a simple matter (other than via my relevant experience with that language). Long story short, I said that rather than blindly applying certain generic ideas, I brought my experience (what was precisely being assessed there) into picture and made a decision by accounting for different aspects. He said me that everything sounded fine, but that he wanted his answer. What he finally seemed to get via "do you mean that it is directly related to...?" Did he ignore all what I said and try to fit it within the answer which he was expecting? Logically, I understand that he was probably following a some instructions, but this isn't relevant for the point I am trying to make.

How are the two previous paragraphs related you might wonder? Both refer to what, IMHO, is misusing theoretical abstractions (or, at least, not maximising all what they might bring). Personally, I tend to have a quite practical approach to almost anything, but also understand the utility of more generic methodologies mainly in certain contexts and for certain people. What I cannot defend is people forgetting about the actual point of the given abstraction (helping understand) and elevating it to some kind of ultimate truth; much less when dealing with knowledgeable enough individuals (blind application of what is assumed to always work is usually the resource of people with limited knowledge). The only goal which any scientific-like field or person should pursue is the truth, objective correction, proper understanding of what actually is. If you stop caring about that goal and, rather than improving your understanding and knowledge, focus on making sure that whatever assumption has to be true, you would move from scientific-like to religious-like, even to fanatic-like.

--
Custom Solvers 2.0 = Alvaro Carballo Garcia = varocarbas.
1. Re:"move to alternate forms of encryption now" by John+Da'+Baddest · 2018-05-20 18:29 · Score: 1
  
  Sometimes the test is simply whether you can simply stick to the topic and discuss accordingly, even if you have cause and preference to "go meta" and show that (to you), said topic is less relevant.
2. Re:"move to alternate forms of encryption now" by CustomSolvers2 · 2018-05-20 20:22 · Score: 1
  
  Sometimes the test is simply whether you can simply stick to the topic and discuss accordingly
  I see two problems with that statement. Firstly, you wrongly assume that delivering the exact behaviour that you (perhaps wrongly) expect indicates (in)capability, not mere disagreement or perhaps inapplicability in the given situation (e.g., the assumed-to-be-simple topic was actually more complex) or perhaps limitations in the assessment of the interviewer/test. This kind of prejudice-based understanding is unfortunately too common in the programming skill assessment world, what doesn't sound ideal to me in any scenario and much less when dealing with senior positions. And that brings me to the second issue: expecting "simply stick to" from anyone even slightly experienced in an even slightly complex field seems ridiculous. Perhaps for kids/teens that might be the best thing, but beyond high school any teaching/assessment methodology aspiring to "simply stick to" doesn't sound right. It is certainly completely incompatible with what I would accept on a working environment: I am hired to understand, create, fix whatever, not to comply with abstract/clueless expectations. My work is pretty much the opposite to anything on the lines of what that statement suggests. A company (knowledgeably or ignorantly, it doesn't matter) looking for that kind of people has nothing to do with me.
  
  I see lots of problems with most of (online) programming assessing methodologies: expecting canned knowledge/results, interpreting the reliance on ridiculous restrictions as a way to prove something (rather than as a way to force candidates to learn how to adapt themselves to that assessing system, even to trick it), seriously thinking that a set of ridiculous prejudices/expectations can allow people with virtually no knowledge on that field to assess expert knowledge (?!), etc. I have also been seeing some evolution on this front, every day I find more alternatives which reduce arbitrary restrictions, consider actually knowledgeable inputs (not the abstract conclusions of a set of assumptions) and, in general, care more about allowing candidates to really show what they can/are willing to deliver and analyse that information accordingly. Bear in mind that I am not the only person thinking like this; in fact, most of people in my position tend to have a quite bad opinion of skill assessments, HR policies, etc., in the sense of being very unreliable even arbitrary, kind of weird right? As a rough estimate, I would say that, out of every 10 assessing processes in which I have taken part, an average of 0-2 of them have got an accurate enough idea about me (and just talking about the technical side!); and in these 0-2 cases I have been dealing with other experienced programmers, with wide enough problems and lots of freedom actually allowing me to show something. These 0-2 acceptations/rejections were reasonable, all the other ones weren't (loses for the given companies, skill assessing/HR departments, not for me). BTW, the specific assessing methodology which I am mentioning here has been going quite well so far; I have still to get feedback from that last test, but in principle everything seems OK.
  
  --
  Custom Solvers 2.0 = Alvaro Carballo Garcia = varocarbas.
3. Re:"move to alternate forms of encryption now" by CustomSolvers2 · 2018-05-21 19:29 · Score: 1
  
  This kind of prejudice-based understanding
  In case that my point wasn't completely clear, I meant people blindly assuming that, when event A happens, it has to mean that B is true, even though many other options are possible. Although this is relatively common for everyone in a quite a few scenarios, sensible and knowledgeable people (or, at least, those whose actions affect others) should almost never rely on this kind of approaches as the primary source for any important decision. In the current context (determining whether someone has certain expert knowledge whose empirical validation is extremely easily), this seems to make even less sense. Why unreliably guessing whether A implies B, when you (I mean another expert) can accurately determine whether B applies or not right away? I didn't mean generic prejudices (because of my race, gender, age, etc.) which I have never seen as a justification for anything happening to me (or simply included them within plain stupidity).
  
  --
  Custom Solvers 2.0 = Alvaro Carballo Garcia = varocarbas.
Warning: Consultants at Work by cormandy · 2018-05-19 20:23 · Score: 2

"Anyone that wants to make sure that their data is protected for longer than 10 years should move to alternate forms of encryption now," Please contact IBM Professional Services for further assistance in this matter.
Darknet by TJHook3r · 2018-05-19 22:55 · Score: 1

In the near future, encryption for darknet transactions, bitcoin usage etc will be cracked. I wonder what will happen with the intel for thousands/millions of drug users who otherwise pose no threat to society?
Lol! My brain does that by raymorris · 2018-05-19 23:34 · Score: 2

If the quantum computer is 300 cubits in length, 50 cubits in width and 30 cubits in height - well then it's Noah's ark.
Qubits, of course. My brain does that - I spell well and all, but I tend to write homophones, words that sound identical, because I think audibly.
It's even worse than fusion... by ffkom · 2018-05-20 00:43 · Score: 1

We know for sure that converting matter into energy by nuclear fusion works fine - both the sun and hydrogen bombs are certain proof of that.

For "quantum computing", on the other hand, there is no proof yet that they are ever going to perform any better than conventional computers. It is currently just a theory based on a model that predicts such.

I for one still don't believe that quantum computers will perform better at anything but emulating themselves than conventional computers - much like the analog computers of the 1960s were good at a very narrow field of tasks, but not quite for generic computations.
1. Re:It's even worse than fusion... by jythie · 2018-05-20 03:34 · Score: 1
  
  Think about fusion not in terms of working or not, but instead if it preforms in a more economic manner than other power sources. Fusion and quantum computing both currently 'work' in that the underlying mechanics have been demonstrated to happen in the real world, but neither scales well enough to work better than competing technologies. That is what I was trying to get at, at least ^_^ I do not think anyone (at least in the field) believes quantum computers will ever replace conventional ones for general computing. But I question if they will ever even be better than conventional computers at the narrow range of tasks they are 'better' at. Analog computers are a great example of this. In theory they can be far better than digital ones at a whole bunch of problems, but the economics of digital computers has made it so cheap to throw general purpose processors at the problems that it is almost always better to go with some kind of system on a chip than build an analog solution.
Wrong on so many levels by FeelGood314 · 2018-05-20 02:40 · Score: 1

Quantum computers can solve two problems that can affect modern encryption. They force us to double the length of a hash for the same security and they can solve the period of a function. The first application obviously affects hash functions, the second eventually leads to breaking RSA, discrete log type asymmetric functions and many elliptic curve primitives. However they don't make any of this instantaneous. SHA-256 is still safe and the amount of work to massage RSA, Diffie-Hellman and other current schemes into something that a quantum computer can solve is still difficult. So even if your quantum computer were instant, the classical computing is going to take time.

Bitcoin is also safe. You need a public key before you can let loose your quantum computer to try and find a wallets private key but the public keys in bitcoin are only stored as hashes until money is spent the first time from a wallet. So you can only start attacking a wallet once its transaction is broadcast into the network. You would then have to find the private key before the valid transaction was included in the block chain.

Your communications today however are not safe. Someone recording the initial hand shake of a TLS session would in the future be able to figure out what AES key was agreed upon and then be able to read your communication. Anything you digitally sign today will have to be resigned by you before the 10 years expire if you still want to be able to prove you signed it.
1. Re:Wrong on so many levels by John+Da'+Baddest · 2018-05-20 18:31 · Score: 1
  
  So one preventative defense mechanism now is - have lots and lots of encrypted conversations, including many deceptive nonsense discussions, such that future decryptors still face the challenge of determining which ones were real in the first place.
Is already bypassed by nehumanuscrede · 2018-05-20 03:22 · Score: 1

You donâ(TM)t need to break encryption when we have the likes of the FBI and NSA doing everything they can to implement backdoors or subtley weakening the algorithms themselves.
Compromised software, active trojans and keyloggers, ISP level malware injection, etc means you canâ(TM)t trust anything network connected as it is.
When the day finally arrives, only the old school methods like the OTP via paper and pencil will remain secure.
Sometimes absurd is least bad by tepples · 2018-05-21 02:49 · Score: 1

In an ideal situation they aren't "negotiated", but are established over a secure channel in advance.
The world is not ideal, and sometimes what may initially look absurd turns out to be the least bad. For example, over what secure channel would you recommend that Slashdot offer to establish a symmetric key between your browser and its server over which to send your credentials when signing in as sexconker?
Prediction by DarthVain · 2018-05-22 05:46 · Score: 1

At the rate in which quantum computing is progressing, I'd bet that things like crypto-coins will implode just fine on their own long before they have to worry about quantum computing causing a problem...