Quantum Computer Not Ready To Break Public Key Encryption For At Least 10 Years, Some Experts Say (theregister.co.uk)
physburn writes: The Register has spoken to some experts to get a better understanding of the risk quantum computers present to the existing encryption systems we have today. Richard Evers, cryptographer for a Canadian security biz called Kryptera, argues that media coverage and corporate pronouncements about quantum computing have left people with the impression that current encryption algorithms will soon become obsolete. But they will not be ready for at least 10 years, he said. As an example, Evers points to remarks made by Arvind Krishna, director of IBM research, at The Churchill Club in San Francisco last May, that those interested in protecting data for at least ten years "should probably seriously consider whether they should start moving to alternate encryption techniques now." In a post Evers penned recently with his business partner Alastair Sweeny, he contends, "The hard truth is that widespread beliefs about security and encryption may prove to be based on fantasy rather than fact." And the reason for this, he suggests, is the desire for funding and fame.
10 years to break today's encryption. We have more modern ciphers that will come into use in the next few years that are resistant to the current theoretical models of quantum-computing based attacks.
Also, quantum computing still has trouble scaling to larger keys. I assume that we'll see the next 10 years require 4096 or 8192 bit keys as scalable rental CPU and GPU become more powerful.
And people really have to stop planning to have the same security model for the next 10 years in the future. Upgrades and long term support are becoming a necessity.
Whether or not people should be switching to encryption methods today that will be resistant to decrypting by quantum computers in the future depends on the expected relevance of those messages in the future. If you assume that no message sent today will be relevant 10 years from now, then there is no hurry to update encryption methods. On the other hand, if you need to ensure that an encrypted message sent today or in the near future remains unreadable 10 years from now, then maybe you should be researching and changing methods today.
To quote from Cryptonomicon:
... Randy has pointed out to Avi, in an encrypted e-mail message, that if every particle of matter in the universe could be used to construct one single cosmic supercomputer, and this computer was put to work trying to break a 4096-bit encryption key, it would take longer than the lifespan of the universe.
"Using today's technology," Avi shot back, "that is true. But what about quantum computers? And what if new mathematical techniques are developed that can simplify the factoring of large prime numbers?"
"How long do you want these messages to remain secret?" Randy asked, in his last message before leaving San Francisco. "Five years? Ten years? Twenty-five years?"
After he got to the hotel this afternoon, Randy decrypted and read Avi's answer. It is still hanging in front of his eyes, like the after image of a strobe:
I want them to remain secret for as long as men are capable of evil.
AES is currently broken in a cryptographic sense
That cries out for a citation much as a man lost in the desert for a week cries out for water. As far as I know, the very best known attacks on AES256 reduce it to an effective 253 bits. That is FAR from broken in any sense.
To say it's broken is like saying you can break a 2x4 with your bare hands as long as it came from a diseased tree and you saw 90% of the way through it first.