Is quantum cryptography practical or is it no good?

Well it makes sense that AES will survive, it's only a method of cryptology, not a type of key.

It also makes sense that Shor's algorithm makes all of the previously mentioned keys obsolete, they all rely on the difficulty of factoring a very large prime number.

Did this person mention anything about the ElGamal cryptosystem? ElGamal relies on the difficulty of finding a discrete logarithm of a very large number, have you heard of any quantum algorithms that are able to determine discrete logarithms?

>not all forward-thinkers were gullible enough to fall for the "biologically determined sex" meme
t. Bill Nye

...

Security and privacy engineer here; I did my graduate research in cryptography.

An important distinction to be made is that between "quantum cryptography" and "quantum-safe cryptography." The former refers to the development of cryptographic algorithms based upon principles of quantum computing; the latter refers to the development of cryptographic primitives resistant to cryptanalysis making use of the power of quantum computing.

The first is both practical and useful insofar as the development of quantum links becomes inexpensive and widespread: for example the observer effect in QM gives us an extremely powerful (and useful) method for key exchange.

The latter is a bit fuzzier. Its usefulness is a function of how likely you believe quantum computing is to be viable at scale, and current practicality is hardly more than a guess. All of the "quantum-safe" algorithms we currently have are given this title based on nothing more than the fact that the associated hardness assumption does not relate to factoring. We're not entirely certain of the classes of classically intractable problems which become tractable in the context of QC.

Circadia 3301 thinks so.

>To counteract this I imagine RSA or ECC keys could simply be scaled in key size.
Check eprint.iacr.org/2017/351
They use a 1TB RSA key.

ECC/DSA/DH/ECDHA and ElGamal all rely on discrete logarithms, also broken by Shor.

Don't forget Hash-based signatures as well as this thing en.wikipedia.org/wiki/Supersingular_isogeny_key_exchange.

>NTRU
Ring learning with errors algorithms are better due to provable security reductions to known NP-hard problems such as SVP.
You would probably want to look for New Hope instead.
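Added illustration, not part of any post in this thread: the thread's point that Shor's algorithm covers both factoring and discrete logarithms (ElGamal included) comes down to both being period-finding problems. In this sketch a brute-force search stands in for the quantum step, and all moduli, bases and keys are constructed toy values.

```python
from math import gcd

def order(a, n):
    """Multiplicative order of a mod n by brute force (needs gcd(a, n) == 1).
    This search is the step Shor's algorithm performs in polynomial time."""
    r, x = 1, a % n
    while x != 1:
        x, r = x * a % n, r + 1
    return r

def factor_via_order(n, a):
    """Classical half of Shor's factoring: turn the order of a into factors of n."""
    d = gcd(a, n)
    if d != 1:
        return tuple(sorted((d, n // d)))  # the guess already shares a factor
    r = order(a, n)
    h = pow(a, r // 2, n)
    if r % 2 or h == n - 1:
        return None                        # unusable a: caller retries with another
    p = gcd(h - 1, n)                      # h^2 = 1 and h != +-1, so p is nontrivial
    return tuple(sorted((p, n // p)))

def dlog_via_period(g, y, p):
    """Discrete log x with g^x = y (mod p), read off a period of
    f(a, b) = g^a * y^b mod p.  f(a, b) = 1 exactly when a + x*b = 0 (mod r);
    the exhaustive search replaces the quantum Fourier transform."""
    r = order(g, p)
    for b in range(1, r):
        if gcd(b, r) != 1:
            continue                       # b must be invertible mod r
        for a in range(r):
            if pow(g, a, p) * pow(y, b, p) % p == 1:
                return -a * pow(b, -1, r) % r
    return None                            # y is not a power of g

def elgamal_decrypt(c1, c2, x, p):
    """Textbook ElGamal decryption: m = c2 * c1^(-x) mod p (Python 3.8+)."""
    return c2 * pow(c1, -x, p) % p

if __name__ == "__main__":
    print(factor_via_order(15, 7))         # toy RSA-style modulus
    # Toy ElGamal: p=23, g=5, public y=8; ciphertext (10, 14) hides m=10.
    x = dlog_via_period(5, 8, 23)
    print(x, elgamal_decrypt(10, 14, x, 23))
```
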

>The first is both practical and useful
and a scam

djb and his students replaced New Hope practical key lengths with his paper NTRU Prime (and then later "Streamlined NTRU Prime") last year in which they didn't rely on the classic NTRU/Ring-LWE tradition of using cyclotomic rings which have performance issues. So you get the practical key length of New Hope + optimized crypto speeds that make lattice crypto usable.

The best hash-based sigs so far proposed for the post-quantum world is SPHINCS-256 because it is stateless, so they could prove it is secure against quantum resources.

Anybody here who doesn't know, Daniel Bernstein and Tanja Lange teamed up to make a post-quantum, crypto engineering department in the Netherlands at TU/e after he was given a multi million euro grant to start such a school. djb fled the US during Obama's tenure as King of USA as the NSA made opening any such school impossible according to him.

As a result, they're now churning out excellent papers every semester on analyzing post quantum algorithms and optimizing them, and he runs the biggest crypto bench/analysis team in the world so other researchers can send their implementations to them to be analyzed for free and collaborate.

tl;dr if you are at all considering a grad school for cryptography, try and get into TU/e either their math masters program or direct PhD track where you get first hand experience with these PQ algorithms and test beds.

They had organised 2017.pqcrypto.org/exec/ but I forgot to register to it because I am a huge baka ;_;

Wasn't aware of that paper before, thanks. I am thinking of applying to get into TU/e after I finish with my undergrad degree but I fear that it might be too hard for me.