
I realise this isn't a 'yes or no' question, and I apologise for asking something that could be seen as a discussion thread, but I had to ask.

I'm currently doing an EPQ in CS (specifically how QC will change Cryptography). I'm trying to gather up topics to cover, and so far I've scribbled down -

Effects -

  1. National security, classical cryptographic methods (RSA, DSA, AES-256). Including Shor's algorithm.

  2. Communications

  3. Online services, e.g. BitCoin.

How would we counter this (not sure how better to phrase this) -

  1. Lattice-based

  2. Multivariate

  3. Hash-based signatures

  4. Code-based cryptography

Is there anything else you'd recommend me including (as well as the above), or anything in the above you don't think I should include?

Honestly, the list above is a rough first draft of the main bulk of it... so don't take it as gospel.

Best regards,

Cameron.

Cameron Allan

4 Answers


Current symmetric cryptography and hashes are actually believed to be reasonably secure against quantum computing. Quantum computers solve some problems much faster than the best known classical algorithms, but the best known quantum attack against AES is effectively "try all the keys." In a quantum computer, the time taken to solve a general search problem (such as "find the AES key that gives a reasonable message") scales slower than for a classical computer; this would effectively turn an n-bit key into an n/2-bit key. Fortunately, that would leave AES-256 with an effectively 128-bit key against a quantum attacker, which is still believed unfeasible to crack. Similar considerations apply to hashes. You'd want to increase key lengths and the like, but you could fairly reasonably do that.

The main issue is actually asymmetric cryptography. Unlike symmetric crypto and hashes, asymmetric algorithms have extreme levels of mathematical structure -- they're based on the difficulty of a single hard problem. The two main problems used for this can be solved extremely quickly on a quantum computer; if you tried to increase key lengths to make it take a long time there, it'd take an infeasibly long amount of time for the legitimate user on a classical computer to use the long keys. However, this is something of a historical accident: there's no reason asymmetric crypto has to be easily breakable by a quantum computer, it's just that the most commonly used ones happen to be easily breakable by one. Others may not be; post-quantum cryptography is an active research area, and people are working on algorithms that rely on problems not believed to be efficiently solvable by quantum computers.

cpast

Grover's Algorithm would allow searching an unsorted database with N entries in $O(\sqrt{N})$ time rather than in the usual $O(N)$ time.

For AES-256 it currently takes an average of $n/2$ guesses to break, i.e. $2^{255}$. However, with quantum computing this can be done in $2^{128}$ time, which is very much faster. On top of that, that's only brute force for AES-256; with the cleverer attacks it can be broken faster still.

$2^{128}$ is still sufficiently slow by a long way. However, AES-256 has a much larger keyspace than standards like DES (fastest classical attack: $2^{39}$–$2^{43}$, already pretty bad), 3DES or even the smaller-keyspace AES-128. These would be broken or become much nearer to broken because of QC.

So we'd probably find a move towards larger-keyspace standards like AES-256, which is just what happens anyway with Moore's law (better computers) forcing us off DES already, so maybe QC isn't that groundbreaking. What you need to do is what we always do, which is to find the right balance between the performance of our systems and the time it takes to break them; it's just that the balance will shift.

CodesInChaos
Nathan
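Both answers above describe the Grover speed-up that turns an n-bit symmetric key into roughly an n/2-bit one. The following is an added example, not part of either answer: a small classical simulation of Grover's search over a toy key space (the key-space size, the marked key and all function names are constructed for illustration), showing that about $(\pi/4)\sqrt{N}$ iterations find the marked key with near certainty, and that running more iterations than that actually lowers the success probability.

```python
"""Classical state-vector simulation of Grover's search over an n-bit key space.

The oracle marks the single key index that "decrypts to a reasonable message";
the simulation shows that about (pi/4)*sqrt(N) iterations find it with high
probability, which is why an n-bit symmetric key offers roughly n/2 bits of
security against a quantum brute-force attacker.
"""
import math


def grover_probability(n_bits: int, marked: int, iterations: int) -> float:
    """Probability of measuring `marked` after `iterations` Grover steps.

    Grover's operator keeps amplitudes real, so a list of floats suffices;
    all N = 2**n_bits amplitudes are stored explicitly (small n_bits only).
    """
    n = 1 << n_bits
    if not 0 <= marked < n:
        raise ValueError("marked index outside the key space")
    amp = [1.0 / math.sqrt(n)] * n          # uniform superposition over all keys
    for _ in range(iterations):
        amp[marked] = -amp[marked]          # oracle: phase-flip the marked key
        mean = sum(amp) / n                 # diffusion: reflect about the mean
        amp = [2.0 * mean - a for a in amp]
    return amp[marked] ** 2


def optimal_iterations(n_bits: int) -> int:
    """Iteration count that maximises success for a single marked item."""
    return math.floor(math.pi / 4 * math.sqrt(1 << n_bits))


def effective_key_bits(key_bits: int) -> float:
    """Grover needs ~sqrt(2**n) = 2**(n/2) steps, i.e. n/2 bits of security."""
    return key_bits / 2


if __name__ == "__main__":
    n_bits, key = 10, 0x2A3                 # constructed toy key space: 1024 keys
    k = optimal_iterations(n_bits)
    print(f"{1 << n_bits} keys: {k} Grover iterations, "
          f"success {grover_probability(n_bits, key, k):.4f}")
    print(f"overshooting to {2 * k} iterations: "
          f"success {grover_probability(n_bits, key, 2 * k):.4f}")
    print(f"classical brute force needs ~{(1 << n_bits) // 2} guesses on average")
    for bits in (56, 128, 256):
        print(f"{bits}-bit key -> ~{effective_key_bits(bits):.0f}-bit post-quantum")
```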

Factoring and RSA are some of the problems that we know a quantum computer should be able to solve efficiently. I.e., yes, RSA would potentially be broken.

However, a quantum computer does not necessarily make all modern cryptography obsolete. For symmetric primitives, such as AES, it is not even known that a quantum computer would make a big difference. So the main challenge is with public-key cryptography. In this area, we do already know of a handful of candidates for post-quantum cryptography which are not based on problems that can be solved efficiently on a quantum computer.

For example, lattice-based cryptography is one of those candidates that shows a lot of promise. Lattice-based crypto is based on lattice problems that are fundamentally different from problems such as factoring, and therefore is not known to be efficiently solvable on a quantum computer. Last I checked, the main problem with such systems is that the underlying hardness assumptions are not as well tested as, e.g., RSA, so it is hard to tell exactly for which parameters the systems can be considered secure.

If you are interested in post-quantum cryptography you might enjoy the book Post Quantum Cryptography, which deals with a number of different candidates, such as lattice-, hash- and code-based. The book is from 2009, so it might be a little dated, but I think the material should still be relevant.

Guut Boy

In summary:

  • For "symmetric" ciphers a 256-bit key is fine for QC. Attention: AES-256 doesn't mean AES with 256-bit blocks! It's about the key. AES-256 block size is less secure than AES-128-bit blocks (refer to Wikipedia).

  • For "asymmetric" ciphers it's not ready yet; all current ciphers have their problems (some have security problems, some have implementation problems) and we need some time and attention to fix them.

jhfrontz
mary