Questions tagged [post-quantum-cryptography]

This tag refers to public-key algorithms based on problems that quantum computers can't solve efficiently. Existing algorithms such as RSA, Diffie-Hellman, and ECDSA are known to be breakable using Shor's algorithm on quantum computers. Symmetric-key algorithms generally don't fall under this category.

Currently, the only standardized public-key encryption algorithm is NTRU (by IEEE), and the only standardized digital signature schemes are XMSS and LMS (specs published by IETF, hardware implementations approved by NIST).

832 questions
62 votes, 4 answers

Polynomial-time Quantum Algorithms for Lattice Problems

A new paper, by Yilei Chen, whose title is Quantum Algorithms for Lattice Problems (https://eprint.iacr.org/2024/555) appeared on eprint and it claims to solve hard lattice problems, such as the approximate (gap) shortest vector problem…
54 votes, 10 answers

Now that quantum computers have been out for a while, has RSA been cracked?

D-wave systems has released a commercially viable quantum computer. This means, in theory, that all asymmetric encryption algorithms — such as RSA — are now useless due to the speed at which quantum computers can factor. Has RSA been cracked yet? If…
bbosak
47 votes, 2 answers

Is AES-128 quantum safe?

I've been reading lately some contradicting messages with regards to the quantum-safe resistance of AES128. First, there are blog posts by Ericsson people like these ones: Can quantum attackers break AES-128? No. NIST estimates that a quantum…
Jimakos
44 votes, 4 answers

Are cryptographic hash functions quantum secure?

I was reading a paper related to post quantum cryptography. It says that RSA, ECC and ElGamal encryption schemes would be obsolete with the advent of quantum computers. But the hash functions can still be secure. I don't understand how one can…
user38956
43 votes, 3 answers

Is AES-256 a post-quantum secure cipher or not?

We know Grover's algorithm makes brute-force attacks on block ciphers two times faster (e.g. brute-forcing 128-bit keys takes $2^{64}$ operations, not $2^{128}$). That explains why we are using 256-bit keys to encrypt top secrets. But latest…
AES256
36 votes, 5 answers

What security do Cryptographic Sponges offer against generic quantum attacks?

In the face of a non-quantum attacker, Keccak[r=1088,c=512] with 512 bits of output provides: collision resistance up to $2^{256}$ operations; preimage resistance up to $2^{256}$ operations; second preimage resistance up to $2^{256}$ operations. In…
Nakedible
34 votes, 1 answer

Proof for the SHA3 claim that 256 bit security is "post-quantum sufficient"?

On page 14 of "Keccak and the SHA-3 Standardization" (February 6, 2013) it says: Instantiation of a sponge function the permutation KECCAK-f 7 permutations: b → {25,50,100,200,400,800,1600} Security-speed trade-offs using the same permutation,…
33 votes, 3 answers

New quantum attack on lattices (or Shor strikes again)?

Lior Eldar and Peter W. Shor published a paper on arXiv.org in which they present a new quantum algorithm against a variant of BDD. They claim that their new algorithm can efficiently solve the following problem: Given a lattice $L$, a vector $v$,…
30 votes, 4 answers

Assuming a 1024-qubit quantum computer, how long to brute force 1024-bit RSA, 256-bit AES and 512-bit SHA512

Assuming in the future there was a functioning 1024 qubit quantum supercomputer and it could run Shor's algorithm or Grover's algorithm to crack encryption very quickly. I'm interested in how the number of qubits translates to performance…
user7827
28 votes, 5 answers

What is the post-quantum cryptography alternative to Diffie-Hellman?

Post-quantum cryptography concentrates on cryptographic algorithms that remain secure in the face of large scale quantum computers. In general, the main focus seems to be on public-key encryption algorithms and public-key signature algorithms - but…
Nakedible
26 votes, 7 answers

Does Terra Quantum AG break AES and Hash Algorithms?

According to this Bloomberg article, "A Swiss Company Says It Found Weakness That Imperils Encryption": Terra Quantum AG has a team of about 80 quantum physicists, cryptographers and mathematicians, who are based in Switzerland, Russia, Finland and…
kelalaka
26 votes, 2 answers

Which elliptic curves are quantum resistant?

If I want to learn about quantum resistant cryptography, what are the best resources? Which type of elliptic curves should I be studying?
Imagin Ation
24 votes, 4 answers

How will Cryptography be changed by Quantum Computing?

I realise this isn't a 'yes or no' question, and I apologise for asking something that could be seen as a discussion thread, but I had to ask. I'm currently doing an EPQ in CS (specifically how QC will change Cryptography). I'm trying to gather up…
Cameron Allan
22 votes, 1 answer

How many qubits are required to break RSA 2048 or 4096 with a universal quantum computer?

So in the news this week, IBM have created a universal quantum computer with 5 fully functional qubits. Logic and Moore's law dictates they will be able to scale this up to a lot more qubits within a few years. With Shor's algorithm, elliptic curve…
ite
21 votes, 1 answer

Quantum complexity of LWE

As per my understanding, LWE is quantum secure because there is no known quantum algorithm to solve LWE in polynomial time. Due to the reductions given by Regev et al., if there is any algorithm that solves LWE in polynomial time, it will imply that…
Rick