
Post-quantum cryptography - drallison
https://en.wikipedia.org/wiki/Post-quantum_cryptography
======
nunyabuizness
Shameless plug: a few months back, I was going thru a coding bootcamp and for
a 2-day sprint (forgive me) I wrote a simple, entirely insecure Lamport-Merkle
digital signature algorithm implementation [0] in JavaScript based on the
"spec" outlined in the Wiki [1].

It uses nothing but Merkle trees and SHA-256 hashes, lacks documentation and
should be used by no one, but the code is pretty simple to follow [2] and I'd
appreciate any and all comments/criticisms in terms of implementation,
optimizations, usage requirements and API improvements:

[0] [https://github.com/sunny-g/Lamport-Merkle.js](https://github.com/sunny-g/Lamport-Merkle.js)

[1] [https://en.wikipedia.org/wiki/Merkle_signature_scheme](https://en.wikipedia.org/wiki/Merkle_signature_scheme)

[2] [http://blog.sunnyg.io/2014/12/13/merkle-key-trees-and-signature-scheme/](http://blog.sunnyg.io/2014/12/13/merkle-key-trees-and-signature-scheme/)

------
ejcx
By the way, this is a pretty good intro to post-quantum crypto if you are more
mathy.

[http://pqcrypto.org/](http://pqcrypto.org/)

The NSA announced they will be transitioning to quantum resistant algorithms in
the "not too distant future".

[https://www.nsa.gov/ia/programs/suiteb_cryptography/index.sh...](https://www.nsa.gov/ia/programs/suiteb_cryptography/index.shtml)

So this is something that may be getting a lot more press in the... not too
distant future.

------
beloch
Q: Why should we care about this? Why not deal with it when quantum computers
finally start cracking existing crypto?

A:

1. It takes time to implement new methods. Would it be acceptable for there
to be a period of months or years during which we can't make credit card
transactions, etc.?

2. Coded text of messages encoded using conventional cryptographic methods
can be intercepted, archived and then broken at a later date. If you make a
purchase today, somebody archives the coded exchange, and a quantum computer
capable of cracking the encryption used in that exchange becomes available
before your credit card expires, you've got a problem. You've got an even
bigger problem if you transmit information that remains sensitive for longer
than your credit card info.

As a general rule, don't use conventional encryption methods to transmit
information with long-term sensitivity (e.g. medical records, etc.).

~~~
tedunangst
> As a general rule, don't use conventional encryption methods to transmit
> information with long-term sensitivity (e.g. medical records, etc.).

So what do you suggest I use _today_ , given that I have a medical record here
and I need it over there?

~~~
altcognito
One time pads sent via some secure service is about all I can come up with.
This works provided you know who you are going to talk to and don't suddenly
run out of "pad". Sounds like an awful business model. I'm sure some
consultancy could sell it though.

~~~
darkmighty
Post-quantum crypto already exists afaik, the only issue is performance and
key sizes (I guess this supposes the quantum difficulty of certain
problems).

~~~
wbl
It's not enough to have an algorithm. You need to get down to "what do these
bytes mean" and "what exactly do I do with them" and have that be implemented.
It's a considerably more painful process than you might think if you haven't
been exposed to IETF things.

------
nickpsecurity
I originally just told clients worried about this to use a split signature
between a top classical one, NTRU, and McEliece. Was always interested in the
Merkle Signatures, though, thinking they could be improved. To my delight,
there's been quite a bit of progress there including unlimited signatures. I
want more peer review before widespread deployment of them, though.

[https://www.schneier.com/blog/archives/2015/03/friday_squid_...](https://www.schneier.com/blog/archives/2015/03/friday_squid_bl_470.html#c6692293)

My niche, high assurance, has seen a lot of use of old Merkle trees for
memory encryption and obfuscation. A few examples:

[https://www.schneier.com/blog/archives/2014/06/friday_squid_...](https://www.schneier.com/blog/archives/2014/06/friday_squid_bl_430.html#c6672924)

Note: Merkle seems to be one of the under-appreciated cryptographers of
history. His legacy might live on and get better than ever post-Quantum,
though. ;)

Personally, I think this is another spot where a mini-Manhattan Project worth
of brains should be put into. Specifically, finding more problems that can be
turned into good, asymmetric crypto. I'm sure there's already a list of
potential ones that are ridiculously hard to solve. Just need bright people
thinking hard on how to leverage them for key exchange at the least.

------
getdavidhiggins
No need for an algorithm when using Steganography and Deniable Cryptography. A
lot of the quantum-breakable debate pretty much ends with those two. They are
in fact bulletproof and resistant to all attempts to uncover the message, if
done right, of course.

[https://en.wikipedia.org/wiki/Steganography](https://en.wikipedia.org/wiki/Steganography)

[https://en.wikipedia.org/wiki/Deniable_encryption](https://en.wikipedia.org/wiki/Deniable_encryption)

~~~
DanBC
> if done right, of course

That's a pretty big if.

Do you have any examples of steganography software that you think does it
right?

------
echoneptune
Thing is, all this cryptography will still be beaten by phishing attacks as
long as we have humans as the user and password fields for authentication.

------
polysome
[https://github.com/polysome/vane](https://github.com/polysome/vane)

------
adkjhsskjdh
This is really a misnomer and should be called "post-Shor cryptography".

