
How Classical Cryptography Will Survive Quantum Computers - dnetesn
http://nautil.us/blog/how-classical-cryptography-will-survive-quantum-computers
======
hannob
There's an important thing that the article fails to mention: Fighting
"Quantum with Quantum" might sound nice, but it's not only expensive, it
doesn't work.

The idea here is to use so-called Quantum Key Distribution where photons are
transmitted over a physical line and the laws of physics guarantee its
security.

But there's a problem (ok, there are many problems): Quantum Key Distribution
relies on an authenticated channel that is simply assumed to already exist.
How do you get that authenticated channel? Nobody knows.

(Apart from that QKD would be hugely expensive, wouldn't work over wifi or
mobile connections and would have pretty severe distance limits, which all
make a "Quantum Internet" a ridiculous enterprise - but the authenticated
channel really kills the whole thing as a solution for Quantum Computer
attacks.)

~~~
boomboomsubban
> Quantum Key Distribution relies on an authenticated channel that is simply
> assumed to already exist. How do you get that authenticated channel?

It does already exist; there are several quantum networks already. Though
there are also signs that the first generation may have technological issues.
And the entire benefit is that using it will allow you to detect whether the
channel is authenticated; it does nothing to ensure that it is.

~~~
ekiru
'hannob is referring to the reliance of QKD protocols on "an ordinary public
communications channel, assumed to be susceptible to eavesdropping but not to
the injection or alteration of messages." [0] This means that, unless your
authenticated channel itself cannot be broken using quantum computers, using
QKD with it will still not let you do secure post-quantum key exchange. If you
have an authenticated channel that can't be broken with quantum computers, how
did you implement that without either already having or arriving at a shared
secret? (If you already have a way of securely arriving at a shared secret,
then what do you need QKD for?)

[0]: page 177 of [http://researcher.watson.ibm.com/researcher/files/us-bennetc...](http://researcher.watson.ibm.com/researcher/files/us-bennetc/BB84highest.pdf)

------
CoryG89
The article references a date in the future as if it has already happened:

> In April 2017, the National Institute of Standards and Technology followed
> suit, starting a public vetting process lasting 4 to 6 years.

~~~
npongratz
I was confused as well. Perhaps the writer was referring to NIST's April
2016 Report on Post-Quantum Cryptography:

PDF:
[http://nvlpubs.nist.gov/nistpubs/ir/2016/NIST.IR.8105.pdf](http://nvlpubs.nist.gov/nistpubs/ir/2016/NIST.IR.8105.pdf)

April 2016 report announcement: [https://www.nist.gov/news-events/news/2016/04/nist-kicks-eff...](https://www.nist.gov/news-events/news/2016/04/nist-kicks-effort-defend-encrypted-data-quantum-computer-threat)

Edit to add: In the above, I don't see mention of the public vetting process
(my search fu is probably weak today). I would be interested in seeing the
release of the ongoing commentary and proceedings.

------
tptacek
Two classes of PQ approaches getting a lot of attention right now:

1. The lattice approaches: NTRU and particularly LWE, which is the simplest
of the PQ schemes to get your head around: LWE proposes a linear algebra
problem that could be trivially solved through elimination, perturbed with
errors that explosively increase the complexity of recovering the unknowns.

2. Isogenies, which you can think of as higher-order curves, or as a way of
doing what we do today with elliptic curve _points_ using entire curves (and
the mappings between them) instead.

LWE was briefly deployed in Chrome as an experiment.

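The LWE intuition in the comment above, as an added toy example that is not part of the thread: the same Gaussian elimination mod q that recovers the secret from noiseless samples b = A·s returns garbage once each sample carries a small error e_i. The parameters (q = 97, n = 8, errors in [-2, 2]) are constructed for illustration and are far too small for real security.

```python
import random

Q = 97  # toy prime modulus (constructed); real LWE parameters are much larger

def solve_mod_q(A, b, q=Q):
    """Gaussian elimination over Z_q on the augmented system [A | b].
    Returns the unique s with A*s = b (mod q) when A has full column rank."""
    m, n = len(A), len(A[0])
    M = [row[:] + [bi % q] for row, bi in zip(A, b)]
    pivot_row = 0
    for col in range(n):
        piv = next((r for r in range(pivot_row, m) if M[r][col] % q), None)
        if piv is None:
            raise ValueError("singular system mod q")
        M[pivot_row], M[piv] = M[piv], M[pivot_row]
        inv = pow(M[pivot_row][col], -1, q)          # modular inverse of the pivot
        M[pivot_row] = [(x * inv) % q for x in M[pivot_row]]
        for r in range(m):                            # clear the column elsewhere
            if r != pivot_row and M[r][col]:
                f = M[r][col]
                M[r] = [(x - f * y) % q for x, y in zip(M[r], M[pivot_row])]
        pivot_row += 1
    return [M[i][n] for i in range(n)]

def lwe_samples(s, m, noise, q=Q, rng=random):
    """m samples (a_i, b_i) with b_i = <a_i, s> + e_i mod q, e_i in [-noise, noise].
    noise=0 gives a plain linear system; noise>0 gives an LWE instance."""
    n = len(s)
    A = [[rng.randrange(q) for _ in range(n)] for _ in range(m)]
    e = [rng.randint(-noise, noise) for _ in range(m)]
    b = [(sum(a * x for a, x in zip(row, s)) + ei) % q for row, ei in zip(A, e)]
    return A, b

def recovery_demo(seed=1, n=8, noise=2):
    """Returns (true secret, elimination result without noise, elimination result with noise).
    Uses n + 4 samples so the matrix has full column rank with overwhelming probability."""
    rng = random.Random(seed)
    s = [rng.randrange(Q) for _ in range(n)]
    A0, b0 = lwe_samples(s, n + 4, 0, rng=rng)      # noiseless: elimination works
    A1, b1 = lwe_samples(s, n + 4, noise, rng=rng)  # noisy: elimination fails
    return s, solve_mod_q(A0, b0), solve_mod_q(A1, b1)

if __name__ == "__main__":
    secret, clean, noisy = recovery_demo()
    print("secret:         ", secret)
    print("no-noise solve: ", clean, "(matches)" if clean == secret else "")
    print("noisy solve:    ", noisy, "(wrong)" if noisy != secret else "")
```

The noisy "solution" still satisfies the n equations used as pivots exactly, which is why elimination cannot tell it apart from the real secret; recovering s from noisy samples is the hard problem the lattice schemes rest on.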
------
Ar-Curunir
This is a pretty good explanation of the state of lattice cryptography.

~~~
bdamm
It is, but also it ends on a rather dismal note, basically saying that lattice
cryptography is already cracked.

~~~
hannob
It says no such thing. It mentions that there was one lattice-based crypto
scheme developed internally by GCHQ that turned out to be not secure. But that
was an exotic scheme, you make it sound like the whole field of lattice-based
crypto is cracked. No such thing happened.

~~~
bdamm
That's a relief.

