

Post-quantum cryptography and TLS and other applications - msirp

At what point do we seriously start evaluating the use of post-quantum crypto for normal applications, such as TLS?

Now that we know there are certain government agencies that plan on storing encrypted data for future cryptanalysis [1], I'm starting to think there should be some thought put into this? AES is secure (at least AES256), but not RSA/EC. At least in theory, doesn't that mean TLS in its current state, as well as various other applications relying on the same concepts, is effectively useless?

[1] http://www.guardian.co.uk/world/interactive/2013/jun/20/exhibit-b-nsa-procedures-document
======
tptacek
There are two widespread misconceptions about quantum attacks on cryptography.
The first, which you avoid, is that it's devastating to _all_ cryptography;
quantum attacks make some brute force searches faster, which would be a reason
to consider AES256 rather than AES128, but do not directly threaten typical
block cipher cores.

The second misconception is that quantum attacks ruin all public-key
encryption. But that's also not true. What's actually true is that the most
widespread public-key algorithms are mathematically _very_ straightforward and
are thus maximally exposed to quantum algorithmic advances. That implicates
RSA, the classical DLP algorithms like DH, ElG, and DSA, and most probably
their EC variants.

But there are many public-key algorithms that are not as mathematically
straightforward as RSA or DH. McEliece is an example of a public-key system
that uses binary error correction codes as a trapdoor function; lattice crypto
uses the closest vector problem instead. These systems are all pq-crypto
candidates.

It's likely that if the day comes where, say, quantum IFP solutions can start
addressing numbers larger than 21, we could swap RSA out of TLS for a pq
public key system.

In the meantime, moving aggressively to pq public key is silly. We have a hard
time just getting sites to use TLS at all, let alone TLS with forward secrecy.
The post-quantum candidates we have now are significantly slower than RSA. A
push for pq crypto today would harm security more than help it.
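The "quantum IFP solutions addressing numbers larger than 21" remark refers to Shor's algorithm, and the reason RSA is "maximally exposed" is that factoring N reduces to finding the period of a^x mod N, the one step a quantum computer does fast. The reduction itself is classical; this added example (not code from the thread) walks through it with brute-force period finding, which only works for toy moduli like 21 or 15.

```python
"""Classical half of Shor's factoring: reduce factoring N to order finding.
A quantum computer replaces find_period() with QFT-based period finding;
everything else below is exactly the classical post-processing it needs.
Added example for this thread, not code from the original post."""
from math import gcd
from typing import Optional, Tuple


def find_period(a: int, n: int) -> int:
    """Smallest r > 0 with a**r == 1 (mod n), assuming gcd(a, n) == 1.
    Brute force here; this is the step that is exponential classically."""
    r, x = 1, a % n
    while x != 1:
        x = (x * a) % n
        r += 1
    return r


def shor_classical(n: int, a: int) -> Optional[Tuple[int, int]]:
    """Given a base a, derive a non-trivial factor pair of n from the period
    of a^x mod n, or return None if this base happens to be unlucky."""
    g = gcd(a, n)
    if g != 1:
        # a already shares a factor with n; no period finding needed.
        return (min(g, n // g), max(g, n // g))
    r = find_period(a, n)
    if r % 2:
        return None  # odd period: the a^(r/2) trick does not apply
    y = pow(a, r // 2, n)
    if y == n - 1:
        return None  # a^(r/2) == -1 (mod n) yields only trivial factors
    # y^2 == 1 (mod n) with y != +-1, so (y-1)(y+1) splits n non-trivially.
    p, q = gcd(y - 1, n), gcd(y + 1, n)
    if p in (1, n) or q in (1, n):
        return None  # defensive; cannot happen after the checks above
    return (min(p, q), max(p, q))


def factor(n: int) -> Tuple[int, int]:
    """Try successive bases until one yields a factor pair of n."""
    for a in range(2, n):
        result = shor_classical(n, a)
        if result is not None:
            return result
    raise ValueError(f"{n} has no non-trivial factorisation this way")


if __name__ == "__main__":
    print(find_period(2, 21), factor(21), factor(15))
```

For N = 21 and base a = 2 the period is 6, so a^3 = 8 and gcd(7, 21), gcd(9, 21) recover 7 and 3; the quantum speedup lies entirely in obtaining that period for RSA-sized N.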

