
SHA3-256 is quantum-proof, should last BEELLIONS of years - jonbaer
http://www.theregister.co.uk/2016/10/18/sha3256_good_for_beelions_of_years_say_boffins/
======
hannob
The article is super misleading.

First of all it's no secret that quantum attacks aren't a big problem for hash
functions, there's "only" a need to switch to longer outputs. The major impact
of quantum computers will be shor's algorithm, which affects public key
algorithms.

But it seems the author of this article also didn't really understand the
paper linked. It only looks at preimage attacks. We generally expect hash
functions to be resistant to collision attacks, which is a much stronger
statement.

And here things aren't that rosy. 256 bit algs have by design only 128 bit of
collision resistance. Grover's alg reduces that to 64 bit, which is not
comfortably secure. Granted, one would need a pretty big cluster of quantum
computers to practically break that, but if you go postquantum you should
probably better go to 512 bit algs.

However none of that changes with this new paper.

~~~
acqq
As far as I understand, actually both the hashes and symmetric ciphers will
continue to work "after quantum" and "just" increasing the number of bits can
be enough to keep them secure. And the whole cryptography can be (re)based on
these two? Which doesn't sound too bad, just that some of the now used systems
will have to be replaced.

But first we have to see how many qubits can technically be kept functioning.
Anybody knows the current record? Is it better than March 2016:

[http://www.scottaaronson.com/blog/?p=2673](http://www.scottaaronson.com/blog/?p=2673)

"Briefly, the new work uses Kitaev’s version of Shor’s factoring algorithm,
running on an ion-trap quantum computer with five calcium ions, to prove that,
with at least 90% confidence, 15 equals 3×5."

"In any case, regardless of how long it takes until we can factor enormous
numbers like 91, congratulations to the MIT and Innsbruck groups on what’s
certainly progress toward scalable ion-trap QC!"

It's not 91 bits, it's 91 as the number, that is, 7 bits as a goal, 4 bits
(for the number 15) in the successful demonstration.

~~~
JohnStrange
AES as standard has only up to 256 bit keys, and I haven't followed closely
what was going on in crypto lately.

Which secure 512 or 1024 bit symmetric encryption algorithm should I use to be
'quantum proof'?

~~~
acqq
As far as I know, if you just use symmetric AES 256 it shouldn't be a problem
for a while. The potential (I repeat that, see Aaronson's post I linked to
earlier) problem is "just" the use of the public keys.

And combining the lower-bit algorithms into the bigger ones is relatively
easy, as an example from the 56-bit DES a 3DES with security of around 112
bits was made and (is still) used:

[https://en.wikipedia.org/wiki/Triple_DES](https://en.wikipedia.org/wiki/Triple_DES)

edit: re: the early collisions with 64-bits etc: If I understand, the problem
happens only when the soon-enough rekeying doesn't:

[https://sweet32.info/](https://sweet32.info/)

I agree it's better to avoid these altogether.

~~~
CiPHPerCoder
But don't use 3DES, since the DES block size is 64 bits and you get collisions
(e.g. in CBC mode) after 2^32 blocks.

------
M_Grey
It must be nice, to be able to just say whatever you like, make any claim,
with the only requirement being clicks. A little soul-crushing, horribly
ignorant and dishonest, but relaxing at least.

------
happyslobro
That's a pretty bold statement. A billion years should be enough time to
convert the entire galaxy into computronium and deploy all over it. Mind you,
the author probably won't be around by then. Probably.

~~~
bluejekyll
The article does imply that the sha's can't be cracked for those crazy time
periods, though it seems to constrain that to the next generation of quantum
computers. It's not stating that at no point in the next billions of years
will a different computing platform come along that is capable of doing it.
String computing, anyone?

------
Bud
The main basis for the computation seems to be this:

"The paper notes: “The main difficulty is that the coherence time of physical
qubits is finite. Noise in the physical system will eventually corrupt the
state of any long computation.”"

However, just yesterday, I read that new research had once again lengthened
the qubit coherence time, this time by a factor of ten. A little quick
googling reveals that this time is growing. Rapidly.

~~~
acqq
[https://eprint.iacr.org/2016/992.pdf](https://eprint.iacr.org/2016/992.pdf)

"While our cost model ties us to a particular quantum architecture, we segment
our analysis into several layers so that the impact of a different assumptions
at any particular level can be readily evaluated."

"Our estimates are by no means a lower bound, as they are based on a series of
assumptions. First, we optimized our T-count by optimizing each component of
the SHA oracle individually, which of course is not optimal. Dedicated
optimization schemes may achieve better results. Second, we considered a
surface code fault-tolerant implementation, as such a scheme looks the most
promising at present. However it may be the case that other quantum error
correcting schemes perform better. Finally, we considered an optimistic per-
gate error rate of about 10^5, which is the limit of current quantum hardware.
This number will probably be improved in the future. Improving any of the
issues listed above will certainly result in a better estimate and a lower
number of operations, however the decrease in the number of bits of security
will likely be limited."

Which remains huge for these hashes. In short:

"Diffie-Hellman key exchange, RSA encryption, and RSA signatures will all need
to be replaced before quantum computers are available. _The situation is less
dire for hash functions and symmetric ciphers._ "

------
kzrdude
I'm assuming this article was posted here for laughs.

------
cmdrfred
If you had the ability to quickly get the plaintext from a hash, dont you have
the greatest compression algorithm on earth? Just hash that 10 gig file, send
the hash, and have the other machine "break" it. Collisions notwithstanding of
course.

------
kelvin0
Sounds like this famous (although disputed): "640K ought to be enough for
anybody."

