
An example of quantum-hard classically-implementable asymmetric crypto - api
http://en.wikipedia.org/wiki/NTRU
======
tptacek
This is currently a well-studied problem in cryptography.

NTRU is one of many post-quantum (pq) candidates. Other ones include McEliece,
a very old (1978) asy system that uses error-correcting codes but was beaten
in the market by RSA's shorter secure keys, and Lamport-Diffie, which uses
hash functions.

Here's a good talk:

<http://cr.yp.to/talks/2008.10.18/slides.pdf>

------
api
None of these look ready for prime time, but the fact that it's possible is a
great sign. It means the age of asymmetric crypto and all it entails won't end
with practical QC. (Which is still a ways off...)

Of course if QC does appear and these algos are still not ready, an intermedia
stopgap would be to use RSA, DSA, or ECC with very, very big keys, since as
far as I understand it Shor's algorithm must be run over a single block.
(Correct me if I'm wrong.)

~~~
adrianbg
What do you mean by "block"? A limit on the number of entangled qubits?

------
im3w1l
What is the probability that someone developed/will soon develop good enough
quantum computers for breaking RSA, ECC in secrecy?

~~~
cantos
[Edit: misread the question. This answer is about how close we might be to
breaking these cryptosystems on classical, not quantum, computers]

Publicly accessible progress on factoring and discrete log have essentially
employed variations on single idea and hundreds of papers have been written on
the topic. It is one of the most common Phd thesis topics in math. Yet still
there has been no significant new ideas since 1994. I think that Arjen Lenstra
has said that he believes there will be no further progress with this approach
and new ideas are needed. However, there's not even a hint of where to begin.
Likewise there has never been a single promising idea for an attack on ECC.

But this lack of progress in academia may be a self fulfilling prophecy in
some sense. It is not possible to get funding to just attempt to break
cryptographic protocols, at least not without already having a breakthrough
result. If a government decided to go all out trying to break a protocol that
would create an environment more conducive to making progress.

~~~
api
I thought ECC was vulnerable to Shor's algorithm. Of course we probably don't
have QCs good enough to actually do it even for "toy" key sizes, let alone for
the 256 bit or higher key sizes that are commonly used.

~~~
cantos
Yes you're right that ECC is vulnerable to Shor. I answered a different
question then the one that was asked.

------
krickle
These have facinated me for a while. I wish there was a nice open source
implementation of the McEliece cryptosystem to try out.

~~~
tptacek
Write one! Use any language. You'll probably learn a ton. McEliece looks like
a particularly fun one to do, and its building blocks have a lot of other uses
(unlike RSA).

------
DennisP
This looks like it might be an interesting attack (though I'm not competent to
judge, plus it's paywalled):
[http://link.springer.com/article/10.1007%2Fs00145-008-9031-0...](http://link.springer.com/article/10.1007%2Fs00145-008-9031-0?LI=true)

And here's a pdf intro to lattice-based crypto:
<http://www.cims.nyu.edu/~regev/papers/pqc.pdf>

------
uvdiv
Patented, naturally.

~~~
xenophonf
Crypto is probably one of the few types of software patents that I'd support.
It's non-obvious in the extreme, and patenting a cryptosystem might be a good
way to open it for public review.

~~~
betterunix
When last I checked, we were not supposed to have patents on math. Now, we can
argue endlessly about whether or not that covers all software, but if public
key crypto is not math then I am not really sure what is...

~~~
DennisP
Sadly, RSA was patented. The patent expired in 2000.

~~~
betterunix
I know, and it is worse than that. Over a hundred patents on ECC techniques,
at least five on identity based encryption, and even patents on fully
homomorphic encryption despite the fact that FHE is still years from
practicality (including at least one patent on FHE that was granted _before
Gentry even showed that FHE is possible_ ).

It is, simply put, a monumental failure on the part of patent examiners.

------
gwern
<http://en.wikipedia.org/wiki/Post-quantum_cryptography>

