
Quantum Attack on Public-Key Algorithm - jonbaer
https://www.schneier.com/blog/archives/2014/12/quantum_attack_.html
======
tptacek
The subtext of Schneier's post is that a lattice encryption scheme was found
vulnerable to a QC algorithm, which is meaningful because lattice encryption
schemes are seen as a promising post-quantum crypto scheme --- that is, a
scheme that would, unlike RSA (IFP), DH (DLP) and ECC (ECDLP), remain secure
even if it becomes feasible to deploy large-scale quantum computers.

Two things worth knowing:

* There are multiple hard lattice problems in number theory (the paper refers to one of them in the conclusion). And other lattice schemes have been found vulnerable, to non-quantum attacks.

* There are multiple hard problems not involving integer lattices that are believed to be hard for quantum computers. McEliece, for instance, is another well-known candidate for post-quantum public key crypto, and it's based on linear codes, not lattices. Lamport signatures[1] realize public key crypto purely from hash functions (which aren't hugely weakened by QC.) A good intro to these issues:

[http://pqcrypto.org/www.springer.com/cda/content/document/cd...](http://pqcrypto.org/www.springer.com/cda/content/document/cda_downloaddocument/9783540887010-c1.pdf)

Nick Weaver's "what if all trapdoors are vulnerable to QC" comment seems a
little premature.

_[1]: [http://en.wikipedia.org/wiki/Lamport_signature](http://en.wikipedia.org/wiki/Lamport_signature)_

------
jamoes
Lattice-based public key schemes are designed to be quantum resistant. So this
is a troubling development, because it might indicate that other lattice-based
public key schemes are vulnerable to similar attacks. It might be very
difficult or even impossible to create quantum-proof public key schemes.

Fortunately, though, a quantum-proof signature scheme (meaning no encryption
or decryption, just signing) has already been developed: Lamport Signatures.
These rely on the security of hash algorithms (such as SHA256), which are not
weakened by the existence of quantum computing.

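Added example (editor's code, not from either commenter): a minimal Lamport one-time signature over SHA-256, as mentioned by tptacek and jamoes above, plus a demonstration of the property both comments leave implicit: the key is one-time. Every signature reveals half of the private key, so after a handful of signatures under the same key an attacker can assemble a valid signature on a message of their choosing by searching for a variant of it whose digest bits are all covered by already-leaked preimages. The messages, the `forge_from_reuse` search and the `demo` wrapper are constructed for illustration.

```python
import hashlib
import secrets

N = 256  # one pair of secrets per bit of the SHA-256 message digest


def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def keygen(rng=secrets.token_bytes):
    """Private key: 256 pairs of random 32-byte preimages. Public key: their hashes."""
    sk = [(rng(32), rng(32)) for _ in range(N)]
    pk = [(H(x0), H(x1)) for x0, x1 in sk]
    return sk, pk


def digest_bits(msg: bytes):
    d = int.from_bytes(H(msg), "big")
    return [(d >> (N - 1 - i)) & 1 for i in range(N)]


def sign(sk, msg: bytes):
    """Reveal, for each digest bit, the preimage that bit selects."""
    return [sk[i][b] for i, b in enumerate(digest_bits(msg))]


def verify(pk, msg: bytes, sig) -> bool:
    if len(sig) != N:
        return False
    return all(H(s) == pk[i][b] for i, (s, b) in enumerate(zip(sig, digest_bits(msg))))


def forge_from_reuse(pk, signed, target: bytes, max_tries: int = 100_000):
    """Key-reuse attack (constructed): collect the preimages leaked by earlier signatures,
    then search for a variant of `target` whose digest only needs leaked values.
    With k signatures, a random candidate works with probability about (1 - 2**-k)**256."""
    leaked = [[None, None] for _ in range(N)]
    for msg, sig in signed:
        for i, b in enumerate(digest_bits(msg)):
            leaked[i][b] = sig[i]
    for n in range(max_tries):
        candidate = target + b" #" + str(n).encode()
        bits = digest_bits(candidate)
        if all(leaked[i][b] is not None for i, b in enumerate(bits)):
            return candidate, [leaked[i][b] for i, b in enumerate(bits)]
    return None


def demo():
    """Returns (legit signature verifies, tampered message verifies, forgery after reuse verifies)."""
    sk, pk = keygen()
    msg = b"release v1.2.3"
    sig = sign(sk, msg)
    ok = verify(pk, msg, sig)
    tampered = verify(pk, b"release v1.2.4", sig)
    # Misuse: the same one-time key signs eight unrelated messages.
    signed = [(m, sign(sk, m)) for m in (b"msg %d" % i for i in range(8))]
    forged = forge_from_reuse(pk, signed, b"pay attacker 100 BTC")
    forged_ok = forged is not None and verify(pk, forged[0], forged[1])
    return ok, tampered, forged_ok


if __name__ == "__main__":
    print(demo())  # expect (True, False, True)
```

Each public key is 256 * 2 * 32 = 16 KiB and each signature 8 KiB, which is why practical hash-based schemes (Merkle trees over many Lamport keys, Winternitz chains) exist; but the reuse problem is the one that bites in deployment, and the forgery search above is why a stateful signer must never hand out the same leaf twice.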
~~~
api
If PKC turned out to be almost impossible post-QC, boy would that ever change
the world of computing, networking, pretty much everything. It would mean
everything would have to run on pre-shared secret keys.

It would also be the absolute end of Bitcoin and derivatives, at least as far
as I know.

~~~
tptacek
Practical quantum cryptanalysis is already the end of Bitcoin, which relies on
ECC algorithms that will fall to QC.

(Maybe you're making the broader statement, that if QC turns out to make all
forms of public key crypto insecure, regardless of the hard problem they're
based on, then it won't even be possible to design a working alternative to
Bitcoin.)

~~~
sysk
Public keys are only stored as a hash in the blockchain though (assuming no
address re-use). Is RIPEMD-160 vulnerable to QC?

~~~
martinko
Addresses that have been sent from will be vulnerable because their public key
will be displayed in the outgoing transaction. One-use addresses will not be
vulnerable, as their public keys are indeed stored only as hashes in the
blockchain, but the algorithm is not only RIPE, but something like
SHA256(RIPEMD-160(SHA256(Public_Key))). I don't know about RIPE, but sha256
should be QC resistant. Thus if you do not reuse addresses you should be safe
against QC.

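Added example (editor's code, not from the thread): a small ledger scan that makes the point of the last few comments concrete. In Bitcoin a pay-to-pubkey-hash output only commits to a hash of the key; the key itself appears on-chain the first time that address spends. So the coins a quantum attacker could target are exactly the unspent outputs sitting on addresses whose key has already been revealed, which is what address reuse creates. The transactions, key labels and amounts below are constructed, and `address_of` is a stand-in: real addresses use RIPEMD-160 over SHA-256 of the key and Base58Check with a double-SHA-256 checksum, which is not reproduced here because only the one-way property matters for the scan.

```python
import hashlib
from collections import defaultdict


def address_of(pubkey: bytes) -> str:
    # Constructed stand-in for Bitcoin's hash160 + Base58Check; any one-way hash will do here.
    return hashlib.sha256(pubkey).hexdigest()[:40]


# Constructed keys (labels, not real secp256k1 points) and the addresses derived from them.
ALICE, BOB, BOB_FRESH, CAROL = (b"pk-alice", b"pk-bob", b"pk-bob-2", b"pk-carol")
A_ALICE, A_BOB, A_BOB_FRESH, A_CAROL = map(address_of, (ALICE, BOB, BOB_FRESH, CAROL))

# Constructed ledger. An input is (txid, output index, public key shown in the scriptSig);
# an output is (address, value). Amounts are arbitrary units.
TXS = [
    {"id": "tx1", "inputs": [], "outputs": [(A_ALICE, 50)]},          # coinbase
    {"id": "tx2", "inputs": [("tx1", 0, ALICE)],                       # Alice pays Bob,
     "outputs": [(A_BOB, 30), (A_ALICE, 20)]},                         # change to the SAME address
    {"id": "tx3", "inputs": [("tx2", 0, BOB)],                         # Bob pays Carol,
     "outputs": [(A_CAROL, 10), (A_BOB_FRESH, 20)]},                   # change to a fresh address
]


def scan(txs):
    """Replay the ledger; return (exposed, safe): unspent balance per address, split by
    whether that address's public key has ever been revealed in a spend."""
    utxo = {}          # (txid, index) -> (address, value)
    revealed = set()   # addresses whose public key is now on-chain
    for tx in txs:
        for txid, idx, pubkey in tx["inputs"]:
            addr, _ = utxo.pop((txid, idx))
            if address_of(pubkey) != addr:
                raise ValueError(f"{tx['id']}: key does not hash to the address being spent")
            revealed.add(addr)
        for i, (addr, value) in enumerate(tx["outputs"]):
            utxo[(tx["id"], i)] = (addr, value)
    exposed, safe = defaultdict(int), defaultdict(int)
    for addr, value in utxo.values():
        (exposed if addr in revealed else safe)[addr] += value
    return dict(exposed), dict(safe)


if __name__ == "__main__":
    exposed, safe = scan(TXS)
    print("exposed (public key already on-chain):", exposed)
    print("still hidden behind the hash:", safe)
```

Running it shows Alice's 20 units of change as exposed (her key was revealed in tx2 and she sent change back to the same address), while Bob's fresh change address and Carol's never-spent address stay hidden. The same walk over the real chain is how the "how much BTC is quantum-exposed" estimates are produced, with the caveat that an attack during the window between broadcast and confirmation is a separate problem that address hygiene does not solve.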
------
amckenna
I wonder how the attack would fare against other Lattice-based schemes such as
NTRU, which was recently open sourced.

[https://en.wikipedia.org/wiki/NTRU](https://en.wikipedia.org/wiki/NTRU)

[https://github.com/NTRUOpenSourceProject/ntru-crypto](https://github.com/NTRUOpenSourceProject/ntru-crypto)

------
zkhalique
Wait, so can quantum computers now crack public key cryptography, or not?

~~~
gliese1337
Only if we can actually build general purpose quantum computers. The news here
is that a new quantum algorithm has been developed to attack public key
cryptography; other quantum algorithms that attack certain kinds of
cryptography were already known. None of them matter practically until we have
computers that can actually run them, which we don't, but the discovery of
_another_ new attack algorithm means that developing such computers would be a
slightly bigger deal than we thought it was before.

~~~
apendleton
This one is also noteworthy because the algorithm it attacks was developed
specifically with resistance to quantum attacks in mind, unlike the breed of
public-key crypto currently in use, which is widely known to be vulnerable to
quantum attacks.

~~~
tptacek
That may be true of Soliloquy, but I'm not sure it's the case that lattice
problems were originally researched as an antidote to QC. Lattice theory has
applicability to cryptography in general, so it's natural that people explored
its suitability as a crypto primitive.

I don't think it's reasonable to draw the conclusion from this paper that
"cryptographers set out to foil QC and in this case failed". One derivative
scheme in a broad class of lattice crypto designs fell, that's all.

Lattice crypto has very strong post-quantum crypto marketing, because of NTRU.

