Hacker News new | past | comments | ask | show | jobs | submit login

It has nothing to do with "reversing" hashes. The attacker would use the quantum computer to determine the CA's private key (e.g. by factoring the RSA modulus using Shor's Algorithm), and would then be able to sign any hash they want. No need to attack the hash function; in fact hashes remain secure under quantum computing.



> in fact hashes remain secure under quantum computing.

Hashes will see their security cut in half, in terms of the effort needed to find a pre-image. (EDIT: security in bits = log of #evaluations needed)

E.g. finding a SHA256 pre-image, which amounts to a search over a space of 2^256 candidates, can be sped up using Grover's algorithm, to roughly 2^128 hash evaluations.


That's not half. Its square root of n. By cutting effort in half of 2^n you get only 2^(n-1).


The effective number of bits of entropy are cut in half.


Well he said "in terms of the effort needed to find a pre-image". For that effort won't be half.


That's true, but it's easy to fix by using longer hashes (e.g. SHA-512). RSA and ECC are broken beyond hope.


Hashcash, the proof of work system employed by Bitcoin with hash function SHA256, is also vulnerable. Where a current mining chip might search a space of 6e13 nonces in 10mins, a quantum computer employing Grover's algorithm might be able to search a space of 1e18 nonces, even with much fewer circuits and slower cycle time (although in Bitcoin this is complicated by having limited nonce entropy in the header)

Note that the potential for speedup is due to the extremely small time needed for a single proof attempt. A PoW that only allowed a hundred proof attempts in the block interval time would hardly be vulnerable.




Join us for AI Startup School this June 16-17 in San Francisco!

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: