[Cryptography] Post Quantum Crypto

Philipp Gühring pg at futureware.at
Thu Nov 12 19:14:58 EST 2015


Hi,

> We can't deny that you have a sense of timing,

The timing has been an interesting thing in this project, yes.
In the beginning, when I realized the state-of-the art of quantum
computers, I was shocked and ashamed that I had not taken quantum
computers seriously back in the days when I was caring about the security
of a certification authority, and I had the feeling that nearly the
whole crypto community had completely missed the opportunity to develop
sustainable algorithms in time, and to design proper public key migration
mechanisms. After I had developed solutions for the (from my point of
view) big migration problems, I cooled down again, thinking that I had
solved the big migration puzzle and that my migration scenario just has
to be implemented now; we now have a plan and a good chance to survive
the cryptocalypse.
It felt like solved and ticked off to me.
When I read the announcement of Quantum-Safe Suite-A/B, I wondered why it
seems to have taken them one year to find and read my papers, and it made
clear to me that they currently aren't 10 years ahead of us.
And in the end, if my friend hadn't come back to me and clearly argued
that it's time to publish it now, I wouldn't have sat down and written it
all up, and I wouldn't have sent that email. So it actually wasn't my sense of
timing. But I am used to developing things years before the market is ready
for them.


> see this posting on the eprint archive concerning Post Quantum Key
> exchange
> (http://eprint.iacr.org/2015/1092).
> Last week I also read a position paper from Michele Mosca about crypto
> in a
> post quantum world (http://eprint.iacr.org/2015/1075).

Thanks for the links. I think I will have to invest quite some time again
to get up-to-date.

> While I think work in post quantum crypto is valuable I take issue with
> the
> estimation of how close we are to the cryptapocalypse. I don't really
> see
> any substantiated arguments in your or Michele's statements.
> According to you we are 3 away, while Michele's horizon is around
> 2030.
> Who's right matters because the policies we choose are not going to be the
> same.

Ok, it seems, I shortened that too much.
What I was thinking about back then was the likelihood of a capable
quantum computer being buildable within 5 years, not the specific point in
time when a quantum computer will actually be built (which is much harder
to guess). I started with the 5 years assumption, and thought about how
realistic that could be. I didn't try to guess how long it will actually
take. And I thought about the likelihood of the public being told about
the existence of the first Shor-capable large-scale quantum computer.
So I wasn't saying that a quantum computer is 5 years away, but that I saw
it as likely that it might be buildable in 5 years.
Some more reasoning about the timeframe:
I studied the D-Wave architecture, and found that the current architecture
is fundamentally a 2-dimensional architecture, and it scales accordingly.
So I expected 1-2 further steps where the amount of qubits can be doubled,
but then I expect a decline in the growth rate, since the chip will get
too big. (they are at 1000-2000 qubits now, so the slowdown of growth
should start now) Within 5 years, I think I expected about 5000 qubits, if
I remember correctly. And I expected that growth beyond 10000 qubits will
be hard, similar to the hardness of CPU speeds above 4GHz.
I assumed that an attacker has the budget of a three-letter-agency, and
owns a chip fab with the best processes available, and has access to
not-yet-published research of most of the quantum computer researchers,
and has full access to D-Wave technology.

In 2014, D-Wave gave the comment that they could develop a Shor-capable
quantum computer if they wanted (and I had to change my predictions), but
they obviously don't want to, since the Return-on-Investment likely has to
be made with the sale of 1 single computer, and given that it's much
cheaper to break into nearly every computer on the planet than to make such
an investment, which will also rapidly lose its value, it's an extremely
tough business case.

By the way, has anyone set up a quantum-computer honeypot yet?

Best regards,
Philipp Gühring
