[Cryptography] Has quantum cryptanalysis actually achieved anything?

Jerry Leichter leichter at lrw.com
Tue Mar 11 16:58:39 EDT 2025


>>> What the switch to PQC is doing is throwing away all of that evolution over
>>> time and starting again with a new set of bugs, mistakes, errors,
>>> cryptanalytical attacks, and problems that we can spend the next 30-40 years
>>> trying to fix.  It's a major net loss for security to defend against an attack
>>> that no-one has been able to demonstrate exists.  We may as well try and
>>> implement Colin O'Flynn's Time Travel Resistant Cryptography (TTRC) while
>>> we're at it, in case someone invents a time machine.
> 
> For certain use cases that do not require very low latency or are not
> cpu compute bound we can employ wrapping. For example we encode an inner
> block with some PQC scheme (or multiple) and then wrap it with EC?
Block ciphers like AES - and symmetric cryptography in general - are not particularly vulnerable to quantum computer attacks.  (The best attack known on such algorithms uses Grover's algorithm, which turns brute force search from O(N) to O(SQRT(N)), where N would be 2^n for an n-bit key.  So it reduces your security level by 1 bit.)

Where you mainly want to use quantum-safe algorithms is for public key cryptography and, especially, for key exchange.

> Could it not be argued that this would at least be more secure than just
> pure EC crypto? If there are any undiscovered vulnerabilities within the
> PQC the attacker at least needs to push through our battle hardened
> current crypto to attempt to exploit the inner vulnerability.
Nesting signatures or public key encryptions inside of each other can be tricky.  While it might seem the result is at least as secure as the stronger algorithm, you'd want to prove that - there have been results that show otherwise, though the details escape me.

I don't see how you would wrap key exchange algorithms.  You could probably run two key algorithms, one with each algorithm, then combine the two keys with a secure hash function.  Kind of expensive if you do it frequently as for a forward security ratchet.
                                                        -- Jerry
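The "run two key agreements and combine the keys with a hash" approach mentioned above, as an added example that is not part of the original thread: a concatenation-style hybrid combiner built on RFC 5869 HKDF, with both ciphertexts bound into the derivation so the final key depends on the full transcript. The shared secrets and ciphertexts below are constructed placeholders standing in for the outputs of a real ECDH and a real PQ KEM.

```python
import hashlib
import hmac

HASH = hashlib.sha256

def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """RFC 5869 HKDF-Extract: PRK = HMAC-Hash(salt, IKM)."""
    return hmac.new(salt, ikm, HASH).digest()

def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 HKDF-Expand: T(i) = HMAC(PRK, T(i-1) || info || i)."""
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        out += block
        counter += 1
    return out[:length]

def combine_shared_secrets(ss_classical: bytes, ss_pq: bytes,
                           ct_classical: bytes, ct_pq: bytes,
                           label: bytes = b"hybrid-kex-v1") -> bytes:
    """Derive one 32-byte session key from two independent key agreements.

    Both secrets go into the IKM, so an attacker must recover BOTH to learn
    the key; both ciphertexts go into the salt, so tampering with either side
    of the exchange yields a different key. Fixed-width inputs keep the
    concatenation unambiguous (a real combiner must enforce this too).
    """
    assert len(ss_classical) == 32 and len(ss_pq) == 32, "fixed-width secrets only"
    ikm = ss_classical + ss_pq
    salt = HASH(ct_classical + ct_pq).digest()
    return hkdf_expand(hkdf_extract(salt, ikm), label, 32)

# Constructed sample values (hypothetical); real code takes these from the
# classical ECDH and the PQ KEM decapsulation respectively.
SS_EC = bytes(range(32))
SS_PQ = bytes(range(32, 64))
CT_EC = b"constructed-ec-ephemeral-pubkey"
CT_PQ = b"constructed-pq-kem-ciphertext"

def demo_key() -> bytes:
    return combine_shared_secrets(SS_EC, SS_PQ, CT_EC, CT_PQ)
```

Because the combiner is a PRF keyed on both secrets, the derived key stays unpredictable as long as either component secret does, which is the "defence in depth" the thread is asking for.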