
Is quantum cryptography practical or is it no good?

Is quantum cryptography practical or is it no good?
>>
>>9052995
Yes.
>>
>>9053026
25
>>
>>9052995
It's a scam for free funding, invalid phds, and money washing.
https://blog.cr.yp.to/20160516-quantum.html
>>
>>9052995
the quantum computing is only probabilistic, it is not deterministic. This means no 1-to-1 answers, only likely answers and less likely answers.

Quantum cryptography in the sense of breaking standard cryptography is good. A Q-computer cannot break an encryption key, but it can tell you where it is likely to be found, allowing you to begin brute forcing in the most likely number range.

As far as encryption goes, I don't believe we have the technology (or even an idea) of how to proceed. The very act of reading a quantum state changes its value, meaning we will need to devise some sort of tricky method to actually use it for encryption.
>>
>>9055216
Some pretty good seminar videos here on real not scifi post-quantum crypto if anybody is interested
https://2017.pqcrypto.org/school/schedule.html

Indeed the "Quantum Cryptography" is a gigantic scam
>>
>>9055264
>Indeed the "Quantum Cryptography" is a gigantic scam
Non-quantum physicist here and yes, this is what I thought as well.

Q-computers seem good for encryption breaking by giving you a 'number neighborhood' that an encryption key could lie in, but don't seem all that good for actually encrypting.

I hear they could be used for key exchange though, owing to the fact their state gets changed upon observation, meaning they could be used to share a key between person 1 and 2 and as soon as person 2 views the key its state is changed meaning nobody else can view the key
>>
>>9053026
10/10

/thread
>>
>>9055299
Wrong link, djb explains QKD snakeoil here (both the implementation and even the theory itself are bogus) https://twitter.com/hashbreaker/status/689115480267816960
>>
>>9055299
Maybe, maybe not.

Q computing can only tell you the general area where the key lies, it can't tell you what the key actually is.

To counteract this I imagine RSA or ECC keys could simply be scaled in key size.

I would think that given an arbitrarily large RSA or ECC key value, even if a Q computer tells you where to start looking it may still take you millions of years to find the actual key.

Although whether having key sizes this large (megabytes in size?) is practically applicable is another story altogether.
>>
>>9055277
>Non-quantum physicist here
What the fuck does that mean? Any actual physicist knows and uses quantum mechanics, even if it doesn't directly apply to your research area (which is pretty unusual nowadays).

t. Actual PhD physicist
>>
>>9055318
>Im dont understand why people use the term quantum physicist
Looks like they really awarded a PhD to a winner this time
>>
>>9055330
Literally all modern trained physicists are quantum physicists
>>
>>9055335
then you understand the usage of the term now?
>>
>>9055318
>Any actual physicist knows and uses quantum mechanics, even if it doesn't directly apply to your research area
not all physicists were gullible enough to fall for the "quantum" meme
>>
>>9055357
>not all biologists were gullible enough to fall for the "evolution" meme
t. Ken Ham
>>
Not all astrologers were gullible enough to fall for the 'round earth' meme
>>
not all mathematicians were gullible enough to fall for the "real numbers" meme

t. all-seeing leprechaun
>>
Not all historians were gullible enough to fall for the "Einstein invented the mass-equivalence principle" meme
>>
>>9055316
djb wrote a book outlining how RSA, DSA, ECDSA, ECC, HECC, class groups etc. are all dead in a post quantum world in that they will be trivial to run Shor's or Grover's algorithm on but McEliece (code based) NTRU (lattice based) HFE (Multivariate) and even AES will generally survive
>>
>>9055390
Well it makes sense that AES will survive, it's only a method of cryptology, not a type of key.

It also makes sense that Shor's algorithm makes all of the previously mentioned keys obsolete, they all rely on the difficulty of factoring a very large prime number.

Did this person mention anything about the ElGamal cryptosystem? ElGamal relies on the difficulty of finding a discrete logarithm of a very large number, have you heard of any quantum algorithms that are able to determine discrete logarithms?
>>
>>9055374
>not all forward-thinkers were gullible enough to fall for the "biologically determined sex" meme
t. Bill Nye
>>
>>9055653
>>
Security and privacy engineer here; I did my graduate research in cryptography.

An important distinction to be made is that between "quantum cryptography" and "quantum-safe cryptography." The former refers to the development of cryptographic algorithms based upon principles of quantum computing; the latter refers to the development of cryptographic primitives resistant to cryptanalysis making use of the power of quantum computing.

The first is both practical and useful insofar as the development of quantum links becomes inexpensive and widespread: for example the observer effect in QM gives us an extremely powerful (and useful) method for key exchange.

The latter is a bit fuzzier. Its usefulness is a function of how likely you believe quantum computing is to be viable at scale, and current practicality is hardly more than a guess. All of the "quantum-safe" algorithms we currently have are given this title based on nothing more than the fact that the associated hardness assumption does not relate to factoring. We're not entirely certain of the classes of classically intractable problems which become tractable in the context of QC.
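
The key-exchange idea the post above refers to, as an added example that is not part of the original post or thread: a classical simulation of a BB84-style exchange showing how measurement disturbance surfaces as an error rate the two parties can check. The choice of BB84, the intercept-resend eavesdropper model, the abort threshold and all function names are assumptions made for illustration.

```python
import random

def measure(bit, prep_basis, meas_basis, rng):
    # Same basis: the encoded bit is read back. Different basis: the outcome
    # is a fair coin flip, and the original value is destroyed.
    return bit if prep_basis == meas_basis else rng.randint(0, 1)

def bb84_qber(n_photons, eavesdrop, seed=1):
    """Return the error rate Alice and Bob see on their sifted key bits."""
    rng = random.Random(seed)  # seeded so the run is reproducible
    sifted = errors = 0
    for _ in range(n_photons):
        a_bit, a_basis = rng.randint(0, 1), rng.randint(0, 1)
        bit, basis = a_bit, a_basis          # state on the wire
        if eavesdrop:                         # intercept-resend eavesdropper model
            e_basis = rng.randint(0, 1)
            bit = measure(bit, basis, e_basis, rng)
            basis = e_basis                   # re-sent in the basis Eve guessed
        b_basis = rng.randint(0, 1)
        b_bit = measure(bit, basis, b_basis, rng)
        if a_basis == b_basis:                # sifting: bases compared publicly
            sifted += 1
            errors += a_bit != b_bit
    return errors / sifted

def accept_key(qber, threshold=0.11):
    # Abort threshold is an illustrative assumption, not a value from the thread.
    return qber <= threshold

if __name__ == "__main__":
    for eve in (False, True):
        q = bb84_qber(4000, eavesdrop=eve)
        print(f"eavesdropper={eve}  QBER={q:.3f}  accept={accept_key(q)}")
```

On an undisturbed channel the sifted bits agree exactly; with an eavesdropper measuring every photon the expected error rate is 25%, which is why the parties compare a sample of sifted bits before using the rest as key material.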
>>
>>9052995
Circadia 3301 thinks so.
>>
>>9055316
>To counteract this I imagine RSA or ECC keys could simply be scaled in key size.
Check https://eprint.iacr.org/2017/351
They use a 1TB RSA key.
>>
>>9055601
ECC/DSA/DH/ECDHA and ElGamal all rely on discrete logarithms, also broken by Shor.

>>9055390
Don't forget Hash-based signatures as well as this thing https://en.wikipedia.org/wiki/Supersingular_isogeny_key_exchange.

>NTRU
Ring learning with errors algorithms are better due to provable security reductions to known NP-hard problems such as SVP.
You would probably want to look for New Hope instead.
>>
>>9055699
>The first is both practical and useful
and a scam
>>
>>9056631
djb and his students replaced New Hope practical key lengths with his paper NTRU Prime (and then later "Streamlined NTRU Prime") last year in which they didn't rely on the classic NTRU/Ring-LWE tradition of using cyclotomic rings which have performance issues. So you get the practical key length of New Hope + optimized crypto speeds that make lattice crypto usable.

The best hash-based sigs so far proposed for the post-quantum world is SPHINCS-256 because it is stateless, so they could prove it is secure against quantum resources.

Anybody here who doesn't know, Daniel Bernstein and Tanja Lange teamed up to make a post-quantum, crypto engineering department in the Netherlands at TU/e after he was given a multi million euro grant to start such a school. djb fled the US during Obama's tenure as King of USA as the NSA made opening any such school impossible according to him.

As a result, they're now churning out excellent papers every semester on analyzing post quantum algorithms and optimizing them, and he runs the biggest crypto bench/analysis team in the world so other researchers can send their implementations to them to be analyzed for free and collaborate.

tl;dr if you are at all considering a grad school for cryptography, try and get into TU/e either their math masters program or direct PhD track where you get first hand experience with these PQ algorithms and test beds.
>>
>>9057651
They had organised https://2017.pqcrypto.org/exec/ but I forgot to register to it because I am a huge baka ;_;

Wasn't aware of that paper before, thanks. I am thinking of applying to get into TU/e after I finish with my undergrad degree but I fear that it might be too hard for me.