Ask Slashdot: Post-Quantum Asymmetric Key Exchange?
First time accepted submitter LeDopore writes "Quantum computers might be coming. I'd estimate that there's a 10% chance RSA will be useless within 20 years. Whatever the odds, some of the data we send over ssh and ssl today should remain private for a century, and we simply can't guarantee secrecy anymore using the algorithms with which we have become complacent. Are there any alternatives to RSA and ECC that are trustworthy and properly implemented? Why is everyone still happy with SSH and RSA with the specter of a quantum menace lurking just around the corner?"
Vulnerable in 20 years (Score:2)
Without overly snarking, 20 years is too long a time frame to care.
When we get down to 3 years take a "miniscule amount" of $100,000 (in "then dollars") and hire 30 mathematicians/cryptos/NSA types + 1 Slashdot Geek/1 Local Prodigy/2 Hotshots of the month/1 Sales guy/1 admin/1 Hotel Lodging rep and tell them to get cracking for 3 months. Problem solved.
Re: (Score:2)
Almost anything commercial will certainly be sensitive in 20 years time and almost anything that relates to official records is absolutely guaranteed to be classified as sensitive in 20 years time. Absolutely nothing that is sensitive will be encrypted better than the common publicly-used standards available. If it's not in OpenSSL or some other widely-used library, nobody will use it.
I argued on this thread that essentially all encryption in common use should be kept to a minimum standard of safe for 50 ye
Re:Vulnerable in 20 years (Score:5, Insightful)
Well, the person is an idiot. His estimation of 20 years is laughably naive.
My response to this statement is a quantum superposition of two thoughts:
A. I agree. A 20 year estimate is ludicrous. It's far too much time.
B. I agree. A 20 year estimate is ridiculous. It's far too short.
Re: (Score:2)
More practically, it presupposes that his traffic is being captured. To capture 100% of the traffic of the Internet exceeds all forms of storage.
Let's say that his traffic is being targeted right now, and 100% of his currently secret SSL/SSH traffic is being captured and madly attacked. The poster supposes that he/she wants 100yrs of privacy. The poster is a three letter agency, or similar. That agency can pay for its own problems and I suspect that there are back doors to RSA, and most forms of encryption
Re: (Score:2)
Correct me if I'm wrong, but backward travel seems to be currently judged as not possible. Quantum breaking of RSA may happen in 20yrs, but not to go back in time and break encrypted information. If you capture the info and bring it time-forward, then you can open it up, presuming you can crack the encryption keys.
Re: (Score:3)
20 years is too long to care, true; but I see two points to his argument.
First, it's going to take time to roll out a replacement. How fresh does the data have to be for you to consider it worrying? If it takes 5 years to develop a consumer grade replacement and 5 years for it to become ubiquitous online, all of a sudden data recorded at the end of that window is only 10 years old at the hypothetical 20 year mark. Of course, that just raises the question, is there any asymmetric key encryption algorithm tha
Re:Vulnerable in 20 years (Score:4, Funny)
is there any asymmetric key encryption algorithm that can't be cracked with quantum computers?
Yes and no.
The answer won't collapse until we open the quantum computer box and look inside.
Re: (Score:3)
For a company to consider commercial secrets "secure", it should be aiming for around 50 years security, which is why Serpent and MARS were aiming for that sort of level during the AES contest. Government records, including census data, are also covered by a 50 year rule and should again be encrypted to that kind of standard. Highly classified material is usually put under a 100 year rule, assuming it is to ever be released at all. I'd consider a century to be adequate for most national secrets, there reall
Oblig. (Score:3, Insightful)
Get your most closely kept personal thought:
put it in the Word .doc with a password lock.
Stock it deep in the .rar with extraction precluded
by the ludicrous length and the strength of a reputedly
dictionary-attack-proof string of characters
(this, imperative to thwart all the disparagers
of privacy: the NSA and Homeland S).
You better PGP the .rar because so far they ain’t impressed.
You better take the .pgp and print the hex of it out,
scan that into a TIFF. Then, if you seek redoubt
for your data, scramble up the order of the pixels
with a one-time pad that describes the fun time had by the thick-soled-
boot-wearing stomper who danced to produce random
claptrap, all the intervals in between which, set in tandem
with the stomps themselves, begat a seed of math unguessable.
Ain’t no complaint about this cipher that’s redressable!
Best of all, your secret: nothing extant could extract it.
By 2025 a children’s Speak & Spell could crack it.
You can’t hide secrets from the future with math.
You can try, but I bet that in the future they laugh
at the half-assed schemes and algorithms amassed
to enforce cryptographs in the past.
And future people do not give a damn about your shopping,
your Visa number SSL’d to Cherry-Popping
Hot Grampa Action websites that you visit,
nor password-protected partitions, no matter how illicit.
And this, it would seem, is your saving grace:
the amazing haste of people to forget your name, your face,
your litanous* list of indefensible indiscretions.
In fact, the only way that you could pray to make impression
on the era ahead is if, instead of being notable,
you make the data describing you undecodable
for script kiddies sifting in that relic called the internet
(seeking latches on treasure chests that they could wreck in seconds but didn’t yet
get a chance to cue up for disassembly)
to discover and crack the cover like a crème brûlée.
They’ll glance you over, I guess, and then for a bare moment
you’ll persist to exist; almost seems like you’re there, don’t it?
But you’re not. You’re here. Your name will fade as Front’s will,
‘less in the future they don’t know our cryptovariables still.
Now it’s an Enigma machine, a code yelled out at top volume
through a tin can with a thin string, and that ain’t all you
do to broadcast cleartext of your intentions.
Send an email to the government pledging your abstention
from vote fraud this time (next time: can’t promise).
See you don’t get a visit from the department of piranhas.
Be honest; you ain’t hacking those. It’d be too easy,
setting up the next president, pretending that you were through freezing
when you’re nothing but warming up: ‘to do’ list in your diary
(better keep for a long time — and the long time better be tiring
to the distribution of electrical brains
that are guessing every unsalted hash that ever came).
They got alien technology to make the rainbow tables with,
then in an afternoon of glancing at ‘em, secrets don’t resist
the loving coax of the mathematical calculation,
heart of your mystery sent free-fall into palpitations.
Computron will rise up in the dawn, a free agent.
Nobody knows the future now; gonna find out — be patient.
Re: (Score:2)
Sounds better than I thought it would:
https://www.youtube.com/watch?v=BA6kG-tOkBs [youtube.com]
Non-issue to 99.9% of us (Score:5, Insightful)
Because the vast majority of us don't need to keep our data secure for the next century... Even for some of the most nefarious uses of crypto, merely lasting long enough to exceed the statute of limitations will suffice, and I'd put that as a serious fringe case.
Personally, I only use encryption for my financial documents and to make myself a more difficult target in the present (whether to identity thieves or the government or to my ISP trying to control my traffic). For the former, I consider basic access control (i.e., keep it offline) as the first line of defense, and the encryption as a fallback; for the latter, if it takes even five minutes more effort than merely watching the wire, the crypto has done its job.
Even corporations don't tend to care about a scale longer than five years out (and that, only when they can even see past the next quarter)... Which leaves really only governments caring about how soon someone like Assange can find a way to embarrass the talking heads.
Re: (Score:2)
Plus all your current transactions, if you never changed your password on a line I wasn't watching.
Re: (Score:2)
A countercase exists: memoirs, trade secrets, very sensitive (military) research, and data that is incredibly expensive to reproduce all qualify for 'more than 20 years' protection.
Twain wanted decades beyond the death of anyone involved in some of his memoirs. Nixon probably wouldn't have disagreed. Ditto RandomJoe's pron archive.
Companies like Coca Cola and manufacturers with proprietary manufacturing steps keep things proprietary expressly because that information's value might last longer than a pa
No expert but... (Score:4, Informative)
In previous discussions it has been pointed out that not all encryption algorithms are susceptible to quantum computers. If I remember right (I am sure someone has a reference that I don't) it only affects RSA and others that rely on the hardness of factoring discrete logarithms.
Anyway...only reference I can find, from wikipedia (http://en.wikipedia.org/wiki/Quantum_computers#Potential ):
Re: (Score:3)
hardness of factoring discrete logarithms.
For clarification, you are talking about two separate problems. One problem is integer factorization. In the case of RSA, encryption and decryption are done modulo some n = pq, where p and q are large prime integers. While n is public, p and q are private. If you know p, q, and a public key, you can compute the corresponding private key efficiently.
The other problem is computing discrete logarithms (sometimes over a finite field, as in ECC). RSA encrypts message m with a key e by computing c = m^e mod
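A worked version of the factoring point above, as an added example (not the commenter's code) using the assumed toy parameters p = 61, q = 53, e = 17: with only n and e public, anyone who can factor n recomputes phi(n) and from it the private exponent d.

```python
# Added illustration: RSA's private exponent falls out of factoring n.
# Toy parameters only; real keys use 2048-bit-plus moduli, where trial
# division is hopeless, which is exactly the assumption RSA rests on.
from math import isqrt


def toy_keygen(p: int, q: int, e: int = 17):
    """Build an RSA keypair from two (small) primes. Returns (n, e, d)."""
    n = p * q
    phi = (p - 1) * (q - 1)   # Euler's totient of n: private knowledge
    d = pow(e, -1, phi)       # modular inverse of e; needs gcd(e, phi) == 1
    return n, e, d


def encrypt(m: int, n: int, e: int) -> int:
    return pow(m, e, n)       # c = m^e mod n, using only the public key


def decrypt(c: int, n: int, d: int) -> int:
    return pow(c, d, n)       # m = c^d mod n, using the private exponent


def factor_by_trial_division(n: int):
    """Classical factoring; feasible here only because n is tiny."""
    for p in range(2, isqrt(n) + 1):
        if n % p == 0:
            return p, n // p
    raise ValueError("no nontrivial factor found")


def recover_private_key(n: int, e: int) -> int:
    """What anyone who can factor n can do: rebuild phi(n), then d."""
    p, q = factor_by_trial_division(n)
    phi = (p - 1) * (q - 1)
    return pow(e, -1, phi)


if __name__ == "__main__":
    n, e, d = toy_keygen(61, 53)
    c = encrypt(65, n, e)
    d_recovered = recover_private_key(n, e)
    print(f"n={n} e={e} d={d} c={c} recovered d={d_recovered} "
          f"m={decrypt(c, n, d_recovered)}")
```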
Re: (Score:3)
What's really interesting about your comment is that that's exactly what I had seen before and was referencing when I was typing my earlier post. However, when I started hitting up wiki and looking for the reference I saw before, I saw several places where it was claimed that ECC was vulnerable to Shor's algorithm, which surprised me (and made me edit that out of my comment before I posted) because it contradicted what I had seen before.
Re: (Score:2)
The basic math in the quoted section is wrong so I wouldn't trust anything it says. If you reduce the number of invocations by a factor of two then you lose one bit of security. To reduce the security level by half you would need to only use the square root of the number of invocations.
Re: (Score:2)
Um.... reducing the keyspace by 1 bit cuts the keyspace in half, it also cuts the time required to brute force in about half, since most of the time spent is in the invocations. How is that not reducing the security level in half? Maybe you are using a definition that I am not familiar with?
Re: (Score:2)
Um.... I have expanded every comment posted to this article so far, above and below, and yours is the only that contains the string "1978".
What kind of data? (Score:2)
I'm more interested in finding out what kind of data you're protecting that needs to remain private for a century. A century ago, telephones were new and uncommon in homes (a few million phones existed, but no transatlantic lines, there was no dialing -- calls were placed through manual exchanges where a switchboard operator manually connected the callers), there was no TV, there were no commercial radio broadcasts. Electricity to the home was uncommon except to the wealthy in urban areas.
I'd really like t
Re: (Score:2)
The keys to the DRM, of course.
Setec Astronomy (Score:2)
Crack my code bitches!
Not so worried about quantum (Score:5, Interesting)
I'm a bit more worried about someone who finally gets a eureka on factoring large numbers. Then the genie is out of the bottle, and no-one knows it. Heck, it might already be cracked, and held as a state secret; only makes sense.
What would you do if you had a factoring algorithm that could factor a RSA number as fast as the generator could make them?
What would be the fallout?
Re: (Score:2)
I would probably inform some major banks, CC companies, etc and offer to withhold the secret for $10,000 a day up till 1 month. Then I'd go public and collect some of the prizes and scientific awards, retire and live a life of luxury never having to work again.
Re: (Score:2)
"What would you do..?"
Publish it as widely as possible, publicly. As a secret it's worth killing over.
Re: (Score:2)
Tell the world. If I didn't do it, no matter how bright, someone else is just around the corner, or possibly doing it now.
So the only way to damage by rogue actors is to let everyone know it's there.
Or transfer all the banks money to some well armed country.
hard to say.
When everyone can crack secrets, there won't be any secrets.
Re: (Score:2)
Factoring is known to not be NP-complete. In fact, the complexity is known to be less than O(2^n), though larger than O(n^a) for any value of a.
Re: (Score:2)
you anti onefishians.
Re: (Score:2)
Factoring 100 requires a 7-bit quantum computer. We've successfully operated a 4-bit computer to factor 15. You really think it will take 20 years more to get those next 3 bits?
Re: (Score:2)
Bitch slapped with facts. well done.
Re: (Score:2)
15 happens to be an unfairly easy number to factor with a quantum computer.
Factoring 100 using Shor's algorithm really requires closer to 70 qubits.
Nothing to respond to. (Score:3)
This article should never have been posted. There are no facts to respond to. Linking to a wikipedia article that talks about the possibility of Quantum computing is not a topic for discussion. Where does the estimate of 20 years come from? What will Quantum computing be able to do in this imagined 20 years? How much will it cost?
Unless the submitter can give real answers to the above questions, based on facts and not idle speculation, there's nothing to talk about.
Re: (Score:2)
All you're telling me is that you have yet to decrypt the summary, which is cleverly encrypted to look like a real summary, but contains clues that it's not realistically a real summary.
Re: (Score:3)
It is a real concern though. Quantum computers are by no means around the corner, but we're in serious trouble if someone manages to build a working quantum computer. So many of our important crypto protocols rely on RSA, DH, ECC-DH, etc. There actually are some pretty decent alternatives to the current used set of asymmetric algorithms, but getting those algorithms into standards (e.g., getting Ntru into the TLS cipher suite) is going to take time, and getting those updated standards implemented and dep
Easy... (Score:2)
SSH != crypto algorithm.
Things to keep in mind. (Score:5, Insightful)
You should keep in mind that although theoretically there may be efficient quantum algorithms for a variety of problems on which cryptographic schemes are based, in practice, the only one which has been found is factoring. So, yeah, RSA will become toast if we can get the number of qubits in a quantum computer up into the neighborhood of RSA key lengths (1024, 2048, 4096). But, exceedingly few of the other major cryptographic systems rely on factoring being hard. So, for example, Diffie-Hellman or El Gamal (both integer and elliptic curve versions for both) will probably not be appreciably easier to crack. So, there doesn't seem to be any serious reason to be worried about public key cryptography, just RSA. So changes to SSH are pretty straightforward.
As for why people aren't worrying about it, my guess would be that most people don't follow quantum computing, and the few which do may have reason to wonder if we will ever actually reach the 1024 qubit size in a functioning quantum computer. A few years ago, I would've told people not to worry about it because I was following the state of the art and it was around 5 qubits and research had shown that under current models, you needed 9 qubits of output to reliably output 1 normal bit (if my memory is correct). So, we weren't even 0.1% of the way to cracking RSA. These days, the number of qubits is higher, but it's still not clear how long it will be until we can actually functionally factor a 1024 bit number.
Ooops (Score:2)
I double-checked things after I wrote this, and I'm wrong. I didn't realize that Shor's algorithm could be used to solve discrete logarithm problems. So, the ECC versions of things are not affected, but the integer versions of El Gamal and Diffie-Hellman are.
ECC is still discrete logarithm (Score:3)
I double-checked things after I wrote this, and I'm wrong. I didn't realize that Shor's algorithm could be used to solve discrete logarithm problems. So, the ECC versions of things are not affected, but the integer versions of El Gamal and Diffie-Hellman are.
ECC is still the discrete logarithm problem, just applied to a group other than integers mod another integer.
Submitter, RTFA (Score:2)
Even though current publicly known experimental quantum computing is nowhere near powerful enough to attack real cryptosystems, many cryptographers are researching new algorithms, in case quantum computing becomes a threat in the future.
Did the submitter even read TFA? Everyone is happy with ssh and rsa because they work. People are working on encryption methods for when they don't. Nobody knows what's going to happen in the future but it's not here yet because there are no flying cars.
Re: (Score:2)
but we have robes people wear backwards!
the future is great..*weeps*
Well, (Score:2)
Chances are, anything that does need to be secured against such threats, already is. Anything that does not, is probably fine with RSA.
Barring gross incompetence.
Re: (Score:2)
Mod parent up. Just because an attack exists in theory does not mean that a potential attacker has the incentives or resources to do it.
You can't hide secrets from the future with math (Score:5, Interesting)
Whatever the odds, some of the data we send over ssh and ssl today should remain private for a century, and we simply can't guarantee secrecy anymore using the algorithms with which we have become complacent.
If I may, I would like to quote the MC Frontalot song, "Secrets From The Future":
You can't hide secrets from the future
with math, you can try, but I'll bet that in the future
they laugh at the half-assed schemes and algorithms
amassed to enforce cryptographs in the past.
The rest of the song does a pretty good job of explaining exactly how absurd the entire concept of keeping data private, long-term (like, say, a century as suggested, or even twenty years when RSA is theorized to fall), entirely using encryption algorithms. Brings up points like how nobody's going to care about things like your shopping habits (as embarrassing as they may be), credit card transactions from cards expired twenty years previous, sensitive SSH streams decades old, etc. And that it's a moot point anyway, as it's impossible to predict technology out that far, so it's more than a bit futile to count on math to protect things on a time scale like that.
Best of all, your secret: nothing extant could extract it
By 2025 a children's Speak & Spell could crack it.
Re: (Score:2)
That's what popped into my head as well.
One-Time Pad (Score:2)
Your only option for keeping data secret for 100 years is use one-time pad of really good, truly random data and keep it secure until the instant you no longer need to retrieve the data, then completely destroy it. Once it's completely destroyed, then it's even safe from two guys with blowtorches going to work on your knees. On the other hand, now you don't have anything you can say to save your knees! So it may be a matter of defining priorities for you.
If somebody with massive resources is seriously commi
Re: (Score:2)
If people know what you did, then your knees no longer matter to them.
Re: (Score:2)
I'm just going to encrypt my knees. Seems like the solution to everything.
Re: (Score:2)
If someone is willing to torture you for a secret, it stands to reason that they will torture you for any reason at all.
In other words: if someone is willing to bring force to bear, that doesn't let them validly propose social contracts. "Do not negotiate with terrorists" comes to mind.
What world do you live in? (Score:4, Informative)
Maybe I'm just paranoid, but I pretty much assume that every algorithm that we have now could well be effectively useless in 20 years. And I would never presume to think any of them even has a chance of lasting 100 years, or even close to that.
Computers will get faster. Weaknesses will be found in algorithms. Any number of other things that no one can predict might happen. It would be silly to assume things encrypted today, left untouched, would be safe in 20 years and completely naive to have even a sliver of hope they'd be safe in 100, quantum computers or not.
The Quantum Menace? (Score:2)
hahaha.
Creating messages that can be decrypted more than one way, one of which is used to the key from a book only known to the actor, pretty much solves that.
For the rest of us, I'm not sure when it will become cost effective to implement.
Bullshit, as usual (Score:2)
Here is the relevant quote from Bruce Schneier:
A quantum computer will reduce the complexity of an attack by a factor of a square root. So it will effectively halve the keyspace; that's all.
-- Posted by: Bruce Schneier at August 18, 2011 8:34 AM
Nothing at all to worry about. Doubling the key-space quadruples usage effort and is not really a problem.
THE INTERNET IS NOT SECURE (Score:2)
Why are you sending sensitive data over a network that can ship your packets blithely through any router on the planet?
Encryption? Are you kidding?
One Time Pad (Score:2)
To fix this, we abandon public/private key entirely.
Instead, your bank, or Facebook, or any entity that you do business with sends you a USB storage stick with 16 GB of random OTP (One Time Pad). This can be sent through postal mail or by secure courier or exchanged in person.
Once you've sent and received 16 GB of data you need to get a new OTP.
There should be no way to break OTP encryption except by having a copy of the OTP or if the OTP was generated by non-random methods, or if the attacker was ne
As a former QC researcher: (Score:2)
I am not worried. Unless there is an unexpected breakthrough there will be no QC able to factorize anything beyond 2^30 in 20 years.
I suppose we'll muddle through (Score:2)
If you've got something so secret that it has to remain secret for a century or more, then you're just going to have to re-encrypt it periodically as requirements change.
Or you can simply rely on the fact that after about 20 years, no one will be able to read the data stored on that USB stick anyway without some seriously ancient, clunky equipment that's so full of tin hairs and accumulated smoke and coffee breath that the error-correcting code slows it to a crawl and prevents even quantum-style brute force
Re:Fine. You find an asymmetric primitive (Score:5, Informative)
ECC is AFAIK theoretically vulnerable (i.e. while there aren't KNOWN quantum gate implementations of ECC, there are no good reasons to think it is unfeasible).
McEliece and the lattice-based stuff are promising; they just haven't been as inspected as RSA yet...
Re: (Score:3)
Their not being as inspected as RSA is a rational reason for not using them, and not using them is a rational reason for not inspecting them. Thus, I foresee that they stay less inspected than RSA until we discover some important weakness in RSA; then that fact won't matter anymore. Notice that I'm not complaining about that; this is a reasonable way of handling things, and nobody is getting hurt.
Now, to answer the original question. People are ignoring quantum computing because it is not even on the horiz
Re:Fine. You find an asymmetric primitive (Score:4, Interesting)
Lockheed installed a 128-bit quantum computer this year
http://www.forbes.com/sites/alexknapp/2011/10/31/lockheed-martin-installs-quantum-computer/ [forbes.com]
I have no idea of the specifics, but it sounds as if they have a working version.
Re: (Score:2)
This doesn't help with one of the most common uses of asymmetric keys, which is secure initial key exchange...
Re:There's one uncrackable method (Score:5, Funny)
It's one time pads, all the way down!
Re: (Score:2)
Blaaaaaaugh!
Re: (Score:3)
Tis obvious. There must be one one time pad to rule them all.
Re: (Score:2)
This doesn't help with one of the most common uses of asymmetric keys, which is secure initial key exchange...
You could probably build the one-time pad into the initial message and then use the data stream itself to continue the one-time pad on. It does leave you vulnerable to anyone that receives that initial message, but would probably be otherwise unbreakable unless you start repeating a lot of data in the data stream - but then, even a true one time pad would then be vulnerable too.
Re: (Score:3)
A one time pad allows you to encrypt one bit of plaintext per bit of key. If you use that plaintext to communicate a new key, you gain precisely nothing.
You're not quite following what I am suggesting, which is along the following:
The only big issue with the above is when the message being sent is larger than the message received. However, that could be resolved by buffering the old me
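An added pad-accounting model of the parent's point (example code written for this page, not any commenter's): every plaintext byte spends one pad byte, so sending a replacement pad through the OTP channel cannot grow the shared key material. It assumes Alice and Bob hold identical copies of the pad and stay at the same position in it.

```python
# Added example: a minimal one-time pad with strict accounting, used to show
# that shipping a fresh pad under the old pad leaves the usable total unchanged.
import os


class OneTimePad:
    """One party's copy of a shared pad; bytes are consumed strictly once."""

    def __init__(self, pad: bytes):
        self._pad = bytes(pad)
        self._pos = 0  # index of the next unused pad byte

    @property
    def remaining(self) -> int:
        return len(self._pad) - self._pos

    def _take(self, n: int) -> bytes:
        # Refusing to wrap around is what keeps this a *one-time* pad.
        if n > self.remaining:
            raise ValueError("pad exhausted; pad bytes must never be reused")
        chunk = self._pad[self._pos:self._pos + n]
        self._pos += n
        return chunk

    def encrypt(self, plaintext: bytes) -> bytes:
        key = self._take(len(plaintext))
        return bytes(p ^ k for p, k in zip(plaintext, key))

    # XOR is its own inverse, so the peer decrypts with the same operation
    # as long as both copies of the pad are at the same position.
    decrypt = encrypt


def refresh_pad_over_channel(shared_pad: bytes, fresh_len: int) -> tuple:
    """Alice sends Bob a fresh pad under the existing one.

    Returns (usable bytes Bob had before, usable bytes Bob has after), where
    "after" is what is left of the old pad plus the fresh pad he received.
    """
    alice, bob = OneTimePad(shared_pad), OneTimePad(shared_pad)
    fresh = os.urandom(fresh_len)          # the "new key" being shipped
    ciphertext = alice.encrypt(fresh)      # costs fresh_len bytes of old pad
    received = bob.decrypt(ciphertext)
    if received != fresh:
        raise RuntimeError("pad copies fell out of sync")
    return len(shared_pad), bob.remaining + len(received)


def pad_exhaustion_is_rejected(pad_len: int, message_len: int) -> bool:
    """True if encrypting message_len bytes with a pad_len-byte pad is refused."""
    try:
        OneTimePad(os.urandom(pad_len)).encrypt(b"x" * message_len)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    before, after = refresh_pad_over_channel(os.urandom(64), 16)
    print(f"usable pad before: {before} bytes, after refresh: {after} bytes")
```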
Re: (Score:2)
This doesn't help with one of the most common uses of asymmetric keys, which is secure initial key exchange...
The only secure initial key exchange that will ever exist is IN PERSON, BY HAND. And even then you have to be cautious.
No matter how complicated (either logistically or mathematically) you make your handshakes, EVERYTHING about encryption boils down to a key sharing problem.
Re: (Score:2)
You forgot data retention. Didn't you hear? They record everything you send through the net. Now we know why.
Re: (Score:3, Insightful)
To elaborate, asymmetric key exchange involves passing a key in the clear to set up the secure channel. How does a one-time pad help you securely exchange that key in the clear? Or did you just make your idiotic post hoping to get modded up for trying to sound smarter than you are?
Re: (Score:2)
Well, if you have a one time pad, you don't have to exchange your key in the clear, for one thing.
Re: (Score:2)
The only time that a one-time pad works is if you have a secure channel at one point in time, but need to send the data at a later time over an insecure channel. So if you want to start going to your bank in person once a month to pick up a DVD worth of random data
Re: (Score:2)
Having already exchanged large one time pads solves the key exchange problem, forever.
Re: (Score:2)
I'm saying that you don't swap keys in the clear if your data is so important that it needs to be secure 20 years from now. Clear?
Re: (Score:2)
And how is a one-time pad going to help for asymmetric key exchange?
You just might have to go symmetric if you care that much about your data.
Re:Sky isn't falling (Score:5, Insightful)
Why is everyone still happy with SSH and RSA with the specter of a quantum menace lurking just around the corner?"
Because the sky isn't falling, chicken little?
I use SSH to keep someone from snooping my password, or hijacking my session to take over my servers.
I'm not so worried that someone is recording all of my SSH streams for future use in the hope that Quantum Computing becomes a reality and they can decode the stream and see that I typed "sudo service apache2 restart".
Re:Sky isn't falling (Score:5, Funny)
Clearly you know more than you're letting on since that's the exact command I ran over SSH on my server an hour ago!
I guess SSH is insecure after all, since you were able to break it so easily and post a line from my super secret command line session on Slashdot.
Re: (Score:3)
You admit you use sudo instead of logging in as root. Wise move. Nobody believes it, but wise move.
Re: (Score:2)
I don't think the attacker is so much interested in the "sudo service apache2 restart" command but rather the response to the password prompt immediately following...
Re:Sky isn't falling (Score:5, Insightful)
I don't think the attacker is so much interested in the "sudo service apache2 restart" command but rather the response to the password prompt immediately following...
If he can break the RSA key exchange to get to the symmetric key encrypting my session, he can already log in as me, he doesn't need the password. But unless he gets his quantum computer within the next 90 days, I'll have already changed the password.
Re: (Score:2)
I'll do exactly that just so I can laugh at you for not issuing "sudo apachectl graceful" instead. :-)
Re: (Score:2)
Ohhhh, watch the battle. RIAA vs NSA.
Whoever loses. We win.
Re: (Score:2)
They always find a compromise that combines the least desirable elements of each.
Re:ECC is not vulnerable (Score:5, Informative)
There is no known attack on ECC using quantum computers.
This should not have been modded up, because it is blatantly false. The security of ECC relies on the presumed hardness of the discrete logarithm problem (in elliptic curves over finite fields). But Shor's algorithm can solve the discrete logarithm problem in ANY finite group (assuming you have an efficient way of operating on the group elements).
Re: (Score:3)
Posting as AC, huh? Are you an NTRU Cryptosystems employee?
Here's a paper [internet2.edu] that surveys a number of quantum resistant cryptosystems. "NTRUEncrypt has also been found to be vulnerable to chosen ciphertext attacks based on decryption failures [18, 21, 31, 38], but a padding scheme [30], which has provable security against these attacks, has been developed." "A comparatively greater number of problems have been found in NTRU-based signature schemes." "In 2006, it was shown by Nguyen that the unperturbed NT