No classical functions as they exist now, without added strengthening, will be able to secure secrets against QC for long. OTOH, classical computing is reaching the limits of Moore's law, so barring process and fab cost reductions, CC ASIC costs will approach stability. If one wants to secure secrets without traditional digital logic (CC), it would get pricey, awkward and/or slow. I think we'll have to gradually keep looking much more closely at the cost to crack functions (i.e., GPU, ASIC, classical and q computation), in the spirit of scrypt and argon2. Zillions of rounds (i.e., adding orders of magnitude to existing implementations) of AES or SHA3 may be the tradeoff needed to thwart QC collisions / breakage with reasonable attacker costs & timeframe goals.
That's correct. Quantum computers can effectively halve the key size of symmetric encryption, but 128 bits is still secure, and we could always go to 512-bit keys.
However, in practice modern systems do ephemeral DH key agreement. Now, Shor's algorithm can be brought to bear on DH as well, but it ratchets up your costs because now you're attacking every single connection individually.
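Added example (mine, not any commenter's) of the per-connection cost point made above: ephemeral versus static DH over a toy 16-bit group, with a brute-force discrete log standing in for Shor's algorithm. A passive attacker who recorded every handshake has to solve one discrete log per session when the server uses fresh keys, but only one in total when the server reuses a static key. The prime 65537, generator 3, the HMAC-based key derivation and the "session-N" transcript labels are all constructed for this demo and are not real-world parameters.

```python
"""Ephemeral vs static DH over a toy group (constructed demo, not from the thread).

The brute-force discrete log stands in for a quantum computer; the 16-bit
group is a toy chosen so the search finishes instantly, not a real parameter.
"""
import hashlib
import hmac
import secrets

P = 65537  # 2**16 + 1, prime; toy size so brute force is instant (assumption: demo only)
G = 3      # 3 is a primitive root modulo 65537, so it generates the whole group


def keygen():
    """Return (private exponent x, public value g^x mod p)."""
    x = secrets.randbelow(P - 2) + 1          # x in [1, P-2]
    return x, pow(G, x, P)


def derive_key(shared, transcript):
    """Session key from the DH shared secret, bound to the transcript (HKDF-style extract)."""
    return hmac.new(transcript, shared.to_bytes(4, "big"), hashlib.sha256).digest()


def dlog_bruteforce(pub):
    """Stand-in for Shor: recover x from g^x mod p by exhaustive search of the group."""
    acc = 1
    for x in range(P - 1):
        if acc == pub:
            return x
        acc = acc * G % P
    raise ValueError("value not in group")


class Server:
    """Server that either mints a fresh DH key per handshake or reuses one static key."""

    def __init__(self, ephemeral):
        self.ephemeral = ephemeral
        self.static = keygen()

    def handshake(self, client_pub, transcript):
        """Return (server_pub, session_key) for one client connection."""
        priv, pub = keygen() if self.ephemeral else self.static
        return pub, derive_key(pow(client_pub, priv, P), transcript)


def run_sessions(server, n):
    """Simulate n client connections; return what a passive observer sees plus the true keys."""
    sessions = []
    for i in range(n):
        c_priv, c_pub = keygen()
        transcript = f"session-{i}".encode()     # constructed label standing in for a handshake transcript
        s_pub, s_key = server.handshake(c_pub, transcript)
        c_key = derive_key(pow(s_pub, c_priv, P), transcript)
        assert c_key == s_key                    # both sides agree on the key
        sessions.append((c_pub, s_pub, transcript, s_key))
    return sessions


def passive_attack(sessions):
    """Recover every session key from recorded public values; return (keys, dlog solves used)."""
    solved = {}   # cache of solved discrete logs: a reused public value costs nothing extra
    keys = []
    for c_pub, s_pub, transcript, _ in sessions:
        if s_pub not in solved:
            solved[s_pub] = dlog_bruteforce(s_pub)
        keys.append(derive_key(pow(c_pub, solved[s_pub], P), transcript))
    return keys, len(solved)


def dlogs_needed(ephemeral, n):
    """Discrete-log solves needed to read all n sessions: n if ephemeral, 1 if static."""
    sessions = run_sessions(Server(ephemeral), n)
    keys, solves = passive_attack(sessions)
    assert keys == [s[3] for s in sessions]      # the attacker really recovered every key
    return solves


if __name__ == "__main__":
    print("static server key, 5 sessions  ->", dlogs_needed(False, 5), "dlog solve(s)")
    print("ephemeral server key, 5 sessions ->", dlogs_needed(True, 5), "dlog solve(s)")
```

The cache in `passive_attack` is what makes the static case cheap: one solve of the server's long-term exponent unlocks every recorded transcript. With ephemeral keys the same attacker pays the full discrete-log cost again for each connection, which is the "attacking every single connection individually" multiplier described above.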
Suppose, miraculously, that you have a Quantum Computer which breaks any modern asymmetric crypto for $1M in one hour. That's very impressive, but you won't use it to snoop on somebody's Google searches, that's $1M and an hour per search. "Big booobs", an hour and $1M later, "Big boobs" (ah, that first one was a typo), another hour, another $1M, "Bigger boobs". Not practical.
You _could_ attack the signature algorithm, allowing you to sign messages "as Google" and MITM connections but that's an active attack so it will have very poor deniability. Not a problem if you're the SVR or Mossad, deniability was never part of your mandate anyway, but awkward for the NSA or GCHQ whose governments prefer not to admit what they're up to. And lack of deniability is very awkward if you're organised crooks, that's going to get you banged up.
Right, which is why you'd cut out the asymmetric step if possible (obviously not for the general HTTPS case, but okay for backups) or replace the asymmetric step with quantum-safe asymmetric crypto. What confused me was that the parent post was worried about scaling up AES to become quantum-safe, which is unnecessary. It's already safe.