GPG's vulnerability to quantum cryptography

Michael Anders micha137 at
Wed May 14 09:47:11 CEST 2014

> GPG encrypted data (using RSA) can be collected today and easily decrypted
> after 50-100 years using a quantum computer. See:

Well let's see. Usually in a new technology, once you are really going
to apply it in the real world, new problems not thought of before are
going to pop up. (Think of fusion energy from the tokamak, which is
always predicted to be here in 20 years from "now" - since more than 40

> For this reason, what I do today is share long keys with people I know *in
> person*. We then use regular AES-256 to encrypt/decrypt our messages back
> and forth. Every 6 months we meet in person to renew our keys. (To be more
> secure, we actually create the keys in portions via in-person at different
> places, OTR, SMS, landline phone, mobile phone, and snail mail.)
> AES-256 is not vulnerable to quantum cryptography as RSA is, so we feel
> much safer this way.
There is another quantum algorithm called Grovers Algorithm that would
reduce the effort to crack 256 bit key AES to the effort necessary to
crack 128 bit key AES. 
Since the well known agency from Baltimore uses its influence to have
crypto standards coast close to the limit of the brute-forceable, 128
bit AES will be insecure not too far in the future.
So if you are worried about the quantum computer, using AES as is
directly won't help you a lot. You'd also need symmetric algorithms with
at least 512 bit keys and at least 256 bit block size to retain the same
security margin as in the pre quantum computer era. Large block and key
size algorithms surely do exist.

50 years from now, I'm going to be 105. So if I 'll be alive then, I'll
be grateful to be able to ask quantum computer equipped Baltimore for
help on recovering my old secrets which might have slipped from my
memory by then ;-)

More information about the Gnupg-users mailing list