First quantum gates in silicon

Robert J. Hansen rjh at sixdemonbag.org
Fri Oct 23 15:27:43 CEST 2015


> http://arstechnica.com/security/2015/10/nsa-advisory-sparks-concern-of-secret-advance-ushering-in-cryptoapocalypse/

Interesting.  It's worth remembering, though, that users who have a
50-year writ-in-stone absolute need for security are, by their very
nature, going to be paranoid gits.  :)

Imagine that you lived in 1965 and were responsible for composing
communications security standards that had to keep secrets safe until
2015.  How paranoid would you be?  It's easy to not be paranoid enough
(in the '80s, Ron Rivest doubted a 512-bit composite would ever be
factored; today, RSA-512 is a sad joke) and easy to be too paranoid ("we
must consider the possibility space aliens will appear with technology
beyond mortal ken").  Hitting the sweet spot is pretty hard.

If I were writing a 50-year standard today, I'd probably be concerned
about modest-sized quantum computers.  ECC is vulnerable to these; RSA,
DSA and Elgamal really aren't.  Efficiently solving discrete logs with
Shor's algorithm requires twice as many qubits as there are bits in the
number.  A 256-bit ECC key, providing ~128 shannons of uncertainty,
could be efficiently broken by a 512-qubit computer.  An RSA-3072 key,
providing ~128 shannons of uncertainty, would require a 6144-qubit
keybreaker.

This is all off the top of my head: it's been a long time since I've
looked at Shor's.  I may be off on my numbers.
More information about the Gnupg-users mailing list