[19616] in cryptography@c2.net mail archive
Re: quantum chip built
daemon@ATHENA.MIT.EDU (John Denker)
Fri Jan 13 10:55:35 2006
X-Original-To: cryptography@metzdowd.com
Date: Fri, 13 Jan 2006 10:17:55 -0500
From: John Denker <jsd@av8n.com>
To: alex@alten.org
Cc: "Steven M. Bellovin" <smb@cs.columbia.edu>,
cryptography@metzdowd.com
In-Reply-To: <20060112041636.B5863EE2AA@ws6-1.us4.outblaze.com>

alex@alten.org wrote:
> From what I understand simple quantum computers can easily brute-force attack RSA keys or other
> types of PK keys.

My understanding is that quantum computers cannot "easily" do anything.

As the saying goes:

    "We can factor the number 15 with quantum computers. We can also
    factor the number 15 with a dog trained to bark three times."
        --- Robert Harley, 5/12/01, Sci.crypt.

Scaling up a quantum computer to handle numbers much larger than 15 will
not be done "easily".

> Is ECC at risk too? And are we at risk in 10, 20 or 30 years from now?

I can't say for sure. There /might/ be a radical breakthrough in
quantum cryptanalysis tomorrow. But I doubt it. There is a comparably
small likelihood of a breakthrough in _classical_ (i.e. non-quantum)
cryptanalysis tomorrow.

To put this in context: In the world there are incomparably more RSA
keys that are vulnerable to classical cryptanalytic attack than are
vulnerable to quantum attack. As a specific example, a 30-digit RSA
key could be easily brute-forced by classical methods, but will not
be vulnerable to quantum-computer chips for many years. (Of course
I exclude the case where you attach a quantum-computer chip to the
front of your PC using crazy glue and market the combination as a
quantum computer.)

To put cryptanalysis in context: A person skilled in the art should
be able to create RSA keys and/or ECC keys with a 10-year lifetime
such that the risk of mathematical cryptanalysis is negligible compared
to the risk of "practical" cryptanalysis, e.g. bribery, rubber-hose
techniques, etc. applied to authorized keyholders. I'm not saying
the risk is zero, just negligible compared to other risks.

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com