QC is a potential threat to both symmetric and asymmetric cryptography; it is just that symmetric cryptography is threatened quite a bit more. And even asymmetric cryptography is important for QubesOS security because of update signatures.

Symmetric cryptography is threatened by Grover's algorithm. The algorithm can perform a brute-force search over N elements in O(sqrt(N)) time. In other words, it reduces O(2^n) time to O(2^(n/2)) time. What's great: there is some proof that this algorithm is optimal (probably under the assumption that P≠NP). So just using double-length keys should be sufficient. This could justify AES256 instead of AES128. Doubling the key length could be an issue for passwords, but if you use a memory-intensive key derivation function, it might be infeasible to run it on quantum computers for some time.

Asymmetric crypto usually (always?) relies on problems that are believed to be easier than NP. Some of them (integer factorization and the discrete logarithm problem) can be solved in polynomial time on a QC (they belong to the BQP class), which would be a real threat to cryptography like RSA and ECC. There are some “QC-proof” asymmetric schemes that are believed to be secure against QC. But those aren't widely used yet. It could be useful to use them together with some old schemes like RSA or ECC.

Regards,
Vít Šesták 'v6ak'

-- 
You received this message because you are subscribed to the Google Groups "qubes-users" group. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/ba81205c-adfb-416a-8b70-27b01aa2b80c%40googlegroups.com.
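The three practical points in the post above (Grover halves the effective bits of a symmetric key, so prefer a 256-bit key; derive password keys with a memory-hard KDF so every guess costs real RAM; and combine a new scheme with an old one rather than replacing it) as an added, stand-alone example. This is illustration code written for this page, not code from the post's author or from the Qubes OS project. It uses only the Python standard library: the scrypt parameters (n=2**14, r=8, p=1), the passphrase, the salt and the HMAC-based combiner are assumptions chosen for the example, not values taken from the post or from any standard.

```python
# Added example, not from the original post. Python standard library only.
import hashlib
import hmac
import os


def grover_effective_bits(key_bits: int) -> int:
    """Security level of an ideal n-bit symmetric key against Grover's algorithm.

    Brute force over 2^n keys takes O(2^(n/2)) quantum steps, so the key offers
    roughly n/2 bits of security to a quantum adversary (n bits classically).
    """
    return key_bits // 2


def scrypt_memory_bytes(n: int, r: int) -> int:
    """RAM touched by one scrypt evaluation: the ROMix buffer is 128 * r * n bytes.

    This is the per-guess cost a memory-hard KDF imposes on any attacker.
    """
    return 128 * r * n


def derive_aes256_key(password: bytes, salt: bytes,
                      n: int = 2 ** 14, r: int = 8, p: int = 1) -> bytes:
    """Derive a 256-bit key (the 'double-length' key the post argues for) with scrypt.

    dklen=32 gives a 32-byte key for AES-256. n, r, p set the memory/time cost per
    guess; 2**14 / 8 / 1 (16 MiB per guess) are illustrative defaults (assumption),
    tune them to the machine that will run the derivation.
    """
    # OpenSSL needs roughly 128*r*(n+p+2) bytes; allow a little headroom.
    maxmem = 128 * r * (n + p + 2) + 1024 * 1024
    return hashlib.scrypt(password, salt=salt, n=n, r=r, p=p,
                          maxmem=maxmem, dklen=32)


def combine_shared_secrets(classical_ss: bytes, pq_ss: bytes, context: bytes) -> bytes:
    """Hybrid combiner for 'new scheme together with RSA/ECC' (illustrative, assumption).

    Both shared secrets are fed, length-prefixed, into one HMAC-SHA256 extraction
    step (HKDF-Extract shape: context as salt, secrets as keying material). The output
    is unpredictable as long as at least one of the two inputs stays secret, so a break
    of either the classical or the post-quantum exchange alone does not expose the key.
    """
    def length_prefixed(b: bytes) -> bytes:
        # Unambiguous encoding: a 2-byte length before each field.
        return len(b).to_bytes(2, "big") + b

    ikm = length_prefixed(classical_ss) + length_prefixed(pq_ss)
    return hmac.new(context, ikm, hashlib.sha256).digest()


if __name__ == "__main__":
    for bits in (128, 256):
        print(f"AES-{bits}: {bits} bits classical, ~{grover_effective_bits(bits)} bits vs. Grover")

    salt = os.urandom(16)  # store next to the ciphertext; never reuse across passwords
    key = derive_aes256_key(b"correct horse battery staple", salt)  # constructed passphrase
    print(f"{len(key) * 8}-bit key; {scrypt_memory_bytes(2 ** 14, 8) // 2 ** 20} MiB per guess")

    # Constructed stand-ins for an ECDH shared secret and a post-quantum KEM shared secret.
    ecdh_ss = os.urandom(32)
    pq_ss = os.urandom(32)
    session_key = combine_shared_secrets(ecdh_ss, pq_ss, b"example-hybrid-handshake-v1")
    print(f"hybrid session key: {len(session_key) * 8} bits")
```

Note that the scrypt parameters fix a floor on the attacker's cost per guess regardless of the hardware; raising n doubles both the memory and the time of every guess, which is the lever the post refers to when it says a memory-intensive KDF may stay out of reach of quantum hardware for a while.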
