Hello,

I'll react to multiple questions and statements from multiple people.

> A figure I heard was that QC can cut search time for a symmetric key merely in 
> half, whereas it can cut time for an asymmetric key by orders of magnitude. 

No. For symmetric keys, it does not halve the time. It works like halving the key 
length. It is an asymptotic improvement. With a classical computer, adding one bit 
doubles the time for brute force. With a QC, adding *two* bits doubles the time for 
probabilistic brute force. See Grover's algorithm, as I mentioned above.

For asymmetric cryptography, “orders of magnitude” can be true, but it does not 
express that it is an asymptotic improvement – you can solve some problems in 
*polynomial* time. But there are some ciphers that are believed to be 
quantum-resistant, meaning that there is no such known attack.

> in Qubes, the signature confirmation happens in dom0 or in the sys-net?

Dom0 updates are verified in dom0, template updates are verified in templates. 
But that's not important if your adversary can factorize the release signing key.

> Doubling up the key length seems like an interesting prospect, but has the 
> potential risk of failing in the future due to quantum computing.

Why? Doubling the key size is an asymptotic countermeasure. Moreover, for 
brute force (but not necessarily for other types of attack), Grover's algorithm 
has been proven to be optimal, i.e., you can't do asymptotically better. 
Unless a QC can perform many, many more operations in the same time and at 
the same cost, it should suffice. Unless there is some extra breakthrough. 
Remember, virtually no cryptographic scheme has been proven to be secure 
(except some like SSSS and the Vernam cipher – but those have limited 
applicability), so someone might theoretically break AES tomorrow. We just 
rely on the fact that many people have failed at this, so this is unlikely. 
But this is a theoretical issue even without QC.

> I've wondered for a good while if splitting up a symmetrically encrypted file 
> into multiple parts, say for example a minimum of two parts, and sending one 
> over the internet and carrying the other on yourself in person, that if only 
> one part is stolen (for example someone steals your laptop with sensitive 
> competitive business trade secrets), then it's still uncrackable?

Usually no, unless you use a scheme specially designed for that. You might be 
interested in secret sharing, which is an even more powerful concept.

> Wait, hold on, your last line, regarding that "some" asymmetric encryption is 
> believed to be secure against future quantum computing? Is it possible to 
> elaborate on that?

For example, see https://en.m.wikipedia.org/wiki/NTRU .

> Also, if this turns out to indeed be quantum crack proof, would it be 
> feasible to use these for what we currently use symmetric encryption for?

You could, but I see no reason for that. QC makes brute force considerably 
easier, but it is still considerably hard. With a proper key size, symmetric 
crypto will still be faster and will probably have smaller keys for a comparable 
security level.

For asymmetric ciphers, brute force is usually not much considered, because there 
are usually better attacks. But Grover's algorithm should be applicable even 
to asymmetric ciphers. It however does not make much sense (at least not 
without modifications), because they have much larger keys.

> Also, correct me if I'm wrong, but aren't there two exponential effects here, 
> one on top of the other? Which may be overlooked by us too. I mean, imagine 
> the scalability of doubling the qubits every day; it's not linear, it's 
> exponential. But the qubits themselves are exponential too.

AFAIU, this is a common misconception. Well, you need exponentially growing 
space for emulating a QC on a classical computer. But you don't get an exponentially 
faster computer. You get a computer with more memory. Such a computer can process 
larger tasks, e.g., factorize larger numbers. But once you have enough memory, 
adding more qubits makes, AFAIU, no improvement.

Regards,
Vít Šesták 'v6ak'

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/4c85ee7e-b7a2-4f25-be68-022132c517fd%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
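The scaling the reply describes for Grover's algorithm (adding two key bits doubles the quantum brute-force work, where a classical brute force doubles per bit) can be checked directly by simulating Grover iterations on a tiny key space. The following is an added example, not code from the original thread or from Qubes: a plain state-vector simulation in Python with one marked key among N = 2**n_bits candidates. The key sizes (6, 8, 10 bits) and the marked key are constructed for the example; the exponential memory needed to hold the state vector is exactly the emulation cost the reply mentions, which is why this only runs for small n_bits.

```python
"""Grover's algorithm simulated classically on a tiny search space (added example)."""
import math


def grover_success_curve(n_bits, marked=0, max_iterations=None):
    """Return [p_0, p_1, ..., p_max] where p_k is the probability of measuring
    the marked key after k Grover iterations (oracle + inversion about the mean)."""
    n = 1 << n_bits
    if max_iterations is None:
        # The peak lies near (pi/4)*sqrt(N); scanning to 2*sqrt(N) is plenty.
        max_iterations = int(2 * math.sqrt(n)) + 1
    # Uniform superposition over all N candidate keys.
    amp = [1.0 / math.sqrt(n)] * n
    curve = [amp[marked] ** 2]
    for _ in range(max_iterations):
        # Oracle: flip the sign of the amplitude of the marked key.
        amp[marked] = -amp[marked]
        # Diffusion operator: reflect every amplitude about the mean.
        mean = sum(amp) / n
        amp = [2.0 * mean - a for a in amp]
        curve.append(amp[marked] ** 2)
    return curve


def optimal_iterations(n_bits, marked=0):
    """Iteration count that maximises the success probability, and that probability."""
    curve = grover_success_curve(n_bits, marked)
    best_k = max(range(len(curve)), key=curve.__getitem__)
    return best_k, curve[best_k]


def classical_expected_guesses(n_bits):
    """Expected number of trial decryptions for a classical brute force: N/2."""
    return (1 << n_bits) / 2


if __name__ == "__main__":
    # Constructed key sizes: expect the iteration count to roughly double per +2 bits,
    # while the classical expectation quadruples.
    for bits in (6, 8, 10):
        k, p = optimal_iterations(bits)
        print(f"{bits:2d}-bit key: Grover iterations={k:3d} (p={p:.4f}),"
              f" pi/4*sqrt(N)={math.pi / 4 * math.sqrt(1 << bits):5.1f},"
              f" classical expected guesses={classical_expected_guesses(bits):.0f}")
```

The optimum found by the simulation matches the closed form sin^2((2k+1)*theta) with theta = asin(1/sqrt(N)): about 6 iterations for 6 bits, 12 for 8 bits and 25 for 10 bits, against 32, 128 and 512 expected classical guesses. Doubling the key length therefore restores the original work factor against Grover, which is the point the reply makes about asymptotic countermeasures.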
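On the question of splitting an encrypted file into two pieces and carrying them separately, the reply points to secret sharing as the scheme "specially designed for that". The following is an added example, not code from the original thread: Shamir secret sharing over a prime field in Python, which is what the SSSS the reply mentions implements. Any t shares reconstruct the secret (a file key, say), while t-1 shares are consistent with every possible secret, so a single stolen share tells the thief nothing. The prime, the sample secrets and the deterministic test randomness are constructed for the example; real use must keep `secrets.randbelow` as the coefficient source.

```python
"""Shamir secret sharing over GF(p) (added example, not from the thread)."""
import secrets

# A Mersenne prime larger than any 256-bit file key (constructed choice for the example).
PRIME = (1 << 521) - 1


def _eval_poly(coeffs, x, p=PRIME):
    """Evaluate a polynomial (coefficients lowest degree first) at x, mod p, via Horner."""
    result = 0
    for c in reversed(coeffs):
        result = (result * x + c) % p
    return result


def split_secret(secret, threshold, shares, p=PRIME, rng=secrets.randbelow):
    """Split `secret` into `shares` points on a random degree-(threshold-1) polynomial
    with f(0) = secret. `rng(p)` must return a uniform element of [0, p)."""
    if not 0 <= secret < p:
        raise ValueError("secret must be an integer in [0, p)")
    if not 1 <= threshold <= shares:
        raise ValueError("need 1 <= threshold <= shares")
    coeffs = [secret] + [rng(p) for _ in range(threshold - 1)]
    # Share i is the point (i, f(i)); x = 0 is never handed out because f(0) is the secret.
    return [(x, _eval_poly(coeffs, x, p)) for x in range(1, shares + 1)]


def recover_secret(points, p=PRIME):
    """Lagrange interpolation at x = 0. Correct only when len(points) >= threshold;
    with fewer points it returns a value unrelated to the secret."""
    secret = 0
    for i, (xi, yi) in enumerate(points):
        num, den = 1, 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = (num * (-xj)) % p
                den = (den * (xi - xj)) % p
        secret = (secret + yi * num * pow(den, -1, p)) % p
    return secret


def consistent_with_any_secret(point, candidate_secret, p=PRIME):
    """For a 2-of-n split (f(x) = s + a*x), a single share (x1, y1) fits a line
    through *every* candidate s, with a = (y1 - s)/x1. Returning True for all s
    is the formal reason one stolen share leaks nothing."""
    x1, y1 = point
    a = ((y1 - candidate_secret) * pow(x1, -1, p)) % p
    return _eval_poly([candidate_secret, a], x1, p) == y1


def key_to_int(key_bytes):
    """Encode a file key (bytes) as a field element."""
    return int.from_bytes(key_bytes, "big")


def int_to_key(value, length):
    """Decode a recovered field element back to a fixed-length key."""
    return value.to_bytes(length, "big")


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # constructed sample file key
    shares = split_secret(key_to_int(key), threshold=2, shares=2)
    laptop, courier = shares
    # Either two shares together recover the key; one alone fits any key.
    assert int_to_key(recover_secret([laptop, courier]), 32) == key
    print("one share consistent with secret 0:", consistent_with_any_secret(laptop, 0))
    print("one share consistent with the real key:",
          consistent_with_any_secret(laptop, key_to_int(key)))
```

For exactly two pieces this degenerates to a one-time-pad split (one random share, the other the secret masked by it), which is the simplest way to make a stolen laptop useless; the polynomial form above is what you use when you want, for example, any 3 of 5 custodians to be able to reconstruct the key.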
