[Others]

To address just one of your points, quantum computation is not a silver bullet. It does not work the way one might think it works. Not many researchers are saying that they will replace classical computers, and for good reason. For many, or even most, computational tasks there is no way to get a large quantum speedup. (And classical computers have had a lot more R&D put into them.) Although easy integer factoring will break quite a few popular crypto schemes, like RSA, the risks of quantum computers are heavily overplayed. For example, I don't believe there is any known quantum attack against AES, which is a good start in a post-quantum world. (I can't think of an asymmetric encryption scheme that I'm sure is resistant to quantum attacks off the top of my head, since I'm no expert, but I'm positive some do exist.)

[gizmo686]

The (provably) best "general purpose" quantum algorithm is Grover's algorithm. The problem it solves is as follows:

Given an arbitrary function f(x), and a desired output k, find the unique input z such that f(z)=k.

We can see that using classical computers, this problem is O(n), where n is the size of the domain of f. However, Grover's algorithm can solve this problem in O(sqrt(n)). It has been shown that O(sqrt(n)) is the best possible solution to this problem on a quantum computer.

This means that quantum computers effectively halve the key-size for a brute force attack (and probably most other types), but doing any better than this would require exploiting some structure of the cryptosystem you are trying to break. To my knowledge, no such structure has been demonstrated for any major symmetric encryption algorithms.

[Others]

That's really interesting! I have only a passing education in quantum computers, which is why my comment is so devoid of detail... I really should learn more.

[marcosdumay]

Wait, it has been proved that QP != EXP?

That's great! Do you have any pointers?

EDIT: Wikipedia has pointers. It's not exactly what I thought at first. The paper: http://www.cs.berkeley.edu/~vazirani/pubs/bbbv.ps

[sdevlin]

AES (and other symmetric ciphers) are vulnerable to Grover's algorithm (https://en.wikipedia.org/wiki/Grover%27s_algorithm), which effectively cuts key sizes in half. AES-128 would be reduced to 64-bit security. This isn't a big problem in practice, since we can just switch to 256-bit ciphers like AES-256 and ChaCha20.

Public-key schemes based on factoring and discrete logarithms are undone by Shor's algorithm (https://en.wikipedia.org/wiki/Shor%27s_algorithm), but there are asymmetric systems not known to be vulnerable to quantum algorithms. They are less mature, but researchers are working it.

There's some good high-level information at http://pqcrypto.org/ and in this paper: http://pqcrypto.eu/docs/initial-recommendations.pdf.

[derefr]

Another way to explain this is that quantum computing would be the perfect answer to some extremely-naive kinds of cryptography, reducing the decryption time-complexity quite harshly (though not all the way to O(N) as one might expect)—but modern, practical cryptography does things fairly differently than spherical-cow cryptography.

For example, if cryptography basically consisted of taking a set of plaintext "blocks" and a key, permuting the key separately and deterministically for each block in O(1) time, expanding the key into a one-time pad again in O(1) time, and XORing each block with its respective pad—then you could use a quantum computer to quickly search the keyspace for a key that decrypts the blocks into something sensible according to some heuristic. You can make a quantum algorithm that "searches" a static keyspace, given that you can map a particular ciphertext block to particular plaintext block in O(1) time—this mapping effectively becomes a "projection" of the keyspace, and the quantum computer searches that.

The problem with this approach is that, in reality, subkeys in a "stream" aren't generated independently per-block (as happens in the much-derided "ECB mode" of block ciphers), but rather are generated serially by feeding in the previous subkey in a chained operation; and that each cipherblock is then created by "expanding" the subkey through a CSPRNG, which itself uses iterated hashing.

You can't make a quantum algorithm that searches a keyspace, given an encryption algorithm that is defined recursively or "statefully" on its input stream. There's no such thing as a "quantum for-loop" that magically makes an O(N)-step process into a single linear projection of the keyspace—and without this, there's nothing to usefully search through.

[benkuykendall]

Yeah, we have some public key schemes that are conjectured to be resistant to quantum attacks. This one in particular is fun because of the connection to machine learning. (https://en.wikipedia.org/wiki/Learning_with_errors)

Basically, it uses the result that it should be 'hard' to learn a linear function with sufficient noise rate to create a cryptosystem.

[lkowalcz]

Also note that most homomorphic encryption schemes proposed so far are based on LWE and are therefore also conjectured to be resistant to quantum attacks.