by osterbit2 3754 days ago
I'm familiar with the implications of quantum computing on factorization and thus DEcryption but have heard very little about quantum computing enabling ENcryption until the last paragraph of this article

("...Chuang expects to see quantum encryption methods that will inscribe sensitive data into the very states of atoms")

Very curious about current state of this research (relative to the current state of quantum decryption)--any experts in the room?


Not an expert on quantum cryptography, but an ex-particle physicist here. The basic idea is that using a quantum channel (sadly means new hardware, so not over TCP), eavesdropping becomes impossible without destroying the quantum state of the signal (guaranteed by the laws of quantum mechanics). If an eavesdropper intercepted a message, that would be detectable and you can drop that packet. Wikipedia has a good intro: https://en.wikipedia.org/wiki/Quantum_cryptography
And yet, isn't it true that MITM attacks still work, as long as the MITM has the same hardware?
Theoretically, if you intercept in the middle, you destroy the pattern that you observe. This is a physical quantum effect, and will happen no matter what hardware you use.

Since the intended use is key distribution, a MITM is fine as long as you can detect it reliably: you can keep sending new keys until one isn't eavesdropped upon, and then use that key.

I'm not talking about eavesdropping, I'm talking full on MITM. Cut the connection and insert a middle man. Both sides think they're communicating with their intended target, but they're communicating with you. How does quantum crypto protect you from that?
But how do you detect it reliably?
If someone intercepts the quantum key, it will modify it 25% of the time. If you randomly measure (and verify publicly with the sender) a fraction of your total key and find it unmodified, it means the rest of the key probably is too, up to a certain security factor. By starting with a longer key and measuring more of it (or doing privacy amplification, for example xor-ing multiple keys together), you can get as much security as you want. It also means the security is everlasting, meaning someone cannot retroactively break your key in 100 years using some mega-computer.
I read elsewhere that this was completely untrue. I'm really confused on the issue.
Maybe it was for a particular implementation? Funny story: the first toy implementation of Quantum Key Distribution used a device with rotating photon polarizers. Quantum Key Distribution is completely secure, so on paper the device was too. However, you could actually hear the polarizers rotating in a way that let you intercept the whole secret key... as long as you were not deaf!
That's a really good example of a side-channel attack.
Cryptographers are generally not interested in using quantum physics to achieve secure communications.

Cryptographers are interested in encryption schemes that use mathematical structures that are not amenable to any known quantum algorithm: lattices, Ring Learning With Errors.

Cryptographers are also interested in how Quantum Computers will scale to large sizes. It will be important to understand what the largest quantum computers that can practically be built are.

Quantum cryptography is still applied in some places. Switzerland is using quantum crypto below lake Geneva using optic fiber. Recently, China announced a quantum crypto satellite program.
This has never made any sense to me. What is the threat model? In almost any case where you can use QKD, it would be cheaper to send a courier with locked/handcuffed brief case.
Time is a cost.
We actually have an algorithm, nearly 40 years old, that is not known to be vulnerable to quantum attacks: https://en.wikipedia.org/wiki/McEliece_cryptosystem Quantum computing is nothing to worry about. (Though I admit it is interesting to think about what sorts of encryption/decryption schemes are only feasible with a quantum computer.)
The real problem is that quantum computers would break the forward secrecy algorithms we're using today. So if a practical quantum computer shows up tomorrow then we can start using different cryptography tomorrow, but evildoers will be able to decrypt everything we're sending today just by storing it and waiting for quantum computers.

Which is a pretty big "oh crap" that will catch a lot of people by surprise if quantum computers ever really happen.

Here's food for thought: What would be required to make a nontrivial fraction of TLS traffic on the web post-quantum secure? How much would it cost?

What about other legacy systems?

Actual, physical quantum computing is still in its infancy, so sure, it's hard to conjure up the wherewithal to worry. But nonetheless we have a long way to go before we can say the world is ready for real quantum attacks.

Quantum crypto is a large field. One aspect is Quantum Key Distribution (QKD). It opened the door to the whole field of quantum computing (it was discovered before Shor's algorithm).

QKD allows you to distribute a one-time pad while only sharing an authentication key. It is (on paper, if you don't count experimental flaws) theoretically secure, meaning you can't break it or man-in-the-middle attack it even if you have infinite computational power (with 1-epsilon probability, epsilon being as close to 0 as we decide). In practice, most QKD systems can be hacked through hardware flaws.
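The two QKD comments above (the 25% disturbance from an intercept-resend eavesdropper and publicly comparing a random fraction of the key, and the one-time-pad-over-an-authenticated-channel description) can be checked with a small BB84 simulation. This is an added example, not code from any commenter; the basis announcement and sample comparison are assumed to run over an authenticated classical channel, and the abort threshold is a constructed parameter for the example, not a standard bound.

```python
import random


def run_bb84(n, eavesdrop, rng):
    """Simulate n BB84 photons; return the sifted key as (alice_bit, bob_bit) pairs."""
    alice_bits = [rng.randrange(2) for _ in range(n)]
    alice_bases = [rng.randrange(2) for _ in range(n)]   # 0 = rectilinear, 1 = diagonal
    bob_bases = [rng.randrange(2) for _ in range(n)]

    def measure(bit, prep_basis, meas_basis):
        # Matching basis reads the bit faithfully; a mismatched basis gives a random outcome
        # (this is the physical effect the comments describe: observing disturbs the state).
        return bit if prep_basis == meas_basis else rng.randrange(2)

    bits_on_wire, bases_on_wire = alice_bits, alice_bases
    if eavesdrop:
        # Intercept-resend: Eve measures each photon in a random basis and re-emits what she saw.
        eve_bases = [rng.randrange(2) for _ in range(n)]
        eve_bits = [measure(b, ab, eb) for b, ab, eb in zip(alice_bits, alice_bases, eve_bases)]
        bits_on_wire, bases_on_wire = eve_bits, eve_bases

    bob_bits = [measure(b, wb, bb) for b, wb, bb in zip(bits_on_wire, bases_on_wire, bob_bases)]
    # Sifting: bases are announced over the (assumed authenticated) classical channel and only
    # positions where Alice's and Bob's bases agree are kept.
    return [(a, b) for a, b, ab, bb in zip(alice_bits, bob_bits, alice_bases, bob_bases) if ab == bb]


def estimate_qber(sifted, sample_fraction, rng):
    """Sacrifice a random sample of the sifted key by comparing it publicly.
    Returns (error rate in the sample, the unrevealed remainder)."""
    idx = list(range(len(sifted)))
    rng.shuffle(idx)
    k = int(len(sifted) * sample_fraction)
    if k == 0:
        return 1.0, []   # nothing to test with: treat as untrusted
    sample, keep = idx[:k], idx[k:]
    errors = sum(1 for i in sample if sifted[i][0] != sifted[i][1])
    return errors / k, [sifted[i] for i in keep]


def distill_key(n, eavesdrop, seed=1, sample_fraction=0.5, threshold=0.10):
    """Run one QKD round. Returns (estimated error rate, key bits or None if aborted).
    threshold is a constructed abort level for this example."""
    rng = random.Random(seed)
    sifted = run_bb84(n, eavesdrop, rng)
    qber, rest = estimate_qber(sifted, sample_fraction, rng)
    if qber > threshold:
        return qber, None          # disturbance detected: discard and try a fresh key
    return qber, [a for a, _ in rest]
```

With no eavesdropper the compared sample shows zero errors and about a quarter of the photons survive as key; with intercept-resend the sample error rate sits near 25%, so the round is discarded.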