Re: [SAGE] Long lived, cheap data storage
Brad Knowles <brad@shub-internet.org> writes:
> My understanding is that you can now buy commercial quantum crypto
> systems (from three different sources no less), and quantum
> cryptography throws out the window everything we ever knew about
> classical cryptography.

The commercially available systems I'm aware of are quantum key
distribution, not quantum computing. Quantum key distribution doesn't
help decode other people's messages (QKD is computationally trivial).

> What used to be an exponential factor increase in time when we
> increase our key size by a single bit, now becomes a linear factor
> increase in time (well, for all intents and purposes).
>
> In other words, all classical cryptography is pretty much useless in
> the face of quantum cryptography.

As a theoretical matter, there is a fair amount of debate over whether
there is anything like Shor's algorithm that generalizes to
cryptosystems beyond RSA. In particular, I am not aware of any
quantum computing algorithm equivalent to Shor's for any symmetric
crypto like AES.

As a practical matter, the publicly disclosed state of the art for
quantum computing is around 15 qubits, which is a long, long way from
a practical attack on any real, deployed encryption system.

> So, what is your threat model? Can they afford to buy a computer with
> a commercial quantum cryptography system? If so, then they can read
> anything you've got there, and relatively easily.

If they can afford to waste money on quantum cryptography, they can
most likely afford far more practical real world attacks...

-dan