...

David E. Weekly[SMTP:david@weekly.org] As for PKI being secure for 20,000 years, it sure as hell won't be if those million-qubit prototypes turn out to be worth their salt. Think more like 5-10 years. In fact, just about everything except for OTP solutions will be totally, totally fucked.

At 02:50 PM 10/16/2002 -0400, Trei, Peter wrote:

Not quite right. My understanding is that quantum computing can effectively halve the length of a symmettric key, but that does not take it down to zero. Thus, a 256 bit key would, in a QC world, be as secure as a 128 bit key today, which is to say, pretty good. It's the asymmetric algorithms which have problems.

Yeah. What we have to do for that is start thinking about ways to apply Kerberos and similar technologies to real-world problems besides the inside-an-organization ones they were originally designed for.

David E. Weekly[SMTP:david@weekly.org]

...

Which means that you should start thinking about using OTP *now* if you have secrets you'd like to keep past when an adversary of yours might have access to a quantum computer. ...

OTPs won't help a bit for that problem. They're fine for transmitting new data if you've already sent a pad, but they're useless for storing secrets, because you can only decrypt something if you've got the pad around, and you have to burn the pad after use. Storing the encrypted secret message on your regular computers while keeping the pad locked up in the safe is unlikely to be any more convenient than keeping the plaintext locked up in the safe. I suppose you could secret-share a one-time-pad, but you could just as easily secret-share the secret message.