One time pads

Sam Ritchie kayakwcc at comcast.net
Wed Oct 16 18:20:37 PDT 2002


    ACTUALLY, quantum computing does more than just halve the effective key
length. With classical computing, the resources required to attack a given
key grow exponentially with key length. (a 128-bit key has 2^128
possibilities, 129 has 2^129, etc. etc. you all know this...)
    With quantum computing, however, the complexity of an attack grows only
polynomially. Hence a MUCH MUCH more agreeable time frame for brute force
attacks. Good stuff, eh?
~SAM

> From: "Trei, Peter" <ptrei at rsasecurity.com>
> Date: Wed, 16 Oct 2002 14:50:03 -0400
> To: David Howe <DaveHowe at gmx.co.uk>, "Email List: Cypherpunks"
> <cypherpunks at lne.com>, "'David E. Weekly'" <david at weekly.org>
> Subject: RE: One time pads
> 
>> David E. Weekly[SMTP:david at weekly.org]
>> 
>> Naive question here, but what if you made multiple one time pads (XORing
>> them all together to get your "true key") and then sent the different pads
>> via different mechanisms (one via FedEx, one via secure courier, one via
>> your best friend)? Unless *all* were compromised, the combined key would
>> still be secure.
>> 
>> As for PKI being secure for 20,000 years, it sure as hell won't be if those
>> million-qubit prototypes turn out to be worth their salt. Think more like
>> 5-10 years. In fact, just about everything except for OTP solutions will be
>> totally, totally fucked. Which means that you should start thinking about
>> using OTP *now* if you have secrets you'd like to keep past when an
>> adversary of yours might have access to a quantum computer. I'd put 50 years
>> as an upper bound on that, 5 years as a lower.
>> 
>> -d
>> 
> Not quite right. My understanding is that quantum
> computing can effectively halve the length of a
> symmetric key, but that does not take it down to zero.
> 
> Thus, a 256 bit key would, in a QC world, be as secure
> as a 128 bit key today, which is to say, pretty good.
> 
> It's the asymmetric algorithms which have problems.
> 
> Peter
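The scheme David Weekly proposes above, XORing several pads into one effective key so that every delivery route would have to be compromised before the key is, as an added example that is not part of the thread (the function names are my own, and the pads in the demo are constructed test values):

```python
import os
from functools import reduce

def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two equal-length byte strings (the one-time pad operation)."""
    if len(a) != len(b):
        raise ValueError("inputs must be the same length")
    return bytes(x ^ y for x, y in zip(a, b))

def combine_pads(pads) -> bytes:
    """The 'true key' is the XOR of every pad; all of them are needed."""
    if not pads:
        raise ValueError("need at least one pad")
    return reduce(xor_bytes, pads)

def split_into_shares(key: bytes, n: int):
    """Split one pad into n shares that XOR back to it (n-of-n XOR secret sharing).
    The first n-1 shares are uniformly random; the last one fixes the XOR to key,
    so any n-1 shares together are still uniformly random and say nothing about key."""
    if n < 1:
        raise ValueError("need at least one share")
    shares = [os.urandom(len(key)) for _ in range(n - 1)]
    last = reduce(xor_bytes, shares, key)
    return shares + [last]

def otp_encrypt(pads, message: bytes) -> bytes:
    return xor_bytes(combine_pads(pads), message)

def otp_decrypt(pads, ciphertext: bytes) -> bytes:
    return xor_bytes(combine_pads(pads), ciphertext)

def partial_recovery(known_pads, ciphertext: bytes) -> bytes:
    """What a holder of only some pads can compute: the ciphertext with the known
    pads stripped off. Each missing pad is itself uniform random, so the result is
    still message XOR (uniform random) and is no better than the ciphertext."""
    return otp_decrypt(known_pads, ciphertext) if known_pads else ciphertext

if __name__ == "__main__":
    msg = b"meet at the usual place"          # constructed sample message
    pads = split_into_shares(os.urandom(len(msg)), 3)   # one share per courier
    ct = otp_encrypt(pads, msg)
    print("all three pads:", otp_decrypt(pads, ct))
    print("only two pads: ", partial_recovery(pads[:2], ct))
```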