13

Due to growing concerns over the threat of quantum computing to asymmetric cryptography (RSA, ECC, etc.), a number of "quantum resistant" replacements have been proposed (SPHINCS, McBits, and many more). How are these cryptosystems proven (or argued) to be secure in the presence of quantum computers?

Are the schemes only proven secure against some finite set of quantum algorithms (Shor's algorithm, Grover's algorithm, etc.), or are they proven secure against all quantum algorithms possible in some theoretical model of quantum computing?

Tim McLean


7

This is in principle similar to how "normal" cryptosystems are proven. With some algorithms we can reduce them to some "hard problem", but we do not know that those problems are actually hard to solve, only that we cannot solve them efficiently. For example, the Diffie-Hellman problem is not even known to be NP-hard, never mind the whole issue of P vs. NP.

Similarly, we know some problems that Shor's algorithm accelerates. Post-quantum algorithms avoid these and make use of problems to which Shor's algorithm does not offer an easy solution. However, that does not mean there is no other algorithm that solves them, or even that there is no way to use Shor's for them. (E.g. it is possible that the hidden subgroup problem in non-abelian groups can somehow be reduced to the HSP in abelian groups.)

In the end it is similar to the situation with symmetric algorithms. They are not so much proved secure, but become proven after facing years of cryptanalysis.

otus