**Quantum computers** are ...

TODO

TODO

See this page: https://ianix.com/pqcrypto/pqcrypto-deployment.htmlβ

TODO

**Quantum computing** is a model of computing based on the quantum physics, which works differently than classical computers and can do things that classical computers canβt, such
as breaking RSA and ECC efficiently. **Quantum computers** are not "faster computers" and they are not all-powerful and cannot do any computing job faster. Quantum computers are very efficient for certain problems and quite weak for others.

It is well known in computer science that **quantum computers will break some cryptographic algorithms**, especially the public-key cryptosystems like **RSA**, **ECC** and **ECDSA** that rely on the **IFP** (integer factorization problem), the **DLP** (discrete logarithms problem) and the **ECDLP** (elliptic-curve discrete logarithm problem). Quantum algorithms will not be the end of cryptography, because:

Only some cryptosystems are

**quantum-unsafe**(like RSA, DHKE, ECC, ECDSA and ECDH).Some cryptosystems are

**quantum-safe**and will be only slightly affected (like cryptographic hashes, MAC algorithms and symmetric key ciphers).

Let's discuss this in details.

Most cryptographic **hashes** (like SHA2, SHA3, BLAKE2), **MAC** algorithms (like HMAC and CMAK), **key-derivation functions** (bcrypt, Scrypt, Argon2) are basically **quantum-safe** (only slightly affected by quantum computing).

Use 384-bits or more to be quantum-safe (256-bits should be enough for long time)

**Symmetric ciphers** (like AES-256, Twofish-256) are **quantum-safe**.

Use 256-bits or more as key length (don't use 128-bit AES)

Most popular **public-key cryptosystems** (like RSA, DSA, ECDSA, EdDSA, DHKE, ECDH, ElGamal) are **quantum-broken**!

Most

**digital signature**algorithms (like RSA, ECDSA, EdDSA) are**quantum-broken**!**Quantum-safe signature**algorithms and public-key cryptosystems are already developed (e.g. lattice-based or hash-based signatures), but are not massively used, because of longer keys and longer signatures than ECC.

See https://en.wikipedia.org/wiki/Post-quantum_cryptographyβ

...

Quantum-Resistant Crypto Algorithms

...

...

A **k**-bit number can be factored in time of order **O(k^3)** using a quantum computer of **5k+1 qubits** (using Shor's algorithm).

256-bit number (e.g. Bitcoin public key) can be factorized using 1281 qubits in 72*256^3 quantum operations.

~ 1.2 billion operations == ~ less than 1 second using good machine

ECDSA, DSA, RSA, ElGamal, DHKE, ECDH cryptosystems are all quantum-broken

Conclusion: publishing the signed transactions (like Ethereum does) is not quantum safe -> avoid revealing the ECC public key

Cryptographic **hashes** (like SHA2, SHA3, BLAKE2) are considered **quantum-safe**:

On traditional computer, finding a collision for 256-bit hash takes β2^256 steps (using the

**birthday attack**) -> SHA256 has 2^128 crypto-strengthQuantum computers might find hash collisions in β2^256 operations (see the BHT algorithm), but this is disputed (see [Bernstein 2009] - http://cr.yp.to/hash/collisioncost-20090823.pdfβ

On theory it might take 2^85 quantum operations to find SHA256 / SHA3-256 collision, but in practice it may cost significantly more.

Conclusion: SHA256 / SHA3-256 are most probably quantum-safe

SHA384, SHA512 and SHA3-384, SHA3-512 are quantum-safe

...

...

Most symmetric ciphers (like AES and ChaCha20) are quantum-safe:

Quantum era will

**double the key size**of the symmetric ciphers, see http://cr.yp.to/codes/grovercode-20100303.pdfβ

AES-256 in the post-quantum era is like AES-128 before

128-bits or less symmetric ciphers are quantum-attackable

Conclusion: 256-bit symmetric ciphers are generally quantum safe

AES-256, ChaCha20-256, Twofish-256, Camellia-256 are considered quantum-safe

...

Quantum-Safe key agreement: https://en.wikipedia.org/wiki/CECPQ1β

βhttps://ianix.com/pqcrypto/pqcrypto-deployment.htmlβ

βhttps://pqcrypto.orgβ

Post-quantum signature scheme XMSS:

JS XMSS - https://www.npmjs.com/package/xmssβ

Post-quantum key agreement schemes McEliece and NewHope

Post-quantum signatures and key agreements (XMSS, McEliece, NewHope): https://github.com/randombit/botanβ

QC-MDPC and libPQC are quantum-broken: https://eprint.iacr.org/2016/858.pdfβ

...

...

...

**GLYPH** signatures (lattice-based Ring-LWE Lattice, Ring-LWE, Ring Learning with Errors)

Implementation in Go: https://github.com/AidosKuneen/glyphβ

**BLISS** - http://bliss.di.ens.frβ

Implementation in Go: https://github.com/HcashOrg/bliss/blob/master/demo_test.goβ

**NewHope**

Go implementation: https://github.com/Yawning/newhopeβ

Python implementation: https://github.com/scottwn/PyNewHopeβ

Python implementation: https://github.com/anupsv/NewHope-Key-Exchangeβ

**XMSS**

Python implementation: https://github.com/theQRL/QRL/blob/master/src/qrl/crypto/xmss.pyβ

**NTRU**: NTRUEncrypt and NTRUSign

PICNIC - https://github.com/Microsoft/Picnicβ

Rainbow: https://github.com/bcgit/bc-java/tree/master/core/src/main/java/org/bouncycastle/pqc/crypto/rainbowβ

...

The quantum-safe cryptography is still emerging, not mature, and still not widely supported by the most crypto-libraries and tools like Web browsers, OpenSSL, OpenSSH, etc. This is a list of well developed quantum crypto algorithm libraries:

**liboqs**(Open Quantum Safe) - https://github.com/open-quantum-safe/liboqsβ**Bouncy Castle PQC**- https://github.com/bcgit/bc-java/tree/master/core/src/main/java/org/bouncycastle/pqc/cryptoβ

βhttps://github.com/sphincs/pyspxβ

βhttps://pypi.org/project/PySPXβ