Bitcoin Forum
Author Topic: I don't believe Quantum Computing will ever threaten Bitcoin  (Read 5409 times)
Voland.V
December 06, 2019, 07:23:05 AM
Merited by Welsh (4), Halab (2), o_e_l_e_o (2), ABCbits (1), Danydee (1), Heisenberg_Hunter (1)
 #81

QKD
-snip-

This method is not for the average user with a device connected to a wifi point. This is for special organizations.
It's for the average user. If the average user is connecting to wifi, to the internet, then they can connect to an unhackable quantum internet, too. There is a lot of work going on in this area, using the fundamental properties of quantum mechanics to create an inherently unhackable network. It's not just the Chinese, take Europe's Quantum Internet Alliance as another example - a summary of their work is here... and there's a more mainstream-friendly article here.

----------------------
Yes, everything is correct.
Quantum Internet, more correctly called photonic.
This is a network section having either physical optical fiber, or photons can be transmitted via "air", within line of sight. It is this version of the quantum-photon Internet "over the air" that was successfully tested in the United States, it seems back in 1987. Then they transmitted a signal 300 meters from the roof of one building to the roof of another. Then they experimented with photon amplifiers, and it seems to have been successful.
This is an old, well-known, tested technology, based on fundamental knowledge of physics at the level of secondary general education.

Yes, no one will attack you in the photon communication channel; there is no sense in it. Your wifi, your device will be attacked, everything as usual. Just like it is now.
In addition, the photon Internet, in the case of a Wifi access point, does not save you from phishing (81% of all attacks), nor from a person in the middle, nor from the danger of quantum computing of your key information.

There is no way to do without a new post-quantum cryptography.
Therefore, I think that this method is not for us, ordinary users; moreover, it will not give anything if you have wifi next to it. But for special organizations, it is what you need.

The tasks that this Internet performs in the foreseeable future are limited to the task of transmitting the secret key for symmetric systems, without using asymmetric ones.
Such an Internet, or rather a section of the Internet, since we have to use either Wi-Fi or the 3, 4, 5G Internet, does not solve the problem of a system of trust in your public key. With all the ensuing consequences.
What's bad about this is that the user becomes even more careless.
Yes, we also forgot the attacks on the server side of the network.
In addition, we, everyday users of cryptography, are always being used in others' interests, without everything that they know being negotiated with us.
So, there are interesting facts about the dangers of cryptography on elliptic curves. And our blockchain (more precisely, its digital signature) is based on this cryptography. If there is interest in what is not being negotiated with us, you can read my post dated December 04: https://bitcointalk.org/index.php?topic=5204368.40

You need to be careful about all offers, especially in the field of digital security. Our safety is only in our hands.
Voland.V
December 06, 2019, 07:30:46 AM
 #82

At the link above, in a post dated December 04, the question is described:

"This material reasonably answers 2 important questions:

1. Is cryptography on elliptic curves as safe as we think?

2. Are quantum computations really dangerous for modern public key cryptosystems?"

https://bitcointalk.org/index.php?topic=5204368.40
Cnut237
December 06, 2019, 09:54:49 AM
 #83

There is no way to do without a new post-quantum cryptography.

Some approaches to post-quantum cryptography do show huge promise, I'll agree with that, as we've covered on previous pages.

I was trying to make the distinction between post-quantum cryptography which uses classical approaches, and quantum cryptography, which exploits the inherent 'unhackability' of quantum mechanics. Significant progress is being made in QC as well as in PQC.

The difference is between PQC being theoretically unhackable because of complex and esoteric maths, and QC being fundamentally unhackable because of the underlying laws of physics. Both approaches have merit, but the discussion is always around PQC. I thought it was time that QC had a voice, too.

TechPriest
December 06, 2019, 11:07:29 AM
Last edit: December 15, 2019, 11:30:46 AM by TechPriest
 #84

Why not find out a technology that can prevent us from the attacks of QC? If QC and other things were imagined and have become truth now, there must be something that can abolish their twitches and burst the bubble before it becomes too big to stop you from breathing.
Approaching it where the problem is QC (theory only) it should be answered by the same powerful thing, QC. It’s like fighting fire with fire, but everything is digital.
We are not there yet where it’s applicable already.

I would not be so optimistic about QC. The main problem of their realization is the problem of symmetry. FT transformations (a composition of the Fredkin gate and the Toffoli gate) will destroy quantum entanglement in bosons. "Raw" fermions can't be used for QC either because, if we have more than 3 qubits, then their result vector will be 0, so we can't calculate anything with it.

As I read last time, scientists want to use "fermionic lattices". But it will be really hard to implement it in real technology, because it is much harder to control such a "lattice". In a "lattice" you need to control n states in n qubits, but in "raw" QC without such lattices it would be enough to control just 2 states in n qubits.

And for an "ECDSA hack" we need thousands of qubits (and now we have just 50 qubits, after 40 years since the start of QC research).

my understanding is that ECDSA will eventually be vulnerable to quantum computers. SHA-256 not so much.

You're right. But let us be more specific:
Every public key cryptography is vulnerable to quantum computing due to Shor's algorithm (for integer factorization and discrete logarithm). SHA-256 is not vulnerable in the sense that there is no quantum algorithm which breaks it fast. But it is vulnerable in the sense that quantum computers may be incomparably more powerful (a million times) compared to today's computers.

Also, it's interesting that we don't have any quantum computer for now (and I doubt that we will have one, with all its "magical" capabilities) but we already have post quantum RSA

Voland.V
December 06, 2019, 03:29:02 PM
Merited by Welsh (4), o_e_l_e_o (2), Cnut237 (2), vapourminer (1), Danydee (1)
 #85

You are mistaken if you think that ECDSA can be wrecked only by exhaustive search (brute force attack). This is a common misconception, which is supported by the majority.
And I will allow myself to object.

In the sense that there are other dangers in this area of cryptography.
The danger of cryptography on elliptic curves lies in the elliptic curves themselves. They have collisions. That is why, back in 2015, the NSA (USA) opposed this type of cryptography, despite the fact that it had previously campaigned only for this cryptography. And after 2015, it again returned to the old RSA system. And this despite the very long key length relative to ECC keys.
Let's do it in order.

1. Collisions of elliptic curves themselves.
The National Institute of Standards and Technology (USA), NIST, is involved in the development of standards and specifications. The problem is that some classes of elliptic curves are weak. Specialists have a question: where do the random generating values for the standardized NIST elliptic curves come from? Answer: unfortunately, we do not know. These values have no justification.

For this reason, the following question arises: is it possible that NIST detected a "significantly larger" class of weak elliptic curves than is commonly believed, tried various possible variants of generating values, found vulnerabilities and is silent? After all, such finds can be used for "their own purposes"; these are holes in the security system.

I do not have an answer to this question either, but this is a logical and important question. We know that NIST has at least successfully standardized a vulnerable random number generator (a generator that, oddly enough, is based on the same elliptic curves).

Perhaps it successfully standardized many other weak elliptic curves?
How to check it?
No way.

For example, there are standard NIST curves based on numbers, verifiable random, of understandable origin:
- random numbers for MD5 (hashing algorithm) are obtained from the sine of integers;
- random numbers for Blowfish (a symmetric block encryption algorithm with a variable key length) are obtained from the first digits of Pi;
- random numbers for RC5 (a block cipher with a variable number of rounds, a variable length of key and block) are obtained from the "Euler number" and the golden ratio.
It is important to understand that "verifiable random" and "protected" are not synonyms, but here we at least understand their origin.

2. The situation around this system is very ambiguous.
I do not want to repeat a very large text with verifiable facts. But if you are not afraid, then you can read how it was and check the information.
I described this in my post on December 04; there are 2 posts from the same date, read the second one, topic:
--------------------
This material reasonably answers 2 important questions:
1. Is cryptography on elliptic curves as safe as we think?
2. Are quantum computations really dangerous for modern public key cryptosystems?
..............................
Link: https://bitcointalk.org/index.php?topic=5204368.40

3. What gives us the expected quantum Internet?
It would be correct to call it photonic. Photons can be transmitted not only via fiber optic cable, but also "over the air", which was tested successfully in the last century.
But this technology is applicable only to special organizations, in the option "only photon internet". We, in everyday life, will have to use sections of wifi or 3-5G to reach the fiber optic section. And this means all the problems come back: phishing, attacks on devices, a person in the middle, etc.

Moreover, quantum Internet is needed only for the safe transfer of a symmetric key, in the absence of a post-quantum cryptosystem with a pair of keys. Symmetric cryptography is able to create a closed communication channel, safe, easier, more practical, cheaper than the proposed technology of quantum Internet.

For this reason, post-quantum cryptography cannot be dispensed with, especially in the post-quantum world.
Cnut237
December 13, 2019, 10:18:12 AM
Merited by Welsh (14), o_e_l_e_o (2), vapourminer (1)
 #86

3. What gives us the expected quantum Internet?
It would be correct to call it photonic. Photons can be transmitted not only via fiber optic cable, but also "over the air", which was tested successfully in the last century.
But this technology is applicable only to special organizations, in the option "only photon internet". We, in everyday life, will have to use sections of wifi or 3-5G to reach the fiber optic section. And this means all the problems come back: phishing, attacks on devices, a person in the middle, etc.

It depends what we are sending over traditional hackable channels. Thinking in classical terms, you send the entire communication through that route, and so you introduce vulnerabilities. But using a quantum approach, it doesn't have to be that way. Quantum entanglement offers a solution - if the entangled photons are sent one to each party, sender and recipient, then the sender can make their photon interact with the data they want to transmit. This measurement alters the entangled photon at the other end as well - transmission of information via this method is Einstein's famous 'spooky action at a distance', a.k.a. quantum teleportation. The thing that is then sent through the classical channel is only the result of the measurement, the interaction between the sender's entangled photon and the information they wish to transmit. Anyone who hacks this message gains nothing, as it is meaningless by itself.

However, once the legitimate recipient receives this information, they can then decode the message, because they have the other photon. It is fundamentally unhackable because only sender and recipient have the entangled photons, and because the laws of quantum mechanics mean that any act of measurement, which includes any attempt at hacking or eavesdropping at either the sender's or the recipient's end, alters the state of the entangled photon at the other end, too.

It's this sort of approach that makes me think that quantum cryptography (as opposed to post-quantum cryptography) has a lot of merit. Lattices and elliptic curves and so forth are not fundamentally unhackable due to laws of nature, whereas processes exploiting the laws of quantum mechanics are - or at least can be.

There will of course be huge technical challenges in implementing a quantum-cryptography approach... but work is underway, not just by the Chinese but also at QuTech in the Netherlands (where they are trying out quantum teleportation, as in the link I gave previously).

Here's a diagram giving a brief summary of how quantum entanglement can lead to an unhackable solution (again from my previous link). The pictures are perhaps more eloquent than my chaotic rambling:
Voland.V
December 13, 2019, 02:01:46 PM
 #87

Quote from: Cnut237 on December 13, 2019, 10:18:12 AM
-snip-
---------------------------------
You probably know more than me.

Explain how you can have a photon associated with the transmitted one, if you are not connected directly to the photon transmission channel?

If you, more precisely your device, are the locator in the same "photon" system as the transmitting device, then physics will work.

And if you hold in your hand a smartphone that is connected to the Internet via 3, 4, 5-G, then how will you have a coupled photon?

In addition, it is such an expensive pleasure that quantum cryptography (photon transmission), as far as I know, is needed only in order to exchange the same private keys in this way, to use a symmetric encryption system. For the reason that symmetric AES-256 is not opened by any quantum computer, because for a symmetric key any of two to the power of 256 key variants is possible.

And in asymmetric, it is far from so. For example, in RSA, a key length of 15,300 bits is equal in strength to a 256-bit key in AES.

I do not discuss elliptic cryptography - it has probably been hacked for a long time, and not by exhaustive search at all, but by cryptanalysis and the presence of vulnerabilities in the elliptic curves themselves.
In serious organizations, it is prohibited for use.

If in a symmetric AES system you increase the key by 2 times (256-512), then the load on the computer will increase by about 2 times.

If you increase the key by 2 times in RSA, then the load will increase by 8 times, with a key length of 1024 bits - 2048 bits.

Therefore, quantum cryptography makes no sense. There is a post-quantum AES system, and all it needs is to exchange keys without using dangerous asymmetric cryptography.

Therefore, if you have a smartphone with Wi-Fi, then no quantum Internet will help you, only post-quantum cryptography.
Cnut237
December 16, 2019, 08:46:29 AM
Last edit: December 16, 2019, 06:36:29 PM by Cnut237
Merited by Welsh (2), o_e_l_e_o (2), vapourminer (1)
 #88

You probably know more than me.
I know a little about quantum mechanics, and next to nothing about cryptography.

Explain how you can have a photon associated with the transmitted, if you are not connected directly to the photon transmission channel?
And if you hold in your hand a smartphone that is connected to the Internet via 3,4,5-G, then how will you have a coupled photon?
Micius has demonstrated QKD wirelessly via satellite. There have been demonstrations using traditional fibre-optic lines, but the entangled state is more vulnerable to collapse using this approach, so satellite may be the better option.

A pair of entangled photons is generated using an interferometer, and one photon is sent to each party in the communication. If in the Micius example you can communicate with the satellite, then you can receive the photon.

They aim to have a global quantum network in place by 2030. I have no opinion on whether or not 2030 is realistic.

If in a symmetric AES system you increase the key by 2 times (256-512), then the load on the computer will increase by about 2 times.
If you increase the key by 2 times in RSA, then the load will increase by 8 times, with a key length of 1024 bits - 2048 bits.

Therefore, quantum cryptography makes no sense.
Quantum cryptography doesn't rely so much on key complexity, it relies more on quantum entanglement, and the fact that a measurement of one photon disturbs the other photon. Hacking is not possible based on the laws of quantum mechanics as we understand them.

I'm not suggesting that quantum cryptography is the only or best approach, just that work is progressing here and it's not necessarily only post-quantum cryptography that should be discussed. There have been objections to QKD itself, but again work is progressing towards better solutions - Kak's 3 stage protocol for example (basically a quantum version of double-lock):


https://www.researchgate.net/profile/Partha_Basuchowdhuri/publication/1960902/figure/fig2/AS:279938969161741@1443754059593/Kaks-three-stage-protocol.png
Thekool1s
December 18, 2019, 04:55:48 PM
 #89

I have really learnt so much from this thread. I feel like the discussion now needs to head towards mining: how quantum computers could affect mining and the decentralized aspect of cryptocurrencies. One of the things mainly agreed in this thread is that a move will be made towards a "quantum resistant algo", which will prevent quantum computers from breaking private keys, but what about mining? Given that quantum computers will be only a few in number, basically these few "companies" would become the centralized figurehead for "cryptocurrencies". Since there won't be a mining competition, how will "cryptocurrencies" survive? Currently, one of the reasons why people use cryptos is their decentralized aspect.

I will give FB's Libra as an example. E.g. FB gets their hands on one of the few early "quantum computers"; they could basically make Libra stand out because it will be the only coin with the most "hashing" power / most secure, but they could easily decide which coin lives and which dies. Basically, if Mark then wanted to mine BTC, even after implementing the "quantum resistant" algos, Mark could just mine every block since he will have the most "hashing" power. I'm not familiar with how "anti-ASIC" algos for mining work, but could, in theory, "anti-quantum" algos be made for mining which could prevent this centralization?
QuickReview
December 18, 2019, 05:50:10 PM
 #90

I have really learnt so much from this thread. I feel like the discussion now needs to head towards mining: how quantum computers could affect mining

The first quantum computers won't be able to mine Bitcoin because they will not have enough qubits to get the hash of the next block. For that task 2^128 basic quantum operations are needed. That is something for the "second generation quantum computers".
But to get the private key only 128^3 basic quantum operations are sufficient, and that will be within the range of "first generation quantum computers".
https://en.bitcoin.it/wiki/Quantum_computing_and_Bitcoin

edit

The only thing that quantum computers can do is to speed up the calculation of SHA256 hashes. Even if it is faster than normal computers by a factor of thousands, the ASICs would still be way faster than quantum computers. The difficulty will rise and the network would continue as per normal.
 

I don't think quantum computers can speed up hashing, but anyway this is not what is meant by 'cracking' SHA256.

Concerning quantum computers and cryptography, there are two totally different aspects.

1) quantum computers, if ever they come into existence with a lot of qubits (which I personally doubt, but ok), can TOTALLY CRACK the current public key systems based on prime factorisation (RSA, Diffie-Hellman) or based upon discrete logarithms in groups (elliptic curve crypto).  The algorithm to do so is known, it is Shor's algorithm.  By TOTALLY I mean totally: just ANY key can be cracked in a matter of milliseconds, on the condition that the quantum computer has more qubits than (a few times) the key length.  If such a quantum computer exists, there is simply no difficulty in cracking the key; it doesn't take "days" or anything because the difficulty goes LOGARITHMIC with Shor's algorithm.

2) however, for hash functions, and symmetric crypto like AES-256, it can be shown that a quantum computer can AT BEST use Grover's algorithm to crack it.  Grover's algorithm doesn't crack entirely a hash function, but essentially HALVES ITS BIT STRENGTH.  So a SHA-256 hash (with 256 bits) would not require 2^256 trials like on a classical computer, but "only" 2^128 trials on a quantum computer, which is STILL IMPOSSIBLE to do practically.  Most people think that quantum computers will, if ever they exist, run much slower than classical machines, so 2^128 trials on a quantum machine will be much harder to solve than 2^128 trials on a classical machine.

So while quantum computers can speed up hash function searching, they won't crack it entirely.  The interesting thing is that under certain conditions, it has been established that Grover's algorithm is the best possible one on a quantum machine, to attack a random hash function.

==> big hash functions are still secure against quantum attacks ; most current public key crypto is totally broken by quantum attacks.

This is why it is somewhat strange, in the bitcoin protocol, to have hashed the public key to 160 bits, and not have kept the 256 bits.  If the menace of a quantum attack were the reason for this, it would have been wiser to keep the 256 bit hash as an address instead of the 160 bit RIPEMD hash, because under Grover's algorithm this would become only 80 bits secure, while the 256 bit hash would remain 128 bit secure under a quantum attack, which is the same level of *classical* security offered by the elliptic curve signature scheme - which wouldn't survive, by itself, a quantum attack.  This is one of the peculiar crypto design "features" of bitcoin...
gogxmagog
December 19, 2019, 10:50:55 AM
 #91

(Frequently Asked Quantum Questions)

https://faqq.info
Thekool1s
December 19, 2019, 01:05:20 PM
 #92

Quote
That is something for the "second generation quantum computers".

Even if you say these will be "the second generation of quantum computers", the fact remains that these will be only a few in number at first. It took decades for "personal computers" to roll out after the invention of the first few generations. It will be the same with quantum computers, I believe. Just like it's mentioned in this thread, currently a below-zero temperature is required to run today's "quantum computers". So when these 2nd, 3rd or 4th, whatever generation it may be, become a reality, everybody won't have these in their basements... Only a select few will have the opportunity to work with them. What will happen to the "decentralized" nature of cryptocurrencies?

I mean, if you look at companies like Bitmain, they use their ASICs first and mine the S**t out of them, driving up the hash rate. Once they are done they sell their stuff to the public. All I am saying is, will we be able to "save" the decentralized nature of cryptocurrencies once these "super machines" become a reality?
QuickReview
December 19, 2019, 03:52:41 PM
 #93

I mean, if you look at companies like Bitmain, they use their ASICs first and mine the S**t out of them, driving up the hash rate. Once they are done they sell their stuff to the public.
Guess what some private quantum computer developers will do before maybe selling it.
I do not know why people think that Bitcoin security will stop as is and are too worried about quantum computers.  It may be a threat but I am sure Bitcoin developers will find a way to level Bitcoin's security up before that happens.
That's not an issue. Bitcoin developers already have post-quantum solutions.
But there are lots of 'shalecoins', https://bitcointalk.org/index.php?topic=5134441.0 coins with no owner. With quantum computers, these coins will become active and change the Bitcoin ecosystem.

Satoshi had already thought of quantum computers, and the possible decoding of the private keys if it became available, ..
His coins would be quantum secured if he sent them to P2PKH addresses. But he did not and is not doing so.

All I am saying is, will we be able to "save" the decentralized nature of cryptocurrencies once these "super machines" become a reality?
Yes, we will still have decentralized cryptos. It depends on us which coins will exist pre- and post-quantum. What we need is a quantum resistant signature system on the Bitcoin network now, even if we don't have to use it, but it should be possible if we wanted to.

And for the "second generation quantum computers" people are already developing post SHA-hash signature systems. So we would then change to post SHA-hash signature systems before "second generation quantum computers" exist.
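As an added example (not code from this thread or from any poster), tying together the Grover 160-vs-256-bit point in #90 and the P2PK/P2PKH point in #93: a small Python classifier that inspects scriptPubKeys and reports which outputs already expose their public key on-chain (where Shor's algorithm applies directly) versus those that only publish HASH160(pubkey) (a 160-bit preimage search, halved to about 80 bits by Grover). The script templates and opcodes are the standard Bitcoin ones; all key and hash bytes are constructed placeholders.

```python
# Added example: classify Bitcoin output scripts by what they expose to a
# quantum-capable attacker. P2PK outputs publish the public key itself, so
# Shor's algorithm applies as soon as a large enough QC exists; P2PKH outputs
# only publish HASH160(pubkey), leaving a 160-bit preimage problem that
# Grover's algorithm weakens to roughly 80 bits. All sample bytes are constructed.
from dataclasses import dataclass

OP_DUP, OP_HASH160, OP_EQUALVERIFY, OP_CHECKSIG = 0x76, 0xA9, 0x88, 0xAC


def grover_security_bits(hash_bits: int) -> int:
    """Preimage strength of an n-bit hash once Grover's quadratic speedup is applied."""
    return hash_bits // 2


@dataclass(frozen=True)
class Exposure:
    script_type: str
    pubkey_exposed: bool   # True: Shor's algorithm applies directly to this output
    hash_bits: int         # bits of hash guarding the key (0 if none)
    quantum_bits: int      # effective strength under Grover (0 if key is exposed)


def _direct_push(script: bytes, pos: int):
    """Parse a single-byte direct push (1..75 bytes) at pos; return (payload, next_pos) or None."""
    if pos >= len(script):
        return None
    n = script[pos]
    if not 1 <= n <= 75 or pos + 1 + n > len(script):
        return None
    return script[pos + 1:pos + 1 + n], pos + 1 + n


def _looks_like_pubkey(payload: bytes) -> bool:
    # SEC1 encodings: 0x04 + 64 bytes (uncompressed) or 0x02/0x03 + 32 bytes (compressed)
    return (len(payload) == 65 and payload[0] == 0x04) or \
           (len(payload) == 33 and payload[0] in (0x02, 0x03))


def classify_script_pubkey(script: bytes) -> Exposure:
    """Return the quantum exposure of a scriptPubKey (P2PK, P2PKH, or unknown)."""
    # P2PKH template: OP_DUP OP_HASH160 <20-byte hash> OP_EQUALVERIFY OP_CHECKSIG
    if (len(script) == 25 and script[0] == OP_DUP and script[1] == OP_HASH160
            and script[2] == 20 and script[23] == OP_EQUALVERIFY
            and script[24] == OP_CHECKSIG):
        return Exposure("p2pkh", False, 160, grover_security_bits(160))
    # P2PK template: <pubkey> OP_CHECKSIG
    push = _direct_push(script, 0)
    if push is not None:
        payload, nxt = push
        if nxt == len(script) - 1 and script[nxt] == OP_CHECKSIG and _looks_like_pubkey(payload):
            return Exposure("p2pk", True, 0, 0)
    return Exposure("unknown", False, 0, 0)


def risk_summary(scripts):
    """Count outputs per type and list the indexes whose public key is already on-chain."""
    counts = {}
    exposed = []
    for idx, script in enumerate(scripts):
        exp = classify_script_pubkey(script)
        counts[exp.script_type] = counts.get(exp.script_type, 0) + 1
        if exp.pubkey_exposed:
            exposed.append(idx)
    return counts, exposed


# Constructed sample outputs; the key and hash bytes are placeholders, not real values.
FAKE_UNCOMPRESSED_PUBKEY = bytes([0x04]) + bytes(range(1, 65))      # 65 bytes
FAKE_HASH160 = bytes(range(0xA0, 0xB4))                             # 20 bytes
P2PK_SCRIPT = bytes([65]) + FAKE_UNCOMPRESSED_PUBKEY + bytes([OP_CHECKSIG])
P2PKH_SCRIPT = bytes([OP_DUP, OP_HASH160, 20]) + FAKE_HASH160 + bytes([OP_EQUALVERIFY, OP_CHECKSIG])
OP_RETURN_SCRIPT = bytes([0x6A, 4]) + b"test"                       # data carrier, no key at all
SAMPLE_OUTPUTS = [P2PK_SCRIPT, P2PKH_SCRIPT, OP_RETURN_SCRIPT]

if __name__ == "__main__":
    counts, exposed = risk_summary(SAMPLE_OUTPUTS)
    print("per-type counts:", counts)
    print("outputs with the public key already on-chain:", exposed)
    for s in SAMPLE_OUTPUTS:
        print(classify_script_pubkey(s))
```

Note that a P2PKH output only hides the key until it is spent: the spending input reveals the public key, so any further coins sent to a reused address are as exposed as a P2PK output.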
Voland.V
December 21, 2019, 04:12:03 PM
Merited by vapourminer (1)
 #94

Quote from: Cnut237 on December 16, 2019, 08:46:29 AM
-snip-
------------------
Quantum cryptography and quantum internet are photonic systems.
There are no quants there, there are quantum states of photons, such as the spin of a photon.

This is a game of words - "quantum Internet" or "quantum cryptography" - which greatly confuses its understanding by amateurs.

Let's see the essence: photonic systems are a throwing up of hands before the challenge that quantum computers have posed to modern public key cryptography.

It's like you used to have an elegant key to your house door, and now you've knocked down your door with a giant stone, counting on the thief not moving it.

That's a step back. Mankind loves these steps because they are man-made, because they create new value in the mass of new equipment, because the Internet can be made both safe and expensive.

Of course, it's the way of the monkey.
This is the path that mankind will leave behind like an old lamp TV when there is a new safe cryptography.

I support the idea that the mind always conquers power.
See if you want to make God laugh, tell him your plans...

In other words, they're systems that transmit light waves:

1) or via fiber optic cable (second half of the 20th century, soon this technology will turn 100 years old), without the possibility of wi-fi points at the end of this path;
2) or transmitting light photons by laser within line of sight.

The example you're looking at: "Micius has demonstrated QKD wirelessly via satellite" is very unhelpful for us ordinary users, but very much liked by rich and government organizations - there's plenty to write off "our" money. The monkey's way, but the rich monkey's way.

In this case, there is a problem, the receiver and the transmitter must be constantly on the same line! And that with a moving satellite!
They must be oriented strictly parallel to each other, which is very difficult to do when the source (satellite) moves at high speed on a circular trajectory.

Such an accurate mutual orientation of the quantum receiver and transmitter is similar to getting a coin from an airplane flying at an altitude of 100 thousand meters - exactly in the slot of the piggy bank, which, moreover, rotates.

"It wasn't my idea," says Wang Jianyu, QUESS Project Manager.

These and other achievements are not only very expensive, they are absolutely unacceptable for us who own devices connected to wi-fi.

This is not the side of progress that the future holds.

Especially since all these experiments have been carried out successfully a long time ago, many of them, not later than 1987.
But in those distant times, people still knew how to think, and this technology was postponed, it was waiting for a more appropriate time, our time.

That's your idea:
"So in quantum cryptography, it doesn't make sense.
Quantum cryptography doesn't rely so much on the complexity of the key, it relies more on the quantum complexity and the fact that measuring one photon interferes with another photon. "
- Cryptography is necessary because stealing information from this channel is not prohibited, it is just a fact that participants will know about it. In other words, this quantum (photon) cryptography does not protect the information, but on the contrary highlights it so that it can be seen with the naked eye, literally. Photons we see...

Your idea:
"There were objections to QKD itself, but again the work is moving towards better solutions, like Kak's three-stage protocol (mainly the quantum version of the double lock):"
- is a logical use of photon states, again with all the resulting disadvantages for us ordinary users: using photons, fiber, direct line of sight and so on, but not wi-fi or 3,4,5,6G. That is not the way for us.

Our way is keyless cryptography and password-free authentication, my topic is here:
https://bitcointalk.org/index.php?topic=5204368.0.
Voland.V
Full Member
Activity: 224
Merit: 120
December 24, 2019, 09:30:09 PM
#95

Not only quantum computing is dangerous.

The development of illegal attack techniques on networks and the large finances of cybercrime are much more dangerous.

Although the most famous specialists put quantum computing first.

I don't agree with them.
Saidasun
Sr. Member
Activity: 334
Merit: 275
December 27, 2019, 08:46:18 PM
#96

Not only quantum computing is dangerous.

The development of illegal attack techniques on networks and the large finances of cybercrime are much more dangerous.

Although the most famous specialists put quantum computing first.

I don't agree with them.
I agree there are other bigger threats to Bitcoin than quantum computing but what are you hinting to when you say "illegal attacks"?
Voland.V
Full Member
Activity: 224
Merit: 120
December 27, 2019, 10:11:21 PM
#97

Not only quantum computing is dangerous.

The development of illegal attack techniques on networks and the large finances of cybercrime are much more dangerous.

Although the most famous specialists put quantum computing first.

I don't agree with them.
I agree there are other bigger threats to Bitcoin than quantum computing but what are you hinting to when you say "illegal attacks"?
----------------------------------------------
It's the complexity of machine translation, all attacks are illegal, that's right.

Including attacks on cryptography using quantum computing (using a quantum computer).

And by "more dangerous" attacks, I mean exploiting for criminal purposes the weaknesses of cryptography itself on elliptic curves.

I don't understand it, why one part of people consider it reliable, and officials of special organizations categorically prohibit its use.

I do not understand why there is one cryptography for all of us, it is like household cryptography, and why there is another cryptography for special organizations and government agencies.

I don't understand why for so many years, long before the quantum computer was going to be built, so many serious people and organizations around the world are looking for a replacement for existing encryption methods.

After all, from an attack with quantum computing, it is enough to simply increase the length of the key.

After all the key in AES 256 bits long is not afraid of quantum computers (it is left as a working mechanism on post quantum period) because the method of encryption itself is very successful.

And cryptography on elliptical curves with any key length is not suitable.
And that's with the fact that the key length of even 512,000 bits or more - post quantum cryptography suits everyone!!!

So there's something wrong with ECC?
Cnut237
Legendary
Activity: 1904
Merit: 1277
December 28, 2019, 07:34:17 AM
Merited by LoyceV (5), Welsh (4), vapourminer (3), ABCbits (2)
#98

from an attack with quantum computing, it is enough to simply increase the length of the key.
No, it's not. QC processing power increases exponentially with each new qubit. This is why scaling up a QC can produce such phenomenal power.
Where a classical computer with 'n' bits can represent 'n' states, a quantum computer can represent 2^n states.
So as we increase complexity, the number of states that can be represented are as follows:
Classical: 1,2,3,4,5,6,7,8 etc
Quantum: 1,2,4,8,16,32,64,128 etc.


So there's something wrong with ECC?
Yes, there is. A QC can use Shor's algorithm to break ECC.

There is a lot of good work being done in post-quantum cryptography, as we've covered previously:

  • Modify the PoW system such that QCs don’t have any advantage over classical computers. Defending PoW is not as important as defending signatures (as above), because PoW is less vulnerable. However various approaches that can protect PoW against QCs are under development, such as Cuckoo Cycle, Momentum and Equihash.
  • Modify the signature system to prevent easy derivation of private keys. Again, various approaches are under development, which use some pretty esoteric maths. There are hash-based approaches such as XMSS and SPHINCS, but more promising (as far as I can tell) are the lattice-based approaches such as Dilithium, which I think is already used by Komodo.

... and I do think that many of these approaches look promising. My main concern is that post-quantum-cryptography solutions are based merely on being very difficult to hack, whereas quantum-cryptography is in theory fundamentally unhackable due to the immutable physical laws of quantum mechanics.

Voland.V
Full Member
Activity: 224
Merit: 120
December 28, 2019, 12:45:11 PM
Merited by Welsh (4), Cnut237 (3)
#99

from an attack with quantum computing, it is enough to simply increase the length of the key.
No, it's not. QC processing power increases exponentially with each new qubit. This is why scaling up a QC can produce such phenomenal power.
Where a classical computer with 'n' bits can represent 'n' states, a quantum computer can represent 2^n states.
So as we increase complexity, the number of states that can be represented are as follows:
Classical: 1,2,3,4,5,6,7,8 etc
Quantum: 1,2,4,8,16,32,64,128 etc.


So there's something wrong with ECC?
Yes, there is. A QC can use Shor's algorithm to break ECC.

There is a lot of good work being done in post-quantum cryptography, as we've covered previously:

  • Modify the PoW system such that QCs don’t have any advantage over classical computers. Defending PoW is not as important as defending signatures (as above), because PoW is less vulnerable. However various approaches that can protect PoW against QCs are under development, such as Cuckoo Cycle, Momentum and Equihash.
  • Modify the signature system to prevent easy derivation of private keys. Again, various approaches are under development, which use some pretty esoteric maths. There are hash-based approaches such as XMSS and SPHINCS, but more promising (as far as I can tell) are the lattice-based approaches such as Dilithium, which I think is already used by Komodo.

... and I do think that many of these approaches look promising. My main concern is that post-quantum-cryptography solutions are based merely on being very difficult to hack, whereas quantum-cryptography is in theory fundamentally unhackable due to the immutable physical laws of quantum mechanics.
----------------------
In my opinion, post quantum cryptography should not be confused with cryptography based on the mutual relation of quantum states of photons.
Post-quantum cryptography uses mathematical coding methods.
Physical laws of the quantum world are used in quantum cryptography.

Post quantum systems, most of them, were developed 10-20 years ago. Some of them are new, developed recently. But they're all based on mathematics.

They should not be confused with related quantum states, it's a completely different approach to the problem.

We are not interested in quantum cryptography, it is not our level, it is not intended for ordinary users.
And it's not even planned for us.

It's post quantum mathematical cryptography that we are planning.

You are very mistaken about the length of the key if you think that a quantum computer can solve the problem of a complete search for a key only 256 bits long. No quantum computer can do that. That's why the AES-256 remains a post quantum system.

If cryptography on elliptical curves, as well as any other cryptography with a public and private key was reliable, and everything depended only on the length of the key, then no search for post quantum systems would be done by mankind.

Moreover, a large number of cryptographic systems that were candidates for post quantum encryption systems were not cracked by quantum computers, but by good old cryptanalysis, mathematical methods.

A key that is not broken by full search in the AES system at 256 bits corresponds to a key of 15300-16400 bits in the RSA system. If it were only about the speed of quantum computing, you could use RSA with a key length of 16400 bits or more, or cryptography on elliptical curves (ECC) with a length of 512 bits.

Instead, AES-256 with only 256 bits of key is definitely left (it's a symmetric system), but all our asymmetric systems (including RSA and ECC) are not.

Moreover, for serious secrets they were forbidden to use 5 years ago, and this is only what has already leaked to the press.
Neither ECC nor RSA has been used in serious cases for 10 years.
Details here, post dated December 04, see:
https://bitcointalk.org/index.php?topic=5204368.0.

Therefore, there is only one conclusion - all modern asymmetric systems with a pair of public and private keys - do not fit with any length of the key precisely because they are weak, but the details of this circumstance are not specified and few people know.
Cnut237
Legendary
Activity: 1904
Merit: 1277
December 28, 2019, 04:06:26 PM
Last edit: December 28, 2019, 05:15:57 PM by Cnut237
Merited by LoyceV (5), vapourminer (1)
#100

In my opinion, post quantum cryptography should not be confused with cryptography based on the mutual relation of quantum states of photons.
Post-quantum cryptography uses mathematical coding methods.
Physical laws of the quantum world are used in quantum cryptography.

Post quantum systems, most of them, were developed 10-20 years ago. Some of them are new, developed recently. But they're all based on mathematics.

They should not be confused with related quantum states, it's a completely different approach to the problem.
I agree, and I'm well aware of the distinction. Post-quantum cryptography and quantum cryptography are completely different things. It's unfortunate that they have such similar names!


We are not interested in quantum cryptography, it is not our level, it is not intended for ordinary users.
And it's not even planned for us.

It's post quantum mathematical cryptography that we are planning.
Not sure I agree with this point. I would contend, as I have previously, that work in quantum cryptography is progressing at pace and whilst there are technical issues to overcome, it does potentially offer a fundamentally unhackable solution to quantum attacks, and one which can be used in the mainstream. Having said that, of course post-quantum cryptography is hugely important as well, and work is progressing there, too. There's no need to focus on just the one approach, though, and dismiss the other.


You are very mistaken about the length of the key if you think that a quantum computer can solve the problem of a complete search for a key only 256 bits long. No quantum computer can do that. That's why the AES-256 remains a post quantum system.
I think we agree, but are coming at this from different angles. An increase in key length is trivial to overcome if we're talking about asymmetric cryptography, where a quantum computer can apply Shor's algorithm. But as you state below, AES-256 is symmetric.


AES-256 with only 256 bits of key is definitely left (it's a symmetric system), but all our asymmetric systems (including RSA and ECC) are not.
AES-256 security may be fine currently, it may be resistant to the best current attack (Grover search), but that's my point. Quantum cryptography uses the laws of quantum mechanics to make a system absolutely unhackable for all time, whereas post-quantum cryptography makes a system secure against current attacks, with no guarantee of security against future technology or future algorithms.

If AES-256 can beat Grover, what about other approaches? Quantum Square Attacks? Biclique Attacks? How about all mathematical attacks that haven't yet been devised?

I'm being flippant, and I do agree that there is certainly a chance that a post-quantum cryptography solution will remain forever secure, but we can't know for certain. My point is merely that we should investigate both quantum cryptography and post-quantum cryptography. It seems wasteful to focus solely on one approach.

I value the discussion immensely, by the way - thank you :)
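The key-length argument of posts #98 to #100 (Grover only halves a symmetric key's strength, Shor ignores asymmetric key length) worked through numerically, as an added Python illustration that is not code from the thread or any poster. The GNFS, Pollard rho and Grover cost models are the standard textbook heuristics with constant factors dropped, and the cubic cost used for Shor is an assumed rough model, so the outputs are orders of magnitude rather than exact security claims.

```python
"""Rough security-bits model for the thread's key-length debate.

Added illustration, not the thread's code: the cost models below are the
standard heuristics with constant factors dropped, so results are orders
of magnitude, not exact security claims.
"""
import math

LN2 = math.log(2)

def symmetric_bits(key_bits, quantum=False):
    """Exhaustive search costs 2^k classically; Grover's algorithm takes the
    square root, so AES-256 still retains about 128 bits against it."""
    return key_bits / 2 if quantum else float(key_bits)

def shor_bits(key_bits):
    """Shor's algorithm runs in polynomial time; a cubic gate count in the
    key size is assumed here as a rough model (not a precise estimate)."""
    return math.log2(key_bits ** 3)

def ecc_bits(field_bits, quantum=False):
    """Classically the best ECDLP attack (Pollard rho) costs ~sqrt(group
    order), i.e. about field_bits/2; a quantum attacker runs Shor."""
    return shor_bits(field_bits) if quantum else field_bits / 2

def rsa_bits(modulus_bits, quantum=False):
    """Classically the GNFS costs about
    exp((64/9)^(1/3) * (ln N)^(1/3) * (ln ln N)^(2/3)); quantum is Shor."""
    if quantum:
        return shor_bits(modulus_bits)
    ln_n = modulus_bits * LN2
    effort = (64 / 9) ** (1 / 3) * ln_n ** (1 / 3) * math.log(ln_n) ** (2 / 3)
    return effort / LN2  # natural-log effort -> bits

def min_rsa_bits_for(target_bits, step=64):
    """Smallest modulus (multiple of step) whose classical GNFS estimate
    reaches target_bits: the ~15k-bit scale needed to match AES-256."""
    n = step
    while rsa_bits(n) < target_bits:
        n += step
    return n

if __name__ == "__main__":
    for q in (False, True):
        print("quantum attacker" if q else "classical attacker")
        print(f"  AES-256   ~{symmetric_bits(256, q):6.1f} bits")
        print(f"  ECC-256   ~{ecc_bits(256, q):6.1f} bits")
        print(f"  ECC-512   ~{ecc_bits(512, q):6.1f} bits")
        print(f"  RSA-2048  ~{rsa_bits(2048, q):6.1f} bits")
        print(f"  RSA-16384 ~{rsa_bits(16384, q):6.1f} bits")
    print("RSA modulus matching AES-256 classically:", min_rsa_bits_for(256))
```

Doubling the ECC field or the RSA modulus adds only a few bits under the Shor model, while AES-256 keeps 128 bits under Grover, which is the asymmetry both posters are describing.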