Adam Langley
unread,Jul 7, 2016, 2:33:02 PM7/7/16Sign in to reply to author
Sign in to forward
You do not have permission to delete messages in this group
Sign in to report message
Either email addresses are anonymous for this group or you need the view member email addresses permission to view the original message
to Jochen Eisinger, Katriel Cohn-Gordon, PhistucK, David Benjamin, Matt Braithwaite, blink-dev, net-dev, security-dev
On Thu, Jul 7, 2016 at 11:12 AM, Jochen Eisinger <
joc...@chromium.org> wrote:
> out of curiosity, is there a high-level description available somewhere for
> why NewHope is supposedly safe in a post-quantum world?
Quantum computation is substantially different from classical and I do
not claim, even slightly, to understand it well enough to give a good
answer here.
But, very roughly, quantum computers aren't magic: they don't provide
a way to speed up the solution of any problem. A quantum algorithm
needs to ensure that all the wrong answers to a problem cancel out so
that there's a high probability of the correct answer remaining and we
only know of such algorithms for a subset of problems.
Factoring and discrete log are two problems where do have a quantum
algorithm, and that's the problem because everything is built on them,
pretty much. But, in the same way that we believe that factoring is
hard on a classical computer, we believe that several problems on
lattices, R-LWE included, are hard on both classical and quantum
computers. There's no proof of that however, in the same way that
there's no proof that someone won't solve factoring with classical
computers tomorrow. (Indeed, it's possible that R-LWE /might/ turn out
to be easy even on classical computers!)
There may be a deeper intuition about why these lattice-based problems
are unlikely to admit a quantum solution, but I'm afraid that I don't
know enough to see it.
Cheers
AGL