As far as I know, there are no known quantum attacks that break the security of AES. It is unknown if they are able to turn AES insecure, like they do to RSA and discrete logarithm problems. And there are several post-quantum candidate alternatives to replace RSA and crypto algorithms that would break under quantum attacks.

Quantum computers break several security assumptions. But not all of them and we usually can replace the broken assumptions. Discovering that P=NP, or that one-way functions do not exist, on the other hand, would imply that several secure cryptographic constructions that we want to use are in fact impossible and would be a much scarier discovery.

Grover's Algorithm gets you effectively a square root difficulty improvement. So, AES 256 is "only" as strong as a 128-bit symmetric encryption if you have equivalently cheap quantum computers.

Even ignoring that we don't currently have any usable quantum computers and there's no reason to believe they would be affordable, let alone cheap, this mean AES-256 is fine.

Grover's algorithm is not quite as powerful as popularly described. In particular, it (roughly) divides the number of times you need to run AES by the number of times you run it sequentially. So it effectively square-roots the time requirement rather than the difficulty, and those are very different if the attack is parallel.

Eg if you were planning on breaking AES-128 by running 2^30 cores for 2^98 AES calls, it now only takes about 2^49 calls per core (2^79 total effort) plus the overhead of Grover's algorithm itself. There are also huge overheads from running everything on a quantum computer, some of which are theoretically avoidable (100x cost for error correction; gates take one clock cycle) and some of which are probably not (you must rewrite AES so that all computations are reversible). So breaking AES-128 might eventually be feasible, but AES-192 probably would not be.

There is a theoretical barrier against efficiently parallelizing Grover: all generic quantum brute-force algorithms (the kind that would work against a random function in a black box) require Omega(searchspace / depth) queries, at least for some model that may not quite match reality. (Edit: Omega and not O, since it's a lower bound)

Of course, AES isn't a random function in a black box, so there may be better attacks against it, but I'm not aware of any.

Sorry, this sounds like serious crackpot territory.

Btw, if your polynomial algorithm for NP is any good, you should be able to break any encryption at all. The problem of breaking cryptographic systems is typically inside of both NP and co-NP. That intersection is suspected to be substantial smaller than NP by itself. (Of course, if it all collapses to P, that wouldn't make a difference.)

If everybody considers P=NP a crackpot territory, then it will never happen, by definition. On the contrary, I think to believe that the sets described by NP-complete instances are somehow inherently "undescribable" (as is implied by naturalization) is crackpottery also.

But regardless, it's important to realize that modern cryptography relies on a hypothesis. It might be effectively true for now, but it might not in the future.

> Btw, if your polynomial algorithm for NP is any good, you should be able to break any encryption at all.

In theory, yes, in practice, there is a pretty big difference between "I think I just discovered how to do Gaussian elimination to solve linear equations" and "I can routinely solve sparse linear systems with millions of variables". Historically, it wasn't done by a single individual in a span of couple years.

> If everybody considers P=NP a crackpot territory, then it will never happen, by definition.

Oh, sorry, that's not what I meant to say. To be less vague, 'Practical P=NP is a very real possibility' is fine. 'Practical P=NP is a very real possibility (I am just testing a new algorithm)' is crackpot territory.

> But regardless, it's important to realize that modern cryptography relies on a hypothesis. It might be effectively true for now, but it might not in the future.

Different parts of modern cryptography rely on different sets of hypotheses. Eg the discrete logarithm problem being hard for some specific groups is one popular hypothesis.

> In theory, yes, in practice, there is a pretty big difference [...]

That's a valid point, but to make that point the approach you defend has to be more mathematically rigorous.

Basically, if you say '(I am just testing a new algorithm)', then that algorithm better be fast in order to convince anyone. Otherwise, you say something like 'I'm working on a proof for my new approach.' or 'I'm working proving sub-exponential runtime for a new algorithm'.

Ideally, if you don't want to be a crackpot, it helps to be well versed with the literature, and what has been done before and why it does or doesn't work.

(The former is especially important, if you want to claim you have a new proof for P != NP, because researchers have already formally ruled out lots of different approaches; so you better be able to explain why your approach does not fall under any of the ones that have already been proven not to work.)

> Oh, that's not what I meant to say at all.

I see. I didn't really wanted to claim anything (or much) in this respect. I am working on a "candidate algorithm", that I believe could be in P with low degree (o(n^8)). (And if it's not in P, I think it will be very useful to understand WHY it is not; that's one of several reasons why I am testing it.) The reasons why I believe it's in P are complicated (I would have to describe the method), and I didn't wanted to go into that. Still, that's why people should take P=NP as a real possibility.

AFAICT my approach is novel, but if some expert genuinely wants to help me understand where it is not novel, I will gladly explain how it works.

OK, that sounds a lot more reasonable.

I'm assuming you are working on solving some NP-hard problem?

> And if it's not in P, I think it will be very useful to understand WHY it is not; [...]

Yes, that's a good approach!

Btw, I spent quite a few years on and off trying to resolve the following question https://cstheory.stackexchange.com/questions/41251/simulate-... "Can you 'simulate' a heap in linear time?"

I would have been equally happy to find an algorithm that works in linear time, or to prove that it's not possible.

Last year I finally found the linear time algorithm.

> AFAICT my approach is novel, but if some expert genuinely wants to help me understand where it is not novel, I will gladly explain how it works.

I'd be happy to take a look.

> I'm assuming you are working on solving some NP-hard problem?

Yes, my choice of the problem is 2XSAT, which is a SAT class whose instances have clauses from 2-SAT and XORSAT. I proved (and I think that's where it becomes novel) that this class is NP-complete. This leads me to believe there is a clever generalization of polynomial algorithms for 2-SAT and XORSAT, and that's the subject of my interest.

The trouble is, algorithms for 2-SAT and XORSAT are wildly different. My first attempt to unify them, half a year ago, has failed. Since then I have made a lot of progress on the theory; now I have another candidate algorithm which generalizes them, and I am about to test it.

> Yes, that's a good approach!

I know, but it gets even better. I roughly follow what Krom did with 2-SAT in 1967. And it turns out, even if your attempt at polynomial algorithm turns out to be incorrect, the character of the exponential blow-up gives you at least some hint of what you need to fix.

> I'd be happy to take a look.

I wish I had written more on it, but the research got priority. For two months now, I am sitting on blogpost draft that outlines 2/3 of my strategy, as well as half of a proper paper; I was waiting if I can somehow conclude with a candidate algorithm, but I don't really have yet that written down in a formal way (it's new so some understanding needs to happen). I'll probably publish the blogpost as it is, and the actual algorithm (if the test implementation works out reasonably well) later as another blogpost. If you're still interested, I will send you an email when I publish the first part, probably this weekend, and you can tell me what you think.

Yes, I'm interested. There's an email address in my profile here.

My academic background is more on linear optimisation (and integer and combinatorial optimisation), but looking more into the various flavours of SAT would also be interesting.

I'm not sure whether I agree or not, as without cryptography the only way to have a private discussion with someone, which I think is equally important to transparency, as people usually are "transparent" about personal stuff with close friends/family members only under the condition that other people don't have access to the information, would be to have such conversation in person behind closed doors. Which it isn't always easy, think people living far apart. Consider also that having no cryptography isn't by itself enough to have a transparent government: they can still lock important documents in a physically secure place and have a long jail sentence as a deterrent for people thinking about leaking them.

> Consider also that having no cryptography isn't by itself enough to have a transparent government: they can still lock important documents in a physically secure place and have a long jail sentence as a deterrent for people thinking about leaking them.

But here you say that: Security can depend on social contract and not technology. But the same argument can be applied to your original objection. We can mandate (in the social contract) that people have the right to privacy. (And there are some analogs where we do that, for example, we could have Gattaca-like dystopia where people's access to health care is based on genetics, yet all developed countries have a ban on such discrimination.)

I think it's far more dangerous that the government or adversary is technologically capable of being non-transparent than if ordinary people don't have capability to be non-transparent. It's because I believe power ultimately thrives on information asymetry, and the encryption only amplifies this asymetry.

> It's because I believe power ultimately thrives on information asymetry, and the encryption only amplifies this asymetry.

Quite the opposite, I find. In fact, the government has the infrastructure and political power necessary for surveillance of people. The reverse is definitely not true. Regardless, assume you are in an authoritarian state with a powerful state police: how would you even attempt fighting it if you do not have a way of coordinating with the other people being oppressed? How can you trust communications if the government can interfere?

I simply don't believe that in an actual authoritarian state, private (Internet) communications are a neccessity for fighting back. I was born in Czechoslovakia, and if I look at what actual dissidents did, it seems that once your goal is to fight back, you just have to get used to that you're gonna be surveilled no matter what. Because if you want to convince many others that the system is oppressive, you will have to make yourself known. Vaclav Havel discusses some of the strategies in the Power of the Powerless, and it also goes to Gramsci, who observed that it's mostly ideology that keeps the systems of power.

I think privacy is important in democracy, but if you're taking on an authoritarian state, that some police knows what you had yesterday for dinner, that's the least of your problems.

To clarify: The harsh truth is, in an authoritarian state, the police doesn't really need your communications; they already know what you're up to: no good. That's enough for some of them to justify any action they want against you.

I am going to be pedantic as i am perfectly aware that you do not mean it this way but here we go:

> Security can depend on social contract and not technology.

Social contracts are technology, laws are technology, law as a concept is technology, Society is technology.

If you really want to be pedantic, you should recognize there is a difference between technology as implemented (the social contract as it's implemented now) and choice of technology (all the different ways how the social contract could be different, reflecting history and geography).

This is an insane take. If encryption is broken I _guarantee_ that the public will still be as in-the-dark as they are now. The government (and telcos) are the only ones who control the infrastructure needed to inspect this kind of traffic.

I am not suggesting that, in an encryption-free world, the advantage for the public is in being able to inspect all government traffic. Rather, it makes it easier for whistleblowers to bypass the government protections and get relevant documents that cover some atrocities.

I really like Assange's essay on the topic, where he describes that every big operation requires a sort of paper or document trail (which is used to coordinate many people), and this fact makes whistleblowing always an option.

However, I believe, encryption (and related things like trusted computing) helps to minimize the exposure of this trail even to internal actors, and in doing so, it makes whistleblowing more difficult.