
Topic: Bitcoin’s race to outrun the quantum computer (Read 1524 times)

legendary
Activity: 1904
Merit: 1277
^^
Thanks, that looks like the sort of thing I was after. I'll have a read through it tomorrow. Not sure how I missed it.
Every other quantum thread on here is full of my own posts; rare to find one that isn't!
mda
member
Activity: 144
Merit: 13
I've been looking for later news on the web, but not found much. Presumably (hopefully) the discussion has moved on considerably since 2016. If anyone is familiar with the latest discussions on this topic, please respond in this thread!

I'm unsure if it counts as a considerable move but my imagination has stopped there.

https://bitcointalksearch.org/topic/m.52769870
legendary
Activity: 1904
Merit: 1277
Yes, sooner or later a QC will be developed that can run Shor to break public key cryptography. ECDSA is utterly insecure. Private keys can be derived from public keys. A solution is obviously needed in advance of such a QC becoming available. The problem here is that all coins will have to be moved to quantum-proof addresses. What happens to those coins that (for whatever reason) aren't moved? Do we leave them to be stolen by a QC, wreaking havoc and potentially destroying all of crypto? This is not hyperbole; it's a genuine threat. Or do we burn them before they can be stolen? It's a hugely contentious issue that goes right to the heart of bitcoin, cryptocurrencies, and decentralisation.

Theymos, ahead of the (elliptic) curve, posted about this back in 2016 (quote below). The thread that this triggered on bitcointalk was full of misunderstanding and outrage, and is perhaps indicative of the scale of opposition that such a move to QC-safe cryptography will face.

I've been looking for later news on the web, but not found much. Presumably (hopefully) the discussion has moved on considerably since 2016. If anyone is familiar with the latest discussions on this topic, please respond in this thread!

Quote
Edit: To be absolutely clear: I am not proposing (and would never propose) a policy that would have the goal of depriving anyone of his bitcoins. Satoshi's bitcoins (which number far below 1M, I think) rightfully belong to him, and he can do whatever he wants with them. Even if I wanted to destroy Satoshi's bitcoins in particular, it's not possible to identify which bitcoins are Satoshi's. I am talking about destroying presumably-lost coins that are going to be stolen, ideally just moments before the theft would occur.

This issue has been discussed for several years. I think that the very-rough consensus is that old coins should be destroyed before they are stolen to prevent disastrous monetary inflation. People joined Bitcoin with the understanding that coins would be permanently lost at some low rate, leading to long-term monetary deflation. Allowing lost coins to be recovered violates this assumption, and is a systemic security issue.

So if we somehow learn that people will be able to start breaking ECDSA-protected addresses in 5 years (for example), two softforks should be rolled out now:

One softfork, which would activate ASAP, would assign an OP_NOP to OP_LAMPORT (or whatever QC-resistant crypto will be used). Everyone would be urged to send all of their bitcoins to new OP_LAMPORT-protected addresses.

One softfork set to trigger in 5 years would convert OP_CHECKSIG to OP_RETURN, destroying all coins protected by OP_CHECKSIG. People would have until then to move their BTC to secure addresses. Anyone who fails to do so would almost certainly have lost their money due to the ECDSA failure anyway -- the number of people who lose additional BTC would be very low. (There might be a whitelist of UTXOs protected by one-time-use addresses, which would remain secure for a long time.)
https://www.reddit.com/r/Bitcoin/comments/4isxjr/petition_to_protect_satoshis_coins/d30we6f/
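Added example (not part of the thread and not Bitcoin code): a minimal Lamport one-time signature over SHA-256, the kind of hash-based scheme the quoted post's hypothetical OP_LAMPORT alludes to. It relies only on hash preimage resistance rather than the discrete-log problem that Shor's algorithm solves, and `exposed_positions` shows why each key may sign only once. All function names and sample messages are constructed for illustration.

```python
import hashlib
import secrets

N_BITS = 256      # one secret pair per bit of the SHA-256 message digest
SECRET_LEN = 32   # bytes per secret preimage


def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def keygen():
    """Return (private, public): 256 pairs of random secrets and their hashes."""
    private = [(secrets.token_bytes(SECRET_LEN), secrets.token_bytes(SECRET_LEN))
               for _ in range(N_BITS)]
    public = [(H(s0), H(s1)) for s0, s1 in private]
    return private, public


def digest_bits(message: bytes):
    """Bits of SHA-256(message), most significant bit first."""
    d = H(message)
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(N_BITS)]


def sign(private, message: bytes):
    """For each digest bit, reveal the secret that corresponds to its value."""
    return [private[i][bit] for i, bit in enumerate(digest_bits(message))]


def verify(public, message: bytes, signature) -> bool:
    """Hash every revealed secret and compare with the published hash."""
    if len(signature) != N_BITS:
        return False
    ok = True
    for i, bit in enumerate(digest_bits(message)):
        ok &= secrets.compare_digest(H(signature[i]), public[i][bit])
    return ok


def exposed_positions(messages) -> int:
    """Count digest positions where signing all `messages` with ONE key
    would reveal both secrets of the pair. Any non-zero count means the
    key has lost its one-time guarantee and forgeries become possible."""
    seen = [set() for _ in range(N_BITS)]
    for m in messages:
        for i, bit in enumerate(digest_bits(m)):
            seen[i].add(bit)
    return sum(1 for s in seen if len(s) == 2)


def sizes():
    """Byte sizes of this construction, for comparison with ECDSA."""
    return {"signature": N_BITS * SECRET_LEN,
            "public_key": 2 * N_BITS * SECRET_LEN}


if __name__ == "__main__":
    # Constructed sample messages, not real transactions.
    msg = b"constructed sample: move coins to a new address"
    priv, pub = keygen()
    sig = sign(priv, msg)
    print("valid signature accepted:", verify(pub, msg, sig))
    print("altered message accepted:", verify(pub, b"altered message", sig))
    print("sizes in bytes:", sizes())
    print("pairs fully exposed after 1 signature:", exposed_positions([msg]))
    print("pairs fully exposed after 2 signatures:",
          exposed_positions([msg, b"a second message"]))
```

The signature is 8192 bytes and the public key 16384 bytes in this form, which is the practical cost of such a migration compared with an ECDSA signature of roughly 70 bytes.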
full member
Activity: 224
Merit: 120
Quantum chip solves ‘travelling salesman’ problem for 22 cities
https://www.electronicsweekly.com/news/research-news/quantum-chip-solves-travelling-salesman-problem-22-cities-2020-01/
'''According to the university, this is “something that would take about 1,200 years for a high-performance von Neumann CPU”, but the chip “can solve the travelling salesman problem for 22 cities instantly” until now using quantum processing it “has only been able to solve the travelling salesman problem involving a maximum of 16 cities”.
A quantum annealing computer is not a full-blown quantum computer, of the type that could crack encryption for example, which no one has yet made – or if they have, they are keeping quiet about it.'''

It's an interesting development, but yes, a quantum annealing computer can't be used to break cryptography, and will never threaten bitcoin. The annealing approach is more for problems where there are a huge number of possible solutions, and we're just looking for one that is sufficient out of that multitude of possibilities.

The biggest threat to bitcoin from quantum computing, as I've outlined previously, is the use of Shor's algorithm against re-used addresses:

My opinion:
Quantum computers will surprise the Bitcoin community..


My opinion is actually the exact opposite. I think that crypto developers, certainly for the big coins, and most definitely for bitcoin, are well aware of potential threats from quantum computers, and are actively developing safeguards.
We've covered previously and in considerable depth what QCs can and can't do. Asymmetric cryptography is massively vulnerable, but symmetric cryptography far less so - particularly AES256, as discussed above. It's a common misconception, perpetuated by mainstream media, that QCs instantly break all types of cryptography in all circumstances, when that is clearly not the case. QCs are great for certain specific types of problem, but it's technology, not magic, and it has limitations.

I am some random uninformed idiot posting opinions on a web forum, and even I am aware of what QCs can and can't do, and of the nature of their potential threat to cryptocurrencies in certain situations. People far smarter than me are developing these coins, and I'm absolutely certain that they are on top of the QC question. This is why I am convinced that the threat of QCs will not come as a surprise.
----------------------------
What exactly are the dangers of quantum computing today, which is not there now, but can be tomorrow?
It's very simple and consistent.
My answer is this.

I'll talk about global danger, the danger to most cases, not to one person.

All protection protocols, we will talk only about cryptographic methods of protection, built on a principle:
1. Asymmetric cryptography is the first step in any protocol to agree on a common session key for symmetric cryptography.
2. The second step is symmetric cryptography encryption, where secrets are encrypted securely (AES).

Why is a quantum computer that will work in the distant future dangerous today?

Because all of our encrypted messages are stored.
Details:
- those encryptions that are very interesting - stored many times, it's communication between interesting and big people of our time;
- all other messages are also stored, just in case, they can be interesting, probably.

Now how quantum cheaters will work:
1) they will only crack the first stage of the encryption protocol - only asymmetric cryptography, where the shared session encryption key was encrypted. That's it.
2) They use the resulting key to quietly read the AES cipher, the second step of the encryption protocol.

And now, everything falls into place: AES-256, the symmetric system, is not cracked, and RSA (with any length of key) or ECC (with any length of key), the asymmetric system is cracked without a doubt, even by very weak, first quantum computers.

That's why everyone is so concerned, that's why post quantum asymmetric encryption systems are already needed.

Yes, not all people encrypt good messages; there are many who lead two lives at once, and one of those lives is very bad.
But the bad thing is that those who read and decide what's bad and what's good will be guys with the same questionable reputation as the first ones.

Here is the real vulnerability of all the key encryption methods: everything secret, sooner or later, becomes known and not secret.

New keyless encryption systems are completely devoid of this vulnerability.
legendary
Activity: 1904
Merit: 1277
Quantum chip solves ‘travelling salesman’ problem for 22 cities
https://www.electronicsweekly.com/news/research-news/quantum-chip-solves-travelling-salesman-problem-22-cities-2020-01/
'''According to the university, this is “something that would take about 1,200 years for a high-performance von Neumann CPU”, but the chip “can solve the travelling salesman problem for 22 cities instantly” until now using quantum processing it “has only been able to solve the travelling salesman problem involving a maximum of 16 cities”.
A quantum annealing computer is not a full-blown quantum computer, of the type that could crack encryption for example, which no one has yet made – or if they have, they are keeping quiet about it.'''

It's an interesting development, but yes, a quantum annealing computer can't be used to break cryptography, and will never threaten bitcoin. The annealing approach is more for problems where there are a huge number of possible solutions, and we're just looking for one that is sufficient out of that multitude of possibilities.

The biggest threat to bitcoin from quantum computing, as I've outlined previously, is the use of Shor's algorithm against re-used addresses:

My opinion:
Quantum computers will surprise the Bitcoin community..


My opinion is actually the exact opposite. I think that crypto developers, certainly for the big coins, and most definitely for bitcoin, are well aware of potential threats from quantum computers, and are actively developing safeguards.
We've covered previously and in considerable depth what QCs can and can't do. Asymmetric cryptography is massively vulnerable, but symmetric cryptography far less so - particularly AES256, as discussed above. It's a common misconception, perpetuated by mainstream media, that QCs instantly break all types of cryptography in all circumstances, when that is clearly not the case. QCs are great for certain specific types of problem, but it's technology, not magic, and it has limitations.

I am some random uninformed idiot posting opinions on a web forum, and even I am aware of what QCs can and can't do, and of the nature of their potential threat to cryptocurrencies in certain situations. People far smarter than me are developing these coins, and I'm absolutely certain that they are on top of the QC question. This is why I am convinced that the threat of QCs will not come as a surprise.
newbie
Activity: 18
Merit: 0
Elon Musk's priority is public utility.
By this I mean space transport
human transport
goods transport
..
so I don't see Elon getting in on the QC game..


VOLKSWAGEN CARRIED OUT THE WORLD'S FIRST PILOT PROJECT FOR TRAFFIC OPTIMIZATION WITH A QUANTUM COMPUTER
https://www.quantaneo.com/Volkswagen-carried-out-the-world-s-first-pilot-project-for-traffic-optimization-with-a-quantum-computer_a366.html

Ford and Microsoft pilot quantum-inspired routing to reduce congestion
https://www.intelligenttransport.com/transport-news/93711/ford-microsoft-pilot-quantum-inspired-routing-reduce-congestion/

Microsoft and Ford try using quantum-style computing to solve Seattle’s traffic problem
https://www.geekwire.com/2019/microsoft-ford-try-using-quantum-style-computing-solve-seattles-traffic-problems/


In the future: no optimized transportation without quantum computers
Re: Is Elon Musk developing a quantum computer?

Quantum chip solves ‘travelling salesman’ problem for 22 cities
https://www.electronicsweekly.com/news/research-news/quantum-chip-solves-travelling-salesman-problem-22-cities-2020-01/
'''According to the university, this is “something that would take about 1,200 years for a high-performance von Neumann CPU”, but the chip “can solve the travelling salesman problem for 22 cities instantly” until now using quantum processing it “has only been able to solve the travelling salesman problem involving a maximum of 16 cities”.
A quantum annealing computer is not a full-blown quantum computer, of the type that could crack encryption for example, which no one has yet made – or if they have, they are keeping quiet about it.'''


My opinion:
Quantum computers will surprise the Bitcoin community..
full member
Activity: 224
Merit: 120
But the Vernam cipher method still needs that original authentication to start things off, right? I'll concede it may be me not understanding it properly, but the paper seems to skim over that a bit. If you have that initial 100% secure channel for authentication, then just use that for everything, you don't need anything else.
------------------
I think that as in the optical implementation of the OTP method, and just as in the QKD method, and just as in any other encryption method, there is always the issue of second party authentication. It is a question of verifying the other side of the communication.

But I do not think that the issue of authentication and the issue of having a closed, secret channel are the same thing.
Just the opposite, authentication must be done over an open channel in order to verify the originality of the conversation partner. If this confidence appears, then a closed channel based on encryption is established with the help of some kind of cryptography.

So, you're right, and the description of this method explicitly refers to the question of authenticating the conversation partner.

Now let's analyze what solutions we have now on this crucial issue.

We have numeric identifiers that are formed from either:
- A password that only the original interlocutor (Alice or Bob) presumably knows;
- biometrics, which ultimately always takes the form of a numeric code, a numeric identifier;
- keys that are not transmitted in the same pure form as a password or other, but as a numeric code obtained by a one-way cryptographic function;
- and so on.

And what is it in essence? A constant digital code (one or more), a digital identifier.

All these technological rudiments can be successfully used both in optical OTP, and in all advertised QKD.

All of them have the same drawback, from which neither quantum technology nor post quantum cryptography saves, it is a constant digital identifier.

Attacks are all similar as two drops of water, only come to us from different sides, always the same thing happens:
- stealing our digital identifiers;
- passwords;
- keys.

These attacks are only possible for one reason - because of the constant constants that identify us, identifying one user from the multitude of others.

Getting out of this enchanted circle, I see only one thing - variable numeric identifiers.
For example, your identifier has 256 bits of binary code.
If it changes all the time, but in such a way that only the party that has formed a closed channel with you knows about it (of course with normal encryption, not with quantum technological rudiments that are promoted and prepared for sale), meaning it changes synchronously, then stealing it makes no sense.

And if your ID changes when you send each new packet of data, no one will ever even think about attacking your personal data.

I think that this kind of technology is possible, and the future belongs to it.
I call them: Keyless encryption and passwordless authentication technologies.
As an example of how to demonstrate the theoretical feasibility of such a communications channel and such technologies, I developed my own version, tested it, and came to the conclusion that it is not a utopia.
legendary
Activity: 1904
Merit: 1277
I thought you were in a hurry to jump to conclusions.
No, I read the article through a couple of times. It's an OTP approach, and I maintain that it is similar to BB84 QKD. It's a classical version of QKD.
I know it's not quantum cryptography, I'm saying it's a classical version of it. It's cleverly done, yes, but I think it has drawbacks...

This method excludes all the disadvantages of quantum cryptography, which in practice will have a function of key distribution for symmetric encryption systems.
But the Vernam cipher method still needs that original authentication to start things off, right? I'll concede it may be me not understanding it properly, but the paper seems to skim over that a bit. If you have that initial 100% secure channel for authentication, then just use that for everything, you don't need anything else.

Quantum cryptography is very slow, very capricious, very resource-intensive.
Quantum cryptography is early in development. Yes, there are some huge technical hurdles, and likely we are decades away from full implementation for everyday users. Which is why post-quantum cryptography is also important.

I remain skeptical of the OTP method though, for the reason given above.
full member
Activity: 224
Merit: 120
The entire security system today, these are key encryption systems and password authentication technologies.

Scammers, government, corporations are the ones on the other side, not ours. We're the victim to them, they're hunting us, we're defending ourselves against them. It's the real picture.

They're not hacking into cryptography, they take our keys and passwords and use them.

What was suggested above is encryption systems where the keys are variables, not stored, not used twice and not transmitted over any communication channels.
Option 1 is an almost keyless system:
https://www.nature.com/articles/s41467-019-13740-y
Option 2 is a completely keyless system:
https://bitcointalksearch.org/topic/keyless-encryption-and-passwordless-authentication-5204368

They have the future behind them.
And today:
Penetration and surveillance systems are evolving.
There is an accumulation of data on all users without exception.

Such exotic attack vectors are also used to capture information about passwords and keys:
- the level of power consumption;
- the sound of keystrokes (the information is taken remotely from window panes - by laser);
- electromagnetic background of the monitor, allowing at a distance (about 300 meters) to determine the area of the mouse movement on the screen or move the active items "menu" windows;
- modulation of electromagnetic radiation at the points of mechanical contacts of electrical connectors (for example, a 3.5 jack from a headset inserted into the device, modulates the useful signal to the frequency of radiation of the device processor and successfully demodulates at a distance);
- removing information from the LED light bulb to signal system access to the PC hard drive (via a hidden spyware pre-installed on the PC. This is what the Israeli security services did with the help of a drone helicopter, which captures information through a window from the LED winchester at speeds up to 6000 bits per second);
- a two-way communication channel established by means of ultrasound through conventional acoustic devices - speakers, a portable device or a personal computer.
Interestingly, a normal speaker, notebook, even a modern smartphone, is able to not only emit in the ultrasonic range (above 22 kHz), but also act as a microphone for such signals.

In general, the situation with our personal security is not only bad, but it is also deteriorating.

That's why, when developing keyless encryption technology, all possible attacks on third-party channels should be taken into account.
full member
Activity: 224
Merit: 120
I agree with all your comments.
Excellent! Finally our discussion across multiple threads reaches a consensus :)

Except for one, one.
Damn it.


There is reliable, absolutely reliable cryptography, in the absolute sense. It's Vernam's cipher.
It's the only cipher for which there's evidence of its 100% reliability [...]
The first cryptosystem I did not give a link to, here it is, I really like it:
https://www.nature.com/articles/s41467-019-13740-y

Aha, yes, one-time pad stuff... which brings us back to quantum cryptography and QKD.



It's an inventive approach, but I'm not convinced of how this is better than the quantum alternative, BB84 QKD. I don't think OTPs are the answer here. An OTP by itself and used properly is secure, but the key needs to be shared in a 100% safe way. And if you have a means to share the key 100% safely, then you just use that method and there is no need for the OTP. Quantum entanglement is the 100% safe method (sorry, I wanted to focus on PQC and not return to quantum cryptography again!).
But we still have vulnerabilities so long as we have external classical dependencies.


No modern cryptographic system has any proof of its crypto stability, and that proof cannot be, because the principles of encoding them - so to speak, are more cunning than reliable.
Yes, agreed. AES256 looks secure against a Grover attack, so is likely safe in the medium-term, but longer term, who knows? Longer term the solution I still contend is likely to use some quantum mechanical mechanism such as entanglement to create fundamental 100% security, the big caveat here being that our understanding of quantum mechanics may change, and new possibilities and challenges in physics may present themselves...

"I think I can safely say that nobody understands quantum mechanics." Richard Feynman knew what he was talking about. The maths is one thing, but it's an abstraction, it only helps us so far in understanding QM from a human perspective.


-----------------
I thought you were in a hurry to jump to conclusions. If you don't just study the scheme, but read the description of this method, let's call it OTP, it clearly says that it's not quantum cryptography at all (as I call it - "photonic bond"), on the contrary, it's the opposite of quantum cryptography.

This method excludes all the disadvantages of quantum cryptography, which in practice will have a function of key distribution for symmetric encryption systems.

For true cryptography, it is not suitable. It can be used as cryptography, but it's like going to rent a huge truck and carry a desktop computer on it. It's stupid. It looks ridiculous.

Quantum cryptography is very slow, very capricious, very resource-intensive.

And OTP completely eliminates these drawbacks, it's super fast, it works near light speed, it's super reliable, the only proven method in the history of cryptography, many orders of magnitude more reliable than AES with any key length.
In order to agree on a common key, the parties do not need to meet or transfer it over communication channels, or store it.

It is fantastic, it is real, it is the present future of modern cryptography, it is super-reliable, it has no drawbacks.

This isn't your "quantum key transmission", it's snail-speed. It's an old 1980s method. There were already successful experiments back then. But people thought back then, they could still think, not point their finger at the smartphone screen.

And vice versa, the OTP method is a modern method.
It's a technological way of developing cryptography.

But do not forget about the logical path of cryptography, because it is a program that everyone can put on your smartphone, with almost the same level of encryption reliability, but still get a plus:
- two-way, continuous, 100% accurate authentication;
- full match of the decrypted and encrypted message, up to 1 bit accuracy;
- alternative non-scalable blockchain;
- hiding the transmission or reception of information from an unauthorized observer;
- instant verification of any amount of information;
- many other things that no technological cryptographic method can do. 

No technological way of developing cryptography provides uninterrupted authentication. Only trust, or again, keys, passwords.

Our method has no keys and no passwords, no shortcomings.
 
legendary
Activity: 1904
Merit: 1277
I agree with all your comments.
Excellent! Finally our discussion across multiple threads reaches a consensus :)

Except for one, one.
Damn it.


There is reliable, absolutely reliable cryptography, in the absolute sense. It's Vernam's cipher.
It's the only cipher for which there's evidence of its 100% reliability [...]
The first cryptosystem I did not give a link to, here it is, I really like it:
https://www.nature.com/articles/s41467-019-13740-y

Aha, yes, one-time pad stuff... which brings us back to quantum cryptography and QKD.



It's an inventive approach, but I'm not convinced of how this is better than the quantum alternative, BB84 QKD. I don't think OTPs are the answer here. An OTP by itself and used properly is secure, but the key needs to be shared in a 100% safe way. And if you have a means to share the key 100% safely, then you just use that method and there is no need for the OTP. Quantum entanglement is the 100% safe method (sorry, I wanted to focus on PQC and not return to quantum cryptography again!).
But we still have vulnerabilities so long as we have external classical dependencies.


No modern cryptographic system has any proof of its crypto stability, and that proof cannot be, because the principles of encoding them - so to speak, are more cunning than reliable.
Yes, agreed. AES256 looks secure against a Grover attack, so is likely safe in the medium-term, but longer term, who knows? Longer term the solution I still contend is likely to use some quantum mechanical mechanism such as entanglement to create fundamental 100% security, the big caveat here being that our understanding of quantum mechanics may change, and new possibilities and challenges in physics may present themselves...

"I think I can safely say that nobody understands quantum mechanics." Richard Feynman knew what he was talking about. The maths is one thing, but it's an abstraction, it only helps us so far in understanding QM from a human perspective.

full member
Activity: 224
Merit: 120
I agree with all your comments.
Except for one, one.

There is reliable, absolutely reliable cryptography, in the absolute sense. It's Vernam's cipher.
It's the only cipher for which there's evidence of its 100% reliability, C. Shannon, 1945.

It has been used for over 120 years and (attention) is still used today. The most secret diplomatic and other messages are still sent only by the Vernam code!

No AES with any length of key, about asymmetric systems I am silent at all, categorically forbidden.

The thing is that modern cryptography has appeared as an alternative to Vernam's cipher.

No modern cryptographic system has any proof of its crypto stability, and that proof cannot be, because the principles of encoding them - so to speak, are more cunning than reliable.

The 2 versions of cryptographic systems that I mentioned at the end of last post use Vernam's cipher. But they're not used anywhere yet. It's not time.

The first cryptosystem I did not give a link to, here it is, I really like it:
https://www.nature.com/articles/s41467-019-13740-y
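Added example (not from the thread or the linked paper): the Vernam cipher discussed in the posts above, showing the two properties the argument turns on. A ciphertext is consistent with every plaintext of the same length, which is the perfect-secrecy result attributed to Shannon, and that guarantee needs a pad as long as the message that is never used twice. Function names and sample plaintexts are constructed for illustration.

```python
import secrets

# Constructed sample plaintexts of equal length (18 bytes each).
P1 = b"MOVE COINS AT 0900"
P2 = b"HOLD COINS TILL 17"


def xor(a: bytes, b: bytes) -> bytes:
    """Byte-wise XOR; the pad must be exactly as long as the message."""
    if len(a) != len(b):
        raise ValueError("pad and message must have the same length")
    return bytes(x ^ y for x, y in zip(a, b))


def new_pad(length: int) -> bytes:
    """Fresh uniformly random pad. Both parties must already share it,
    which is the key-distribution problem raised in the replies."""
    return secrets.token_bytes(length)


def encrypt(pad: bytes, plaintext: bytes) -> bytes:
    return xor(pad, plaintext)


def decrypt(pad: bytes, ciphertext: bytes) -> bytes:
    return xor(pad, ciphertext)


def pad_explaining(ciphertext: bytes, candidate: bytes) -> bytes:
    """Return the pad under which `ciphertext` decrypts to `candidate`.
    One exists for every candidate of the same length, so the ciphertext
    alone gives an observer no way to prefer one plaintext over another."""
    return xor(ciphertext, candidate)


def reuse_leak(c1: bytes, c2: bytes) -> bytes:
    """If one pad encrypted both messages, the pad cancels out and the
    result equals plaintext1 XOR plaintext2: the guarantee is gone."""
    return xor(c1, c2)


if __name__ == "__main__":
    pad = new_pad(len(P1))
    c1 = encrypt(pad, P1)
    print("round trip ok:", decrypt(pad, c1) == P1)

    # The same ciphertext "decrypts" to P2 under a different, equally
    # likely pad, so no amount of computation identifies the real message.
    other_pad = pad_explaining(c1, P2)
    print("ciphertext also fits P2:", decrypt(other_pad, c1) == P2)

    # Pad reuse: what an observer of both ciphertexts learns without the pad.
    c2 = encrypt(pad, P2)
    print("reuse leaks P1 xor P2:", reuse_leak(c1, c2) == xor(P1, P2))
```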
legendary
Activity: 1904
Merit: 1277
What you call "quantum cryptography", and that's what everyone calls it, is only needed to agree on common encryption keys for common symmetric cryptography, such as AES-256.
I definitely agree that the accepted term 'quantum cryptography' is a bit of a misnomer. In general it refers to quantum key distribution, so it's less about cryptography and more about using the laws of quantum mechanics to establish secure communication.


It's a wordplay - it's not cryptography, it's a way to generate the same keys for 2 people.
Sure. It's a way to generate a shared key that due to the underlying laws of physics cannot be hacked.


But all asymmetric modern systems are unreliable [...] All modern asymmetric systems will collapse at any key length.
I absolutely agree. From a quantum attack perspective, classical asymmetric cryptography is hugely vulnerable to Shor's algorithm.
But classical symmetric cryptography is vulnerable to Grover. Not to the same extent, but still there is a vulnerability.


You're wrong about the "quantum internet" being afraid of the "man in the middle" attack. This attack is only dangerous when it can be conducted invisibly.
You can't do it inconspicuously on the quantum internet.
This is a huge advantage of this method.
It depends how it's implemented, and what the external dependencies are, for example how the quantum channel is itself established. Work is ongoing and suggests that QKD can be secure, but the standard implementation isn't necessarily so, as assumptions of security are made. A variant of Kak's 3 stage model looks like it might be secure, but this needs to be confirmed. My point about MITM is really that whilst a quantum approach can in theory be 100% secure in a way that a classical approach cannot, it is still dangerous to assume that there are no vulnerable external dependencies.


They use AES-256 because it cannot be cracked by any quantum computer.
True at the moment. Grover reduces the time to crack it, but not significantly.

Post-quantum cryptography is very important, I agree with you wholeheartedly on that. My basic point is that a purely cryptographic defence can never be as absolutely and fundamentally secure as a defence that is based on the laws of physics.

Given the huge technical obstacles to creating a workable quantum cryptography that can be used by everyone, I agree with you that in the short- and medium-term, PQC is definitely the answer.

Long-term though? I would argue that using a quantum mechanical defence may provide a better solution.
full member
Activity: 224
Merit: 120
Quantum cryptography is what?
The transmission of information through the use of quantum states of a particle of light, a photon - it's understandable.
This is a photon Internet, which is proudly called "quantum Internet", although it has nothing to do with "quantum" itself, as elementary particles.
And there is no quantum cryptography, no interaction with quanta, encryption with quanta.
And what's quantum cryptography? I can't figure it out.
There's only post quantum cryptography, math.

What's quantum cryptography?

Hello again! We've discussed this on another thread, so I won't go into it in depth again, but I'll mention China's Micius satellite as an example of quantum cryptography in action. Micius is already enabling a (small) quantum internet. A pair of entangled photons is generated using an interferometer, and one photon is sent to each party in the communication. The quantum entanglement is the vital part of the encryption, the use of the laws of quantum mechanics to create the exchange of information: Quantum Key Distribution.

I will concede that whilst QKD removes some classical vulnerabilities, it does not remove them all: man-in-the-middle as an example.
But Micius is only the start. Other variants of quantum cryptography are also being advanced. Kak's 3 stage protocol for example (a quantum version of double-lock), a multi-photon variant of which is being developed to protect precisely against man-in-the-middle.

I am certainly not saying that post-quantum cryptography (classical cryptography used as a defence against quantum attack) is useless, it's not, it's extremely important.
But quantum cryptography (using the laws of quantum mechanics to implement cryptography) is important too.

Here's a time-lapse photo of Micius in action. https://cosmosmagazine.com/technology/the-quantum-internet-is-already-being-built


--------------------
What you call "quantum cryptography", and that's what everyone calls it, is only needed to agree on common encryption keys for common symmetric cryptography, such as AES-256. They use AES-256 because it cannot be cracked by any quantum computer.
It will be a post quantum symmetric system, so NIST, USA, decided.

It's a wordplay - it's not cryptography, it's a way to generate the same keys for 2 people.
China has developed this topic so well that it is already used in practice for banks, nowadays.
Why did this technology start developing?
Because the asymmetric encryption system (RSA, ECC) was performing this function, namely the function of matching the common key over a public channel for a symmetric encryption system.
But all asymmetric modern systems are unreliable.
This was a very controversial and very closed question until the threat of quantum computing appeared.
Today, for specialists, it is no longer a controversial issue, but a fact.
All modern asymmetric systems will collapse at any key length.
In fact, they have long been considered "conditionally reliable", but this is not what we are talking about.
The whole world, for many years now, has been looking for a reliable post-quantum asymmetric system.
For what?
Only for the main purpose of agreeing on a shared encryption key for symmetric systems.
As such a model, approved by NIST, is not yet on offer, they began to develop technologies of the last century (the Americans made the first such successful experiments in 1980) on a new element base.
It's a photon transmission of the polarization direction of the photon.
It is expensive, not convenient and it is not for those who have a smartphone, computer, tablet and ordinary Internet wi-fi. It's for VIPs. In addition, the option of fiber optic is a very slow Internet. But it's not cryptography in its normal sense.

You're wrong about the "quantum internet" being afraid of the "man in the middle" attack. This attack is only dangerous when it can be conducted invisibly.
You can't do it inconspicuously on the quantum internet.
This is a huge advantage of this method.

But there are other solutions.

1.
Here is the technological direction, and fast and reliable, and in no comparison with "quantum transmission":

"Science...
The new, non-hackable security system created by researchers at the King Abdullah University of Science and Technology (KAUST), the University of St Andrews and the Center for Unconventional Science Processes (CUP Sciences) aims to revolutionize communications privacy.

The essence of it is that the optical chip communicates over the fiber Internet with another optical chip, both chips have their own chaos, based on the second law of thermodynamics, the law of entropy, exchange through an open channel photons, different photons with different physical characteristics, the common encryption key is output as a digitization of the superposition of photon states at the output with the photon at the input. Simple, elegant. But the reliability of this method is that this key is calculated at both ends of the communication channel - and the channel is never transmitted.
Not only is it long enough to make a modulo 2 addition with the message itself. And this gives the Vernam class cipher, the only cipher for which absolute reliability in the absolute sense has been proven.

This was invented in the century before last (!), proved in the middle of the last century (!), all old reliable technologies - return in a new quality.

This is the technological way of cryptography development. It requires new chips and fiber optic cable between subscribers. But it will bury "quantum internet."

 2.
Two, not technological, but software. It's not worth anything.
It's not known, it doesn't claim to be laurels, but it works well for individuals, quietly and smoothly.
Here it is:
https://bitcointalksearch.org/topic/keyless-encryption-and-passwordless-authentication-5204368.
legendary
Activity: 1904
Merit: 1277
Quantum cryptography is what?
The transmission of information through the use of quantum states of a particle of light, a photon - it's understandable.
This is a photon Internet, which is proudly called "quantum Internet", although it has nothing to do with "quantum" itself, as elementary particles.
And there is no quantum cryptography, no interaction with quanta, encryption with quanta.
And what's quantum cryptography? I can't figure it out.
There's only post quantum cryptography, math.

What's quantum cryptography?

Hello again! We've discussed this on another thread, so I won't go into it in depth again, but I'll mention China's Micius satellite as an example of quantum cryptography in action. Micius is already enabling a (small) quantum internet. A pair of entangled photons is generated using an interferometer, and one photon is sent to each party in the communication. The quantum entanglement is the vital part of the encryption, the use of the laws of quantum mechanics to create the exchange of information: Quantum Key Distribution.

I will concede that whilst QKD removes some classical vulnerabilities, it does not remove them all: man-in-the-middle as an example.
But Micius is only the start. Other variants of quantum cryptography are also being advanced. Kak's 3 stage protocol for example (a quantum version of double-lock), a multi-photon variant of which is being developed to protect precisely against man-in-the-middle.

I am certainly not saying that post-quantum cryptography (classical cryptography used as a defence against quantum attack) is useless, it's not, it's extremely important.
But quantum cryptography (using the laws of quantum mechanics to implement cryptography) is important too.

Here's a time-lapse photo of Micius in action. https://cosmosmagazine.com/technology/the-quantum-internet-is-already-being-built

member
Activity: 1218
Merit: 10
Excuse me a complete "Quack".. Thank you, thank you..
member
Activity: 1218
Merit: 10
I might sound like a complete "space cadet" but I think there actually could be a way to mine the rest of Bitcoin in one swoop. It would probably ruin a lot of stuff but nonetheless it could probably be done.
full member
Activity: 224
Merit: 120
Quantum computers are not as far from life as we think. Look at Amazon's new services. Offer for commercial use. And why is everyone obsessed with these qubit calculators? Cryptography on elliptic curves has compromised itself for a long time, they just don’t write about it.
What new services offer quantum computers? I'm not sure what you're referring to, but Amazon does not offer anything even near the capabilities of a quantum computer. If the elliptic curves were compromised critically it would be an issue that would likely be put on top of the priority list. Elliptic curves, to my knowledge and that of many others, have not been compromised.

You make some good posts regarding Bitcoin, but a lot of it is scaremongering similar to the scaremongering tactics used by news outlets. Maybe not intentionally, but suggesting that elliptic curves have been compromised, and then later stating they have weaknesses is inaccurate. They have not been compromised, but they do have strengths, and weaknesses just like any other cryptography.
----------------
Yes, indeed, I have read a lot about cryptography on elliptic curves.

1. I learned that those who know a lot, they work for different unpopular organizations, they are always silent, and information about this knowledge and about these people is lost ...

2. I also learned that specially all modern cryptography is divided into 2 parts:
1) Household cryptography, those encryption systems that we know. They are allowed to be used by us, ordinary people; in unclassified matters;
2) State cryptography, the one that we are not allowed to use, and the government is obliged.

And I asked myself, why so?
More precisely, what is wrong with our everyday cryptography?

3. It is not clear why the NSA (USA) first ordered a study for British mathematicians, then hid all the materials for this study, and immediately banned the use of cryptography on elliptic curves in state secrets.
And this is despite the fact that only yesterday the NSA actively implemented ECC, despite the fact that not so long ago, the NSA bought all the patents for this system from 2 mathematicians.

4. Why are we assured of the reliability of asymmetric mathematical encryption systems without providing evidence of this reliability (evidence of the inability to solve the problem of discrete logarithm in fields of elliptic curves with a finite order of the field of numbers, which means discrete, point elliptic curves).

But I understand that if they know the secret, the weak point of this cryptography, then it is very beneficial for some that all ordinary people use and trust this cryptography.

And further, new questions ..

5. Why NIST does not even want to hear about ECC with an increased key length as a candidate for a post-quantum system.
Let me remind you that a key with a length of 521 bits ECC is equal to a reliability of 256 bits AES. But AES-256 remains a post-quantum system of the future, because no quantum computer will be able to completely enumerate a number of 256 bits.
But in ECC as much as 521 bits !!!
So, ECC breaks down not only with brute force attack, but also somehow, and that means mathematically !!!

Moreover, to increase the key length by 2 times in the ECC encryption paradigm is not a problem and a burden on modern processors.
However, they do not.
Moreover, they claim that this system (including RSA) breaks with any key length, if it breaks with a standard key length. This is not what I say, but people, professors in cryptography, people with a name, authorities in the world of encryption.

What does it mean?
Only one thing - these household systems are broken mathematically, by cryptanalysis.

6. I also learned (from a lecture by a respected mathematician-cryptographer) the following:
- some classes of elliptic curves are weak;
- if you look at the standard NIST curves, you can see that they are verifiable random;
- if you read the Wikipedia page about the principle "there is nothing in the sleeves", you will notice that:
1) random numbers for MD5 are obtained from the sine of integers.
2) random numbers for Blowfish are obtained from the first numbers $\pi$.
3) random numbers for RC5 are obtained from $e$ and the golden ratio.
These numbers are random because their numbers are evenly distributed. And they do not cause suspicion, because they have a justification.

Now the following question arises: where do the random generating values for the NIST curves come from?
Answer: unfortunately, we do not know.
These values have no justification.

Is it possible that NIST discovered a “significantly large” class of weak elliptic curves, tried various possible variants of generating values, and found a vulnerable curve? I can not answer this question, but it is a logical and important question.

What is the reason for this distrust of such a respected organization?
But on what:
“We know that NIST has at least successfully standardized a vulnerable random number generator (a generator that, oddly enough, is based on elliptic curves).

Perhaps he has successfully standardized many weak elliptic curves as well? How to check it? No way.

It is important to understand that “verifiable random” and “protected” are not synonyms. It doesn’t matter how complicated the logarithm task is or how long the keys are - if the algorithms are hacked, then there is nothing we can do.

In this regard, the RSA wins because it does not require special domain parameters that can be exploited. RSA (like other modular arithmetic systems) can be a good alternative if we cannot trust the authorities and if we cannot create our own parameters for the definition domain.

And if you're curious: yes, TLS can use NIST curves. If you check in google, you will see that when connecting, ECDHE and ECDSA are used with a certificate based on prime256v1 (aka secp256p1).

I am not a cryptographer and not a mathematician, not a scientist or a university teacher. No one is interested in my opinion and I have no authority.

But I do not consider myself an idiot and do not really trust the universal approved opinion of the herd. I try to draw conclusions.

If you are not tired of this topic, here are the arguments in my favor, the second post for December 4:
https://bitcointalk.org/index.php?topic=5204368.40
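The "nothing up my sleeve" derivations listed in the post above can be reproduced by anyone, which is what makes such constants verifiable. The following is an added example, not part of the original post: it rebuilds MD5's 64 round constants from the sine of integers and runs a full MD5 with them, then recomputes the RC5 constants from e and the golden ratio and the first Blowfish word from pi. All function names are my own.

```python
import math
import struct

# Per-round left-rotation amounts from the MD5 specification (RFC 1321).
S = [7, 12, 17, 22] * 4 + [5, 9, 14, 20] * 4 + [4, 11, 16, 23] * 4 + [6, 10, 15, 21] * 4

def md5_sine_constants():
    """K[i] = floor(2^32 * |sin(i + 1)|), i in radians: the 'sine of integers'."""
    return [int(abs(math.sin(i + 1)) * 2**32) & 0xFFFFFFFF for i in range(64)]

def _rotl(x, n):
    x &= 0xFFFFFFFF
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF

def md5_from_sines(message: bytes) -> str:
    """MD5 whose round constants are derived at run time, not copied from a table."""
    K = md5_sine_constants()
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    # Padding: a 1 bit, zeros up to 56 mod 64, then the 64-bit message length.
    msg = message + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", (8 * len(message)) & 0xFFFFFFFFFFFFFFFF)
    for off in range(0, len(msg), 64):
        M = struct.unpack("<16I", msg[off:off + 64])
        A, B, C, D = state
        for i in range(64):
            if i < 16:
                F, g = (B & C) | (~B & D), i
            elif i < 32:
                F, g = (D & B) | (~D & C), (5 * i + 1) % 16
            elif i < 48:
                F, g = B ^ C ^ D, (3 * i + 5) % 16
            else:
                F, g = C ^ (B | ~D), (7 * i) % 16
            F = (F + A + K[i] + M[g]) & 0xFFFFFFFF
            A, D, C = D, C, B
            B = (B + _rotl(F, S[i])) & 0xFFFFFFFF
        state = [(s + v) & 0xFFFFFFFF for s, v in zip(state, (A, B, C, D))]
    return struct.pack("<4I", *state).hex()

def rc5_magic_32():
    """RC5 P32/Q32: nearest odd integers to (e - 2) * 2^32 and (phi - 1) * 2^32."""
    def odd(x):
        n = math.floor(x)
        return n if n % 2 else n + 1
    phi = (1 + math.sqrt(5)) / 2
    return odd((math.e - 2) * 2**32), odd((phi - 1) * 2**32)

def blowfish_first_word():
    """First Blowfish P-array word: the first 32 fractional bits of pi."""
    return int((math.pi - 3) * 2**32)

if __name__ == "__main__":
    print(md5_from_sines(b"abc"))
    print([hex(v) for v in rc5_magic_32()], hex(blowfish_first_word()))
```

If a single sine-derived constant were off by one, the digests would no longer match the published MD5 test vectors, so the derivation is checked end to end.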
full member
Activity: 224
Merit: 120
One thing I don’t understand in the whole discussion; if RSA or ECC are compromised in the future, we can upgrade existing systems of course (and we’ll have to ... whole PKI will come tumbling down), but won’t this make dormant wallets vulnerable? How are we going to prevent someone stealing the funds from there? Otherwise that will cause a huge drop in the value of Bitcoin. We can’t put a wrapper or something around those wallets, right?

I am a tech guy, not an economist, so not sure if my reasoning makes sense!
------------------
It makes sense to be afraid, and this is a well-thought-out opinion of cryptography experts.
Not only that, it is openly spoken about by people who hold responsible positions in very well-known companies.

The situation here is complicated, because the cryptography itself on elliptic curves, on which the digital signature in Blockchain and Bitcoin is based, is weak and dangerous.
Read more about it here (second post of December 4):
https://bitcointalksearch.org/topic/keyless-encryption-and-passwordless-authentication-5204368

But the second part - SHA256 remains reliable even when attacked by a quantum computer.
Because no computer will make a full search of all possible variants of binary number 256 bits long.

But, smart people have already invented and released a currency based on post quantum encryption methods.
I don't want to advertise it, but if the quantum computer starts working (although there are other, more serious concerns about cryptanalysis), the price of this crypt will rise quickly.
full member
Activity: 224
Merit: 120
Quantum computers are not as far from life as we think. Look at Amazon's new services. Offer for commercial use. And why is everyone obsessed with these qubit calculators? Cryptography on elliptic curves has compromised itself for a long time, they just don’t write about it.
What new services offer quantum computers? I'm not sure what you're referring to, but Amazon does not offer anything even near the capabilities of a quantum computer. If the elliptic curves were compromised critically it would be an issue that would likely be put on top of the priority list. Elliptic curves, to my knowledge and that of many others, have not been compromised.

You make some good posts regarding Bitcoin, but a lot of it is scaremongering similar to the scaremongering tactics used by news outlets. Maybe not intentionally, but suggesting that elliptic curves have been compromised, and then later stating they have weaknesses is inaccurate. They have not been compromised, but they do have strengths, and weaknesses just like any other cryptography.
------------------
Quantum cryptography is what?
The transmission of information through the use of quantum states of a particle of light, a photon - it's understandable.
This is a photon Internet, which is proudly called "quantum Internet", although it has nothing to do with "quantum" itself, as elementary particles.
Photon networks do not allow information to be taken unnoticed.
That's it.
From the very theft of information - they do not protect.
It's safe to use them just because the theft is noticeable.
And they are only planned to be used to agree on a shared key for conventional symmetric encryption systems such as AES-256. This system is not being broken by any quantum computer, not even in the distant future.

Now the problem is that no modern asymmetric systems (rather than symmetric ones) can resist quantum computers. And these systems are needed only to coordinate the common secret key for symmetric encryption systems.
Without asymmetric systems, we all need to meet in person in order to send an encrypted message.
And if there are no asymmetric systems, the old photonic Internet, which today is called quantum (!), is offered as an alternative. And successful transmission in this way was long ago, 50 years ago. These are old technologies on new equipment.

And there is no quantum cryptography, no interaction with quanta, encryption with quanta.

The foreseeable future lies only in mathematical, logical encryption methods that work on ordinary computers. They're being looked for. There's a competition. They're called post quantum cryptography. By the way, AES-256 is already among the winners in the category of symmetric encryption systems. This system is not afraid of future quantum computers, it's not even afraid of computers from another planet where the most advanced civilization lives.

Why not? Because this system works with all the values of the key. And that means, if there are no mathematical methods of cracking, and there are none, you have to do a full search of binary code 256 bits long. And it's not possible, there's no such number of particles in the whole universe.
Besides, this algorithm doesn't load the processor.
That's why it's not a problem to make a key 512 bits long.

And how many times larger is 512 bits than 256 bits?
No, not twice, and I don't know how many times. It's a mystically large number.
But 257 bits is exactly twice as many as 256 bits.
You do the math from here.

Cryptography on elliptical curves can't just increase the length of the key and become post quantum. Why not?
Because such unreliable systems (asymmetric) break down mathematically by cryptanalysis. So they're not used in serious cases. But this system is used in blockchain and bitcoin.

And what's quantum cryptography? I can't figure it out.
There's only post quantum cryptography, math.