The big difference is that encryption based on computationally difficult (but not impossible) problems (i.e. factoring) should not be used to encrypt information that must remain secure long-term.
e.g. Say you have a highly sensitive secret that must remain secret not for just a few years, but decades or centuries. If you encrypt it using a factoring based scheme and then transmit it classically, an eavesdropper could take a copy of the encoded message without your knowledge. Whatever scheme it was encrypted with will then have to stand up to decades of advances in algorithms and computing technology. Quantum computers will probably break most currently used factoring-based schemes (including elliptic) eventually, and there's no guarantee that there exist no classical algorithms that could break such encryption with practical amounts of classical computation either. You should view anything encrypted and transmitted using factoring-based methods as having been broadcast publicly with an unspecified delay.
Quantum cryptography is unbreakable in theory, but is not without flaws in practical systems. However, the nature of communicating with quantum states (google the no cloning theorem) means that attacks must be known and used at the time your message is transmitted. An eavesdropper trying to listen in on quantum encrypted communications cannot archive coded messages to attack at his or her leisure. Attacks must be immediately successful or the message will remain secure for all time.
So, your credit-card info is probably safe to transmit using factoring based cryptography, since it changes every few years. Your medical records, or where you buried that body, are a different matter entirely!
Whatever scheme it was encrypted with will then have to stand up to decades of advances in algorithms and computing technology.
So will the block or stream cipher you encrypted the data with.
Quantum computers will probably break most currently used factoring-based schemes (including elliptic) eventually
That seems extremely optimistic to me. Given the current state of the technology, it's a little like an astronomer discovering a distant new star and then promising to open suntan parlors from its concentrated rays.
Try this thought experiment: For a given set of security and speed requirements, take the money you would spend on a pair of quantum key exchange devices and spend it instead on accelerator hardware for non-quantum ECDH operations. How much longer (and more secure and reliable) can we make the key exchange parameters with this conventional hardware within the same time limits?
The answer to your thought experiment is: I don't know.
That's the only correct answer, and the reason why you shouldn't use ECDH for long-term sensitive information. It's still a method based on computational difficulty. There's no proof that there isn't an algorithm that could efficiently break it on currently existing classical computers. One could be discovered in 50 years, tomorrow, or might already be in use in organizations like the NSA. Even if quantum computing weren't progressing in leaps and bounds (if you look at what is being done you might be very surprised), the possibility it presents is still there.
Again, I'm not talking about credit-card-transactions here. I'm talking about critical information that you don't want to gamble with. ECDH, however good it is, is a medium-term gamble and practically certain to be broken in the long-term.
The only truly safe alternative to QKD at present is the simple one-time-pad (a.k.a. Vernam cipher). i.e. The sender and receiver physically exchange random bit strings. In Canada we still see government agents carrying handcuffed briefcases around on commercial airlines a lot, and that's probably what they're full of. It may sound ridiculous to do this because you're relying on the loyalty of those agents, but security is ultimately a people problem no matter what technology you throw at it.
There's no proof that there isn't an algorithm that could efficiently break it on currently existing classical computers.
But we could also say that about the cipher used to encrypt the bulk message data.
I'm just saying that QC for the foreseeable future seems complicated, expensive, and fragile and at best only addresses one bit of the overall puzzle.
Again, I'm not talking about credit-card-transactions here.
That's always refreshing :-)
I'm talking about critical information that you don't want to gamble with. ECDH, however good it is, is a medium-term gamble and practically certain to be broken in the long-term.
You probably know some things I don't, but conventional and EC DH seem to be the more conservative choice to me whereas QC seems like it's barely out of the lab (i.e., we have less than a decade of real-world experience with it).
Re: The cipher for encryption of the message data:
One time pad. Inefficient, but guaranteed secure by mathematical proof if the key is secure. Google it.
QKD is far from ready for last-mile networks, but in principle it should be able to use existing fiber and have similar network topologies to what we currently have in classical networks. (e.g. It is possible to distribute entanglement through untrusted repeaters.) Your arguments against it are the same that were once applied to transistors or lasers.
As for ECDH, please reread what I posted earlier. If your information will not be sensitive after a decade or two it is perfectly fine. If the information will remain sensitive, it is unsuitable.
One time pad. Inefficient, but guaranteed secure by mathematical proof if the key is secure. Google it. QKD is far from ready for last-mile networks
The very term QKD as "Quantum Key Distribution" implies that the system we're discussing is good only for distribution of keys much shorter than the message.
So which is it?
You're not impressing me with the claiming of "one time pad security" for a system that's not actually a one time pad. This is classic snake oil jargon.
Your arguments against it are the same that were once applied to transistors or lasers.
Yes, I'll admit there's an element of reactionary conservatism here. The difference is that lasers were demonstrably doing something new and transistors were doing something existing (amplification) in a way that had radically better economics.
QKD is taking something that we're already doing now (non-intrinsically authenticated key agreement) and claiming that there's a need to do it in this new, expensive, complicated, and fragile way. Forgive me if I don't just take your word for it.
It would really be cool for those saying "really, your (EC)DH will be broken in 20 years" to put it where their mouth is and tell us what attacks they have in mind. Otherwise, it's just FUD.
"Quantum Key Distribution" in no way implies the key is shorter than the message. It actually needs to be longer to allow for error correction, authentication, and privacy amplification (i.e. to compensate for noise that could be attributed to an attack). A one time pad, or Vernam cipher, is commonly used in commercial QKD systems. It's not snake-oil. Please google it. It's dead simple to understand and almost as easy to understand why it's impossible to break if used properly. As I pointed out, it's the gold-standard for paranoid government agencies even without QKD, ergo spooks with suitcases on planes.
As for attacks on ECDH, look up Shor's algorithm. That particular algorithm needs a quantum computer to run, but there is no existing proof showing that it is impossible to find one that would run efficiently on a classical computer. Again, the nature of classical communications means that encrypted messages may be copied and archived, so that vulnerabilities found in the future can compromise messages you send today. Maybe nobody will ever manage to crack ECDH, but maybe they will. It's a gamble. Quantum communications cannot be copied and archived so QKD must be broken at the time of transmission or the message is safe for all time. That's the big difference.
Again, I'm not suggesting ECDH isn't fine for most normal people's day-to-day needs. We're talking about secrets that need to be kept for generations that you simply don't want to gamble on.
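The post above says the one-time pad is "dead simple" and unbreakable "if used properly". As an added illustration (not code from anyone in this thread), the following Python shows both halves of that claim: a fresh random key makes the ciphertext consistent with any plaintext of the same length (so it reveals nothing), while reusing the key cancels it out and leaks the XOR of the two messages. The sample messages are constructed; the function names are my own.

```python
"""One-time pad (Vernam cipher): perfect secrecy with a fresh key,
and the failure mode that "used properly" rules out (key reuse)."""
import secrets


def otp(data: bytes, key: bytes) -> bytes:
    """XOR data with key. Encryption and decryption are the same operation.
    The key must be at least as long as the data and must be used only once."""
    if len(key) < len(data):
        raise ValueError("one-time pad key must be at least as long as the message")
    return bytes(d ^ k for d, k in zip(data, key))


def key_explaining(ciphertext: bytes, candidate_plaintext: bytes) -> bytes:
    """Return the key under which `ciphertext` decrypts to `candidate_plaintext`.
    Such a key exists for every candidate of the same length, and with a
    uniformly random key every candidate is equally likely: the ciphertext
    carries no information about which one was actually sent."""
    if len(ciphertext) != len(candidate_plaintext):
        raise ValueError("lengths must match")
    return otp(ciphertext, candidate_plaintext)


def two_time_pad_leak(c1: bytes, c2: bytes) -> bytes:
    """If one key encrypts two messages, XORing the ciphertexts cancels the
    key and leaves p1 XOR p2. This is the leak that key reuse causes."""
    return otp(c1, c2)


def demo():
    """Constructed sample run; returns (ciphertext, decoy_key, leak)."""
    plaintext = b"meet at the old bridge at dawn"   # constructed, 30 bytes
    key = secrets.token_bytes(len(plaintext))       # fresh random key, used once
    ciphertext = otp(plaintext, key)
    assert otp(ciphertext, key) == plaintext        # round trip

    # Perfect secrecy: the same ciphertext "decrypts" to a decoy under another key
    decoy = b"meet at the new bridge at dusk"       # constructed, same length
    decoy_key = key_explaining(ciphertext, decoy)
    assert otp(ciphertext, decoy_key) == decoy

    # Key reuse: the key drops out and the XOR of the plaintexts is exposed
    second = b"the package is in locker nine!"      # constructed, same length
    leak = two_time_pad_leak(ciphertext, otp(second, key))
    assert leak == otp(plaintext, second)
    return ciphertext, decoy_key, leak


if __name__ == "__main__":
    c, k, leak = demo()
    print("ciphertext:", c.hex())
    print("leak from key reuse (p1 xor p2):", leak.hex())
```

The "used properly" conditions the post alludes to are all visible here: the key must be truly random, at least as long as the message, and never reused; QKD's role is to deliver such a key, which is why the post notes the raw key material has to be longer than the message once error correction and privacy amplification are accounted for.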
Reading your comment, and a few short articles (and that Defcon19 talk) on Quantum cryptography, correct me if I'm wrong. Quantum cryptography is a "way" (emphasis) to securely send a one time pad to the recipient in such a way that due to the quantum effects, if the quantum bit currently in transmission (in the wire) is mitm'ed, it doesn't reach the end or something like that. So both of you can discard that bit and continue on to the next bit until you've transmitted the whole pad.
More or less. Quantum states can only be measured probabilistically. This, combined with the fact that they cannot be cloned, is what makes the eavesdropper detectable if he/she tries to intercept the quantum states in between the sender and receiver. i.e. The sender knows what she sent, but if the eavesdropper measures those states and tries to imperfectly clone them she will send states to the receiver that will produce impossible results when measured by the receiver.
In a true MITM attack the eavesdropper could claim to be the receiver to the sender and the sender to the receiver and exchange keys with them both. This is why authentication must be a part of QKD protocols.
Once you have a secure key, using it as a one-time-pad is the most secure way to send data. (Note: We're skipping a few steps like error correction and privacy amplification)
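The two posts above describe, in words, why an eavesdropper on a quantum channel is detectable: measurement in the wrong basis gives a random result, the original state cannot be cloned, and the re-sent state produces "impossible results" at the receiver. As an added example, not code from this thread or from any QKD vendor, the following Python simulates BB84 with an intercept-resend eavesdropper using ordinary random bits and shows the error rate the receiver observes in the sifted key. The abort threshold of 11% is an assumption chosen for illustration; a real system derives it from its channel noise model, and the basis comparison must run over an authenticated classical channel, as the post about MITM points out.

```python
"""BB84 intercept-resend simulation (classical random-bit model).
Shows why an eavesdropper who measures and re-sends qubits raises the
quantum bit error rate (QBER) of the sifted key from 0 to about 25%."""
import random

RECTILINEAR, DIAGONAL = 0, 1  # the two preparation/measurement bases


def measure(bit: int, prep_basis: int, meas_basis: int, rng: random.Random) -> int:
    """Measure a qubit prepared as `bit` in `prep_basis` using `meas_basis`.
    Same basis: the encoded bit is recovered. Different basis: the outcome is a
    uniformly random bit and the original state is gone (it cannot be copied)."""
    if prep_basis == meas_basis:
        return bit
    return rng.randrange(2)


def run_bb84(n_qubits: int, eavesdrop: bool, seed: int = 0):
    """Run one BB84 session. Returns (alice_sifted, bob_sifted, qber), where
    qber is the fraction of sifted positions on which Alice and Bob disagree."""
    rng = random.Random(seed)
    alice_bits = [rng.randrange(2) for _ in range(n_qubits)]
    alice_bases = [rng.randrange(2) for _ in range(n_qubits)]
    bob_bases = [rng.randrange(2) for _ in range(n_qubits)]
    bob_bits = []
    for bit, a_basis, b_basis in zip(alice_bits, alice_bases, bob_bases):
        if eavesdrop:
            # Eve must guess a basis; she cannot clone the qubit, so what she
            # forwards to Bob is a fresh state in *her* basis carrying *her* result.
            e_basis = rng.randrange(2)
            e_bit = measure(bit, a_basis, e_basis, rng)
            bob_bits.append(measure(e_bit, e_basis, b_basis, rng))
        else:
            bob_bits.append(measure(bit, a_basis, b_basis, rng))

    # Sifting: Alice and Bob publicly compare bases (never bit values) over an
    # authenticated channel and keep only the positions where bases matched.
    kept = [i for i in range(n_qubits) if alice_bases[i] == bob_bases[i]]
    alice_sifted = [alice_bits[i] for i in kept]
    bob_sifted = [bob_bits[i] for i in kept]
    errors = sum(a != b for a, b in zip(alice_sifted, bob_sifted))
    qber = errors / len(alice_sifted) if alice_sifted else 0.0
    return alice_sifted, bob_sifted, qber


def key_accepted(qber: float, threshold: float = 0.11) -> bool:
    """Accept the session only if the error rate is below what error correction
    and privacy amplification can absorb. The 11% figure is an assumed,
    illustrative threshold, not a value taken from any deployed system."""
    return qber <= threshold


if __name__ == "__main__":
    for eve in (False, True):
        _, _, q = run_bb84(4000, eavesdrop=eve, seed=1)
        print(f"eavesdropper={eve}: QBER={q:.3f}, accepted={key_accepted(q)}")
```

With no eavesdropper the sifted keys match exactly; with intercept-resend Eve picks the wrong basis half the time, and in those cases Bob (who shares Alice's basis on sifted positions) gets a random bit, so about a quarter of the sifted bits disagree. That is the "attack must succeed at the time of transmission" property from the earlier posts in simulation form: the disturbance is visible before the key is ever used, and there is no recorded copy to attack later.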
Sounds to me like an incredibly convoluted, fragile, and expensive method of exchanging keys.
In what practical way is this better than traditional or elliptic-curve Diffie-Hellman key exchange?