The answer to your thought experiment is: I don't know.
That's the only correct answer, and the reason why you shouldn't use ECDH for long-term sensitive information. It's still a method based on computational difficulty. There's no proof that there's isn't an algorithm that could efficiently break it on currently existing classical computers. One could be discovered in 50 years, tomorrow, or might already be in use in organizations like the NSA. Even if quantum computing wasn't progressing in leaps and bounds (if you look at what is being done you might be very surprised), the possibility it presents is still there.
Again, I'm not talking about credit-card-transactions here. I'm talking about critical information that you don't want to gamble with. ECDH, however good it is, is a medium-term gamble and practically certain to be broken in the long-term.
The only truly safe alternative to QKD at present is the simple one-time-pad (a.k.a. Vernam cipher). i.e. The sender and receiver physically exchange random bit strings. In Canada we still see government agents carrying handcuffed briefcases around on commercial airlines a lot, and that's probably what they're full of. It may sound ridiculous to do this because you're relying on the loyalty of those agents, but security is ultimately a people problem no matter what technology you throw at it.
There's no proof that there's isn't an algorithm that could efficiently break it on currently existing classical computers.
But we could also say that about the cipher used to encrypt the bulk message data.
I'm just saying that QC for the forseeable future seems complicated, expensive, and fragile and at best only addresses one bit of the overall puzzle.
Again, I'm not talking about credit-card-transactions here.
That's always refreshing :-)
I'm talking about critical information that you don't want to gamble with. ECDH, however good it is, is a medium-term gamble and practically certain to be broken in the long-term.
You probably know some things I don't, but conventional and EC DH seem to be the more conservative choice to me whereas QC seems like it's barely out of the lab (i.e., we have less than a decade of real-world experience with it).
Re: The cipher for encryption of the message data:
One time pad. Inefficient, but guaranteed secure by mathematical proof if the key is secure. Google it.
QKD is far from ready for last-mile networks, but in principle it should be able to use existing fiber and have similar network topologies to what we currently have in classical networks. (e.g. It is possible to distribute entanglement through untrusted repeaters.) Your arguments against it are the same that were once applied to transistors or lasers.
As for ECDH, please reread what I posted earlier. If your information will not be sensitive after a decade or two it is perfectly fine. If the information will remain sensitive, it is unsuitable.
One time pad. Inefficient, but guaranteed secure by mathematical proof if the key is secure. Google it. QKD is far from ready for last-mile networks
The very term QKD as "Quantum Key Distribution" implies that the system we're discussing is good only for distribution of keys much shorter than the message.
So which is it?
You're not impressing me with the claiming of "one time pad security" for a system that's not actually a one time pad. This is classic snake oil jargon.
Your arguments against it are the same that were once applied to transistors or lasers.
Yes, I'll admit there's an element of reactionary conservatism here. The difference is that lasers were demonstrably doing something new and transistors were doing something existing (amplification) in a way that had radically better economics.
QKD is taking something that we're already doing now (non-intrinsically authenticated key agreement) and claiming that there's a need to do it in this new, expensive, complicated, and fragile way. Forgive me if I don't just take your word for it.
It would really be cool for those saying "really, your (EC)DH will be broken in 20 years" to put it where their mouth is and tell us what attacks they have in mind. Otherwise, it's just FUD.
"Quantum Key Distribution" in no way implies the key is shorter than the message. It actually needs to be longer to allow for error correction, authentication, and privacy amplification (i.e. to compensate for noise that could be attributed to an attack). A one time pad, or vernam cipher, is commonly used in commercial QKD systems. It's not snake-oil. Please google it. It's dead simple to understand and almost as easy to understand why it's impossible to break if used properly. As I pointed out, it's the gold-standard for paranoid government agencies even without QKD, ergo spooks with suitcases on planes.
As for attacks on ECDH, look up Shor's algorithm. That particular algorithm needs a quantum computer to run, but there is no existing proof showing that it is impossible to find one that would run efficiently on a classical computer. Again, the nature of classical communications means that encrypted messages may be copied and archived, so that vulnerabilities found in the future can compromise messages you send today. Maybe nobody will ever manage to crack ECDH, but maybe they will. It's a gamble. Quantum communications cannot be copied and archived so QKD must be broken at the time of transmission or the message is safe for all time. That's the big difference.
Again, I'm not suggesting ECDH isn't fine for most normal people's day-to-day needs. We're talking about secrets that need to be kept for generations that you simply don't want to gamble on.
That's the only correct answer, and the reason why you shouldn't use ECDH for long-term sensitive information. It's still a method based on computational difficulty. There's no proof that there's isn't an algorithm that could efficiently break it on currently existing classical computers. One could be discovered in 50 years, tomorrow, or might already be in use in organizations like the NSA. Even if quantum computing wasn't progressing in leaps and bounds (if you look at what is being done you might be very surprised), the possibility it presents is still there.
Again, I'm not talking about credit-card-transactions here. I'm talking about critical information that you don't want to gamble with. ECDH, however good it is, is a medium-term gamble and practically certain to be broken in the long-term.
The only truly safe alternative to QKD at present is the simple one-time-pad (a.k.a. Vernam cipher). i.e. The sender and receiver physically exchange random bit strings. In Canada we still see government agents carrying handcuffed briefcases around on commercial airlines a lot, and that's probably what they're full of. It may sound ridiculous to do this because you're relying on the loyalty of those agents, but security is ultimately a people problem no matter what technology you throw at it.