Encryption algorithms that run on classical computers that are expected to be resistant to quantum computers.
This is notably not the case of the dominant 2020 algorithms, RSA and elliptic curve cryptography, which are provably broken by Grover's algorithm.
However, as of 2020, we don't have any proof that any symmetric or public key algorithm is quantum resistant.
Post-quantum cryptography is the very first quantum computing thing at which people have to put money into.
The reason is that attackers would be able to store captured ciphertext, and then retroactively break them once and if quantum computing power becomes available in the future.
There isn't a shade of a doubt that intelligence agencies are actively doing this as of 2020. They must have a database of how interesting a given source is, and then store as much as they can given some ammount of storage budget they have available.
A good way to explain this to quantum computing skeptics is to ask them:Post-quantum cryptography is simply not a choice. It must be done now. Even if the risk is low, the cost would be way too great.
If I told you there is a 5% chance that I will be able to decrypt everything you write online starting today in 10 years. Would you give me a dollar to reduce that chance to 0.5%?
Man-in-the-middle attack
quantumcomputing.stackexchange.com/questions/142/advantage-of-quantum-key-distribution-over-post-quantum-cryptography/25727#25727 Advantage of quantum key distribution over post-quantum cryptography has Ciro Santilli's comparison to classical encryption.
BB84 is a good first algorithm to look into.
Long story short:
- QKD allows you to generate shared keys without public-key cryptography. You can then use thses shared keys
- QKD requires authentication on a classical channel, exactly like a classical public-key cryptography forward secrecy would. The simplest way to do this is a with a pre-shared key, just like in classical public key cryptography. If that key is compromised at any point, your future messages can get man-in-the-middle'd, exactly like in classical cryptography.
QKD uses quantum mechanics stuff to allow sharing unsnoopable keys: you can detect any snooping and abort communication. Unsnoopability is guaranteed by the known laws of physics, up only to engineering imperfections.
Furthermore, it allows this key distribution without having to physically take a box by car somewhere: once the channel is established, e.g. optical fiber, you can just keep generating perfect keys from it. Otherwise it would be pointless, as you could just drive your one-time pad key every time.
However, the keys likely have a limited rate of generation, so you can't just one-time pad the entire message, except for small text messages. What you would then do is to use the shared key with symmetric encryption.
Therefore, this setup usually ultimately relies on the idea that we believe that symmetric encryption is safer than , even though there aren't mathematical safety proofs of either as of 2020.