Someone said that I should not use public keys because they are suspected of being susceptible to quantum cracking. Is this true for all algorithms or just certain ones? Also, people tell me I should transmit the key over the Internet, but if I'm not using public key cryptography, that's idiotic! So there seems to be a conflict here.

I'm not an expert but my understanding was it's a general property of public key algorithms.

You said yourself that transferring the one-time-pad to the other party is not a problem. If you can do that, you can transfer the key for a symmetric cypher as well.

If that assumption was based on public key cryptography being safe, you have to find a different method or believe in public key cryptography remaining strong enough. Maybe forward secrecy is relevant for you? I do, however, have not much interest in public keys cryptography.

samoth made a suggestion for 512-bit encryption. Why not 1024- or 2048- or 4096-bit? The point is, obviously I couldn't have infinity-bit encryption (though that's essentially what an OTP does, in a way), but why stop at 512?

Because 256 bits are already overkill to the best knowledge available today.

There were also suggestions of adding rounds and layering multiple algorithms over each other, etc. I've read that this is a bad idea, because in some cases it can actually weaken security, and it could potentially be hard to predict whether it will be strengthened or weakened.

If you are not an actual expert in cryptography you should not just do that or stick at least to modifications which have already been adequately discussed in the cryptographic community.

Also, one of the things that really bugs me about cryptography is that for the most part, it's not provably secure. It's so complex that there's usually no mathematical way to absolutely prove the difficulty of cryptanalysis, because someone will come up with a better way eventually. In many cases, there may be a theoretical limit to how easily an algorithm can be broken, but it seems to me like it can't usually be proven. It's the same thing with compression algorithms, or most kinds of data encoding, really. You just have to test it a billion times and then inductively assume that it works. But with compression algorithms, the worst thing that can happen is the file grows (and you can prevent that anyway, so really the worst thing is that it doesn't shrink), but with cryptography, the consequences can be catastrophic.nbsp; It's so complex that there's usually no mathematical way to absolutely prove the difficulty of cryptanalysis, because someone will come up with a better way eventually.can be broken, but it seems to me like it can't usually be proven.&

Then you don't rely on one cipher but several with independent keys. Finding a fatal flaw in one cipher somewhere during your lifetime is possible, but unlikely. Finding fatal flaws in two or more ciphers during your lifetime is increasingly closer to impossible. Good candidates could be Rijndael (now known as AES), Serpent and Twofish since they were the finalists to become AES.
Also, it is by no means certain that there will ever be a way to break a cipher. For example AES is used extensively (including several governments) and the best attempt on it is still the purely theoretical attack I quoted from Wikipedia. Twofish has a similar purely theoretical attack under extremely special circumstances and there is even a newer replacement with Threefish.

Someone said that I should not use public keys because they are suspected of being susceptible to quantum cracking.

No, I said that it is nonsensical to use public key cryptography on the one hand side, and then, at the same time, insist on using OTP (transmitted over a channel secured by public key cryptography) because block ciphers are not secure enough.

Because, if anything is susceptible to a future, still hypothetical large-scale quantum computer, it will be public key cryptography.

samoth made a suggestion for 512-bit encryption

Again, not what I suggested. I suggested you use 128 bits, or 256 if you really, really, really feel unsafe.

I said that you could use 512 bits if you are pathologically paranoid. There is no technical reason why you couldn't do that, it's just that it is silly, and people will laugh at you. However, if you are really, really worried about a backdoor that maybe reduces the 2256 complexity of an attack to 2200 or even 2150 (this would be a bummer, but still it would be pretty harmless since 2150 is still entirely unfeasible), then it costs very little (a mere 32 bytes extra) to use a 512-bit key instead. It's possible, but it doesn't make sense.

Note that although 2*256 = 512, this does not mean that 2512 = 2*2256. It's a slightly bigger number than that.

With that in mind, the question "why not 1024- or 2048- or 4096-bit" makes me more and more think that you are not being serious, or that your earlier statement about knowing a lot (or anything) about cryptography isn't true. You should really understand how many orders of magnitude are between a 128-, 256-, 512-, and 1024-bit binary exponent.

256-bit symmetric keys are overkill already, but 512-bit keys are (insane + overkill)256. I'll leave it to you to figure what 1024-bit keys are.

Also, one of the things that really bugs me about cryptography is that for the most part, it's not provably secure.

Humans, on the other hand, are provably insecure. The symmetric block cipher is not the weak link in your security chain, and the 256-bit key isn't, either.

Also, one of the things that really bugs me about cryptography is that for the most part, it's not provably secure. It's so complex that there's usually no mathematical way to absolutely prove the difficulty of cryptanalysis, because someone will come up with a better way eventually. In many cases, there may be a theoretical limit to how easily an algorithm can be broken, but it seems to me like it can't usually be proven. It's the same thing with compression algorithms, or most kinds of data encoding, really. You just have to test it a billion times and then inductively assume that it works. But with compression algorithms, the worst thing that can happen is the file grows (and you can prevent that anyway, so really the worst thing is that it doesn't shrink), but with cryptography, the consequences can be catastrophic.

So your understanding of compression is about as sophisticated as your understanding of cryptography.

No, you cannot prevent the file from growing when you try to compress it, although you can bound how much it can grow (say, by a few bytes). There are perfectly good mathematics for understanding compression, even if the theorems don't say what you would like them to say.

>Note that although 2*256 = 512, this does not mean that 2512 = 2*2256. It's a slightly bigger number than that.

Yeah thanks. I understand the properties of exponentiation and multiplication.

>So your understanding of compression is about as sophisticated as your understanding of cryptography.

Everyone insults me. I understand PLENTY about compression (admittedly more than about cryptography but I know a fair amount about that as well, despite popular opinion).

Anyway, I don't think anyone's mentioned stream cyphers. They're popular in Europe or so I hear. What does anyone think about them?

We are really not trying to insult you: The smiley face was supposed to indicate the statement was a bit of a joke. But I do think you overestimate your level of understanding of these fields.

Well allow me to clarify: I have a lot of knowledge/education in computer science in a broad sense, not specifically cryptography, but I have taken some courses and read some books, and just studied it in general - enough to say that I understand how a lot of the algorithms work and I understand many of the potential attacks, as well as a lot of the protocols, etc.

Admittedly, I'm a bit rusty in the subject, and I may not be up to date on the absolutely cutting edge stuff, nor do I know about every possible goofy esoteric thing an attacker could throw my way, but then, that's why I'm asking for advice, isn't it? I don't claim to be the world's leading expert, but I think it's rather rude of elitists to treat me like I'm some ignorant hillbilly, just because I don't have a PHD specializing in cryptography/security, and I haven't devoted 20+ years of my life to the subject.

I'm plenty intelligent enough to understand anything you could tell me, provided it's explained adequately and unambiguously. I'm not bragging though; I'm just defending myself from what seems to be a constant onslaught against my personal character. If my opinion differs from anyone else's, because I have concerns that I think are legitimate, even if no one else does, they seem to think I'm a jerk for it. I noticed that when I started this account, my reputation was 100 by default, I think. Over several months, it had gradually increased to about 158. Now it's down to 107 after only a couple days of this specific topic. Personally, I don't care about that anyway, because it doesn't really have any tangible effect, but it does show just how petty a lot of people are.