Did Schnorr destroy RSA? Show me the factors(sweis.medium.com) |
Did Schnorr destroy RSA? Show me the factors(sweis.medium.com) |
It seems like the only reason for the "put up or shut up" reactions is that "destroys RSA" comment in the submitted abstract...which isn't in the actual paper.
https://twitter.com/robinhouston/status/1169877007045296128
Its easier to drum up support for your paper when you have a quick way to prove to the community of mathematicians that your results are golden.
EDIT: The original webpage: http://math.mit.edu/~drew/sumsofcubes.html
As you can see, the sum-of-cubes announcements are very terse. Ultimately pointing to the following link: https://share.cocalc.com/share/900eec7e-0710-4e2f-a03a-dba01...
That kind of website / tweet is a "drop the mic" moment. It really makes people pay attention.
In particular, I think the right process would be:
1. Give some brief description of the result (eg factoring numbers in O(...)), and some proof (eg a factorisation of the next rsa semiprime, possibly more) that convinces people that your claims are true
2. Wait a while for people to have the chance to not be burned
3. Publish the paper
Instead, the authors seem to be going for:
1. Publish the paper with a provocative abstract.
2. Wait to see who implements the algorithm first.
It doesn’t seem the best idea to me, but what do I know?
As it is, if the algorithm presented is valid then this potentially compromises currently operating systems.
There are so many devices and pieces of software that are stuck on RSA, a headsup of say 5 years would still result in a clossal mess; may as well have the mess now.
I think it is - https://eprint.iacr.org/2021/232.pdf
The latter is much more important.
For an algorithm, asking for results is not that weird. It certainly fits within the purview of a paper. Moreover, it would be really strong evidence for the claims made in the paper. It is much easier to check than the proofs.
I wouldn't be surprised if a demonstration that pushes the current publicly known record for largest factored RSA modulus costs hundreds of thousands or millions of dollars even with this new algorithm, and the algorithm is also slower than other methods for, say 384-bit RSA.
It may be difficult even for Peter Schnorr to get that kind of budget for a demonstration before his paper gets traction.
I believe that this breakthrough could be quite a bit bigger because it's changing the costs from exponential to polynomial and so speedup is likely a much bigger change.
That's for previous algorithms, not the one described in the paper.
Also, without that sentence nobody would be trying to read the paper, so props to Schnorr who understands how to create the buzz :P
Apparently, "[t]his suggest that the approach may be sensible, but that not all short vectors give rise to factoring relations, and that obtaining a sufficient success rate requires much larger lattice dimension than claimed in [Sch21]."
Yes, claiming that "this breaks RSA" is bold, but this implementation shows that there is some advance in doing so in the paper.
Therefore signaling that this is a "scandal" via the postfix "gate" seems just inappropriate.
Apart from that kudos for the implementation to Ducas!
Calling it the "Schnorr attack" would imply that the outcome of it is still uncertain. And it also would sound way cooler ;)
Just to make sure you get Ducas's main argument, I quote him here again: "Personal study (unfortunately, never written down cleanly) of this approach suggested me that this approach requires solving SVP in dimensions beyond reasonable, leading to a factorization algorithm much slower than the state of the art. My impression is that this is the consensus among experts having spent some time on it as well."
So it seems like the conclusion is clear-cut contrary to what you were suggesting.
Also wouldn't the name "Schnorr attack" lead to people thinking of attacks on Schnorr signatures instead?
The blog post says the paper mentions 8.4e10 operations for factoring, but I can't find that number in the paper anywhere. The post then states: "The 800-bit claims would be 36 bits of work." I don't know what that means.
[edit]: the numbers are in the new version (https://eprint.iacr.org/2021/232). I was looking at the old version uploaded yesterday.
From the article: "Schnorr’s paper claims to factor ... 800-bit moduli in 8.4·10¹⁰ operations"
2^36 ~= 8.4·10¹⁰, so I guess "36 bits of work" means 2^36 operations. Analogous to how a password with 36 bits of entropy would require 2^36 guesses. My first time encountering the phrase "bits of work" as well, though.
>Our accelerated strongprimal-dual reduction of [GN08] factors integers N≈2^400 and N≈2^800 by 4.2·10^9 and 8.4·10^10 arithmetic operations.
To factor a number N (assumed to essentially be the product of two very large primes), find a 'short' lattice vector [0] using LLL [1] (and BKZ reduction? [2]) that finds many relations of the form:
(u_i) = p_i,0 * p_{i,1} * ... * p_{i,n-1}
(u_i - v_i * N) = q_{i,0} * q_{i,1} * ... * q_{i,n-1}
Numbers that have all their factors less than some prime, B, are said to be "B-smooth". In the above, both (u_i) and (u_i - v_i * N) are p_{i,n-1}-smooth and q_{i,n-1}-smooth, respectively.
Construct many u_i and (u_i - v_i * N), so much so that you can create a product of primes, r_i, of the form:
r_0^{2 b_0} * r_1^{2 b_1} * ... * r_{n-1}^{2 b_{n-1}} = 1 mod N
Since all exponents (2b_i) are even, we have the potential to find the square root of 1 which has the potential to resolve to two different numbers since N is composite. One of those is the product of r_i^{b_i} and the other is -1. Since y^2 = 1 mod N, we get (y-1)(y+1) = 0 mod N. If (y-1) or (y+1) are not 0, then then must share a factor of N and we've successfully factored.
The trick is, of course, finding the smooth numbers. To do this, a lattice basis is made such that you find a short integer relation of the form
a_0 ln(p_0) + a_1 ln(p_1) + ... + a_{n-1} ln(p_{n-1}) ~= ln(N)
u is chosen as the product of primes of all a_i > 0 and v is chosen to be the product of all primes where a_i < 0. The hope is that (u - v*N) is also p_{n-1}-smooth, which, as far as I understand, most of the math in the paper is trying to justify.
The main innovation here, as far as I can tell, is that Schnorr is fiddling with the 'weighting' of the main diagonal when constructing the lattice basis. I interpret this as basically trying to randomize the initial lattice basis so that the chances of getting a different integer relation (for eventual construction of u,v) is more probable.
I've been confused about this for over a decade as variants of this algorithm, and Schnorr's work in general, have been well published. For example, there's a paper from 2010 on "A Note on Integer Factorization Using Lattices" by Antonio Vera which discusses Schnorr's [3] construction.
Is Schnorr trying to shout louder so people will listen or is there something else fundamentally flawed with this type of algorithm?
Just a word of warning, LLL solves polynomial factorization in polynomial time (given a polynomial with integer coefficients, find it's factor polynomials also with integer coefficients) [4] and has been used to break other (now very old) cryptosystems [5]. If there's a candidate algorithm to solve integer factoring, lattice reduction (LLL, PSLQ, etc.) are it.
I know of fplll that's a stand alone (FOSS) implementation of LLL and some extensions (BKZ, etc.) [6].
[0] https://en.wikipedia.org/wiki/Lattice_reduction
[1] https://en.wikipedia.org/wiki/Lenstra%E2%80%93Lenstra%E2%80%...
[2] https://www.newton.ac.uk/files/seminar/20140509093009501-202...
[3] https://arxiv.org/pdf/1003.5461.pdf
[4] https://en.wikipedia.org/wiki/Factorization_of_polynomials#F...
But there’s no real current takeaway until we know if this approach works, and if so how extensible it is to RSA, especially 2048 bit RSA.
If you are going with it anyway, yeah, 4k bits is a safe choice for making it reasonably secure right now (2k being a bare minimum), but remember, attacks always get better, never worse, and RSA has a fair share of possible attacks.
Do we know that the paper is definitely from Schnorr? (Edit: The article claims its provenance is confirmed). The "destroys the RSA cryptosystem" claim is now part of the paper. While anyone can make mistakes, I would expect such claims to be at least somewhat carefully checked before releasing them.
Either way, I expect that we'll see either a retraction/correction or factors within weeks.
Should be trivial to show a working proof on a smaller-than-usual RSA number if "this really destroys RSA".
Why not let others do the rote reduction-to-practice?
Why not create an example where your theory was correct, & your reputation was on the line, that took a little while to resolve – but when it does, it does so definitively in your favor, so you are more trusted in future pre-definitive-verification pronouncements?
(I don't know enough about Schnorr-the-person to know if this fits his personality, but I can imagine such personalities.)
“This destroys the RSA cryptosystem” - https://news.ycombinator.com/item?id=26321962 - March 2021 (140 comments)
If a major government got wind that such work was going on, wouldn't it be prudent to publish before you are disappeared? I assume high-profile crypto research people are spied on.
Question for someone who is familiar math notation...was the abstract of this article easy to understand?
For me, the abstract seems like code but no commentary explaining what each bloc does. But I could be mistaken.
What I read is that someone contacted Schnorr over email to get this confirmation.
I’m not saying the confirmation is wrong. And I’m not saying email cannot convey information.
You seem to mean something different from what your words say...
see?
Now I just looked at that Schnorr paper and, well, I can tell you that I'm not going to be the one implementing it : (
It doesn't matter what you claim with words if you can't back it up with cryptographic evidence.
Shut up and prove you've done (or can do) the work.
More drawing attention to the wider theme that we generally should not take people at their word when we have the option to demand proof of work that can't be faked or mistaken.
Don't trust. Verify.
I don't know why people don't bring this up more often. It will likely happen long before quantum computers make it possible.
I don't think that such a secret can be kept for more than a few minutes with immediately proceeding to runtime weaponization.
It took me 3.3 years of actual computation time to do about 2^46 multiplication+modulo of two 2048 bit numbers on a Core i7. 2^36 of 2048 bit numbers should be doable in a day on an eight years old CPU.
P.S: that was on a single core, for the problem I solved was explicitly created as to not be parallelizable.
The public web and code signing PKIs collapse overnight. Most certificate authorities use RSA-2048 either for the roots or intermediates. The HN site not only uses a RSA-2048 key in its own certificate, the CA issuing that certificate and the root CA issuing the intermediate also do.
All data transmitted without forward secrecy on most web sites is compromised. Most websites nowadays use forward secrecy and/or ECDSA, but data sent years ago may still be of value (e.g. passwords) and become decryptable now.
Any data (e.g. backups, past e-mails) encrypted using RSA keys is at risk.
Any authentication system relying on RSA keys has a problem. This can include systems like smartcards or HSMs that are hard to update, software or firmware updates, etc. Banking too.
Edit to add - if RSA-1024 is practically breakable but RSA-2048 is not: some systems that relied on RSA-1024 have a problem. These should be rare, but sometimes legacy doesn't get updated until it becomes an absolute emergency. Everyone realizes that RSA-2048 is only a matter of time, that time is running out quicker than expected, and starts upgrading to ECDSA with more urgency. This will likely take a long time due to legacy hardware.
Forward secrecy does not protect against broken cryptography, so this is more about what methods were used and how much an new technique like this affects them.
It's a continuum from "impossible to do with all the time and energy of the universe and the most advanced computers we have" to "my commodity hardware can crack it in a few minutes".
The same goes for fears of quantum computing breaking current cryptography. It goes from effectively impossible to "yeah, we could break it with a few years of constant computation, which is plenty of time to switch to quantum resistant schemes".
If there were, for example, a way to glean a private key without factoring the modulus, I think we'd all agree that this amounts to "breaking" the system insofar as that it changes the applicability of the hardness assumption.
On the other hand, simply achieving a faster way to factor the modulus is, at best, part of a continuum as you say.
That's not how you treat broken cryptography. If your data is already collected and stored encrypted by a third party which still holds value after several years, you're already in bad shape.
2. Major issue is going to be webpki and replaying govt captured encrypted communications.
3. There are a lot of abandoned servers out there that use RSA. There is a lot of code signing that uses RSA. There is just a lot of identity proven on the web that uses RSA to prove the identity. It's going to be a clusterfuck of identity. Again, assuming the paper means RSA is just completely broken.
Only if you somehow "know" quantum computing is ever going to be practically realized. It may never be.
1024-bit and higher RSA is still unfactorable, so I don't think anyone will be attacking RSA directly any time soon.
Also, that whole thing about lots of computer encryption tech suddenly being effectively insecure.
But then there's that line: "This destroys the RSA cryptosystem" in the abstract of the paper.
The mitigation would be to move to experimental post-quantum crypto systems immediately (quantum computers have all the fuss because they can break rsa).
This is basically an unbelievable result. Without actually providing some factored numbers i am very doubtful.
[I have not read paper]
Edit: as pointed out below, i may have gotten overexcited. Still an incredible result if true.
"A bit"? A lot more than a bit. A world.
And on the surface, since it appears to be a factoring system, rather than a general purpose discrete log solver, the consequences, while incredible, are far more limited than the picture you paint. If this is even true; a matter over which I'm skeptical.
It does not extend to breaking eliptic-curve cryptography, for the same reason that the Quadratic Sieve does not extend to eliptic-curve crypto: the underling math problem is different (factorisation vs discrete logarithm).
https://twitter.com/SchmiegSophie/status/1367197172664389635
They mostly mirror the article this post is under, namely "show me the factors". Schnorr claims spectacular run times but it isn't clear he provides actual data from runs he's done. Schnorr also doesn't discuss complexity considerations in the detail they would deserve while focusing on basic details that I suppose wouldn't show up in a paper like this normally.
In the paper Schnorr suggests that this algorithm factors 800-bit integers in ~10^11 operations [36 bits], whereas the Number Field Sieve uses ~10^23 [76 bits]. Does that 76-bit figure represent the current state of the art, more or less?
Also, since the paper talks only in terms of specific sizes of integers, I assume there's no claimed asymptotic speedup over existing methods?
The runtime depends on the frequency of primes, which is how you know you can run the algorithm and have a good chance of finding a "B-smooth" number. So that frequency might decrease too fast as to make it not a polynomial time or quasi-polynomial time algorithm.
In terms of my own opinion, in general practical large exponent runtime algorithms have a way of becoming increasingly more efficient so this isn't usually a big blocking point, especially not for long. For example the interior point method eventually lent itself to faster implementations. In terms of frequency of primes, I suspect this is also not a big slowdown factor.
Anyway, like I said, I've been confused about this point for a long time. It seems like this method is providing effectively a polynomial time algorithm for integer factoring. I read this paper and others by Schnorr as "this is 'efficient' in the theoretical sense but the polynomial exponent is so large as to make it computationally infeasible right now" but then I don't know why this hasn't been bigger news. Maybe because the algorithm has a randomness component to it?
I don't know. If anyone is wiser than me, I would appreciate some enlightenment.
The notation is easy to understand (and as far as mathematical notation goes, really quite tame). I don't know what a nearly shortest vector of a lattice is in this context, but I do understand everything else. Note that means I have no idea how the actual method works, but I can understand what's being claimed.
You can have a "good basis" where the norms for b are low, or an equivalent "bad basis" with the same lattice points but with high norms. That's one hard problem (lattice reduction), but there are polynomial-time approximations.
The shortest vector problem, iirc, is to find the vector with the smallest norm in the best possible basis of that lattice.
You are mistaken. (Pretty much) all of mathematics is written as natural language, and those symbols are just abbreviations for stuff that could also be written as words. If I read those sentences out loud, another could write them back down and arrive at something that looks the same.
That's why all of mathematical notation is embedded in sentences - they are part of the sentence and can be read as such.
Further that is really basic notation a first semester student of any STEM discipline should be able to read, though I wouldn't expect them to know what a lattice and some of the other terminology is.
But if the author of the paper (or even someone else with a credible reputation) was to public factors and say they used this method then it's useful evidence.
The paper mentions some gains being possible through parallelism with one of the algorithms their work is based on, but also mentioned most prior art is not effectively parallelizable across discrete machines.
Even if the paper is correct it seems to fall into the 'moving down the continuum' category.
After all, 2^896 is 38 orders of magnitude smaller than 2^1024.
https://en.wikipedia.org/wiki/Frank_Nelson_Cole
If you 'destroyed RSA' through better factorization, all you have to do is start publishing factors of RSA challenge numbers.
Matthew Green has a fun thread about other ways to approach this along with an interesting "real talk about factoring" sidebar by Nadia Heninger:
https://twitter.com/matthew_d_green/status/13669500931784990...
This isn't science, it's math. As the article mentions, there is an 862-bit RSA challenge that hasn't been factored yet. Factoring it should be possible on commodity hardware if the claims in the paper are true. So why not just do it? The test of success is simple: either you win the challenge or you don't.
Then why would I trust it? You don't need to write code, you need to write an example
As Linus Torvalds says: talk is cheap, show me the code
Academia is full of "paper scientists" that put out papers but produce nothing of value.
They are also full of postgraduate students as well that would be more than willing to work together and put a proof-of-concept code with the paper.
https://eprint.iacr.org/eprint-bin/getfile.pl?entry=2021/232...
The previous (reportedly wrongly uploaded) version is from 12/5/2019, 9:10:13 AM created with pdfeTeX-1.30.4.
https://eprint.iacr.org/eprint-bin/getfile.pl?entry=2021/232...
The university website version is from 3/5/2020, 12:00:19 PM created with pdfTeX-1.40.15.
These dates & times are MM/DD/YYYY & CET.
A co-editor of the Cryptology ePrint Archive confirmed the submission on twitter:
Here is a version in the Google cache, it has an old date on it "work in progress 04.03.2020" and does not contain the "destroys RSA" sentence: https://webcache.googleusercontent.com/search?q=cache:E0L-S3...
The parameters can, in theory, be safely used by everyone, and generating them is relatively expensive. But because a few of these parameters were extremely widely used, and they were only 1024 bits strong, it is believed that a gargantuan effort to break them was worth it and the NSA did it.
It kind of is since a lot of it grew organically. Often it isn't even consistent across authors/countries. It wasn't really "designed".
The German Wikipedia has a decent overview of symbols and I often use it as a cheat-sheet for LaTeX, whereas the English equivalent of that article has a better explanation of basic notation.
https://en.wikipedia.org/wiki/Glossary_of_mathematical_symbo...
https://de.wikipedia.org/wiki/Liste_mathematischer_Symbole?o...
Even If you don't speak German, the article might be useful because you can follow the links to the individual articles next to the symbols, then change the language back to English. Or use it as a LaTeX reference if you're like me and have trouble remembering some of the more wonky abbreviations it uses. Of course that article isn't comprehensive, but most of the stuff that is missing is very domain-specific.
Seems like we should have figured out a way by now to use one time pad encyption by default for critical paths, even if that requires new industries to distribute pads and guarantee their security.
In TLS 1.3 all suites (such as TLS_AES_128_GCM_SHA256) have forward secrecy so it isn't even explicitly called out.
In these modern modes (and in other modern protocols like SSH) the two peers agree random ephemeral keys (these days with Elliptic Curve Diffie Hellman) and long term private keys are only used to sign things to prove who you're talking to over the resulting securely encrypted connection.
So if you break RSA you can forge those signatures but you can't decrypt messages sent to and from the legitimate owner of the keys, those were, as your parent explained, secured with AES and not RSA. You would need to perform a live active attack, a MitM to interpose between the real server and its clients so as to decrypt all messages in transit.
The current quantum computers are just on the edge of what we can simulate classically, so we can't yet rule out the possibility that realizing a quantum computation requires an exponential amount of energy in the number of qubits. (Though it should be noted that quantum mechanics predicts that this will not happen.)
There is a possibility that QM will break somewhere, but I wouldn't consider this very probable...
I don't think this is true...
Do you believe in "responsible disclosure" [1] of security vulnerabilities? How does your stated philosophy apply or not apply to ethics around disclosure of discovered software security vulnerabilities? Is that different?
[1] https://cheatsheetseries.owasp.org/cheatsheets/Vulnerability...
I mean, I get it, it's not the most straightforward mental leap, but I can understand the sentiment.
And as far as responsible disclosure goes, no, the responsible thing to do is to notify everyone at once. Keep in mind if it is right, this means that nation state actors have just been equipped with a roadmap to potentially cracking a lot of banked ciphertext, probably faster than anyone else.
You don't sit on that kind of thing, even if it does mean some corporate actors get burned.
If the only thing saving your rear was an RSA key... Take notice: the clock may have just been significantly advanced. Be you nation-state, corp, or someone who'd just prefer to remain in the shadows.
Suffer thee not information asymmetry to live lest you carry the blood of those you sacrifice on the altar of your limited disclosure. It also hedges against you getting disappeared and suppressing whatever other people you shared it with that remain to keep something so relied upon from being realistically entertained.
I mean, cmon, how long has everyone been joking they'd hate to be the person who discovered how to break RSA, because we all know it would lead t
<SIGNAL_LOST>
If you found a simple way to kill all of mankind, that could be mitigated by waiting a week to publish while safeguards were implemented, is it wiser to publish immediately and risk someone killing all of mankind or to notify proper groups and then publish later after it won't kill everyone?
Maybe there's some nuance in these things. Ignoring effects of knowledge is not wise.
Yes, you can replace your SSH keys with elliptic ones, and maybe adjust your TLS accepted algorithms. Even this is not always easy or cheap.
But other things that may rely on RSA (or triple RSA) may have trouble upgrading fast, and upgrading them at all is going to cost a lot.
We know that Quantum computers can break it too, yet nobody really acts on it with any urgency. If suddenly there is a breakthrough and we can reach this state within a year, then there will be no time to adapt as well.
It all boils down to the general corporate attitude of not fixing catastrophic problems without precedence. We see the same with climate change and once it hits hard, it will be too late to adapt.
So there might be DOOMSDAY in the future, where all cryptography will cease to work, because somebody just figures a way to decide NP problems quickly enough.
Interesting. Reference?
Yeah, no. 3DES (Triple DES) is/ was a thing, but Triple RSA is not.
The blog post claims that people have been trying to reproduce his results for two years, though.
Hence, if you look at the strength of the currently best-known attack on RSA keys, you see that the key strength grows quite slowly as the keys get larger. This is purely from how sparse prime numbers are. From [1] which quotes NIST in 2015 we see (both collumns are in bits):
Strength RSA modulus size
80 1024
112 2048
128 3072
192 7680
256 15360
Technically the information is still there, it was just thought to be very hard to extract. This paper shows an easier way to extract it.
[1] https://crypto.stackexchange.com/questions/8687/security-str...
If true, it's still leaps and bounds ahead of anything we have today, though.
Forward secrecy only protects against the exposure of private key material. It does not protect against broken cryptography as it depends on the cryptography to keep old messages private. That's because it works by forgetting the session keys. If you can derive those session keys again then it is of no value.
The interesting part is using a weakness in one part to help decrypt a different part.
If nothing else, quantum computers should break RSA in particular (the algorithm is already known and just waiting for hardware) and the writing has been on the wall there for a long time.
Just like it was generally accepted that god exists. Those claims are of similar strength.
> If nothing else, quantum computers should break RSA in particular
Quantum computers with enough qubits do not exist and it's absolutely not obvious whether they will exist at all.
[For symmetric encryption quantum computers would only matter if they were pretty fast/cheap and we didn't have ready-to-go 256-bit symmetric crypto, but we do]
OpenSSH actually has an implementation of a reasonable contender for SSH. Google have experimented (in Chrome builds) with some of these contenders for TLS too. What you would likely want to do - since by definition these are relatively untried algorithms and so might be unsafe against adversaries with an existing not-at-all-quantum computer - is combine with an existing algorithm, most likely elliptic curve based, but RSA would be possible, under a "swiss cheese" model where you're only dead if an adversary penetrates all the layers.
But like I said, much worse. Given that there aren't any suitably large quantum computers (and it's always possible that we'll eventually figure out we just can't build usefully large quantum computers, just like we eventually found out that while you can travel faster than sound you can't travel faster than light) it would make no sense to deploy this today, even though it continues to make sense to do research Just In Case.
Slower, in a different complexity class from the classical ones (AKA O(n^2) instead of O(n), but I don't know what exact complexities the top candidates have right now, as a function of key length).
Larger messages, in that a signature requires 100's or 10's of Mb instead of a few kb.
Larger public keys, as again 100's of Mb instead of a few kb.
Larger private keys, as in a few to 10's of Mb instead of 1/2 to a few kb.
But I guess the most relevant "much worse" is that people have much less confidence that those algorithms are secure, and they are complex enough to hide huge traps that make implement RSA look like a walk in the park.
larger messages
larger public keys
larger private keys
They're useful in exactly one situation: when you have a temporary secure communication channel, and a long-term insecure channel. Then you can use the temporary channel to pre-share a lot of key material (say, a 1TB micro SD card carried covertly) and then use that for future messages. But that scenario is very rare.
"Our main cargo is a one-time cryptographic pad. The source is Commercial Security at Sjandra Kei; the destination is the certificants' High colony. It was the usual arrangement: We're carrying a one-third xor of the pad. Independent shippers are carrying the others. At the destination, the three parts would be xor'd together. The result could supply a dozen worlds' crypto needs on the Net for ..."
I don't really think the parent comment understands that there are creative ways around the difficulty of sharing secure pads. We don't need it for all data; but I think Vinge does hint at a totally viable means of sharing, and scenario in which it's practical.
Key exchanges would be annoying, but they are even more so for one-time pads.
But it will never come to even that: There are plenty quantum-safe asymmetric cryptosystems around.
If we were serious about it, sharing flash drives and even using couriers could make it work pretty well.
Some of the other choices aren't so much slower but are far bigger, for example McEliece systems.
There's lots of opportunities to make different trade-offs - at least if all of them survive a bit more scrutiny by smart motivated opponents - but they're all generally worse than what we have now - except that they resist Shor's algorithm.
I don't think that's a problem for end users, you are not constantly generating keys. It will be a problem for servers handling thousands of connections per second, but I'm sure dedicated HSMs will appear if there is a need for them.
In any case, I'm not an expert in crypto, just a poor sysadmin-by-accident who likes reading about the latest security developments so the bad guys don't pwn my servers. And as you said, engineering is always full of trade-offs, let's see what the NIST PQC standardization process will decide.