Speakers: djb, Tanja Lange Last year your friend Karen joined the alternative music scene and sent you a sound track. The government is recording everything, and this year announced that alternative music is a gateway drug to terrorism (see http://www.theguardian.com/australia-news/2015/sep/25/radicalisation-kit-links-activism-and-alternative-music-scene-to-extremism). Fortunately, Karen encrypted the email. Fast forward to 2035. Stasi 2.0 has risen to power and has decided that, to protect society, anyone who has ever been exposed to alternative music will be sent to a „better place“. They still have a copy of Karen’s ciphertext. And here’s the really bad news: They’ve just finished building a billion-qubit quantum computer. Back in 2015, large general-purpose quantum computers haven’t been built yet, but the consensus is that they will be built, and that they will allow well-funded attackers to retroactively break practically all of today's deployed public-key cryptography. RSA will be dead. ECC will be dead. DSA will be dead. „Perfect forward secrecy“, despite its name, won’t help. Fortunately, there are replacement public-key cryptosystems that have held up very well against analysis of possible attacks, including future quantum attacks. This talk will take a hands-on look at the two examples with the longest track records: namely, hash-based signatures (Merkle trees) and code-based encryption (McEliece).