As the coordinator of the PQCRYPTO project (Post-quantum cryptography for long-term security ICT-645622), I am enthusiastic about the European efforts to build quantum computers and to investigate quantum computing. I had hoped to endorse the Quantum Manifesto, but after a more careful read I cannot endorse it in its current form.

Post-quantum cryptography is a branch of cryptography that searches for cryptographic systems that remain secure even when the attacker is equipped with a quantum computer. It is known that RSA and ECC, the most commonly used public-key cryptosystems, are fatally broken by quantum computers. There some other, less studied systems for which no efficient quantum attacks are known and that are likely (with correctly chosen parameters) to resist quantum attacks, but the complexity of these attack algorithms is largely unknown. Post-quantum cryptography basically deals with the fallout of progress in building quantum computers.

Society needs to be prepared for these advances. Most urgently, we need to change the way we do encryption because cryptosystems remain on the market for 20-30 years once they are fielded and I do expect quite some progress on building large quantum computers in that time frame. Even worse, if an eavesdropper stores a message that he is unable to decrypt now he will be easily decrypting it once he has a quantum computer -- and for many kinds of people (the health-care sector, journalists, lawyers, diplomats, ...) the secrecy of their messages matters for the years to come. If people have to fear that their communication will (eventually) be read by outside parties it has a chilling effect on their expression and leads to self-censorship, see e.g.,
	https://www.washingtonpost.com/news/wonk/wp/2016/04/27/new-study-snowdens-disclosures-about-nsa-spying-had-a-scary-effect-on-free-speech/
Right now this is also visible in the uptake of cryptography and anonymization services following the Snowden revelations -- but all used public-key cryptography does not resist quantum computers.

Given the urgency of the matter, as PQCRYPTO we have published initial recommendations for post-quantum cryptographic algorithms 
	https://pqcrypto.eu.org/docs/initial-recommendations.pdf 
These recommendations are highly conservative but also highly inefficient, to the extent that they place a high burden on users' computation and bandwidth. More research is urgently needed to assess the security of more efficient proposals under quantum attacks -- to find more efficient attack algorithms, to optimize them, and to compute their complexity. The analysis is closely related to quantum algorithms but these cryptosystems typically run on current conventional computers (PCs, laptops, mobiles, RFID chips, smart cards, etc.), requiring research in secure and efficient implementations. The PQCRYPTO webpage
    https://pqcrypto.eu.org/index.html
contains more information on the project and the topic. Standardization bodies such as NIST, CRYPTREC, ISO, ETSI, and the IETF have recognized the importance of finding alternative cryptosystems and are scrambling to issue recommendations while recognizing that more research effort is needed. Companies in IT security are alarmed because they realize that progress in building quantum computers means that they cannot keep their security promises. There is a great potential in Europe's research and industry leading the path towards long-term security but other countries, most notably Canada, Japan, Taiwan, and the US are investing strongly in this area. Research in quantum computing, quantum algorithms, and post-quantum cryptography is of extreme importance and high urgency.

Unfortunately, looking at the draft manifesto I noticed that cryptography appears only in the context of quantum cryptography, which is not solving the problems. Quantum cryptography does not run on the existing networks, does not help in protecting today's sensitive communication, and most importantly, it does not protect the last mile: the connection between the quantum node and the end-user device, such as a mobile or other wireless device.  Quantum cryptography fundamentally cannot solve authenticity problems such as electronic signatures or establish communication between partners that do not share any common secret. This means, it is impossible to use it to secure operating-system updates or to establish authenticity of an Internet banking site.  It has only the limited functionality of generating a random sequence of bits which then can be used the same way that a stream cipher is used. However, stream ciphers are not significantly affected by quantum attacks. Endorsing the manifesto would mean endorsing this technology which is leading away from a solution, rather than towards one.

I strongly encourage the authors of the manifesto to include post-quantum cryptography in place of quantum cryptography. Post-quantum cryptography is of high urgency and relevance for society and democracy as a whole and offers a significant potential to European business.