Two papers came out last week that suggest classical asymmetric cryptography might indeed be broken by quantum computers in just a few years.

That means we need to ship post-quantum crypto now, with the tools we have: ML-KEM and ML-DSA. I didn't think PQ auth was so urgent until recently.

https://words.filippo.io/crqc-timeline/

A Cryptography Engineer’s Perspective on Quantum Computing Timelines

The risk that cryptographically-relevant quantum computers materialize within the next few years is now high enough to be dispositive, unfortunately.

@filippo I'm still firmly in the camp of those believing that QC is largely stock market manipulation and a snake-oil-fuelled research grant grift... BUT...
Equally, if we have the post-QC crypto math, it only makes sense to use it. I don't see the downside.

@tmcfarlane I think Scott Aaronson frequently makes the case that the answer to "stock market manipulation or actual progress" is "both, by different companies."

@filippo Both algorithms have not been extensively tested and analysed. There could be a significantly higher risk that they are broken on classical computers than there is of a quantum computer that can do what is stated by the papers. Instead of having quantum computers validate this risk in practice, they only work on artificial, irrelevant problems (not actually trying to break keys). It would be good to see some real case (even a small one) where they try to do it - this would help to understand the risk.

@filippo Quote from a paper that you cite: "…our most time-efficient architectures can potentially enable runtimes of 10 days for ECC–256 with ≈ 26,000 qubits, and 97 days for RSA–2048 with ≈ 102,000 qubits"
This is for one key! And only if all "substantial engineering challenges" are solved.
It was not the scope of your post, but a broader assessment of Confidentiality, Integrity, Availability risks with some concrete estimations would help (which is maybe more a job for an IT Security Risk Manager).

@jornfranke I encourage you to reread the article because it addresses all your objections, especially the "why did they not break a small key".

I will add that the cryptography experts are actually very confident in the security of lattices. https://keymaterial.net/2025/12/13/a-very-unscientific-guide-to-the-security-of-various-pqc-algorithms/

A very unscientific guide to the security of various PQC algorithms

After publishing my series on UOV, one feedback I got was that my blog posts made people feel more confident in the security of the scheme, because “at least someone is looking into these thi…

@filippo I found no good argument for this. There is just a bogus comment that nobody asked the Manhattan Project to create a small nuclear explosion. It has nothing to do with the topic, and they of course did various tests and experiments to validate what they were doing.
It is a typical distraction from the fact that they cannot even solve small problems on a QC.

@filippo Cryptographic experts might be confident in the security of lattices, but I would not be confident in their secure implementation. It took decades to get the implementation right for classical algorithms, and they are still often wrongly implemented. This is a big security problem.

@jornfranke I am a cryptography engineer so I can tell you from experience: no, ML-KEM and ML-DSA are easier to implement and easier to test than all their classical alternatives.

@filippo By implementation I do not mean a specific library or tool, but a whole security system, e.g. integration into applications and into security operations. They will require significant changes in all aspects of the system and its operation.

@filippo Do not get me wrong. I believe we need to be crypto-agile, as at the moment it is even a mess to update the algorithm of one application to the latest version. Here I also agree with Bruce Schneier (https://www.schneier.com/blog/archives/2026/04/google-wants-to-transition-to-post-quantum-cryptography-by-2029.html). However, one should not do this in panic mode; one should get that right first before moving to such impactful changes in an organisation.
Google Wants to Transition to Post-Quantum Cryptography by 2029 - Schneier on Security

Google says that it will fully transition to post-quantum cryptography by 2029. I think this is a good move, not because I think we will have a useful quantum computer anywhere near that year, but because crypto-agility is always a good thing. Slashdot thread.

@filippo Can’t wait for the first quantum attack on cryptocurrency. The minute North Korea gets their hands on a large enough quantum computer, that one’s happening.

@filippo

Considering the stakes, combined with the scope of resources some superpowers possess, plus the "disclose this and it might cost you your _life_" level of "nda" they enforce, I wouldn't count on "a few years". Might already be here?

I suspect that anyone who might have the actual info as to what the state-of-the-art crypto-breaking capabilities are at the level of a military superpower certainly isn't in a position to talk openly about it.

@filippo Couldn't agree more with "the bet is 'are you 100% sure a CRQC will NOT exist in 2030?'" — and I'd also add the operational perspective: "are you 100% sure you've found and replaced every Debian oldoldstable and RHEL 8 box that doesn't support PQC by 2030?"
@neverpanic oh Debian oldstable is not gonna make it. stable might not make it! I have a secret, over-optimistic wish that this will kill the "constantly run software 3-5 years out of date" model of distribution, and free us upstreams from having to deal with its fallout, but I know it won't.

@filippo @robpike Here's an NSA publication on this topic, from 10 years ago. What I love about this is how they describe their requirements: they have to field systems and guarantee their security for 30 years into the future.

https://archive.org/details/cnsa-suite-and-quantum-computing-faq/mode/2up

CNSA Suite And Quantum Computing FAQ : National Security Agency

NSA Guidance on crypto algorithms, and defending against quantum computing.


@filippo What about WebAuthn, Passkeys, etc?

I don't see any movement on that side of the pond. Just as we are convincing everyone to switch to them.

@arianvp I do think they should get moving. But also, a passkey with a broken signature algorithm is still more secure than a password: the attacker needs the public key to fake a signature, and that's only in the website's database. I think it should still be phishing-resistant, too.
@filippo yeah, I guess the privacy-preserving aspects of the WebAuthn API paid off here.