Filippo Valsorda10h ago

Two papers came out last week that suggest classical asymmetric cryptography might indeed be broken by quantum computers in just a few years.

That means we need to ship post-quantum crypto now, with the tools we have: ML-KEM and ML-DSA. I didn't think PQ auth was so urgent until recently.

https://words.filippo.io/crqc-timeline/

A Cryptography Engineer’s Perspective on Quantum Computing Timelines

The risk that cryptographically-relevant quantum computers materialize within the next few years is now high enough to be dispositive, unfortunately.

Show threadJörn Franke7h ago
@filippo Both algorithms have not been extensively tested and analysed. It could be a significant higher risk that they are broken on classical computers than there is a quantum computer that can do what it stated by the papers. Instead of having quantum computer validating this risk in practice they only work on artificial irrelevant problems (not actually trying to break keys). It would be good to see some real case (even small) where they try do it - this would help to understand the risk.
Show threadJörn Franke7h ago
@filippo Quote from a paper that you cite: ", our most
time-efficient architectures can potentially enable run-
times of 10 days for ECC–256 with ≈ 26,000 qubits, and
97 days for RSA–2048 with ≈ 102,000 qubits"
This is for one key! If all "substantial engineering challenges" are solved.
It was not the scope of your post, but a broader assessment at Confidentiality, Integrity, Availability risks with some concrete estimations would help (which is maybe more a job for a IT Security Risk Manager).
Show threadFilippo Valsorda7h ago

@jornfranke I encourage you to reread the article because it addresses all your objections, especially the "why did they not break a small key".

I will add that the cryptography experts are actually very confident in the security of lattices. https://keymaterial.net/2025/12/13/a-very-unscientific-guide-to-the-security-of-various-pqc-algorithms/

A very unscientific guide to the security of various PQC algorithms

After publishing my series on UOV, one feedback I got was that my blog posts made people feel more confident in the security of the scheme, because “at least someone is looking into these thi…

Key Material
Show threadJörn Franke
@filippo I found no good argument for this. There is just a bogus comment that nobody asked the Manhatten project to create a small nuclear explosion. It has nothing to do with the topic and they of course did various tests and experiments to validate what they are doing.
It is a typical distraction from the fact that they even cannot solve small problems on QC.
6:04pmWeb