Filippo Valsorda8h ago

Two papers came out last week that suggest classical asymmetric cryptography might indeed be broken by quantum computers in just a few years.

That means we need to ship post-quantum crypto now, with the tools we have: ML-KEM and ML-DSA. I didn't think PQ auth was so urgent until recently.

https://words.filippo.io/crqc-timeline/

A Cryptography Engineer’s Perspective on Quantum Computing Timelines

The risk that cryptographically-relevant quantum computers materialize within the next few years is now high enough to be dispositive, unfortunately.

Show threadClemens
@filippo Couldn't agree more with "the bet is 'are you 100% sure a CRQC will NOT exist in 2030?'" — and I'd also add the operational perspective: "are you 100% sure you've found and replaced every Debian oldoldstable and RHEL 8 box that doesn't support PQC by 2030?"
7:36pmWeb
Show threadFilippo Valsorda4h ago
@neverpanic oh Debian oldstable is not gonna make it. stable might not make it! I have a secret, over-optimistic wish that this will kill the "constantly run software 3-5 years out of date" model of distribution, and free us upstreams from having to deal with its fallout, but I know it won't.
Show threadBill Ricker47m ago

@neverpanic @filippo
We inventoried _everything_ once for Y2K and once for DST 2007 🇺🇸 , at least here.

We _can_ and _will_ do it again.
(Doing it for both CRQC and Y2038 simultaneously would be a cost-savings.)

(If you can't make a 100% inventory, ask your Red Team or contact a gray-hat hacker, see if they'll take $ for becoming white-hat red-vest on Red Team.)