Two papers came out last week that suggest classical asymmetric cryptography might indeed be broken by quantum computers in just a few years.

That means we need to ship post-quantum crypto now, with the tools we have: ML-KEM and ML-DSA. I didn't think PQ auth was so urgent until recently.

https://words.filippo.io/crqc-timeline/

A Cryptography Engineer’s Perspective on Quantum Computing Timelines

The risk that cryptographically-relevant quantum computers materialize within the next few years is now high enough to be dispositive, unfortunately.

@filippo Both algorithms have not been extensively tested and analysed. There could be a significantly higher risk that they are broken on classical computers than there is of a quantum computer that can do what is stated by the papers. Instead of having a quantum computer validate this risk in practice, they only work on artificial, irrelevant problems (not actually trying to break keys). It would be good to see some real case (even small) where they try to do it - this would help to understand the risk.
@filippo Quote from a paper that you cite: ", our most time-efficient architectures can potentially enable runtimes of 10 days for ECC–256 with ≈ 26,000 qubits, and 97 days for RSA–2048 with ≈ 102,000 qubits"
This is for one key! If all "substantial engineering challenges" are solved.
It was not the scope of your post, but a broader assessment of Confidentiality, Integrity, Availability risks with some concrete estimations would help (which is maybe more a job for an IT Security Risk Manager).
@jornfranke @filippo And where are we in the usable qubits race?

@yacc143 @jornfranke @filippo

This is a tricky question because the definitions shift. A lot of these algorithms require all of the qubits to be in the same quantum circuit, but not all devices allow this and two smaller quantum computers do not combine to make a single large one in the way classical ALUs can. A lot of the recent publications have been focused around using multiple physical qubits to handle the various error conditions and present as a single logical qubit, so a system with a thousand qubits may only be one qubit from the perspective of a quantum computing algorithm that’s modelled on a perfect quantum computer.

@david_chisnall what about quantum gates? Aren’t they as important as the number of required bits?

@yacc143 @jornfranke @filippo