tyoma | 1 year ago

For a long time I wondered why there was such a big push for PQ even though there was no quantum computer and a reasonably working one was always 15 years in the future.

… or was there a quantum computer somewhere and it was just kept hush hush, hence the push for PQ?

The answer turns out to be: it doesn’t matter if there is a quantum computer! The set of PQ algorithms has many other beneficial properties besides quantum resistance.

AnotherGoodName | 1 year ago

The point is that a lot of secrets need to remain secrets for many years. If some government found a way to break elliptic curve in the same way that the number field sieve broke RSA (hence we now need 2048-bit keys rather than the 256-bit keys we were using in the 90s) we’d be fucked for many years to come as all secrets are leaked.

So there may not be quantum computers now. But if there’s going to be one in 20 years we need our crypto to be resilient now.

ziofill | 1 year ago

I’m a physicist working on QC. I know we actually don’t know if a “secret” QC exists somewhere, but given that major theoretical and engineering breakthroughs are needed to build a fault-tolerant one (and all QC companies are facing this regardless of whether their qubits are optical, superconducting, trapped ions, etc.), I’d put that possibility at near zero. Consider also the talent and expertise that is needed for such an endeavour…

bdamm | 1 year ago

And many problems, namely, enormous keys and signatures that make PKI nigh impossible for the embedded/IoT space.

tyoma | 1 year ago

According to the linked post there are PQ algorithms that will fit this niche:

> This variety of different trade-offs gives developers a lot of flexibility. For an embedded device where speed and bandwidth are important but ROM space is cheap, McEliece might be a great option for key establishment. For server farms where processor time is cheap but saving a few bytes of network activity on each connection can add up to real savings, NTRUSign might be a good option for signatures. Some algorithms even provide multiple parameter sets to address different needs: SPHINCS+ includes parameter sets for “fast” signatures and “small” signatures at the same security level.

cyberax | 1 year ago

The signature size for hash-based algorithms is around 16kb, and can be feasibly reduced to 8kb. The key sizes are around 32 bytes.

Lattice-based algorithms are around 1kb.
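As an added illustration of the size trade-off mentioned above (this is example code, not from the thread): a textbook Lamport one-time signature over SHA-256 signs with an 8 KB signature, and can be verified against a 32-byte compressed public key only by doubling the signature to 16 KB. Lamport is assumed here as the simplest hash-based scheme; deployed schemes such as SPHINCS+ use more elaborate constructions but the same basic cost structure.

```python
import hashlib
import secrets

H = hashlib.sha256
N = 256            # one preimage pair per bit of the SHA-256 message digest
SEED_LEN = 32      # 32-byte preimages, so every preimage and hash is 32 bytes

def digest_bits(msg: bytes) -> list[int]:
    """Bits of SHA-256(msg), most significant bit first."""
    d = H(msg).digest()
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(N)]

def keygen():
    # Secret key: 256 pairs of random preimages, 16 KB in total.
    sk = [(secrets.token_bytes(SEED_LEN), secrets.token_bytes(SEED_LEN)) for _ in range(N)]
    # Full public key: the hash of every preimage, also 16 KB.
    pk = [(H(a).digest(), H(b).digest()) for a, b in sk]
    # Compressed public key: a single 32-byte hash over the full key.
    root = H(b"".join(x + y for x, y in pk)).digest()
    return sk, pk, root

def sign(sk, pk, msg: bytes, for_root: bool = False) -> list[bytes]:
    """One-time signature: a key pair must never sign two different messages."""
    bits = digest_bits(msg)
    sig = [sk[i][b] for i, b in enumerate(bits)]          # 256 * 32 B = 8 KB
    if for_root:
        # A verifier holding only the 32-byte root also needs the hashes of
        # the unrevealed preimages, which doubles the signature to 16 KB.
        sig += [pk[i][1 - b] for i, b in enumerate(bits)]
    return sig

def verify_full(pk, msg: bytes, sig: list[bytes]) -> bool:
    bits = digest_bits(msg)
    return len(sig) == N and all(H(sig[i]).digest() == pk[i][b] for i, b in enumerate(bits))

def verify_root(root: bytes, msg: bytes, sig: list[bytes]) -> bool:
    if len(sig) != 2 * N:
        return False
    bits = digest_bits(msg)
    pairs = []
    for i, b in enumerate(bits):
        revealed, other = H(sig[i]).digest(), sig[N + i]
        pairs.append((revealed, other) if b == 0 else (other, revealed))
    # Rebuild the full public key and compare its hash with the published root.
    return H(b"".join(x + y for x, y in pairs)).digest() == root

def sig_size(sig: list[bytes]) -> int:
    return sum(len(part) for part in sig)
```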

vikramkr | 1 year ago

Also, we are talking about mitigating a large, tangible downside risk of a sudden breakthrough in the space: all the secrets stop being secret. "Reasonable" timeline estimates for how far away we are matter for things like if/how much we invest in the tech, but optimistic timelines become pessimistic when defending against downsides, and we should be pessimistic when preparing regulations and mitigations.

kadoban | 1 year ago

> … or was there a quantum computer somewhere and it was just kept hush hush, hence the push for PQ?

If there were a quantum computer somewhere, or close to one, it would be reasonably likely for it to be secret.

I look at the history of crypto in the mid to late 20th century, for example. Small groups in the Allies, the NSA, etc. certainly had more knowledge than was public, by a wide margin, years to decades.

charlieyu1 | 1 year ago

By the 1990s they were pretty rubbish. DES could be cracked by home PCs in a couple of days.