https://gagliardoni.net/#20250714_ludd_grandpas
An abstract:
> "but then WHAT is a good measure for QC progress?" [...] you should disregard quantum factorization records.
> The thing is: For cryptanalytic quantum algorithms (Shor, Grover, etc) you need logical/noiseless qubits, because otherwise your computation is constrained [...] With these constraints, you can only factorize numbers like 15, even if your QC becomes 1000x "better" under every other objective metric. So, we are in a situation where even if QC gets steadily better over time, you won't see any of these improvements if you only look at the "factorization record" metric: nothing will happen, until you hit a cliff (e.g., logical qubits become available) and then suddenly scaling up factorization power becomes easier. It's a typical example of non-linear progress in technology (a bit like what happened with LLMs in the last few years) and the risk is that everyone will be caught by surprise. Unfortunately, this paradigm is very different from the traditional, "old-style" cryptanalysis handbook, where people used to size keys according to how fast CPU power had been progressing in the last X years. It's a rooted mindset which is very difficult to change, especially among older-generation cryptography/cybersecurity experts. A better measure of progress (valid for cryptanalysis, which is, anyway, a very minor aspect of why QC are interesting IMHO) would be: how far are we from fully error-corrected and interconnected qubits? [...] in the last 10 or more years, all objective indicators in progress that point to that cliff have been steadily improving
> Rotate everything that lasts >10 years to pure PQC now
The author suggests switching to Post-Quantum Cryptography, which uses relatively new ciphers that haven't been as battle-tested as older ones like RSA and ECC. Back when those were introduced, there weren't any stronger ciphers at the time, so if they were broken, at least people knew they did the best they could to protect their data.
Now, however, we have standardized encryption with (to the general public's knowledge at least) uncrackable algorithms (provided sane key lengths are chosen), so doing anything that could weaken our encryption makes us worse than the baseline. This proposal is theoretically stronger, but it is unknown whether it will stand the test of time, even with today's technology, due to it being relatively new and not widely deployed.
The standard practice of rolling out PQC is using it as an additional layer alongside current encryption standards. This adds redundancy, so that if one is broken the data will stay safe. Using only PQC or only RSA/ECC/whatever makes the system have a single point of failure.
FYI, this is exactly what governments want (I'll let you guess why). This related post was on the front page just a few days ago: https://news.ycombinator.com/item?id=46033151
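The "additional layer alongside current encryption" deployment described in the comment above is usually done as a hybrid KEM: run a classical key exchange and a post-quantum KEM, then feed both shared secrets (plus a transcript of the public values) into one KDF, so an attacker has to break both to recover the session key. The following is an added example and not code from the linked post or from anyone in this thread; it uses only the Go standard library (crypto/ecdh for X25519, crypto/mlkem for ML-KEM-768 and crypto/hkdf, all of which require Go 1.24 or later). The type names, the HKDF info label and the transcript layout are assumptions chosen for illustration; real protocols (TLS hybrid groups, X-Wing) fix their own.

```go
package main

import (
	"bytes"
	"crypto/ecdh"
	"crypto/hkdf"
	"crypto/mlkem"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// HybridPublic is what the receiver publishes: both public components.
type HybridPublic struct {
	X  []byte // X25519 public key (32 bytes)
	PQ []byte // ML-KEM-768 encapsulation key (1184 bytes)
}

// HybridCiphertext is what the sender transmits.
type HybridCiphertext struct {
	XEphemeral []byte // sender's ephemeral X25519 public key (32 bytes)
	PQ         []byte // ML-KEM-768 ciphertext (1088 bytes)
}

// HybridKeyPair holds the receiver's two private components. Both are needed
// to recover the session key, so an attacker must break X25519 AND ML-KEM-768.
type HybridKeyPair struct {
	x  *ecdh.PrivateKey
	pq *mlkem.DecapsulationKey768
}

// GenerateHybrid creates one X25519 key and one ML-KEM-768 key.
func GenerateHybrid() (*HybridKeyPair, HybridPublic, error) {
	x, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, HybridPublic{}, err
	}
	pq, err := mlkem.GenerateKey768()
	if err != nil {
		return nil, HybridPublic{}, err
	}
	pub := HybridPublic{X: x.PublicKey().Bytes(), PQ: pq.EncapsulationKey().Bytes()}
	return &HybridKeyPair{x: x, pq: pq}, pub, nil
}

// combine derives the 32-byte session key from BOTH shared secrets. The public
// keys and ciphertexts go in as the HKDF salt so the key is bound to this exact
// exchange. Label and layout are hypothetical, chosen for this example.
func combine(ssX, ssPQ []byte, pub HybridPublic, ct HybridCiphertext) ([]byte, error) {
	ikm := bytes.Join([][]byte{ssX, ssPQ}, nil)
	transcript := bytes.Join([][]byte{pub.X, pub.PQ, ct.XEphemeral, ct.PQ}, nil)
	return hkdf.Key(sha256.New, ikm, transcript, "example-hybrid-x25519-mlkem768", 32)
}

// Encapsulate is the sender side: fresh X25519 ECDH plus ML-KEM-768 encapsulation.
func Encapsulate(pub HybridPublic) (HybridCiphertext, []byte, error) {
	curve := ecdh.X25519()
	peerX, err := curve.NewPublicKey(pub.X)
	if err != nil {
		return HybridCiphertext{}, nil, err
	}
	eph, err := curve.GenerateKey(rand.Reader)
	if err != nil {
		return HybridCiphertext{}, nil, err
	}
	ssX, err := eph.ECDH(peerX)
	if err != nil {
		return HybridCiphertext{}, nil, err
	}
	ek, err := mlkem.NewEncapsulationKey768(pub.PQ)
	if err != nil {
		return HybridCiphertext{}, nil, err
	}
	ssPQ, ctPQ := ek.Encapsulate()
	ct := HybridCiphertext{XEphemeral: eph.PublicKey().Bytes(), PQ: ctPQ}
	key, err := combine(ssX, ssPQ, pub, ct)
	return ct, key, err
}

// Decapsulate is the receiver side. ML-KEM uses implicit rejection: a tampered
// ciphertext of the right length yields a different pseudorandom key rather
// than an error, so a mismatch must be caught by key confirmation or the AEAD.
func (kp *HybridKeyPair) Decapsulate(pub HybridPublic, ct HybridCiphertext) ([]byte, error) {
	peerEph, err := ecdh.X25519().NewPublicKey(ct.XEphemeral)
	if err != nil {
		return nil, err
	}
	ssX, err := kp.x.ECDH(peerEph)
	if err != nil {
		return nil, err
	}
	ssPQ, err := kp.pq.Decapsulate(ct.PQ)
	if err != nil {
		return nil, err
	}
	return combine(ssX, ssPQ, pub, ct)
}

func main() {
	kp, pub, err := GenerateHybrid()
	if err != nil {
		panic(err)
	}
	ct, senderKey, err := Encapsulate(pub)
	if err != nil {
		panic(err)
	}
	receiverKey, err := kp.Decapsulate(pub, ct)
	if err != nil {
		panic(err)
	}
	// prints "keys match: true (32 bytes)"
	fmt.Printf("keys match: %v (%d bytes)\n", bytes.Equal(senderKey, receiverKey), len(senderKey))
}
```

The point of the construction is in combine: someone who later runs Shor against the X25519 public keys recovers ssX but still lacks ssPQ, and someone who finds a flaw in ML-KEM still lacks ssX, so the HKDF output stays secret in either case. The cost is on the wire (about 1.2 KB of ML-KEM key plus 1.1 KB of ciphertext per exchange versus 32 bytes each for X25519), which is the usual argument against a pure-PQC cutover for anything that is not long-lived.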
The author mentions:
> RSA-2048: ~4096 logical qubits, 20-30 million physical qubits
> 256-bit ECC: ~2330 logical qubits, 12-15 million physical qubits
For reference, we are at ~100 physical qubits right now. There is a bit of nuance in the logical-to-physical correlation though.
Scepticism aside, the author does mention that it might be a while in the future, and it is probably smart to start switching to quantum resistant cryptography for long-running, critical systems, but I'm not a huge fan of the fear-mongering tone.