A Cryptography Engineer’s Perspective on Quantum Computing Timelines
(words.filippo.io)
I think the main difference here is that breaking RSA now just requires scaling up existing approaches, while breaking LWE or anything like that would need a major conceptual breakthrough. The former possibility is much more likely, and in any case, cryptographers are the most paranoid people on the planet for a reason.
Unfortunately, one can never be sure about much in cryptography until P vs NP is solved (and then some).
(Of course, just because some people say that scaling up is enough doesn't mean it's actually true. For breaking RSA, we now have Shor's algorithm, while the only evidence AI bros have for superintelligence coming from scaling is "trust me bro".)
Yeah and I agree that in principle we should be trying to move to cryptosystems which aren't known to be broken by quantum algorithms. I just don't think the argument in the article is sound. There are costs, including actual security risks, inherent to switching. To name a couple:
You have to actually weigh the benefits of resistance to quantum computers (which may or may not actually appear) against these costs (which certainly will). Paranoia isn't a threat model.
And to be clear, cryptographers already know these things, and if they still think we should all move to lattice cryptosystems despite the costs, then that's totally fine. I just wish they would write their blog posts to reflect that instead of talking about the 1% thing.