17 comments

[ 2.9 ms ] story [ 28.1 ms ] thread
Ok, maybe I'm missing something here.

So we know that quantum computers hold a real risk of being able to break a lot of encryption. We also know that changing cyphers is hard (because reasons)

But what I don't see is what I can practically do now, as either someone who is a CTO/Big Cheese™ or a lowly engineer?

Aaronson know his stuff but I am not sure he hasn’t considered the fact that, in this current hype cycle, the quantum researchers breathlessly reporting to him on a breakthrough just around the corner are just lying to him and themselves.

I have been hearing about one more technical hurdle to solve before quantum algorithms become feasible since before I graduated. That was in 1996.

"The Shor of Damocles" - what a metaphor.

I thought it was a typo at first but wikipedia explained:

The Sword of Damocles is an ancient Greek moral anecdote, an allusion to the imminent and ever-present peril faced by those in positions of power.

Shor's algorithm is a quantum algorithm for finding the prime factors of an integer

It applies to those subject to a capricious arbitrary power as well. Like living under a shitty parent, the same threat(s) they settle on to control them becomes the dangling Sword till its forecefully removed and they are neutered
Tl;dr:

> if quantum computers start breaking cryptography a few years from now, don’t you dare come to this blog and tell me that I failed to warn you. This post is your warning.

> Shor of Damocles

What is the biggest number factored using Shor's algorithm?

Last time I looked it was very unimpressive.

Edit: It's gotten worse. 21 from 2012. "Replication of Quantum Factorisation Records with an 8-bit Home Computer, an Abacus, and a Dog" say the factorization of 35 in 2019 actually failed.

https://eprint.iacr.org/2025/1237

As a software engineer with a good amount of freedom to choose what tools I want to use, what can I do presently to move towards post-quantum cryptography? AFAIK the hashes and symmetric cyphers that are in wide use are already resistant, leaving mainly public-key cryptography as the problem. Is there, for instance, a drop in replacement for `ssh-keygen -t ed25519`?
I'm sure eventually i'll eat my words - but Quantum still seems like a massive marketing gimmick. The technology itself is incredibly interesting, but it feels as if CERN began advertising itself as a marketing stunt - there's just something about the way I see quantum marketed + advertised right now that doesn't seem to align with reality.
Re the "Manhattan project in 1944" argument - I am very cautious about the "modulo engineering scaling" carve-out -- unlike the uranium manufacturing pipeline of World War 2, that involved massively scaling up a known process, on the face of it there's no uncontroversial process/architecture to scale up in this case.

On the face of it, even relatively "point-target" goals of this kind could take many decades if at all; GaN for blue diodes come in mind as an example of a field that was stuck for a generation -- until it wasn't.

Sounding the alarm while presenting no data or science, as a member of the National academy of sciences, is doing a disservice to the position, to science, to the self.

Show the data, the charts, let people decide for themselves.

People are starting to catch on to the AI scare mongering, let the quantum computer scare mongering begin. We should probably start giving these companies lots of money lest other countries beat us to it.
Many people in this thread are skeptical about quantum computers, and that's fair. This migration is a big part of my current job, and even I think that there's a non negligible chance that we won't see commercially available quantum computers anytime soon.

The problem is that we're not trying to predict the exact future, we're hedging against possible developments. If there's a 50/50 chance of quantum computers being widely deployed for cryptoanalysis, then there's a 50% chance of this migration being useless. But you don't want to bet your security on a coin toss! So, we migrate.

That's the unfortunate truth of security, sometimes the protections are never triggered. But you still need them.

There are different types of skepticism when it comes to Quantum Computing (QC). One can be skeptic about its feasibility, namely achieving Fault Tolerant Scalable Quantum Computer (for instance Gil Kalai).

Or, they can be skeptic its applications on the real world.

I am on the second camp, very much. It has mainly two important application areas: Breaking Some Public Key cryptography and Simulating Quantum System.

I think the 1st one is very real, we need to be serious and careful on the migration.

The second area is, I think, extremely overhyped.

One should ask what cases there are for investing in QC that makes financial sense. I can think of couple of areas where quantum effects are important enough to justify this. Better designs for Enzymes and Solid State Batteries. The case for enzyme designs is weakened even more if you check the recent paper by Garnet Chan: https://bsky.app/profile/dulwichquantum.bsky.social/post/3mh...

Unless we see collorobaration between IBM/Google and BYD/CATL/Tesla that will lead to next gen solid state batteries, I would say it wont have substantial impact on the real world. One also has to consider that QC is not the only method to simulation strongly coupled Quantum Systems, there are already other methods, tensor network, Deep Learning based, etc.

Lastly, the QCs will be coming in the future. SO, yhey kind of need to hurry up since current benchmarks for EV batteries are improving every year. There is also the issue of translating lab result into production environment.

All of these factors are eating away the relevance of QCs when it comes to real world applications.

I think we are essentially left with a situation where the only practical application of the technology (QC) is to steal stuff on the internet.

Does djb ever frequent HN? Can we summon him with the correct incantations?

I'd really like to know what his current work on the subject entails, but when I try googling his stuff all I find are years-old papers, more recent meta discussion, and him making a few comments about other peoples' work.

I was sure that by now he'd have at least collaborated on some avant-garde PQ algo that was as different from the NSA approved stuff as chacha20-poly1305 was from AES. I was hoping for a PQ-NaCl folks would be using soon, not the libpqcrypto that seems to lack traction among devs (for reasons I do not understand). I am disappoint.

(It's probably all tucked away in some corner of the web that a layman like me will never find. Sigh.)

Edit: Hah! I gave up on looking for papers or repos and decided to just read his blog instead. Well would'ya look at that! It's non-stop PQ ranting of the kind we've come to love and cherish from DJB. No new repos or code with his imprimatur that I can see so far but better than I was expecting. Looks like I've got some reading to do....

I should have subscribed to his rss feed years ago. And his "microblog" too! https://microblog.cr.yp.to/

My only concern is that in the rush to implement PQC everywhere, less well-tested/battle-hardened algorithms get used and everything becomes insecure to someone who has found the master key.