[Cryptography] Has quantum cryptanalysis actually achieved anything?

Richard Carback rick at carback.us
Mon Feb 24 16:09:14 EST 2025



> Apropos of the discussion, this morning on twitter I saw:
> 
> <https://twitter.com/mjos_crypto/status/1893989617575092240>
> 
>   Oh lord, they published it <screen shot> [This is the paper on the D-Wave
>   factorization of a 2048-bit RSA number -- jdcc]
>   <https://ieeexplore.ieee.org/stamp/stamp.jsp?arnumber=10817698>

While it is important to call out these gimmicks, I have been watching this space for a while and I believe the primitives are in place for the situation to change quickly:

1. The basic gate constructions are convincingly proven to work, namely the Toffoli (CCNOT) gate, which is the primary one used for the proposed algorithms (https://en.wikipedia.org/wiki/Toffoli_gate).
2. The algorithms work in simulators using these gates.
3. Error rates are now hovering around 10^-4 (down from 10^-3 last year). This takes the # of logical qubits required from ~2 million to ~650k for ECC per the leading error correction mechanism. If the antimony qubits (8 errors to flip - https://spectrum.ieee.org/quantum-error ) are made to work at scale then it’s more like 5-10k logical qubits. We already have quantum computers of that size although they are D-Wave annealing machines which can’t easily be configured to work the way we need them for the algorithms yet.
4. The # of qubits is starting to show an exponential growth pattern.
5. The closest allegory for manufacturing qubits is a transistor, and our current manufacturing capabilities easily exceed 100 billion of those per chip. It’s not clear to me at all that it would take very long to scale up to millions or so in 18 months or so given the engineering gets worked out.  Unlike in the past, the capex risk v. reward equation to anyone who can build these things first is massively tilted to the latter side.


FWIW my background is working on several post-quantum libraries (a ratchet, sleeve wallet, etc). I have been following progress the last few years and in December I became very convinced we are at or nearing the inflection point where this takes off assuming a black swan event doesn’t stop it. 

Last month a colleague and I made a calculator tool (with more data and references) called the quantum doom clock if anyone wants to try it: 

https://quantumdoomclock.com/explanation

-Rick