[Cryptography] Has quantum cryptanalysis actually achieved anything?

Peter Gutmann pgut001 at cs.auckland.ac.nz
Wed Feb 26 05:38:58 EST 2025


Condensing multiple replies into one message to avoid flooding the zone, in
rough chronological order...

Sebastian Stache via cryptography <cryptography at metzdowd.com> writes:

>One could argue that practical (i.e. with a net energy gain) nuclear fusion
>already is a fact. Stars do it

An off-topic reply here but stars use proton-proton fusion where the protons
are hydrogen ions, the standard form of hydrogen in space.  Since protons are
electrically charged they repel each other so the process is extremely
inefficient, even at the centre of the sun the energy produced per unit volume
is about the same as a compost heap.  The only reason why it works in the sun
is the massive scale it's done on.

Jon Callas <jon at callas.org> writes:

>If you look at the ten "2048-bit factorizations" in appendix S1, the distance
>p-q between the factors is either 2 (a prime pair) or 6. You just compute
>square root of n and guess one bit -- the complexity is literally 2^1.

At some point you cross a line where you go from sleight-of-hand to just
fraud.  I think this one is at, or even over, the line.  You can "factor"
arbitrary-sized numbers with a C64 using this technique.

Jon Callas <jon at callas.org> writes:

>That's more reason not to tap the brakes on PQC deployment.

Except that, as the Bollocks talk points out, this draws resources away from
defending against what attackers are actually doing in the real world.  We've
spent 30-40 years tuning our existing crypto and security stuff, fixing bugs,
patching holes, responding to cryptanalysis, and so on.  Some of it is now
pretty good (and in any case mostly irrelevant because it's not what attackers
are targeting, we have a booming global cybercrime industry that couldn't care
less what crypto we use but that's another debate).

What the switch to PQC is doing is throwing away all of that evolution over
time and starting again with a new set of bugs, mistakes, errors,
cryptanalytical attacks, and problems that we can spend the next 30-40 years
trying to fix.  It's a major net loss for security to defend against an attack
that no-one has been able to demonstrate exists.  We may as well try and
implement Colin O'Flynn's Time Travel Resistant Cryptography (TTRC) while
we're at it, in case someone invents a time machine.

Danny Muizebelt <dannym at packetloss.at> writes:

>That is what bothers me about quantum computing, the promise of endless
>mathematical results out of nothing.

It's been doing great for String Theory (which is why I compared it to QC in
the Bollocks talk).

I think though for QC it's more like endless funding results out of nothing.

Peter.
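The "p-q is 2 or 6" trick that Jon Callas describes and Peter Gutmann's C64 remark above refer to Fermat's difference-of-squares method: if n = p*q with q-p tiny, then ceil(sqrt(n)) already equals (p+q)/2 and the first candidate a gives a perfect square a^2 - n = ((q-p)/2)^2, so the "factorization" takes one step no matter how many bits n has. The following is an added example written for this page, not code from the thread or from the paper under discussion; the helper names, the seeded RNG, the 512-bit size and the step budget are all assumptions chosen here. It also shows the flip side that makes the trick meaningless for real keys: with two independently generated primes the same routine gets nowhere.

```python
import math
import random

# Odd primes below 2000, used for trial division before Miller-Rabin.
SMALL_PRIMES = [p for p in range(3, 2000)
                if all(p % d for d in range(2, int(p ** 0.5) + 1))]


def is_probable_prime(n, rng, rounds=24):
    """Miller-Rabin test; bases come from rng (seeded by the caller for reproducibility)."""
    if n < 2:
        return False
    if n % 2 == 0:
        return n == 2
    for p in SMALL_PRIMES:
        if n == p:
            return True
        if n % p == 0:
            return False
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False  # a is a witness: n is composite
    return True


def random_prime(bits, rng):
    """Random odd prime with the top bit set (toy key generation, assumption: no further RSA checks)."""
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand, rng):
            return cand


def next_prime(n, rng):
    """Smallest prime strictly greater than n; the gap is a few hundred on average at 512 bits."""
    cand = n + 1 if n % 2 == 0 else n + 2
    while not is_probable_prime(cand, rng):
        cand += 2
    return cand


def fermat_factor(n, max_steps):
    """Fermat's method on odd n: search a = ceil(sqrt(n)), a+1, ... for a^2 - n a perfect square.

    Returns (p, q, steps_used) with p*q == n, or None if the step budget runs out.
    Each step covers only ~2*sqrt(n) of the (p+q)/2 search space, so it is only
    viable when the two factors are extremely close together.
    """
    a = math.isqrt(n)
    if a * a < n:
        a += 1
    for step in range(1, max_steps + 1):
        b2 = a * a - n
        b = math.isqrt(b2)
        if b * b == b2:
            return (a - b, a + b, step)
        a += 1
    return None


def demo(bits=512, seed=2025):
    """Close primes fall in one step; independent primes of the same size never do."""
    rng = random.Random(seed)  # fixed seed so the run is reproducible (assumption)
    p = random_prime(bits, rng)
    q = next_prime(p, rng)          # neighbouring prime: q - p is tiny relative to 2^bits
    close = fermat_factor(p * q, max_steps=1000)
    p2 = random_prime(bits, rng)    # two independent primes: q2 - p2 is on the order of 2^bits
    q2 = random_prime(bits, rng)
    far = fermat_factor(p2 * q2, max_steps=1000)
    return {
        "close_gap": q - p,
        "close": close,
        "close_ok": close is not None and close[:2] == (p, q),
        "far": far,                 # None: the budget is exhausted without a factor
    }


if __name__ == "__main__":
    r = demo()
    print("gap q-p =", r["close_gap"], "steps =", r["close"][2], "correct =", r["close_ok"])
    print("independent primes, 1000 steps:", r["far"])
```

The point to take from the second half of `demo` is that the step count Fermat needs grows roughly as (q-p)^2 / (8*sqrt(n)); for a properly generated key that is astronomically larger than any budget, which is why "factoring" n built from a prime pair says nothing about RSA as deployed.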
