[Cryptography] Quillon Graph: A private, post-quantum electronic cash system

Peter Fairbrother peter at tsto.co.uk
Thu Jan 8 13:26:03 EST 2026


On 08/01/2026 04:34, Peter Gutmann via cryptography wrote:
> Peter Fairbrother <peter at tsto.co.uk> writes:
> 
>> Ummm, (ignoring that they can't be decrypted) signatures aren't really
>> subject to HNDL
> 
> Nothing is subject to HNDL.  

While I agree completely with the rest of your post, I have to interject 
a caveat here: HNDL need not solely refer to quantum cryptography, it 
could just as easily refer to a classical break, or an improvement in 
classical computer systems, sometime in the future.


As to my comment about signatures, they are often used to prevent MITM 
attacks, where any possibility of future forging is irrelevant. Also, in 
blockchains, pre-forgability signatures are also still secure as long as 
the blockchain is secure.

So HNDL (or HNFL) of signatures has limited targets, especially in the 
type of constructions under discussion, where protection now against the 
possibility of future quantum attacks is often simply unnecessary.


> Have you noticed how all the claimed quantum
> factorisation records are for just that, factorisation?  It's because it's
> easier to cheat with that.  No-one has ever claimed to have achieved any
> quantum result against (EC)DH, which would be needed for HNDL against TLS,
> SSH, IPsec, OpenVPN, Wireguard, Signal, WhatsApp, Facebook Messenger, ...,
> because it's much harder to cheat with the (EC)DLP than with factorisation.

Yep.

I like 1536-bit DH myself, can't see any classical attacks happening to 
that in the foreseeable future. Or 1536-bit RSA, for that matter. Is 
1536 bit overkill? Yes, except in the most extreme cases - but we don't 
know where those extreme cases will be, so let's do everything in 1536 bits.



Quantum? Shmauntum. When/if I see it coming...

When we first started using RSA and discrete logs there was no proof that 
they weren't subject to a clever classical attack. Still isn't, but we 
have had some of Schneier's years of analysis by both cryptographers and 
mathematicians on that, and we accept that they are likely difficult 
problems. Likely enough that we rely on that assumption in our cryptography.


For Quantum Cryptography, we don't just rely on factorisation records by 
quantum cryptographers, but also on progress by physicists and 
mathematicians (though the main potential use of quantum computers, the 
one which brings in the funding, is obviously in cryptography).

After quite a few years research it looks like cryptographically useful 
quantum computers may forever be impractical due to noise, errors, and 
the difficulty of keeping a large array coherent. [1]

Can we rely on that assumption? Probably not yet, but we can for sure 
consider it.



Peter Fairbrother


[1] Not to mention the huge numbers of qubits and gates required - the 
entire superposition and coherence has to go through each of the gates 
too, not just be stored in the array of qubits. Ouch.
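An added illustration of the point made above about signatures and MITM protection (this is example code written for this page, not part of the post or anything from the thread). It models an ephemeral Diffie-Hellman handshake whose public values are authenticated with long-term keys, records the transcript as a passive "harvest now" observer would, and then hands the observer both long-term keys afterwards. The observer can now forge authentication tags (so future active MITM is possible), but the recorded session key still depends on an ephemeral secret that was never sent and is no longer held anywhere. Everything here is constructed for a stdlib-only demo: the group (the Mersenne prime 2^127 - 1 with generator 3) is a toy, not a standard 1536-bit MODP group, and an HMAC keyed by the long-term key stands in for a real signature, since only the "only the key holder can produce a valid tag" property matters for the argument.

```python
"""Added example: later compromise of a long-term authentication key does not
let a recorder decrypt an ephemeral-DH session recorded earlier.

Toy group and HMAC stand-in for the signature are constructed for this demo
(stdlib only); they are illustrative, not a real protocol."""
import hashlib
import hmac
import secrets

# Constructed toy group: P is the Mersenne prime 2^127 - 1, G = 3.
# A real deployment would use a standardised group (e.g. a 1536-bit+ MODP group).
P = 2**127 - 1
G = 3
WIDTH = 16  # bytes needed to encode any value below 2^128


def derive_session_key(shared_secret: int) -> bytes:
    """Hash the DH shared secret down to a 32-byte session key."""
    return hashlib.sha256(shared_secret.to_bytes(WIDTH, "big")).digest()


def authenticate(long_term_key: bytes, public_value: int) -> bytes:
    """Stand-in for a signature over an ephemeral public value.
    Only a holder of long_term_key can produce a valid tag, which is the
    property the MITM defence relies on."""
    return hmac.new(long_term_key, public_value.to_bytes(WIDTH, "big"),
                    hashlib.sha256).digest()


def run_handshake(long_term_key_a: bytes, long_term_key_b: bytes):
    """Authenticated ephemeral DH between A and B.
    Returns the public transcript a passive recorder sees and the session key."""
    a = secrets.randbelow(P - 2) + 1  # ephemeral secret, never transmitted
    b = secrets.randbelow(P - 2) + 1
    pub_a, pub_b = pow(G, a, P), pow(G, b, P)
    transcript = {"A": pub_a, "tag_A": authenticate(long_term_key_a, pub_a),
                  "B": pub_b, "tag_B": authenticate(long_term_key_b, pub_b)}
    # Each side verifies the peer's tag before using the peer's value; a
    # MITM without the long-term key cannot substitute its own value here.
    assert hmac.compare_digest(transcript["tag_B"], authenticate(long_term_key_b, pub_b))
    assert hmac.compare_digest(transcript["tag_A"], authenticate(long_term_key_a, pub_a))
    key_a = derive_session_key(pow(pub_b, a, P))
    key_b = derive_session_key(pow(pub_a, b, P))
    assert key_a == key_b
    # a and b go out of scope here; nothing persistent retains them.
    return transcript, key_a


def recorder_with_leaked_keys(transcript, long_term_key_a: bytes, long_term_key_b: bytes):
    """What a harvest-now/decrypt-later recorder can compute once it later
    obtains BOTH long-term keys. Returns (can_forge_tags, candidate_keys):
    it can forge a valid tag for any value (future MITM), but every key it can
    derive from the transcript and the long-term keys alone is just a
    function of public values, none of which is the real session key."""
    pub_a, pub_b = transcript["A"], transcript["B"]
    forged = authenticate(long_term_key_a, pub_a)
    can_forge = hmac.compare_digest(forged, transcript["tag_A"])
    # Without an ephemeral secret there is no g^(ab) to hash; these are the
    # only public-value combinations available, none of which equals it.
    candidates = {derive_session_key(pub_a), derive_session_key(pub_b),
                  derive_session_key((pub_a * pub_b) % P),
                  derive_session_key(pow(pub_a, pub_b, P))}
    return can_forge, candidates


def demo():
    """Run one handshake, then hand the recorder both long-term keys.
    Returns (session_key, can_forge_tags, candidate_keys)."""
    lt_a, lt_b = secrets.token_bytes(32), secrets.token_bytes(32)
    transcript, session_key = run_handshake(lt_a, lt_b)
    can_forge, candidates = recorder_with_leaked_keys(transcript, lt_a, lt_b)
    return session_key, can_forge, candidates


if __name__ == "__main__":
    key, forge, cands = demo()
    print("recorder can forge future tags:", forge)
    print("recorder recovered recorded session key:", key in cands)
```

The structural lesson is the one the post makes: a later break of the authentication primitive lets the attacker act as a MITM against *future* sessions, but it does not hand over *past* session keys, so "harvest now" gains nothing against the confidentiality of the recorded traffic. With a toy 127-bit group the recorder could of course just solve the discrete log; the point of the example is that the long-term key itself contributes nothing to that recovery.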

