[Cryptography] Some quantum computers might need more power than supercomputers

Jon Callas jon at callas.org
Sat Jan 10 15:13:36 EST 2026



> On Jan 9, 2026, at 00:15, Peter Gutmann <pgut001 at cs.auckland.ac.nz> wrote:
> 
> Jon Callas <jon at callas.org> writes:
> 
>> Some quantum computers might need more power than supercomputers
> 
> The German government (via the BSI) wrote a report on this and estimated that
> it would take 100 days and €4M in electricity to recover a single 2048-bit key
> on a quantum computer that doesn’t exist.  That's one single key.  There are 7
> trillion keys negotiated each year just for TLS web connections.

Precisely. This is why the bogeyman of collect now, decrypt later is within epsilon of bogus for many deltas. 

It's not even like that is a new thing. Back in the idealized era of Enigma/Lorenz decryptions, one of the major tasks was not decrypting messages so much as finding things worth decrypting. Decrypting the morning weather report isn't particularly useful. As usual, traffic analysis is key. Now to be fair, many of those 7 trillion keys are people reading the newspaper or social media, and easily trimmed away. And there are keys that we can identify as keystones that open up other things. Among my personal museum things is a paper tape that is an old Lorenz intercept that no one ever bothered to decrypt. I haven't, either.

A person I know was recently helping a family get information artifacts from someone who had died. The gist of the tale was that they had no way to get a phone's six-digit PIN code. They could get to all sorts of important things once they got control of the deceased's Gmail account, because the lost-password recovery flow loops to the email account. Nonetheless there were a number of things they just couldn't get to because it required the phone's PIN. There are two morals of the story. One is directly relevant here, and it's that it might actually be worth cracking the login password or phone PIN of some person, because that unlocks everything else. Password managers make this even more true. The other is that people should consider making sure that a few common passwords/PINs are kept along with one's will.

> 
> Oh, and that's for integer factorisation, not (EC)DLP, so not actually useful
> for attacking the shopping list of common crypto protocols I mentioned
> earlier.

Clearly work needs to be done on how to create magic trick elliptic curve keys. We should do that sometime.

	Jon


