[Cryptography] Some quantum computers might need more power than supercomputers
Peter Gutmann
pgut001 at cs.auckland.ac.nz
Sat Jan 10 23:47:02 EST 2026
Jon Callas <jon at callas.org> writes:
>This is why the bogeyman of collect now, decrypt later is within epsilon of
>bogus for many deltas.
While I'm drawing a diagram to try and decode that analogy, I should point out
that SNDL is the cryptographer's response to Roko's Basilisk, "pay homage to
$thing now or God (or a designated appointee) will smite you later".
Another point with SNDL, expanding on the comment from the talk that only
epsilon of all the traffic encrypted today will be interesting in 30 years'
time, is that if your threat model is James Mickens' "Mossad doing Mossad
things to you" then you're screwed no matter what you do and if it's not
"Mossad doing Mossad things to you" then no-one cares enough about you to
spend 4 million Euros with an imaginary device to recover your whatever-it-is.
So I think step 0 of SNDL (again from the talk) would be to figure out who, if
anyone, would actually be affected by this, and if it's that important why the
attacker would pin their hopes on a physics experiment 30 years in the future
rather than just infiltrating the target's systems and grabbing the plaintext.
The whole SNDL bogeyman seems to me, alongside "but what if the monsters *are*
real?" ("what if someone does create a QC?"), like an argument of last resort
when you've got nothing else to put up.
>Clearly work needs to be done on how to create magic trick elliptic curve
>keys. We should do that sometime.
That would be kinda neat, publish a paper detailing how to create
sleight-of-hand ECC parameters suitable for solution via physics experiment. So the
"breakthrough" isn't how to solve the ECDLP with a physics experiment, it's
how to create ECC parameters for which you can claim to have solved the ECDLP
with a physics experiment.
Following the pattern for integer factorisation you'd need to have something
where you only need to guess one or two bits to issue a press release claiming
success, but if it was that easy I'm sure someone would have announced a
successful result by now.
Peter.