[Cryptography] Quillon Graph: A private, post-quantum electronic cash system

Stephan Neuhaus neut at zhaw.ch
Mon Mar 30 03:09:31 EDT 2026


On 3/28/26 10:53 PM, jrzx via cryptography wrote:
 >>    That said, I'll raise your implicit challenge directly:
 >> If the post-quantum push is a trap, what's the recommended
 >> alternative? Stay classical and accept the (disputed but non-zero)
 >> quantum risk? Use non-NIST algorithms
 >> (which ones? with what analysis history?)? The "don't trust NSA"
 >> position is strong on diagnosis but thin on prescription.
 >
 > Thin on prescription because no one actually knows what quantum 
cryptanalysis can do -- the capacity to factor large numbers does not 
necessarily imply a similar capability on elliptic curves -- and no one 
knows what quantum resistance might actually look like.

There seems to be evidence that it *does* imply a capability to solve 
the DLP over elliptic curves; see https://eprint.iacr.org/2017/598.pdf 
Note that this applies to prime fields, not to GF(2^n). Their resource 
estimates also imply a rather large quantum computer, and they don't 
give a runtime estimate. (The latter is important in the light of the 
recent "breakthrough" where it was discovered that you can break 
RSA-2048 with just 5000 or so qubits, if you are prepared to swap qubits 
for exponential running time; see https://scottaaronson.blog/?p=9615)

My own take on this is that there is, at the moment, exactly zero 
evidence for an imminent threat. People like djb argue that this is 
expected because QC capabilities grow exponentially, so you will see 
"Tiny-RSA" being broken, followed by more "Tiny-RSA", then followed by 
RSA-512, then quickly followed by RSA-4096. But I'm not buying this 
argument, for two reasons. First, because all quantum factorisations so 
far have used trickery and thus cannot be used for evidence of progress. 
And second, because it relies on engineering AND scientific 
breakthroughs, and while I can see engineering breakthroughs being made 
once you know that something is possible, scientific breakthroughs are 
much harder to rely on.

Djb's counterargument is that we would never have gotten to the moon if 
all we had done was look at the height of flights and concluded that the 
moon would be forever out of reach. But this is a fallacy. Apart from 
using an analogy, which is always tricky, the correct way would have 
been to look at the heights and speeds achievable with already existing 
rocket technology. And there it was clear that it could help solve at 
least one of the main problems of going to the moon, namely achieving an 
orbit. Sputnik had proved that. Not many scientific breakthroughs were 
needed; most of those had already been made, albeit by someone else.

 >
 > NIST has a long history of being a malicious scam.  If NIST quantum 
resistance is not a malicious scam, it is snake oil.

Returning to cryptography, my (admittedly limited) knowledge of PQC 
tells me that no one at this point can show that lattices are truly 
quantum-safe. To be fair, no one knows the opposite either, so I 
wouldn't go so far as to call NIST PQC a scam. But.

It would be a hoot if we standardised lattice-based crypto and it later 
turned out that NSA knew how to break lattices (and it would be an even 
bigger hoot if they knew how to break them classically). At the same 
time, no one knows how to even think of a quantum computer large enough 
to break even toy RSA. If we absolutely must standardise something, it 
therefore seems to me to be a no-brainer to at least standardise 
hybrids, and hybrids only. Also, the breakneck speed at which 
standardisation is progressing is concerning to me, especially in light 
of how many proposals were broken. If I remember correctly, even a 
significant number of round-2 candidates were broken, something that I 
don't remember happening in the AES competition. (But again, my memory 
is not perfect, so I may be wrong.)

So to return to the OP's question: my recommendation would be that if 
you believe in the quantocalypse, and believe that 
store-now-decrypt-later is a credible threat, use hybrids, if you must. 
I don't believe in either, but at least with hybrids, you can't be worse 
than ECC alone.

 > No one can write a quantum resistant algorithm, because we lack 
theory and empirical experience.  We don't even know what is quantum 
vulnerable, except for RSA.

And DH, even though most researchers seem to focus on RSA. Peter Gutmann 
has the theory that sleight-of-hand is easier with RSA than with DH, and 
given the relative paucity of quantum-DH records and the relative 
abundance of quantum-factorisation-sleight-of-hand records, this theory 
has much to recommend it.

Fun

Stephan
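The "hybrids, and hybrids only" recommendation above rests on a concrete construction: run a classical key exchange and a post-quantum KEM side by side and feed both shared secrets into one KDF, so the session key is secret as long as either leg holds. The following is an added example illustrating that combiner; it is not code from the post or from any standard. Both legs are instances of a toy Diffie-Hellman-as-KEM over the Mersenne prime 2**127 - 1 with generator 3 (an assumption for illustration only, not a vetted group and not secure); in a real deployment the first leg would be X25519 or P-256 and the second ML-KEM, which the combiner does not care about. The names `ToyDHKEM`, `combine`, `hybrid_exchange` and `attacker_with_broken_classical_leg` are all mine. The HKDF is a stdlib implementation of RFC 5869.

```python
"""Hybrid KEM combiner: K = HKDF(ss_classical || ss_pq, transcript).

Added example, not code from the original post. Both legs below are a toy
Diffie-Hellman packaged as a KEM over 2**127 - 1 (assumed toy group, NOT
secure). The combiner is generic over the legs: swap in a real ECDH and a
real post-quantum KEM and nothing in combine() changes.
"""
import hashlib
import hmac
import secrets

P = 2**127 - 1          # toy modulus (assumption: for illustration only)
G = 3                   # toy generator; its order in this group is not vetted
NBYTES = (P.bit_length() + 7) // 8


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """HKDF (RFC 5869) extract-then-expand over HMAC-SHA-256, stdlib only."""
    prk = hmac.new(salt or bytes(32), ikm, hashlib.sha256).digest()
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        out += block
        counter += 1
    return out[:length]


class ToyDHKEM:
    """Diffie-Hellman expressed as a KEM: keygen / encaps / decaps."""

    @staticmethod
    def keygen():
        sk = secrets.randbelow(P - 3) + 2
        pk = pow(G, sk, P).to_bytes(NBYTES, "big")
        return sk, pk

    @staticmethod
    def encaps(pk: bytes):
        y = secrets.randbelow(P - 3) + 2
        ct = pow(G, y, P).to_bytes(NBYTES, "big")
        ss = pow(int.from_bytes(pk, "big"), y, P).to_bytes(NBYTES, "big")
        return ct, ss

    @staticmethod
    def decaps(sk: int, ct: bytes) -> bytes:
        return pow(int.from_bytes(ct, "big"), sk, P).to_bytes(NBYTES, "big")


def combine(ss_classical: bytes, ss_pq: bytes, transcript: bytes) -> bytes:
    """Concatenation combiner: both shared secrets form the IKM; the public
    values (keys and ciphertexts) go into `info` to bind K to this exchange.
    Either secret alone, with the other unknown, gives no handle on K."""
    return hkdf_sha256(ss_classical + ss_pq, b"", b"hybrid-kem|" + transcript)


def hybrid_exchange(classical=ToyDHKEM, pq=ToyDHKEM):
    """One full hybrid exchange. Returns (K_initiator, K_responder, view),
    where `view` is everything an eavesdropper records plus the responder's
    classical private key, simulating a classical leg broken by Shor."""
    sk_c, pk_c = classical.keygen()
    sk_q, pk_q = pq.keygen()
    ct_c, ss_c = classical.encaps(pk_c)
    ct_q, ss_q = pq.encaps(pk_q)
    transcript = pk_c + pk_q + ct_c + ct_q
    k_initiator = combine(ss_c, ss_q, transcript)
    k_responder = combine(classical.decaps(sk_c, ct_c), pq.decaps(sk_q, ct_q), transcript)
    view = {"transcript": transcript, "ct_c": ct_c, "ct_q": ct_q, "sk_c": sk_c}
    return k_initiator, k_responder, view


def attacker_with_broken_classical_leg(view: dict, classical=ToyDHKEM) -> bytes:
    """Attacker who fully recovers the classical shared secret (handed sk_c)
    but cannot touch the PQ leg; the best available move is to guess ss_pq."""
    ss_c = classical.decaps(view["sk_c"], view["ct_c"])
    ss_q_guess = bytes(NBYTES)            # ss_pq is unknown to the attacker
    return combine(ss_c, ss_q_guess, view["transcript"])


if __name__ == "__main__":
    k1, k2, view = hybrid_exchange()
    print("parties agree:", k1 == k2)
    print("attacker with classical leg broken gets K:",
          attacker_with_broken_classical_leg(view) == k1)
```

The symmetric case (PQ leg broken, classical intact) follows from the same combiner, which is the "can't be worse than ECC alone" property: the concatenated IKM is unpredictable as long as one of its halves is. A real deployment would also bind the exchange identity and KEM names into `info`, and would use a vetted group rather than the toy one here.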
