[Cryptography] Two physics experiment questions
Jon Callas
jon at callas.org
Sat May 23 20:14:32 EDT 2026
> On May 23, 2026, at 03:11, Peter Gutmann via cryptography <cryptography at metzdowd.com> wrote:
>
> I was updating the slides for my talk ("Why quantum cryptanalysis is
> bollocks") and there are two things I've got in there which are kind of open
> questions, so I was wondering what the studio audience thought:
>
> Firstly, the NSA has been pushing for pure PQCs (not hybrids), and several of
> the five-eyes partners have followed suit with either the same or hybrids.
> The two biggest targets of the NSA, namely Russia and China, don't seem to
> care (Russia doesn't appear to be doing anything of note and China has been a
> few months away from announcing something about PQC algorithms for about five
> years now, and even then it's not government policy yet but something from the
> NGCC if it ever appears). Neither of them seem to have any pressing concern
> about physics-experiment-based attacks. Why, if they're the two most obvious
> targets?
I think my answer to this is the same as my answer to the next one below.
>
> Secondly, Shor's algorithm is over thirty years old, dating from before when
> some of the people currently working on PQC stuff were born. What triggered
> the panic over the last few years?
There are a number of things going on:
(1) After AES got standardized, a number of people started looking at what's next. After all, like any other discipline, cryptographers are going to cryptograph. For a while, that meant looking at ECC because in the early aughties, there were viable ECC algorithms as well as a lot of reasonable doubts about them. Those melted away in the aughties with a whole lot of things happening that meant there was a push towards ECC. Some of those were technical, but some of them were also related to IP, which all expired then. Once that became an engineering problem and not a thing that got papers accepted to CRYPTO, there had to be the next big thing, and the Quantum Threat is something to point out and justifies interesting math/engineering papers, and provides jobs.
In short, it became an interesting framework for cryptographers to invent and improve schemes that would not otherwise be interesting. Without an externality like Quantum Threat, why would anyone seriously write papers about public key cryptography schemes that are slow, big, or both? PQC sweeps a large number of real-world considerations away from the discussion of what makes a good algorithm. This creates a breeze blowing in a direction that people would not otherwise go to.
(2) Over in the physics side, in particular what's called Quantum Information Science, they were working in earnest on QIS, and getting research. Inevitably, when physicists work on things they point in some direction to some societally useful thing. The real-world implications of physics advancements are important from a sociological/funding aspect. Why should we give them money? Well.... What?
Shor's algorithm has an advantage that it's a thing. You can point to it, and it exists, unlike a lot of other QIS things where the actual interaction to the real world is vague at best. However, this is something that can be pointed to.
"Why should we give you money? Whatcha gonna do with that quantum computer that affects the real world?"
"Uhh, uhhhh, uhhh -- uhh, we could factor numbers! Yeah, that's it, we could factor numbers."
"Why should we care?"
"Because, ummm, ummm, encryption!"
Without that, they're struggling to explain things, even now. Recent QIS articles have had headlines like "Quantum computers will finally be useful" (Nature, Feb 2026), "Quantum computers turned out to be more useful than expected in 2025" (NewScientist, Dec 2025), and so on. Without Q-Day, this is pretty faint praise. I've read special magazine sections on QIS and other than cryptanalysis, useful things a quantum computer can do are vague and mealy-mouthed, with fewer results even than quantum cryptanalysis -- and we both know about those.
To this day, there's no quasi-concrete reason to do QIS from this sort of brass tacks where's-the-real-world analysis. This is a thing for them. Particle physicists have this issue, too. Why do they need a bigger collider? Aerospace research has a lot of this problem, too. What's the practical aspect to continued development there? The things that are real, like energy use, are hard to sell in ways that fun stuff, like flying someplace faster are not. (And even that one can be kinda hard to sell -- it would be cool if I texted you now, we agreed on where we're eating dinner, and then that happened -- but it's not more than just cool in many scenarios.)
(3) The two things above are self-supporting. Why do we need new PKC algorithms? Because of the quantum threat. Why do we need more physics experiments? Because that's a tangible reason to do the physics experiments; it's not just tinkering, it's got a use.
(4) Now there's institutions. For example, there's NIST. We think of NIST as a creator of standards and guidelines, but that's only part of what they do. It's the National Institute of Science and Technology, after all, and their mandate is science and technology.
That's a direct part of the physics side, (2), and an indirect part of (1). Our friends over there were really not interested in another crypto competition, but they also have to respond to the community, so they got dragged into it while holding their nose.
Once that happened and there was a self-supporting infrastructure to fund mathematicians and physicists, the race was on. NIST didn't create the race, but found themselves in the position where they were cheerleaders and referees on both ends of it, like it or not. From my seat, the physics people mostly liked it; the encryption people mostly did not.
(5) Now you have a community of people all over -- encryption people are building new algorithms, because that's what they do. The physics people did experiments because that's what they do.
Each of these justifies the other, and it constructs a literal Kuhnian Paradigm. Kuhn himself talked about scientific revolutions on a grander scale (there's also one of those going on, presently, but it's irrelevant to this discussion) but the things he's talking about, where the social pressure builds from interesting ideas into restructuring ways of doing things is what's going on.
The panic over the last few years is driven by the success of the math side, combined with the lack of progress that folks like you and I have noted. The math people have built some pretty good things, they've been tested, deployed, and are going great guns!
(6) The lopsided nature of PQC deployments, and the incredible, amazing success of them is also driving Q-Day hyperbole. Reasonably, they don't want to trip before the finish line. The most embarrassing thing that could happen over there would be that we'd do hybrid PQC (which because it's hybrid has zero advantages over either full pre-quantum or post-quantum systems), and the way to keep momentum going is to crack the whip and say, "OMG, Q-Day Any Day Now!!!! Hurry!! Hurry!!" Because otherwise the air's going to leak out of that tire, as the physics experiments fail to keep pace with the PQC engineers.
One of the threats to the Quantum Threat is that there are getting to be contrarian QIS physicists. Some of them are muttering that Q-Day is harder than people think. Some are even saying radical things like it's not as big a threat as we thought -- there's a contrarian consensus that we don't need to worry about Grover's Algorithm at all for practical engineering considerations, and I read someone who said they didn't think a CRQC was going at all for anything bigger than RSA 2K. I don't think I agree, but that's how things are going. Without a sense of urgency, QIS is going to be like Fusion in that we all know it will happen eventually, and yet not anytime soon.
There you go. That's what I think. Personally, though, I think that Q-Day will arrive, but no sooner than the 2050s, and that's at the earliest. I think quantum cryptanalysis is very much like fusion in that it's obviously possible but the engineering is hard enough that it may never be practical. I think we'll see a home Mister Fusion before we'll see a Quantum PC.
Moreover, there's also a huge liminal space in the middle here. Here's an example scenario:
Q-Day arrives, but the quantum computer costs $10B to build, and can crack one real-world key per year at the cost of $10M per key. Also note that the WebPKI people (e.g. LetsEncrypt) are mandating key rotation much faster than that. The real world implications of a quantum computer are pretty limited in this scenario.
Part of the urgency is, I think this -- there could also be a success failure. The physicists could succeed in a way that the correct response is not new encryption algorithms, but better software. A Q-Day that breaks one key per year in a world where they're rotated four times a year is not all that scary, even under the bogeyman of Collect Now, Decrypt Later. The finance people might just pull the plug on the project. So it's best to push, push, push, crack the whip because there's a quantum hellhound on our tail.
Jon