[Cryptography] Two physics experiment questions

Nicko van Someren nicko at nicko.org
Sat May 23 20:40:19 EDT 2026


On May 23, 2026, at 04:11, Peter Gutmann via cryptography <cryptography at metzdowd.com> wrote:

> I was updating the slides for my talk ("Why quantum cryptanalysis is
> bollocks") and there are two things I've got in there which are kind of open
> questions, so I was wondering what the studio audience thought:
> 
> Firstly, the NSA has been pushing for pure PQCs ...
> The two biggest targets of the NSA, namely Russia and China, don't seem to
> care ...
> ... Why, if they're the two most obvious
> targets?

I don't have a good answer to question 1.

> Secondly, Shor's algorithm is over thirty years old, dating from before when
> some of the people currently working on PQC stuff were born.  What triggered
> the panic over the last few years?

I believe that the answer here is to do with real and meaningful improvements in the physics experiments, specifically around the ability to connect qubits together.

Computers are made up of storage, logic and switchable connections between them. If you want to perform useful computation on qubits you need all of these. People worked out how to set, store and measure quantum state quite a long time ago, and they became able to cause those states to interact through a useful set of quantum gates some years later. What has changed in the last five years or so is that people have worked out how to reliably move quantum state from one place to another in a *switchable* way.

Companies like Photonic Inc (https://photonic.com/) have tech that can store a few qubits close to each other and cause them to interact in gate-like ways but also can transfer the quantum state of one of those qubits onto a photon with a wavelength in the band handled by existing off-the-shelf optical fibre systems, send it somewhere else and put it back into another cluster of bits.

This sort of switchable connectivity has two impacts on the viability of building a useful QC. The first is obviously scale. If you can build your machine in parts and assemble them into something bigger and it still works, then that just helps with the engineering problems. The second is more subtle: the ability to connect any qubit to any other qubit hugely expands the set of algorithms that can be implemented efficiently. Importantly, there are classes of error correction (Quantum Low-Density Parity Checks) that couldn't work at scale when you didn't have arbitrary connectivity but do work when you have any-to-any switching. These sorts of codes bring down the noisy-to-logical qubit ratio by a couple of orders of magnitude.

So, switching makes a step-wise difference (a quantum leap?). If you can build machines that are a couple of orders of magnitude bigger *and* you need a couple of orders of magnitude fewer bits, then you have really moved the needle on what's possible. There are still plenty of problems that need to be solved before quantum computers are cracking RSA, and there are still open questions that may make this all moot (Rational Quantum Mechanics might put an upper bound on the size of quantum state we can ever represent), but we got 20 years of Moore's law improvement in the last 5, and I think that is what has reset people's clocks for transition to PQC.

Cheers,
Nicko
