[Cryptography] Two physics experiment questions

Jon Callas jon at callas.org
Mon May 25 17:38:59 EDT 2026



> On May 24, 2026, at 23:21, Bill Stewart <billstewart at pobox.com> wrote:
> 
> On 2026-05-23 17:14, Jon Callas wrote:
>> (5) Now you have a community of people all over -- encryption people are building new algorithms,
>> because that's what they do. The physics people did experiments
>> because that's what they do.
> 
> I get the impression that, while the physics parts are going slowly,
> the PQC algorithms have been starting to get, if not as fast as RSA,
> at least much less impractically huge as the early attempts,
> many of them with public keys that can fit in an Ethernet packet,
> and Moore's law (even with AI temporarily making market price/performance decline instead of improving :-) means they're implementable and possibly even practical.

Absolutely!

Don't get me wrong on this, I am not at all saying we shouldn't do a PQC upgrade. We should and we need to, and we need to be working on it now. I was answering Peter's question, why all the panic right now and the OMG, GONNA HAPPEN ANY SECOND NOW.

We need to do a PQC conversion NOW because history tells us we need to. The major lesson one should draw from history is that people don't learn *anything* from history. Never have, never will.

We know from the upgrade from DES to AES that it takes about twenty years. We know from the upgrade from integer systems to ECC that it takes about twenty years. So it stands to reason that if a cryptographically relevant quantum computer is coming around 2050, then we really, really, really need to do this conversion for 2030! Snap to it!

I also don't think that the present systems are at all bad. They're surprisingly good. Even the hybrid stuff is pretty darned amazing.

Nonetheless, that means we need to think about the upgrades that have to follow in the decades ahead. Those include both migrating from hybrid to full-PQ, and also migrating to better PQ algorithms.

One of my old bosses, an Apple Fellow, used to tell this story. As you can tell, it has stuck with me for decades:

Napoleon was sitting around with his military command, planning ahead. While they were undisputed leaders with armies in Europe, they'd had their whole navy sunk. That means they needed new ships. That means they needed wood. And there was, alas, a shortage of wood. Napoleon said that well, that means they needed to plant forests, pretty obvious if you think about it. One of the high command said, "but Emperor, that will take thirty years!" Napoleon stood up, leaned over the table, and replied, "then we haven't a moment to lose."

That's where we are. An orderly transition is going to take a generation, and so we have to do it now. It's really, really good that all the PQC transition tests going on are working well. It's really good that the hybrid algorithms seem to be hybriding in all the right ways.

A disorderly transition is easier, in contrast. If a CRQC appears tomorrow, we pick some suitable algorithms and just run with them, fast and hard. There's going to be breakages, downtime, outages and so on. It's going to be a mess of two to five years as we sort it out. It also means that everything else is off the table (and that's not good, but a different not good) while we do it.

It's preferable to be where we are now, where we are rationally discussing the whole mess, and doing it in an orderly manner.

	Jon