[Cryptography] Two physics experiment questions
Jon Callas
jon at callas.org
Wed May 27 02:11:55 EDT 2026
> On May 26, 2026, at 02:11, Ralf Senderek <crypto at senderek.ie> wrote:
>
>
> On Mon, 25 May 2026, Jon Callas wrote:
>
>> We need to do a PQC conversion NOW because history tells us we need to.
>
>> We know from the upgrade from DES to AES that it takes about twenty years.
>> We know from the upgrade from integer systems to ECC that it takes about twenty years.
>> So it stands to reason that if a cryptographically relevant quantum computer is coming around 2050,
>> then we really, really, really need to do this conversion for 2030! Snap to it!
>
> You picked the 2050 figure out of thin air, with no empirical justification.
> It could also be 2075 or 2126, nobody knows (including you and me).
>
> I know you said the following in a different context, BUT ..
Perhaps you thought you could read my mind. Well, you're wrong.
The reason I pick 2050-2060 as my timeframe is this.
There is a site, keylength.org, where a bunch of smart people, the Lenstras, Quisquater, and others made a bunch of estimates about when you should retire encryption of a certain key length. With a selection of reasonable assumptions about the continuation of Moore's Law (which isn't happening) one would expect that RSA 3K needs to stop around 2050-2060.
My figure is precisely a wry statement that I don't think quantum computers are going to do better at key breaking than we'd get if Moore's Law continued into the future unabated.
>
>> It also means that everything else is off the table (and that's not good, but a different not good)
>> while we do it.
>
> that's what is already happening.
>
> Take the total silence on this list to Peter's posting about copy fail.
What about it? It's a kernel bug. It's not cryptography at all, and strictly speaking off-topic for the list. Would you like to bring it in to the mix? I did OS security before I did cryptography; I know a thing or two, perhaps as many as three.
> How many similar issues will be buried in the archives, if we'd take your urgency plea seriously,
> because it deprives resources from fixing things that make us unsafe today.
What makes us unsafe today? How is the PQC transition depriving resources from that?
Me, I think that PQC transition is really, really, really important because it's when we transition to PQC, all the stupid-ass news stories about quantum computers and Shor's algorithm will fall by the wayside and we can move on to other topics, like finding an actual use for quantum computing that would improve the human condition.
Jon