Rocksolid Light

News from da outaworlds

mail  files  register  groups  login

Message-ID:  

BOFH excuse #158: Defunct processes


sci / sci.crypt / Re: State of Post Quantum Cryptography?

SubjectAuthor
* State of Post Quantum Cryptography?The Running Man
`* Re: State of Post Quantum Cryptography?Jakob Bohm
 +- Re: State of Post Quantum Cryptography?Jan Panteltje
 +- Re: State of Post Quantum Cryptography?The Running Man
 `* Re: State of Post Quantum Cryptography?Peter Fairbrother
  `* Re: State of Post Quantum Cryptography?Jakob Bohm
   `* Re: State of Post Quantum Cryptography?Peter Fairbrother
    `* Re: State of Post Quantum Cryptography?The Running Man
     `* Re: State of Post Quantum Cryptography?Phil Carmody
      `- Re: State of Post Quantum Cryptography?The Running Man

1
Subject: State of Post Quantum Cryptography?
From: The Running Man
Newsgroups: sci.crypt
Organization: EasyNews
Date: Thu, 2 May 2024 08:20 UTC
Path: eternal-september.org!news.eternal-september.org!.POSTED!not-for-mail
From: runningman@writeable.com (The Running Man)
Newsgroups: sci.crypt
Subject: State of Post Quantum Cryptography?
Date: Thu, 2 May 2024 08:20:27 -0000 (UTC)
Organization: EasyNews
Lines: 5
Message-ID: <ekCwF67a9p7PHWhXm+p3L7tjSqY0FYJNbA0LLbUz1mc=@writeable.com>
Injection-Date: Thu, 02 May 2024 10:20:27 +0200 (CEST)
Injection-Info: dont-email.me; posting-host="6e887c0b79ecf6cc34b8ad21d55b22fb";
logging-data="3941507"; mail-complaints-to="abuse@eternal-september.org"; posting-account="U2FsdGVkX1/ARDIZZZamLfw5OkBnQve5LboObXPp4Ic="
Cancel-Lock: sha1:lRIiwfPqYIgQYCrqVsvCM4/HN+w=
View all headers

What is you guys take on PQC (Post Quantum Cryptography) algorithms? I know the NIST has held a contest and that there are winners, but do you guys think they're safe to use?

I fear they may be broken in the future thereby destroying the security and privacy of millions of unsuspecting users. Current cryptographic algorithms are known to be safe and will be for at least the coming decades. OTOH these new PQC ciphers hold the promise of eternal confidentiality which current ciphers cannot guarantee.

I myself am very much in doubt whether to use PQC or stick with known ciphers.

Subject: Re: State of Post Quantum Cryptography?
From: Jakob Bohm
Newsgroups: sci.crypt
Organization: WiseMo A/S
Date: Mon, 6 May 2024 13:53 UTC
References: 1
Path: eternal-september.org!news.eternal-september.org!.POSTED!not-for-mail
From: jb-usenet@wisemo.invalid (Jakob Bohm)
Newsgroups: sci.crypt
Subject: Re: State of Post Quantum Cryptography?
Date: Mon, 6 May 2024 15:53:18 +0200
Organization: WiseMo A/S
Lines: 35
Message-ID: <v1ancg$2jieu$1@dont-email.me>
References: <ekCwF67a9p7PHWhXm+p3L7tjSqY0FYJNbA0LLbUz1mc=@writeable.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 8bit
Injection-Date: Mon, 06 May 2024 15:53:20 +0200 (CEST)
Injection-Info: dont-email.me; posting-host="2ac1398673a6f071421033f1d5ca8ade";
logging-data="2738654"; mail-complaints-to="abuse@eternal-september.org"; posting-account="U2FsdGVkX192YR8nZS73J1hLrXe6Ut1HoBxw70+ItzE="
Cancel-Lock: sha1:Q6+L7j/yZEMFDkC2X8RuKIfim8M=
In-Reply-To: <ekCwF67a9p7PHWhXm+p3L7tjSqY0FYJNbA0LLbUz1mc=@writeable.com>
Content-Language: en-US
X-Mailer: Epyrus/2.1.2
View all headers

On 2024-05-02 10:20, The Running Man wrote:
> What is you guys take on PQC (Post Quantum Cryptography) algorithms? I know the NIST has held a contest and that there are winners, but do you guys think they're safe to use?
>
> I fear they may be broken in the future thereby destroying the security and privacy of millions of unsuspecting users. Current cryptographic algorithms are known to be safe and will be for at least the coming decades. OTOH these new PQC ciphers hold the promise of eternal confidentiality which current ciphers cannot guarantee.

If any bad actor has a quantum computer with just a few more Qubits
than the ones demonstrated in public, they can break most current public
key algorithms using known attack algorithms written a long time ago for
such (then hypothetical) computers. They can also break symmetric
encryption at the same difficulty as if the key length was half as many
bits (thus AES 128 would be as weak as IDEA, AES 256 as weak as AES
128).

>
> I myself am very much in doubt whether to use PQC or stick with known ciphers.
>

From what I read so far, the most promising PQC signature algorithm is
the Merkle scheme in RFC8554 and RFC8391, though a secure implementation
will take serious work.

Key exchange will be harder, though the DJB-sponsored proposal for a
"Classic McElice" variant may be solid.

Any PQC public key algorithm will need to be combined with double
strength symmetric algorithms.

Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded

Subject: Re: State of Post Quantum Cryptography?
From: Jan Panteltje
Newsgroups: sci.crypt
Date: Tue, 7 May 2024 05:06 UTC
References: 1 2
Path: eternal-september.org!news.eternal-september.org!feeder3.eternal-september.org!weretis.net!feeder8.news.weretis.net!reader5.news.weretis.net!news.solani.org!.POSTED!not-for-mail
From: alien@comet.invalid (Jan Panteltje)
Newsgroups: sci.crypt
Subject: Re: State of Post Quantum Cryptography?
Date: Tue, 07 May 2024 05:06:24 GMT
Message-ID: <v1ccsg$3vg5$1@solani.org>
References: <ekCwF67a9p7PHWhXm+p3L7tjSqY0FYJNbA0LLbUz1mc=@writeable.com> <v1ancg$2jieu$1@dont-email.me>
MIME-Version: 1.0
Content-Type: text/plain; ISO-8859-15
Content-Transfer-Encoding: 8bit
Injection-Date: Tue, 7 May 2024 05:06:24 -0000 (UTC)
Injection-Info: solani.org;
logging-data="130565"; mail-complaints-to="abuse@news.solani.org"
User-Agent: NewsFleX-1.5.7.5 (Linux-5.15.32-v7l+)
Cancel-Lock: sha1:v6R8Xfv3zQf03pLMITbgFWb7MiQ=
X-Newsreader-location: NewsFleX-1.5.7.5 (c) 'LIGHTSPEED' off line news reader for the Linux platform
NewsFleX homepage: http://www.panteltje.nl/panteltje/newsflex/ and ftp download ftp://sunsite.unc.edu/pub/linux/system/news/readers/
X-User-ID: eJwFwYEBwCAIA7CXUGg7zlGQ/09YAudiKQgGBhNMxemvH73hZbABcgI1Zbqzs7T1lsnZhHy30vzMxa7KH0UyFRg=
View all headers

On a sunny day (Mon, 6 May 2024 15:53:18 +0200) it happened Jakob Bohm
<jb-usenet@wisemo.invalid> wrote in <v1ancg$2jieu$1@dont-email.me>:

>On 2024-05-02 10:20, The Running Man wrote:
>> What is you guys take on PQC (Post Quantum Cryptography) algorithms? I know the NIST has held a contest and that there are
>> winners, but do you guys think they're safe to use?
>>
>> I fear they may be broken in the future thereby destroying the security and privacy of millions of unsuspecting users. Current
>> cryptographic algorithms are known to be safe and will be for at least the coming decades. OTOH these new PQC ciphers hold the
>> promise of eternal confidentiality which current ciphers cannot guarantee.
>
>If any bad actor has a quantum computer with just a few more Qubits
>than the ones demonstrated in public, they can break most current public
>key algorithms using known attack algorithms written a long time ago for
>such (then hypothetical) computers. They can also break symmetric
>encryption at the same difficulty as if the key length was half as many
>bits (thus AES 128 would be as weak as IDEA, AES 256 as weak as AES
>128).
>
>>
>> I myself am very much in doubt whether to use PQC or stick with known ciphers.
>>
>
> From what I read so far, the most promising PQC signature algorithm is
>the Merkle scheme in RFC8554 and RFC8391, though a secure implementation
>will take serious work.
>
>Key exchange will be harder, though the DJB-sponsored proposal for a
>"Classic McElice" variant may be solid.
>
>Any PQC public key algorithm will need to be combined with double
>strength symmetric algorithms.
>
>Enjoy
>
>Jakob

Experiment opens door for millions of qubits on one chip:
https://www.sciencedaily.com/releases/2024/05/240506131552.htm
Summary:
Researchers have achieved the first controllable interaction between two hole spin qubits in a conventional silicon transistor.
The breakthrough opens up the possibility of integrating millions of these qubits on a single chip using mature manufacturing processes

?

Subject: Re: State of Post Quantum Cryptography?
From: The Running Man
Newsgroups: sci.crypt
Organization: EasyNews
Date: Wed, 8 May 2024 04:05 UTC
References: 1
Path: eternal-september.org!news.eternal-september.org!.POSTED!not-for-mail
From: runningman@writeable.com (The Running Man)
Newsgroups: sci.crypt
Subject: Re: State of Post Quantum Cryptography?
Date: Wed, 8 May 2024 04:05:16 -0000 (UTC)
Organization: EasyNews
Lines: 17
Message-ID: <Rhl5xUdkLGpfTfY0lWWjQMhF6oCPkjTTCDXATLM7hAw=@writeable.com>
References: <v1ancg$2jieu$1@dont-email.me>
Injection-Date: Wed, 08 May 2024 06:05:16 +0200 (CEST)
Injection-Info: dont-email.me; posting-host="80f5cb84063164f15d8a531b23146f59";
logging-data="3945413"; mail-complaints-to="abuse@eternal-september.org"; posting-account="U2FsdGVkX19HGbSG+LOxYHs++CLdd0bJN5nrn2qU9Cg="
Cancel-Lock: sha1:PYs3hFcxCLi1z5aYIJn64EPULPY=
View all headers

On 06/05/2024 15:53 Jakob Bohm <jb-usenet@wisemo.invalid> wrote:
> On 2024-05-02 10:20, The Running Man wrote:
>> What is you guys take on PQC (Post Quantum Cryptography) algorithms? I know the NIST has held a contest and that there are winners, but do you guys think they're safe to use?
>>
>> I fear they may be broken in the future thereby destroying the security and privacy of millions of unsuspecting users. Current cryptographic algorithms are known to be safe and will be for at least the coming decades. OTOH these new PQC ciphers hold the promise of eternal confidentiality which current ciphers cannot guarantee.
>
> If any bad actor has a quantum computer with just a few more Qubits
> than the ones demonstrated in public, they can break most current public
> key algorithms using known attack algorithms written a long time ago for
> such (then hypothetical) computers. They can also break symmetric
> encryption at the same difficulty as if the key length was half as many
> bits (thus AES 128 would be as weak as IDEA, AES 256 as weak as AES
> 128).
>

Define: "a few more qubits." I've read that maybe up to a million qubits are needed to compensate for the errors and noise to be able to break current asymmetric encryption algorithms. Symmetric algorithms aren't vulnerable in any case since quantum algorithms only halve the number of bits of security (i.e. 256 bits becomes 128 bits which cannot be broken).

Subject: Re: State of Post Quantum Cryptography?
From: Peter Fairbrother
Newsgroups: sci.crypt
Organization: A noiseless patient Spider
Date: Thu, 9 May 2024 21:28 UTC
References: 1 2
Path: eternal-september.org!news.eternal-september.org!.POSTED!not-for-mail
From: peter@tsto.co.uk (Peter Fairbrother)
Newsgroups: sci.crypt
Subject: Re: State of Post Quantum Cryptography?
Date: Thu, 9 May 2024 22:28:49 +0100
Organization: A noiseless patient Spider
Lines: 66
Message-ID: <v1jf6i$srv9$1@dont-email.me>
References: <ekCwF67a9p7PHWhXm+p3L7tjSqY0FYJNbA0LLbUz1mc=@writeable.com>
<v1ancg$2jieu$1@dont-email.me>
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 8bit
Injection-Date: Thu, 09 May 2024 23:28:50 +0200 (CEST)
Injection-Info: dont-email.me; posting-host="aef108995cedaa31a1f606ba33af3b13";
logging-data="946153"; mail-complaints-to="abuse@eternal-september.org"; posting-account="U2FsdGVkX18/vpb42XtFAdtGAz1Xec/mm/1s2CrGqN0="
User-Agent: Mozilla Thunderbird
Cancel-Lock: sha1:pxpjD/bjIA0qo4uVww/WXF4jQn0=
In-Reply-To: <v1ancg$2jieu$1@dont-email.me>
Content-Language: en-GB
View all headers

On 06/05/2024 14:53, Jakob Bohm wrote:
> On 2024-05-02 10:20, The Running Man wrote:
>> What is you guys take on PQC (Post Quantum Cryptography) algorithms? I
>> know the NIST has held a contest and that there are winners, but do
>> you guys think they're safe to use?
>>
>> I fear they may be broken in the future thereby destroying the
>> security and privacy of millions of unsuspecting users.

Yep, that's a risk. PQC algorithms are of necessity less mature than
current cryptographic algorithms. If I may quote Schneier's law it its
original form:

"Anyone, from the most clueless amateur to the best cryptographer, can
create an algorithm that he himself can’t break. It’s not even hard.
What is hard is creating an algorithm that no one else can break, even
after years of analysis. And the only way to prove that is to subject
the algorithm to years of analysis by the best cryptographers around."

The winning PQC algorithms have had some of that analysis, but perhaps
not enough. I would not be surprised if, like some of the candidates,
the winners were comprehensively broken.

And there is another risk: that they will broken in ways we don't know
about now. Quantum computers of the needed scale still don't exist, and
we don't have years of practice using them - so it is practically
inevitable that new attack techniques using quantum computers will be
developed.

> If any bad actor has a quantum computer with just a few more Qubits
> than the ones demonstrated in public, they can break most current public
> key algorithms using known attack algorithms written a long time ago for
> such (then hypothetical) computers.

Err, no. Just no.

You would need about 1,000 reliable entangled error-free qubits
equivalent (REEFQe) to do any useful cryptanalysis of present day public
key algorithms, and we are nowhere near that. Not even 100 REEFQe, more
like 20.

Having 1,000 error prone qbits, which has been done in a couple of
cases, is not nearly enough. Neither is D-wave's 1,200 calibrated
annealing qbits.

Not even close.

And close only counts in horseshoes and hand grenades.

> They can also break symmetric
> encryption at the same difficulty as if the key length was half as many
> bits (thus AES 128 would be as weak as IDEA, AES 256 as weak as AES
> 128). [..] Any PQC public key algorithm will need to be combined with double
> strength symmetric algorithms.

Now there we agree, in fact double strength symmetric algorithms should
be de rigueur in general use as of yesterday: but I don't see why we
can't double up and use classic public key algorithms *as well as* PQC
public key algorithms, at least for a while.

Peter Fairbrother

who doesn't see why we need the u in qubits

Subject: Re: State of Post Quantum Cryptography?
From: Jakob Bohm
Newsgroups: sci.crypt
Organization: WiseMo A/S
Date: Fri, 10 May 2024 06:32 UTC
References: 1 2 3
Path: eternal-september.org!news.eternal-september.org!.POSTED!not-for-mail
From: jb-usenet@wisemo.invalid (Jakob Bohm)
Newsgroups: sci.crypt
Subject: Re: State of Post Quantum Cryptography?
Date: Fri, 10 May 2024 08:32:26 +0200
Organization: WiseMo A/S
Lines: 88
Message-ID: <v1kf1r$1726o$1@dont-email.me>
References: <ekCwF67a9p7PHWhXm+p3L7tjSqY0FYJNbA0LLbUz1mc=@writeable.com>
<v1ancg$2jieu$1@dont-email.me> <v1jf6i$srv9$1@dont-email.me>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 8bit
Injection-Date: Fri, 10 May 2024 08:32:27 +0200 (CEST)
Injection-Info: dont-email.me; posting-host="65bd4a72cea69ad221432d6d9a7ca5ca";
logging-data="1280216"; mail-complaints-to="abuse@eternal-september.org"; posting-account="U2FsdGVkX1/fBpgwWDHoz77nTEAt7SJALJVml4nX3ig="
Cancel-Lock: sha1:vIf6T3P5lKIzTJCJiO45bETm3AA=
In-Reply-To: <v1jf6i$srv9$1@dont-email.me>
X-Mailer: Epyrus/2.1.2
Content-Language: en-US
View all headers

On 2024-05-09 23:28, Peter Fairbrother wrote:
> On 06/05/2024 14:53, Jakob Bohm wrote:
>> On 2024-05-02 10:20, The Running Man wrote:
>>> What is you guys take on PQC (Post Quantum Cryptography) algorithms?
>>> I know the NIST has held a contest and that there are winners, but do
>>> you guys think they're safe to use?
>>>
>>> I fear they may be broken in the future thereby destroying the
>>> security and privacy of millions of unsuspecting users.
>
> Yep, that's a risk. PQC algorithms are of necessity less mature than
> current cryptographic algorithms. If I may quote Schneier's law it its
> original form:
>
> "Anyone, from the most clueless amateur to the best cryptographer, can
> create an algorithm that he himself can’t break. It’s not even hard.
> What is hard is creating an algorithm that no one else can break, even
> after years of analysis. And the only way to prove that is to subject
> the algorithm to years of analysis by the best cryptographers around."
>
> The winning PQC algorithms have had some of that analysis, but perhaps
> not enough. I would not be surprised if, like some of the candidates,
> the winners were comprehensively broken.
>
> And there is another risk: that they will broken in ways we don't know
> about now. Quantum computers of the needed scale still don't exist, and
> we don't have years of practice using them - so it is practically
> inevitable that new attack techniques using quantum computers will be
> developed.
>

See further below where Fairbrother returns to this subject.

>
>> If any bad actor has a quantum computer with just a few more Qubits
>> than the ones demonstrated in public, they can break most current
>> public key algorithms using known attack algorithms written a long
>> time ago for
>> such (then hypothetical) computers.
>
> Err, no. Just no.

Note that I was talking logarithmic steps, not single Qbit steps.

>
> You would need about 1,000 reliable entangled error-free qubits
> equivalent (REEFQe) to do any useful cryptanalysis of present day public
> key algorithms, and we are nowhere near that. Not even 100 REEFQe, more
> like 20.
>
> Having 1,000 error prone qbits, which has been done in a couple of
> cases, is not nearly enough. Neither is D-wave's 1,200 calibrated
> annealing qbits.
>

Would those numbers apply to things like EdDSA and ECDSA?

>
> Not even close.
>
> And close only counts in horseshoes and hand grenades.
>
>
>> They can also break symmetric
>> encryption at the same difficulty as if the key length was half as many
>> bits (thus AES 128 would be as weak as IDEA, AES 256 as weak as AES
>> 128). [..] Any PQC public key algorithm will need to be combined with
>> double strength symmetric algorithms.
>
> Now there we agree, in fact double strength symmetric algorithms should
> be de rigueur in general use as of yesterday: but I don't see why we
> can't double up and use classic public key algorithms *as well as* PQC
> public key algorithms, at least for a while.
>

Yes, doubling up the types of algorithms used is a good way to hedge
bets against bad algorithms. Staying with known at-risk algorithms is
problematic.

Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded

Subject: Re: State of Post Quantum Cryptography?
From: Peter Fairbrother
Newsgroups: sci.crypt
Organization: A noiseless patient Spider
Date: Fri, 10 May 2024 16:28 UTC
References: 1 2 3 4
Path: eternal-september.org!news.eternal-september.org!.POSTED!not-for-mail
From: peter@tsto.co.uk (Peter Fairbrother)
Newsgroups: sci.crypt
Subject: Re: State of Post Quantum Cryptography?
Date: Fri, 10 May 2024 17:28:07 +0100
Organization: A noiseless patient Spider
Lines: 53
Message-ID: <v1lhuo$1etcj$1@dont-email.me>
References: <ekCwF67a9p7PHWhXm+p3L7tjSqY0FYJNbA0LLbUz1mc=@writeable.com>
<v1ancg$2jieu$1@dont-email.me> <v1jf6i$srv9$1@dont-email.me>
<v1kf1r$1726o$1@dont-email.me>
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit
Injection-Date: Fri, 10 May 2024 18:28:08 +0200 (CEST)
Injection-Info: dont-email.me; posting-host="5b92961659be51fb265e82927dd6307a";
logging-data="1537427"; mail-complaints-to="abuse@eternal-september.org"; posting-account="U2FsdGVkX1/L/KVOUQkIQgfeJ3WPgNTMmfQMpd884Xo="
User-Agent: Mozilla Thunderbird
Cancel-Lock: sha1:RbHazUNulpUUeppyayAihatVyA4=
In-Reply-To: <v1kf1r$1726o$1@dont-email.me>
Content-Language: en-GB
View all headers

On 10/05/2024 07:32, Jakob Bohm wrote:
> On 2024-05-09 23:28, Peter Fairbrother wrote:

>> You would need about 1,000 reliable entangled error-free qubits
>> equivalent (REEFQe) to do any useful cryptanalysis of present day
>> public key algorithms, and we are nowhere near that. Not even 100
>> REEFQe, more like 20.

> Would those numbers apply to things like EdDSA and ECDSA?

A thorny question.

The publicity for quantum computers is usually splashed about measured
solely in qubits (approximately, quantum storage bits, a bit like a
register in a cpu with only one register); but that's not immediately
relevant to the amount of computation they can do - they also need
quantum gates, qubits by themselves can't do any computing.

So even 1,000 "real" qubits is just a very rough ballpark figure which
doesn't actually mean very much.

In terms of comparing breaking RSA and breaking ECDSA, you would need
more qubits but less gates for RSA - but as you can, above some
minimums, pretty much swap needed qubits for needed gates, that doesn't
help much.

I believe the minimum number of "real" qubits needed is about 350 for
ECDSA and about 1,000 for RSA[1]; but at that level breaking ECDSA needs
a LOT more quantum gates.

Overall it's pretty hard to say which is easier to do, and would depend
on more than the number of qubits a computer has. Quantum gates are
noisy too, especially the ones which do entanglement.

[1] I could be wrong here, I'm a bit out-of-touch. And these are
_theoretical_ minimums, and even then estimates vary, a lot.

In practice, realistically the best I've seen uses about 6,000 real
qubits and 10^12 gates to break 2k RSA in months. You would also need a
depth of about 10^11 (depth is the longest chain of quantum gates used,
and they all have to work...)

We are closer to getting to Alpha Centaurus and taming fusion than doing
that.

Peter Fairbrother

Subject: Re: State of Post Quantum Cryptography?
From: The Running Man
Newsgroups: sci.crypt
Organization: EasyNews
Date: Mon, 13 May 2024 06:17 UTC
References: 1
Path: eternal-september.org!news.eternal-september.org!.POSTED!not-for-mail
From: runningman@writeable.com (The Running Man)
Newsgroups: sci.crypt
Subject: Re: State of Post Quantum Cryptography?
Date: Mon, 13 May 2024 06:17:38 -0000 (UTC)
Organization: EasyNews
Lines: 59
Message-ID: <epj0i3qTn0l0LoPeudnOyLH1Iu0TiTHt52YZbtCh8No=@writeable.com>
References: <v1lhuo$1etcj$1@dont-email.me>
Injection-Date: Mon, 13 May 2024 08:17:38 +0200 (CEST)
Injection-Info: dont-email.me; posting-host="b020895a0b0d404ce8a345428e4f9825";
logging-data="3482115"; mail-complaints-to="abuse@eternal-september.org"; posting-account="U2FsdGVkX1/4U72nRSpVbzWGswWMcT1esIJhmygujbA="
Cancel-Lock: sha1:ti3PH2sOWGXTYGdzfYvm7i4SIk4=
View all headers

On 10/05/2024 17:28 Peter Fairbrother <peter@tsto.co.uk> wrote:
> On 10/05/2024 07:32, Jakob Bohm wrote:
>> On 2024-05-09 23:28, Peter Fairbrother wrote:
>
>>> You would need about 1,000 reliable entangled error-free qubits
>>> equivalent (REEFQe) to do any useful cryptanalysis of present day
>>> public key algorithms, and we are nowhere near that. Not even 100
>>> REEFQe, more like 20.
>
>> Would those numbers apply to things like EdDSA and ECDSA?
>
> A thorny question.
>
> The publicity for quantum computers is usually splashed about measured
> solely in qubits (approximately, quantum storage bits, a bit like a
> register in a cpu with only one register); but that's not immediately
> relevant to the amount of computation they can do - they also need
> quantum gates, qubits by themselves can't do any computing.
>
> So even 1,000 "real" qubits is just a very rough ballpark figure which
> doesn't actually mean very much.
>
>
> In terms of comparing breaking RSA and breaking ECDSA, you would need
> more qubits but less gates for RSA - but as you can, above some
> minimums, pretty much swap needed qubits for needed gates, that doesn't
> help much.
>
> I believe the minimum number of "real" qubits needed is about 350 for
> ECDSA and about 1,000 for RSA[1]; but at that level breaking ECDSA needs
> a LOT more quantum gates.
>
> Overall it's pretty hard to say which is easier to do, and would depend
> on more than the number of qubits a computer has. Quantum gates are
> noisy too, especially the ones which do entanglement.
>
>
>
> [1] I could be wrong here, I'm a bit out-of-touch. And these are
> _theoretical_ minimums, and even then estimates vary, a lot.
>
> In practice, realistically the best I've seen uses about 6,000 real
> qubits and 10^12 gates to break 2k RSA in months. You would also need a
> depth of about 10^11 (depth is the longest chain of quantum gates used,
> and they all have to work...)
>
>
> We are closer to getting to Alpha Centaurus and taming fusion than doing
> that.
>
>
> Peter Fairbrother
>
>

<https://www.space.com/purest-silicon-could-lead-to-first-million-qubit-quantum-computing-chips>

They now believe they can build million-qubit processors using ultra-pure silicon.

Subject: Re: State of Post Quantum Cryptography?
From: Phil Carmody
Newsgroups: sci.crypt
Organization: A noiseless patient Spider
Date: Mon, 13 May 2024 20:45 UTC
References: 1 2
Path: eternal-september.org!news.eternal-september.org!.POSTED!not-for-mail
From: pc+usenet@asdf.org (Phil Carmody)
Newsgroups: sci.crypt
Subject: Re: State of Post Quantum Cryptography?
Date: Mon, 13 May 2024 23:45:23 +0300
Organization: A noiseless patient Spider
Lines: 13
Message-ID: <87a5ktigpo.fsf@fatphil.org>
References: <v1lhuo$1etcj$1@dont-email.me>
<epj0i3qTn0l0LoPeudnOyLH1Iu0TiTHt52YZbtCh8No=@writeable.com>
MIME-Version: 1.0
Content-Type: text/plain
Injection-Date: Mon, 13 May 2024 22:45:23 +0200 (CEST)
Injection-Info: dont-email.me; posting-host="0abbc5eb9c455b54df7caac39acc3df0";
logging-data="3871579"; mail-complaints-to="abuse@eternal-september.org"; posting-account="U2FsdGVkX18SRQIBeYR/snrhRzYhKIwa"
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/26.1 (gnu/linux)
Cancel-Lock: sha1:2xjpWVGzs/C1Je56qmCs7jdwt9g=
sha1:4+tXMON89Cm8bDPSxqQ6agnIZI8=
View all headers

The Running Man <runningman@writeable.com> writes:
> <https://www.space.com/purest-silicon-could-lead-to-first-million-qubit-quantum-computing-chips>
>
> They now believe they can build million-qubit processors using ultra-pure silicon.

You have confused "could" with "can".

Phil
--
We are no longer hunters and nomads. No longer awed and frightened, as we have
gained some understanding of the world in which we live. As such, we can cast
aside childish remnants from the dawn of our civilization.
-- NotSanguine on SoylentNews, after Eugen Weber in /The Western Tradition/

Subject: Re: State of Post Quantum Cryptography?
From: The Running Man
Newsgroups: sci.crypt
Organization: EasyNews
Date: Tue, 14 May 2024 05:50 UTC
References: 1
Path: eternal-september.org!news.eternal-september.org!.POSTED!not-for-mail
From: runningman@writeable.com (The Running Man)
Newsgroups: sci.crypt
Subject: Re: State of Post Quantum Cryptography?
Date: Tue, 14 May 2024 05:50:43 -0000 (UTC)
Organization: EasyNews
Lines: 19
Message-ID: <lTedO5XMINnf2oAP2i3zNYrDq4xDwmhAmcRDPrPYoYk=@writeable.com>
References: <87a5ktigpo.fsf@fatphil.org>
Injection-Date: Tue, 14 May 2024 07:50:44 +0200 (CEST)
Injection-Info: dont-email.me; posting-host="a61a17f68d40bbea6a80ea9d1bbe2547";
logging-data="18051"; mail-complaints-to="abuse@eternal-september.org"; posting-account="U2FsdGVkX18uKppDjyZWgYCrqS9r+HDqfnY+NclNqKE="
Cancel-Lock: sha1:EUSh335rslC+qpgBqdoUaCD+MGM=
View all headers

On 13/05/2024 23:45 Phil Carmody <pc+usenet@asdf.org> wrote:
> The Running Man <runningman@writeable.com> writes:
>> <https://www.space.com/purest-silicon-could-lead-to-first-million-qubit-quantum-computing-chips>
>>
>> They now believe they can build million-qubit processors using ultra-pure silicon.
>
> You have confused "could" with "can".
>
> Phil
> --
> We are no longer hunters and nomads. No longer awed and frightened, as we have
> gained some understanding of the world in which we live. As such, we can cast
> aside childish remnants from the dawn of our civilization.
> -- NotSanguine on SoylentNews, after Eugen Weber in /The Western Tradition/

And here's another one:

<https://www.spacedaily.com/reports/Experiment_Allows_for_Potential_Millions_of_Qubits_on_Single_Chip_999.html>

1

rocksolid light 0.9.8
clearnet tor