by jabbany 1406 days ago
> It's felt like FUD based on FUD for a while.

Not really...? Quantum stuff is real, there are real quantum computers that have been demonstrated to really do quantum operations. They're not close to being usable to break crypto yet, but it certainly makes sense to get ahead of it.

> There wouldn't be so much effort going into bridging air gapped systems if even traditional encryption could be trusted...

These are completely different problems. Encryption just keeps information confidential. By itself, it offers no _security_ guarantees. Even the strongest encryption would be moot against a keylogger. Crypto can be (and is being) used to provide some security, like via signed code, secure processors, and such, but security is a multi-tiered thing -- you want all the protection you can get, and like keeping data encrypted at rest, air-gapping is just yet another layer of protection.


Quantum is used for problems like finding the factorization of the number 4.

Jumping is also real, but we need not worry about people jumping out of the atmosphere.

I'm not a believer (I'm not qualified to have an opinion but neither is almost anyone else here) in PQC, but to be clear, the logic behind moving forward on PQC is straightforward: everybody acknowledges that there are no known useful QC attacks on cryptography, nor really any on the horizon, but adversaries can easily stockpile terabytes of recorded network conversations today and keep them around to break when QC attacks do work.

If you think QC attacks are 20 years away from real-world demonstrations, then conventional cryptography has a 20-year ceiling, which would be a hair-on-fire analysis in any other context. How long are you willing to bet conventional cryptography will hold out? 50 years is also too short by cryptographic standards. And 50 years is a long time. You willing to bet 100 years? I am, but, like, nobody should listen to me on this.

This is also why KEMs are a priority over signatures for PQC deployment.

> Jumping is also real, but we need not worry about people jumping out of the atmosphere.

If people are jumping twice as high this year as last, we would ;) https://www.researchgate.net/figure/A-chart-shows-the-progre...

(BTW this reply is not meant to make a point about the state of quantum -- it's complicated -- but merely as a response to the analogy)

I'm not much of a believer. It's worth pointing out that as the number of qubits goes up, so too does the error rate.

A larger number of qubits allows us to do effective quantum error correction. The idea is to group multiple physical qubits into one logical qubit; think of it as redundancy.

So what's the number of logical qubits we have achieved working practically then? Is this scalable, or is it just going to exponentially require physical qubits for each additional logical qubit?

Genuine question. I've no idea.

Quantum error correction has been experimentally demonstrated for a single logical qubit, e.g. [0][1]. Even though there might be implementations of multiple such qubits, we're still very much in the "Noisy Intermediate-Scale Quantum" era.

Generally, the number of physical qubits scales linearly with the number of logical qubits.

[0] https://journals.aps.org/prx/abstract/10.1103/PhysRevX.11.04...
[1] https://www.nature.com/articles/s41586-022-04566-8
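To put numbers on the redundancy argument in the exchange above (group several physical qubits into one logical qubit, and ask how the physical count grows), here is an added example that is not code from anyone in the thread. It uses a classical bit-flip repetition code with majority-vote decoding as a stand-in for a quantum code: d noisy copies form one logical bit, so the physical cost per logical bit is d, linear in the distance. The per-copy error probability p and the target logical error rate are assumed inputs. Real quantum codes such as the surface code also have to correct phase flips and use roughly d*d physical qubits per logical qubit, but the below-threshold behaviour has the same shape.

```python
"""Logical vs physical error rate for a distance-d repetition code.

Added example, not from the thread. Classical analogy: d physical
copies of one bit, decoded by majority vote. Below the 50% threshold,
every extra pair of copies lowers the logical error rate; above it,
redundancy makes things worse.
"""
from math import comb
import random


def logical_error_rate(p: float, d: int) -> float:
    """Probability that majority vote over d copies, each flipped
    independently with probability p, returns the wrong bit."""
    if d < 1 or d % 2 == 0:
        raise ValueError("distance must be a positive odd integer")
    t = d // 2  # up to t flips are corrected; t+1 or more are not
    return sum(comb(d, k) * p**k * (1 - p) ** (d - k) for k in range(t + 1, d + 1))


def physical_per_logical(d: int) -> int:
    """Physical bits spent on one logical bit: linear in d for this code."""
    return d


def distance_for_target(p: float, target: float, max_d: int = 1001):
    """Smallest odd d whose logical error rate is <= target.

    Returns None when p is at or above the 0.5 threshold (no d helps)
    or when max_d is exceeded.
    """
    if p >= 0.5:
        return None
    d = 1
    while d <= max_d:
        if logical_error_rate(p, d) <= target:
            return d
        d += 2
    return None


def simulate(p: float, d: int, trials: int, seed: int = 1) -> float:
    """Monte Carlo cross-check of logical_error_rate (seeded, constructed noise)."""
    rng = random.Random(seed)
    failures = 0
    for _ in range(trials):
        flips = sum(1 for _ in range(d) if rng.random() < p)
        if flips > d // 2:
            failures += 1
    return failures / trials


if __name__ == "__main__":
    target = 1e-9  # assumed target logical error rate per operation
    print(f"target logical error rate {target:g}")
    for p in (0.3, 0.1, 0.01, 0.001, 0.6):
        d = distance_for_target(p, target)
        if d is None:
            print(f"p={p}: above threshold, more copies only make it worse "
                  f"(d=3 gives {logical_error_rate(p, 3):.3f})")
        else:
            print(f"p={p}: d={d}, physical per logical = {physical_per_logical(d)}, "
                  f"logical error = {logical_error_rate(p, d):.2e}")
    print("monte carlo p=0.1 d=3:", simulate(0.1, 3, 20000),
          "exact:", round(logical_error_rate(0.1, 3), 4))
```

The thing to notice is the table's last row: at p = 0.6 the distance-3 code fails 64.8% of the time, worse than a single unprotected bit, which is the "error rate goes up with qubit count" effect when hardware sits above threshold. Below threshold the required d grows only logarithmically with the inverse target error, so the physical-per-logical overhead is a constant factor for a fixed target rather than something exponential.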

>but it certainly makes sense to get ahead of it.

Assuming they will exist.

And assuming there exists math that can't be solved easily by quantum computers that solve all math solution finding problems easily.

Surely it makes no sense to adopt encryption no one but a few individuals of questionable motives understand, to protect against a technology that is a long way from even proven yet. IMHO.

Anything else requires several leaps of faith that should be nowhere near "in use" encryption - research is of course a very different story, but stories like this are hardly confidence inspiring.

Wait, isn't the point of post-quantum crypto to be as good as existing crypto but also be secure against known quantum attacks like Shor's algorithm and factoring? I don't think the goal is to trade off anything for defenses against quantum attacks.

If anything these stories should be more confidence inducing. They show that the rollout is conservative and that the system works. A PQC algorithm has a flaw, and it is found. FWIW the way existing traditional crypto is proven safe is pretty much the same -- get a bunch of people to work on attacks and weed out the bad stuff.

The problem they are trying to solve is how to do encryption in a world where finding solutions to any and all math problems is quick and easy.

And this article only reinforces the idea that the solutions they are coming up with are just obfuscation that is at best no harder than existing problems.

Even theoretically, quantum doesn't make _all_ math problems easy... Can't they just avoid the things (like factoring) that are potentially vulnerable and just use other math?

The way quantum computers are purported to work is they search a problem space simultaneously for all solutions, then spit out the correct solution.

It could be a factorisation problem, or any other.

For cryptography: find x and y when f(x,y)=z, given z.

That is what "post quantum computing" means, aiui. It starts with x and y in all possible values of x and y, then spits out only the values that give z.

All encryption is only as strong as the difficulty of finding x and y given only z.

AIUI anyway. Well aware I could have been misled - FUD.

I think it also has to be a problem that is able to be constructed in a way where incorrect solutions destructively interfere with each other while correct ones don't.

Think of it as being able to simultaneously calculate a bunch of inputs but only being able to report the "sum" of those calculations to you. So to make it useful you'd need to be able to reconstruct problems such that the incorrect answers when computed cancel each other out. Otherwise your desired answer would just be mixed in with garbage and you won't be able to get anything useful out.

It's not actually that easy to make useful quantum algorithms that work and there's only a handful of them around...
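The interference point in the reply above is easiest to see on the smallest real example, so here is an added one that is not code from anyone in the thread: a plain-Python statevector simulation of Grover's search for a single marked item among 2^n. The oracle only flips the sign of the marked amplitude; the diffusion step (reflection about the mean) is where the wrong answers cancel and the right one grows. No quantum library is assumed; the marked index and qubit count are just inputs chosen for the demo.

```python
"""Grover search simulated on a 2^n statevector in plain Python.

Added example, not from the thread. All gates here are real-valued, so
amplitudes are kept as floats. Shows (1) after the Hadamards alone every
answer is equally likely, which is the naive 'try everything at once'
picture, and (2) oracle + diffusion makes wrong answers interfere
destructively; for n=2 they cancel exactly after one iteration.
"""
import math


def hadamard(state, qubit):
    """Apply a Hadamard gate to one qubit of a 2^n statevector."""
    mask = 1 << qubit
    new = list(state)
    for i in range(len(state)):
        if i & mask:                     # visit each (bit=0, bit=1) pair once
            continue
        a0, a1 = state[i], state[i | mask]
        new[i] = (a0 + a1) / math.sqrt(2)
        new[i | mask] = (a0 - a1) / math.sqrt(2)
    return new


def uniform_superposition(n):
    """|00..0> followed by H on every qubit: all 2^n amplitudes equal."""
    state = [0.0] * (1 << n)
    state[0] = 1.0
    for q in range(n):
        state = hadamard(state, q)
    return state


def oracle(state, marked):
    """Phase oracle: multiply the marked basis state's amplitude by -1.
    Stands in for 'f(x) == z' being true for exactly one x."""
    new = list(state)
    new[marked] = -new[marked]
    return new


def diffusion(state):
    """Reflect every amplitude about the mean. This equals
    H^n (2|0><0| - I) H^n and is where the interference happens."""
    mean = sum(state) / len(state)
    return [2 * mean - a for a in state]


def grover(n, marked, iterations=None):
    """Amplitudes after `iterations` Grover steps (default: the usual
    floor(pi/4 * sqrt(N)) for one marked item among N = 2^n)."""
    N = 1 << n
    if not 0 <= marked < N:
        raise ValueError("marked index out of range")
    if iterations is None:
        iterations = int(math.pi / 4 * math.sqrt(N))
    state = uniform_superposition(n)
    for _ in range(iterations):
        state = diffusion(oracle(state, marked))
    return state


def success_probability(n, marked, iterations=None):
    """Probability of measuring the marked item after the Grover steps."""
    return grover(n, marked, iterations)[marked] ** 2


def probability_without_interference(n):
    """Best you can do by measuring right after the Hadamards: 1/N."""
    return max(a * a for a in uniform_superposition(n))


if __name__ == "__main__":
    for n in (2, 3, 10):
        marked = (1 << n) - 1            # arbitrary demo choice
        print(f"n={n}: P(marked) without interference = "
              f"{probability_without_interference(n):.4f}, "
              f"after Grover = {success_probability(n, marked):.4f}")
    print("n=2 amplitudes after one step:", [round(a, 6) for a in grover(2, 3)])
    print("n=2 but two steps (over-rotated):", success_probability(2, 3, 2))
```

Two things this makes concrete. First, the speedup is only quadratic: a brute-force search over N items needs about N tries, Grover needs about sqrt(N) iterations, which is why a symmetric key or hash output just needs to be roughly twice as long, unlike RSA or ECC, where Shor's algorithm gives an exponential speedup. Second, the last line shows that running more iterations is not better: the state rotates past the answer and the success probability drops back to 0.25, so a useful quantum algorithm needs its interference pattern engineered precisely, which is the hard part the reply above refers to.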