[jabbany]

Wait, isn't the point of post-quantum crypto to be as good as existing crypto but also be secure against known quantum attacks like Shor's algorithm and factoring. I don't think the goal is to trade off anything for defenses against quantum attacks.

If anything these stories should be more confidence inducing. They show that the rollout is conservative and that the system works. PQC algorithm has a flaw and it is found. FWIW the way existing traditional crypto is proven safe is pretty much the same -- get a bunch of people to work on attacks and weed out the bad stuff.

[DarkmSparks]

The problem they are trying to solve is how to do encryption in a world when finding solutions to any and all math problems is quick and easy.

And this article only reinforces the idea that the solutions they are coming up with are just obfuscation that is at best no harder than existing problems.

[jabbany]

Even theoretically, quantum doesn't make _all_ math problems easy... Can't they just avoid the things (like factoring) that are potentially vulnerable and just use other math?

[DarkmSparks]

The way quantum computers are purported to work, is they search a problem space simultaneously for all solutions, then spit out the correct solution.

It could be a factorisation problem, or any other.

for cryptography find x and y when f(x,y)=z given z

That is what "post quantum computing" means, aiui. It starts with x and y in all possible values of x and y, then spits out only the values that give z.

All encryption is only as strong as the difficulty of finding x and y given only z.

AIUI anyway. well aware I could have been misled - FUD.

[jabbany]

I think it also has to be a problem that is able to be constructed in a way where incorrect solutions destructively interfere with each other while correct ones don't.

Think of it as being able to simultaneously calculate a bunch of inputs but only being able to report the "sum" of those calculations to you. So to make it useful you'd need to be able to reconstruct problems such that the incorrect answers when computed cancel each other out. Otherwise your desired answer would just be mixed in with garbage and you won't be able to get anything useful out.

It's not actually that easy to make useful quantum algorithms that work and there's only a handful of them around...

[DarkmSparks]

yes, and that is a solved problem for all encryption already, you need that to find any key in encryption.

what makes that hard now is the search takes so much time.

In a theortical post quantum world that search wont take much time.

So the only way I see that post quantum encryption can be secure is if it is impossible to guess a solution and test it for correctness - which for whatever reason... never seems to get addressed.