[j2kun]

I work on homomorphic encryption, and there are some rumors circulating that, if this checks out, it will break some of the leading FHE schemes like BFV, where the moduli used are quite large (in the hundreds of bits or even over a thousand bits).

[ilya_m]

… only if scalable quantum computers exist.

[warkdarrior]

If scalable quantum computers do not exist, we do not need PQC.

[sgt101]

We need PQC about 20 years before practical, scalable gate quantum computers appear (if they can do all the right gates).

I think that this will be signaled when someone factors a 32 bit integer on one. At that point I guess it'll be about 20 years before someone can factor a 2048 bit integer, and I'll get twitchy about what I am sending over the wire with PKI. My feeling is that all my secrets from 20 years ago are irrelevant to life now so I feel 20 years of warning is quite sufficient.

[adastra22]

We are within 20 years of scalable quantum computers already.

[adrianN]

The record for integer factoring on quantum computers was on the order of factoring fifteen into three times five the last time I checked. Can we do three digits now?

[eigenket]

Significantly larger numbers than 15 have been factored [1] but not using Shor's algorithm. Shor's algorithm is particularly sensitive to noise/errors in your quantum computer and isn't going to be useful unless we get a properly error corrected machine working. The algorithms used in [1] are considerably less fancy (with worse asymptomatic performance) but are more resilient to noise.

[1] https://arxiv.org/abs/2012.07825

[vikramkr]

I'm not sure that's the right question. It's more, is there a chance at all of anyone figuring it out, and given the enormous scale of the security risk that poses, we should start proactively mitigating those threats. If fusion energy goes from perpetually 10 years away to suddenly here, that's pretty much just a white swan. If quantum computers happen, that's a global security risk before it's a civilizational upgrade.

[baby]

The last time I checked they even cheated to factor fifteen

[foota]

Hemomorphic encryption is not the same thing as post quantum crypto?

[Beldin]

No, they're orthogonal terms. Homomorphic encryption is encryption where a specific operation on ciphertexts (e.g., ×) translates into an operation on the underlying plaintexts (e.g., +). With fully homomorphic encryption, there are even two such ciphertext operations (and corresponding plaintext operations).

Post quantum crypto is cryptography that cannot be broken by a quantum computer. This is rather nebulous, since we haven't yet discovered all possible algorithms that can run on quantum computers. Before you know it, someone comes along and finds a new efficient algorithm for quantum computers that breaks something thought to be post-quantum. Which is what is happening here - if the results stand up under scrutiny.

Sidenote: it may turn out that any crypto scheme which supports some operation on ciphertexts that translates into an operation on the plaintexts is quantum-resilient (or, vice versa, quantum-vulnerable). But tgat would require a fornal proof.

[deknos]

Homomorphic Encryption does often use lattice mathematics

[Ar-Curunir]

But classically secure FHE is still a useful thing (even if it is broken by hypothetical quantum computers).

[Ar-Curunir]

FHE is still only known from lattices, and has nothing to do with post-quantum computers.

[odyssey7]

I wouldn't bet against the existence of a modern Bletchley Park analogue.