
Posted by thadt 7 hours ago

A cryptography engineer's perspective on quantum computing timelines(words.filippo.io)
207 points | 89 comments
Sparkyte 4 hours ago
There is always a price to encryption. The cost goes up the more you have to cater to different and older encryptions while supporting the latest.
OsrsNeedsf2P 5 hours ago
Why do we "need to ship"? 1,000 qubit quantum computers are still decades away at this point
OhMeadhbh 4 hours ago
So... In 2013 I was working for Mozilla adding TLS 1.1 and 1.2 support into Firefox. It turns out that some of the extensions common in 1.1, in some instances, caused PDUs to grow beyond 16k (or maybe it was 32k, can't remember). This caused middle boxes to barf. Sure, they shouldn't barf, but they did. We discovered the problem (or rather one of our users discovered the problem) by increasing the key size on server and client certs to push PDU sizes over the limit.

At the very least, you want to start using hybrid legacy / pqc algorithms so engineers at Cisco will know not to limit key sizes in PDUs to 128 bytes.

ekr____ 4 hours ago
A few points here: There is already very wide use of PQ algorithms in the Web context [0], which is the most problematic one because clients need to be able to connect to any site and there's no real coordination between sites and clients. So we're exercising the middleboxes already.

The incident you're thinking of doesn't sound familiar. None of the extensions in 1.1 really were that big, though of course certs can get that big if you work hard enough. Are you perhaps thinking instead of the 256-511 byte ClientHello issue addressed in [1]?

[0] https://blog.cloudflare.com/pq-2025/
[1] https://datatracker.ietf.org/doc/html/rfc7685
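
The 256-511 byte ClientHello issue and the RFC 7685 padding extension referenced in [1], as an added example (not code from the post or from any TLS implementation). It assumes the length rule is measured over the whole handshake message (4-byte header plus body), and when fewer than 5 bytes remain below 512 it emits a single zero data byte and overshoots, which is an assumed approach rather than something the RFC mandates:

```python
import struct

PADDING_EXT_TYPE = 0x0015  # "padding" extension codepoint registered by RFC 7685


def padding_extension(client_hello_len: int) -> bytes:
    """Encoded padding extension for a ClientHello of the given size, or b"".

    client_hello_len is the complete handshake message (4-byte header + body)
    before padding. RFC 7685 pads messages in the 256..511 range up to 512.
    An extension costs 4 header bytes; with fewer than 5 bytes left we still
    emit one zero data byte and overshoot 512 (assumed approach).
    """
    if not 256 <= client_hello_len <= 511:
        return b""
    remaining = 512 - client_hello_len
    data_len = remaining - 4 if remaining >= 5 else 1
    return struct.pack("!HH", PADDING_EXT_TYPE, data_len) + bytes(data_len)


def pad_client_hello(msg: bytes) -> bytes:
    """Append the padding extension to a serialized ClientHello and fix lengths."""
    ext = padding_extension(len(msg))
    if not ext:
        return msg
    if msg[0] != 0x01 or len(msg) != 4 + int.from_bytes(msg[1:4], "big"):
        raise ValueError("not a well-formed ClientHello handshake message")
    # Walk the variable-length fields to locate the extensions block.
    p = 4 + 2 + 32                                   # header, version, random
    p += 1 + msg[p]                                  # session_id
    p += 2 + int.from_bytes(msg[p:p + 2], "big")     # cipher_suites
    p += 1 + msg[p]                                  # compression_methods
    ext_len = int.from_bytes(msg[p:p + 2], "big")
    if p + 2 + ext_len != len(msg):
        raise ValueError("extensions length does not match message length")
    body = (msg[4:p] + struct.pack("!H", ext_len + len(ext))
            + msg[p + 2:] + ext)
    return b"\x01" + len(body).to_bytes(3, "big") + body


def make_client_hello(n_suites: int) -> bytes:
    """Constructed sample: minimal TLS 1.2 ClientHello with n_suites suites,
    a 32-byte session id and an empty extensions block (77 + 2*n bytes)."""
    body = b"\x03\x03" + bytes(32)                   # legacy_version, random
    body += b"\x20" + bytes(32)                      # session_id (sample zeros)
    suites = b"".join(struct.pack("!H", 0x1300 + i) for i in range(n_suites))
    body += struct.pack("!H", len(suites)) + suites
    body += b"\x01\x00"                              # compression: null only
    body += b"\x00\x00"                              # extensions: empty
    return b"\x01" + len(body).to_bytes(3, "big") + body
```

A 277-byte sample hello is padded to exactly 512 bytes; a 509-byte one lands at 514 because the 5-byte minimum extension cannot fit the 3 remaining bytes.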

krunck 4 hours ago
This would also be a good time for certain governments to knowingly push broken PQ KE standards while there is a panicked rush to get PQ tech in place.
FiloSottile 3 hours ago
Remember that the entities most likely to heed those governments' recommendations are those providing services to said government and its military.

I feel like the NSA pushing a (definitely misguided and obviously later exploited by adversaries) NOBUS backdoor has poorly percolated into the collective consciousness, missing the NOBUS part entirely.

See https://keymaterial.net/2025/11/27/ml-kem-mythbusting/ for whether the current standards can hide NOBUS backdoors. It talks about ML-KEM, but all recent standards I read look like this.

adgjlsfhk1 3 hours ago
IMO the idea that NSA only uses NOBUS backdoors is obviously false (see for example DES's 56 bit key size). The NSA is perfectly capable of publicly calling for an insecure algorithm and then having secret documentation to not use it for anything important.
FiloSottile 2 hours ago
DES is the algorithm that was secretly modified by the NSA to protect it against differential cryptanalysis. Capping a key size is hardly a "backdoor."

Also, that was the time of export ciphers and Suite A vs Suite B, which were very explicit about there being different algorithms for US NatSec vs. everything else. This time there's only CNSA 2.0, which is pure ML-KEM and ML-DSA.

So no, there is no history of the NSA pushing non-NOBUS backdoors into NatSec algorithms.

bawolff 3 hours ago
> see for example DES's 56 bit key size

In fairness, that was from 1975. I don't particularly trust the NSA, but I don't think things they did half a century ago are a great way to extrapolate their current interests.

some_furry 4 hours ago
Which governments are you thinking of?
OhMeadhbh 5 hours ago
In rebuttal, Peter Gutmann seems to think the progress towards quantum computing devices which can break commonly used public key crypto systems is not moving especially quickly: https://eprint.iacr.org/2025/1237
schmichael 5 hours ago
That's not a rebuttal. The post references the paper and a rebuttal to it from an expert in the field.
john_strinlai 3 hours ago
>and a rebuttal to it from an expert in the field.

While I agree with Filippo, the way you worded this makes me think that you may not be aware that Gutmann is also an expert in the field. So, if you are giving Filippo weight because he is an expert, it is worth giving some amount to Gutmann as well.

schmichael 3 hours ago
I apologize if I flippantly dismissed the fact that experts disagree. That was not my intention. I was trying to point out that OP does address the referenced counter-point post specifically.
john_strinlai 3 hours ago
>Sorry if I flippantly dismissed the fact that experts disagree!

I don't really get your reply/insincere apology.

If you are going to bother mentioning Filippo's expertise in the first place, it's just weird to frame it the way you did. That is how someone would typically dismiss some random blogger with an appeal to authority. But if both people are authorities, it doesn't make sense.

If you already knew, then my comment can be context for future readers that don't and might just dismiss Gutmann as a non-expert getting rebutted by an expert.

OhMeadhbh 4 hours ago
Damn. It's like I insulted Vault.

Also, I went over Filippo's post again and still can't see where it references the Gutmann / Neuhaus paper. Are we talking about the same post?

tkhattra 4 hours ago
From Filippo's post: "Sure, papers about an abacus and a dog are funny and can make you look smart and contrarian on forums."
OhMeadhbh 1 hour ago
If only we had a technology where an author could specify a unique identifier and name of another author's paper. Something that could cite a different paper and link to it.
commandersaki 3 hours ago
Is that even a rebuttal? Seems like just a dismissal without any substance. I expect in 10 years the predictions will be wrong, kind of like Y2K all over again.
xvector 4 hours ago
From the abstract:

> This paper presents implementations that match and, where possible, exceed current quantum factorisation records using a VIC-20 8-bit home computer from 1981, an abacus, and a dog.

From the link:

> Sure, papers about an abacus and a dog are funny and can make you look smart and contrarian on forums. But that’s not the job, and those arguments betray a lack of expertise[1]. As Scott Aaronson said[2]:

> > Once you understand quantum fault-tolerance, asking “so when are you going to factor 35 with Shor’s algorithm?” becomes sort of like asking the Manhattan Project physicists in 1943, “so when are you going to produce at least a small nuclear explosion?”

[1]: https://bas.westerbaan.name/notes/2026/04/02/factoring.html

[2]: https://scottaaronson.blog/?p=9665#comment-2029013

munrocket 4 hours ago
Yes, this is why I invested in QRL crypto. With the latest updates and no T1 exchange, it looks like a good opportunity to grow.