This article by Justin Thaler is a nice counterpoint to the interview with Scott Aaronson that I posted yesterday (#1312936).
The real challenge in navigating a successful migration to post-quantum cryptography is matching urgency to actual threats.
We are nowhere near a cryptographically relevant quantum computer by any reasonable reading of public milestones and resource estimates. Companies sometimes claim a CRQC is likely before 2030 or well before 2035, but publicly known progress doesn’t support those claims.
By a “cryptographically relevant quantum computer” I mean a fault-tolerant, error-corrected quantum computer capable of running Shor’s algorithm at scales sufficient to attack elliptic curve cryptography or RSA within a reasonable timeframe (e.g., breaking secp256k1 or RSA-2048 with at most, say, one month of sustained computation).
Recent systems approach the physical error rates where quantum error correction begins to work, but no one has demonstrated more than a handful of logical qubits with sustained error-corrected circuit depth… much less the thousands of high-fidelity, deep-circuit, fault-tolerant logical qubits actually required to run Shor’s algorithm. The gap between demonstrating that quantum error correction works in principle, and achieving the scale needed for cryptanalysis, remains vast.
- Demos claiming “quantum advantage”, which currently target contrived tasks.
- Companies claiming to have achieved many thousands of physical qubits.
- Companies making liberal use of the term “logical qubit”.
Thaler presents 7 recommendations for "What we should do now" at the end of the piece. They seem pretty reasonable to me. I also really like how he makes a distinction between the vulnerability of encryption and signatures -- encrypted data that is treated as safe to expose to the public can be harvested now for later decryption, while signatures are mostly only vulnerable once a cryptographically relevant quantum computer finally comes along.