deflating heffalumps
Robert J. Hansen
rjh at sixdemonbag.org
Sat Jan 4 04:51:32 CET 2025

> In theory, with long-enough (perhaps too long for practical use) RSA
> keys, conventional factoring would be /easier/ than Shor's algorithm. Is
> there such a "turnover" point?

When talking about science fiction technologies, the only answer is "who
knows?" You'll hear me say that a lot here.

If someone in the 1950s were to ask questions about computing technology
today, the best minds of the '50s might be able to specify the physical
limits of computing but none of them would have a clue as to how closely
we'd approach those limits.

Sure, there's probably a turnover point. Nobody has a clue where. Nobody
thinks the GNFS is approaching the asymptotic limit of factoring: we
just don't have a better algorithm. Yet. A number-theoretic breakthrough
would move the turnover point enormously. So would engineering
breakthroughs in coherence time. So would a proof of P=NP. So would...
Who knows? The future does not come according to predictable progress.
Stagnation and breakthrough is more often the case.

My estimate of each computational qubit in a massive ensemble requiring
five qubits of error correction is a wild guess that seems, according to
my prejudices, pretty conservative. There's zero reason to take it as
authoritative, consensus, or grounded in physical limits of the universe.

> So those figures are low by factor of ...?

Who knows? At present we can't build an ensemble even 1% the size needed
to break RSA-4096. By the time we get to ensembles of that size, who
knows what breakthroughs we'll also have made in quantum error correction?

> So a quantum computer able to solve RSA-256/384/512 can also solve EC-
> RSA-256/384/512 with the same difficulty?

I answered this.

>> The US government's belief is that RSA-3072 will be sufficient for
>> protection of Top Secret/SCI data for the next twenty-five years.
>>
>> [...]
>
> And what about the various elliptic curve cryptosystems?

I provided you with a link to the NSA's CNSA Suite 2.0. I did this
hoping you would read it.

Securing TS/SCI traffic with legacy CNSA 1.0 algorithms such as ECDH,
ECDSA, and RSA will be officially approved until 2033 in most roles.
After that, it's all PQC.