Thoughts on PQC
Jacob Bachmeyer
jcb62281 at gmail.com
Tue Apr 14 06:12:37 CEST 2026
On 4/13/26 16:07, Robert J. Hansen via Gnupg-users wrote:
>> The point I was trying to make was that in your original e-mail at
>> [1], your second point and other parts are not helping me
>> understand your thoughts on PQC.
>
> 1. An awful lot of the people talking about PQC are doing so for
> self-serving reasons. Some of these people are committing outright
> fraud. They think that if they can use enough science gibberish they
> can fool people into giving them money. I used as an example a company
> that once traded for $970/share, where their CEO made extraordinary
> claims about how quantum computing capability would double every 38
> days for the next two years. This man had a Ph.D in physics. Was he
> just an incompetent physicist, to make such an outrageous claim? Or
> was he a fraud looking to sell stock to people who were easily impressed?
Well, if the stock traded at $970/share, I would say that he succeeded
in getting people to give him money, at least for a while. *That* part
worked, even if the qubits did not. :-)
>
> [...]
>
> So that's my first thought on PQC: a lot of the people talking about
> it are swindlers, scoundrels, rogues, grifters, and flimflam artists.
> You should always remember that when hearing someone talk about PQC.
> "Is this person a fraud, or are they being honest?"
My understanding (based on the "heffalumps" paper) is that past PQC
systems have had nasty tendencies to unravel under conventional
computing. You have looked at this much more than I have. Have we
finally found problems that are reliably hard for both quantum and
conventional computing?
>
> [...]
>
> 3. There is thoroughly too much special pleading going on.
>
> The sine qua non of computer science ("without this, there is
> nothing") is effectiveness. If something isn't effective, it's not an
> algorithm. If it's not an algorithm, it's ... well, very probably boring.
>
> The quantum computation and quantum cryptanalysis crowd tends to be
> guilty of this. A few years ago Google invented a "problem" that
> existed to ... to what? They created a random quantum circuit (which
> is a little weird, but not totally weird: random matrix theory is
> well-known in computer science, RQC is sort of its quantum analogue)
> that did nothing, could do nothing, except ... set itself up faster
> than a classical algorithm could.
>
> Where's the effectiveness? What problem was it solving?
How does its performance compare to existing TRNGs? (Presumably a
random quantum circuit would produce random output... or is my ignorance
showing and most of them just produce zero or some constant not
characteristic of the circuit?)
(It could be "return 4;" in quantum form.) :-)
> [...]
>
>
> 6. The bottom line
>
> It's something to keep an eye on, but remember the odds are
> overwhelmingly good you won't need PQC in the next five years.
As another guy with a bunch of ideas, I expect RSA-2048 to eventually
fall to ever-larger clusters if Moore's law does not completely break
down. (We are also very close, if not already at, a point where Moore's
law collides with hard physical limits, like the inability to make
transistors smaller than the atoms of which they are comprised.)
Looking at it another way, I expect conventional computing to solve
RSA-2048 before qubit ensembles capable of solving even RSA-1024 are built.
On the other hand, reports seem to suggest that the mathematical
advantage that makes 256-bit ECRSA viable despite RSA-256 being easily
solved does not apply to Shor's algorithm. If *that* is correct, EC
cryptosystems will fall to quantum computing long before RSA does, and
*possibly* [*] even before conventional clusters are able to solve RSA-2048.
[*] The "possibly" here carries quite a bit of weight: the required
advances in *both* conventional and quantum computing are uncertain.
-- Jacob
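The "mathematical advantage" mentioned above (256-bit EC keys being viable while a 256-bit RSA modulus is easily factored) comes down to the shape of the best known classical attacks: factoring has a sub-exponential algorithm (GNFS), while the discrete log on a well-chosen curve only has generic square-root attacks (Pollard rho). The following is an added example, not code from the thread or from GnuPG; it evaluates the textbook GNFS asymptotic L_n[1/3, (64/9)^(1/3)] with the o(1) term dropped and the Pollard-rho cost sqrt(pi*n/4), both expressed as bits of classical work. The function names and the size list are my own; the absolute GNFS numbers are uncalibrated and only meant to show the curve, and the quantum side (Shor's algorithm, polynomial for both problems) is deliberately not modelled.

```python
import math


def gnfs_work_bits(modulus_bits: int) -> float:
    """Heuristic classical work to factor an RSA modulus of modulus_bits bits.

    Uses the GNFS asymptotic L_n[1/3, (64/9)^(1/3)] = exp(c * (ln n)^(1/3) * (ln ln n)^(2/3))
    with the o(1) term dropped, returned as log2(operations). This is an uncalibrated
    estimate: it tracks the sub-exponential *shape* of the cost, not a precise attack cost.
    """
    ln_n = modulus_bits * math.log(2)            # ln n for an n-bit modulus
    c = (64.0 / 9.0) ** (1.0 / 3.0)              # GNFS constant, about 1.923
    ln_work = c * ln_n ** (1.0 / 3.0) * math.log(ln_n) ** (2.0 / 3.0)
    return ln_work / math.log(2)


def ecdlp_work_bits(curve_bits: int) -> float:
    """Generic Pollard-rho cost for the discrete log in a prime-order curve group.

    For a group of order n ~ 2^curve_bits the expected cost is about sqrt(pi * n / 4)
    group operations, i.e. roughly curve_bits / 2 bits of work. No better classical
    attack is known for curves without special structure, so this is exponential in
    the key size, unlike GNFS for RSA.
    """
    # Work in log space so the value stays exact for large curve_bits.
    return curve_bits / 2.0 + 0.5 * math.log2(math.pi / 4.0)


def classical_gap_bits(key_bits: int) -> float:
    """How many more bits of classical work an EC key needs than an RSA modulus
    of the same size (the advantage the thread refers to)."""
    return ecdlp_work_bits(key_bits) - gnfs_work_bits(key_bits)


def compare(sizes=(256, 512, 1024, 2048, 3072, 4096)) -> list[dict]:
    """Tabulate both estimates for a list of key sizes (constructed sample sizes)."""
    return [
        {
            "bits": b,
            "rsa_gnfs_work_bits": round(gnfs_work_bits(b), 1),
            "ec_rho_work_bits": round(ecdlp_work_bits(b), 1),
        }
        for b in sizes
    ]


if __name__ == "__main__":
    print(f"{'key bits':>9} {'RSA/GNFS':>10} {'EC/rho':>10}")
    for row in compare():
        print(f"{row['bits']:>9} {row['rsa_gnfs_work_bits']:>10} {row['ec_rho_work_bits']:>10}")
```

Running it shows a 256-bit RSA modulus at roughly 2^47 operations (well within reach of a workstation) against about 2^128 for a 256-bit curve, a gap of around 80 bits at the same key size. The uncalibrated GNFS estimate lands near 117 bits for RSA-2048 and 139 bits for RSA-3072; the commonly cited practical equivalences (about 112 and 128 bits respectively, matching a 256-bit curve at 128) are in the same range, which is the check that the curve shape is right even though the constants are not.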