Article, words.filippo.io, 12 min read

The Urgent Need for Quantum-Resistant Cryptography


AI Summary

In recent months, my perspective on the urgency of implementing quantum-resistant cryptography has shifted dramatically. Recent developments have highlighted the accelerating progress towards cryptographically-relevant quantum computers (CRQCs). Google released a paper indicating that breaking 256-bit elliptic curves could be feasible in minutes using superconducting qubits, while another study by Oratomic suggests that 256-bit curves could be broken with just 10,000 physical qubits if non-local connectivity is available. These advancements suggest that the hardware is improving, algorithms are becoming more efficient, and error correction requirements are decreasing.

Experts like Heather Adkins and Sophie Schmieg warn that quantum breakthroughs may be closer than anticipated, with a potential deadline of 2029. Scott Aaronson draws parallels to the secrecy of nuclear fission research, emphasizing the urgency of transitioning to post-quantum cryptosystems. The timelines for quantum computing have become more immediate, and it's crucial to recognize the risk of not acting now.

We must begin deploying what we have, even if it means using larger ML-DSA signatures in systems designed for smaller ECDSA signatures. The previous strategy of taking time to adapt protocols is no longer viable; we need to complete the transition by 2029. For key exchanges, migrating to ML-KEM is progressing, but any non-PQ key exchange should be considered potentially compromised. Non-interactive key exchanges should be set aside, and we should focus on pure post-quantum solutions.

Hybrid classic and post-quantum authentication no longer makes sense, as it only delays the transition. Symmetric encryption remains unaffected, as Grover's algorithm doesn't necessitate 256-bit keys. However, ecosystems with cryptographic identities must start migrating soon to avoid difficult decisions if CRQCs arrive before they're ready.

In my work, we face the challenge of outdated cryptography packages in the Go standard library and the risk of downgrade attacks. Trusted Execution Environments are at risk, and projects relying on them may need reassessment. File encryption is vulnerable to store-now-decrypt-later attacks, necessitating warnings for non-PQ types.

As I teach cryptography, I now present RSA, ECDSA, and ECDH as legacy algorithms, reflecting the shift in the field. For those interested in the ongoing post-quantum migration, follow my updates on Bluesky and Mastodon.

Key Concepts

Quantum-Resistant Cryptography

Cryptographic algorithms designed to be secure against the potential capabilities of quantum computers, which can break many classical cryptographic systems.

Cryptographically-Relevant Quantum Computers

Quantum computers that possess the capability to break widely used cryptographic algorithms, such as those based on elliptic curves, within feasible timeframes.

Category

Technology

Summarized by Mente
