Post-quantum defaults

Robert J. Hansen rjh at sixdemonbag.org
Mon Apr 6 22:40:22 CEST 2026


> Can you elaborate on why you think this is the right time to do so?

My three pillars are the difficulty of accumulating a large enough 
ensemble; the difficulty of quantum error correction; and the general 
inefficiency of quantum computers. These are all to some degree 
interconnected.

For instance, there's a theoretical minimum of 5n+1 qubits necessary to 
break RSA-n, but at our current level of engineering it requires orders 
of magnitude more. That's an inefficiency problem that runs into "so, 
how do you plan to get that many qubits anyway?" (large ensemble 
problem) and "how do you plan on doing error correction on that huge 
ensemble?" (error correction).

Well, there's been some news there.

From Google [1]:

	Specifically, we have compiled two quantum circuits (a
	sequence of quantum gates) that implement Shor's algorithm
	for ECDLP-256: one that uses less than 1,200 logical
	qubits and 90 million Toffoli gates and one that uses less
	than 1,450 logical qubits and 70 million Toffoli gates. We
	estimate that these circuits can be executed on a
	superconducting qubit CRQC with fewer than 500,000
	physical qubits in a few minutes, given standard
	assumptions about hardware capabilities that are
	consistent with some of Google’s flagship quantum
	processors. This is an approximately 20-fold reduction in
	the number of physical qubits required to solve ECDLP-256
	and a continuation of a long history of gradual
	optimization in compiling quantum algorithms to fault-
	tolerant circuits.

Well. That's … impressive. A twentyfold reduction is scary because it 
says they're on to a good method and this is just the beginning. There 
are some serious cracks showing.

But wait, 500,000 physical qubits? That's … we can still take some 
reassurance from that, right?

Maybe. Cain, Xu, King, et al. [2], just a few days later, showed that 
maybe it can be done in 10,000 physical qubits.

Serious cracks, indeed. It's not worth panicking over: I give a low 
probability these will turn into real attacks any time in the next few 
years. But I do think we'll all be using post-quantum algorithms around 
2030, and for a lot of us, the time to start making that transition is 
today.

[1] https://research.google/blog/safeguarding-cryptocurrency-by-disclosing-quantum-vulnerabilities-responsibly/

[2] https://arxiv.org/abs/2603.28627