Post-quantum defaults

Robert J. Hansen rjh at sixdemonbag.org
Tue Apr 7 02:24:29 CEST 2026


> The other one involves something called neutral atoms. This
> technology has better noise performance. But it is a different
> technology. It appears that we don't know how to run a relevant
> algorithm on it at this time in a useful way. The paper refers to
> "engineering challenges". So I think this is the one to pay
> attention to in the next few months. We need to wait for comments
> from knowledgeable critics.

Yes and no.

Scott Aaronson, a widely respected quantum computational theorist, had 
this to say in December 2025:

	When Frisch and Peierls wrote their now-famous memo
	in March 1940, estimating the mass of Uranium-235
	that would be needed for a fission bomb, they didn't
	publish it in a journal, but communicated the result
	through military channels only. As recently as
	February 1939, Frisch and Meitner had published in
	_Nature_ their theoretical explanation of recent
	experiments, showing that the uranium nucleus could
	fission when bombarded by neutrons. But by 1940,
	Frisch and Peierls realized that the time for open
	publication of these matters had passed.

	Similarly, at some point, the people doing detailed
	estimates of how many physical qubits and gates
	it'll take to break actually deployed cryptosystems
	using Shor's algorithm are going to stop publishing
	those estimates, if for no other reason than the
	risk of giving too much information to adversaries.
	Indeed, for all we know, that point may have been
	passed already. This is the clearest warning that I
	can offer in public right now about the urgency of
	migrating to post-quantum cryptosystems, a process
	that I'm grateful is already underway.

For many years now my own personal, private, rule-of-thumb, educated 
guess, wild hope, semi-informed nonsense, however you want to put it, 
has been "I need to migrate to post-quantum cryptography while the risk 
of breaking RSA-2048 in the next five years feels to be under 1%."

It no longer feels like it's under 1%, and that motivates me to ask when 
GnuPG is going to migrate the standard keypair to PQC.
