Post-quantum defaults

Robert J. Hansen rjh at sixdemonbag.org
Tue Apr 7 05:47:08 CEST 2026


> The issue I see here is that these seem to be specialized for elliptic 
> curve cryptosystems.  In other words, the "free lunch" of shorter keys 
> and better performance by using the more-complicated mathematics of 
> elliptic curves instead of the general integers is going away.

Yes. But attacks only get better over time: they don't get worse. If the 
current defaults of ECC keypairs are at threat, and our original 
projection for RSA-2048 was it would be safe only until 2030 or so (see 
the GnuPG FAQ, section 11.2), then the solution is not to go back to 
RSA-2048 but to find something with long-term prospects. That would seem 
to be Kyber, not RSA-4096.

> This is almost *exactly* what I expected and is the concern that I have 
> long had with EC cryptosystems:  the shorter ECC keys will fall to 
> quantum computing long before the longer RSA keys will.

Perhaps.

I have to say it all feels so very intensely surreal. As an undergrad in 
1993 I read every crypto paper I could get my hands on, and back then 
the tantalizing hot new thing in crypto was elliptical curves. They were 
conjectured to be strong but they relied on the unproven 
Taniyama-Shimura conjecture, which everyone thought was true but nobody 
knew how to solve.

Then around 1995, Andrew Wiles proved Taniyama-Shimura (and, in the 
course of doing so, Fermat's last theorem). ECC was now on 
mathematically rigorous ground. It was a time of great upheaval and 
everyone was eager to get on the ECC bandwagon and ...

Yow. Heady times. Seriously, you have no idea how big of a thing it was 
unless you were there.

Now, thirty years later and approaching the end of my career, I'm seeing 
the end of ECC. The last time I mentioned Taniyama-Shimura, the younger 
cryptologists I was conversing with looked at each other confused until 
another graybeard explained "it's what we used to call what they now 
call the 'modularity theorem'."

I felt like an idiot. Of course nobody calls it Taniyama-Shimura any 
more. It's no longer a conjecture, after all.

Sigh. Sic transit gloria mundi…
