Post-quantum cryptography is too damn big
Performance & Size Concerns for PQC
- Many comments agree that current post-quantum signature schemes (e.g., lattice-based like Dilithium) are very large, causing handshake bloat, latency, and memory pressure – especially problematic for embedded and constrained devices.
- Some argue that “14 KB isn’t much” compared to multi‑MB web pages; others counter that handshake data is head‑of‑line blocking, repeated across many connections/CDNs, and thus latency-critical.
- There’s concern that we may be stuck with large schemes for a while; others think protocol changes (connection reuse, HTTP/2/3, cert-chain elision, transparency logs) can mitigate overhead.
Threat Model & Timing of Quantum Attacks
- Skeptics question whether large-scale quantum computers will exist soon enough to justify widespread PQC deployment, likening the situation to fusion or over-hyped tech that is always “20 years away.”
- Others argue quantum computing remains the most plausible known threat to current asymmetric crypto and that crypto migration takes decades, so early action is prudent.
- “Harvest now, decrypt later” is discussed: some see it as overblown; others note that once a large quantum computer exists, archived traffic without PQ key exchange is exposed.
Alternative Technologies: QKD & One-Time Pads
- Quantum Key Distribution is seen as more mature than large quantum computers but impractical for general internet use: requires special hardware, good optical paths, and still needs an authenticated (thus PQ-safe) channel.
- Some argue physical key distribution or classical symmetric crypto plus small shared secrets is simpler; QKD’s cost–benefit is questioned.
- One-time pads are acknowledged as theoretically perfect but operationally difficult; PQ-safe symmetric crypto with good key exchange is favored.
Use Cases: Web, Cryptocurrencies, and Signatures
- For the web, several propose focusing first on PQ-safe key exchange to protect against retrospective decryption, while keeping classical certificates for now.
- Cryptocurrencies are highlighted as especially exposed to future quantum attacks; account models with pluggable signature schemes and contract-based wallets are discussed as a migration path.
- Some debate separating integrity from confidentiality (e.g., subresource integrity, hashes), but others emphasize that URLs and access patterns themselves are sensitive, so encryption remains important.