Why Quantum Cryptanalysis is Bollocks [pdf]

Tone and Scope of the Critique

  • Some readers see the slides as sharp but largely numerical and data-driven; others see them as emotionally charged, cynical, or “wishcasting” against QC.
  • Several argue that the talk conflates justified skepticism of hype/grift with dismissing the underlying science and theoretical value of quantum cryptanalysis.

Progress in Quantum Computing

  • One camp: QC has had ~40 years of claims and very little externally visible impact; effective qubit counts and ability to factor non‑toy integers remain poor, suggesting stalled or overpromised progress.
  • Counterpoint: progress shouldn’t be judged by “largest integer factored” but by error rates, decoherence, and gate fidelity; error-correction experiments have seen dramatic improvements over the past decade.
  • Disagreement over timescales: some think we’re 1–2 orders of magnitude from “cryptographically relevant” error rates and thus decades away; others warn that nonlinear breakthroughs, on the pattern of EUV lithography finally working after years of stagnation, could compress timelines.

Hype, Grifters, and Opportunity Cost

  • Multiple comments stress real opportunity cost: money, talent, and PhDs going into speculative QC while more impactful areas are neglected.
  • Others argue that the core research questions (quantum‑superior attacks, new hardness assumptions) are inherently valuable regardless of engineering outcomes.

PQC Standardization and Deployment

  • Several note that, regardless of QC feasibility, major governments and standards bodies have already committed to PQC and are in “full transition mode.”
  • Observed “sudden” urgency around 2022–2023 is linked partly to the NIST competition converging on specific algorithms.
  • Concern: PQC schemes are young and complex and may hide unforeseen weaknesses; historical failures (e.g., the NIST candidates SIKE and Rainbow, both broken with classical computation in 2022) are cited as warnings.
  • Debate over hybrid vs PQC‑only: “hybrid” combines a classical key exchange with a PQ KEM and derives the session key from both shared secrets, so the session stays secure as long as either component holds. Open protocols and big vendors lean hybrid; some government roadmaps appear to favor pure PQC, which critics call risky given how young the schemes are.

Threat Models: QC vs Everyday Attacks

  • Many agree with the presentation’s emphasis that OWASP-style bugs vastly dominate real-world compromises; cryptographic breaks are rare by comparison.
  • Others push back that “small leaks” (timing side channels, nonce reuse, microarchitectural issues) can and do matter, and are heavily mitigated precisely because they’re serious.
  • For state-level SIGINT, passive capture and “store now, decrypt later” are considered a distinct threat class where long‑term cryptographic strength—including against potential QC—can matter over decades.
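The “small leaks” point above, as an added example that is not part of the original slides or the thread: a byte‑by‑byte tag comparison leaks, through how much work it does before exiting, the length of the prefix a guess gets right, and an attacker who can observe that leak recovers a 16‑byte MAC tag in at most 16 × 256 queries instead of 2^128. The key, the message and the `examined` counter standing in for a timing measurement are all constructed for this demo; in real code the comparison is `hmac.compare_digest`.

```python
from __future__ import annotations

import hashlib
import hmac
from typing import Callable, Optional, Tuple

# Constructed demo values: not real secrets, chosen only so the example runs offline.
SECRET_KEY = b"constructed-demo-key-not-a-real-secret"
MESSAGE = b"transfer 100 to account 42"
TAG_LEN = 16


def compute_tag(message: bytes) -> bytes:
    """Server-side MAC: truncated HMAC-SHA256 over the message."""
    return hmac.new(SECRET_KEY, message, hashlib.sha256).digest()[:TAG_LEN]


def naive_equal(a: bytes, b: bytes) -> Tuple[bool, int]:
    """Early-exit comparison (the vulnerable form).

    Returns (equal, bytes_examined). The second value stands in for the
    timing signal: the loop stops at the first mismatch, so the time taken
    grows with the length of the prefix the guess gets right.
    """
    if len(a) != len(b):
        return False, 0
    examined = 0
    for x, y in zip(a, b):
        examined += 1
        if x != y:
            return False, examined
    return True, examined


def constant_time_equal(a: bytes, b: bytes) -> Tuple[bool, int]:
    """Fixed-work comparison (the hardened form).

    Every byte is always examined, so bytes_examined, and the time, carry no
    information about where the first mismatch is. Production code should
    call hmac.compare_digest instead of hand-rolling this.
    """
    if len(a) != len(b):
        return False, 0
    diff = 0
    for x, y in zip(a, b):
        diff |= x ^ y
    return diff == 0, len(a)


Oracle = Callable[[bytes, bytes], Tuple[bool, int]]


def recover_tag(message: bytes, oracle: Oracle) -> Optional[bytes]:
    """Attacker: knows the message, submits candidate tags, observes the leak.

    Byte i is found by trying all 256 values: only the right one makes the
    comparison proceed past position i. Cost is at most TAG_LEN * 256 queries.
    Returns None when the leak never distinguishes candidates (constant-time
    oracle), i.e. when the attack fails.
    """
    guess = bytearray(TAG_LEN)
    for i in range(TAG_LEN):
        for cand in range(256):
            guess[i] = cand
            accepted, examined = oracle(message, bytes(guess))
            if accepted:
                return bytes(guess)
            if examined > i + 1:
                break  # comparison got past byte i: this candidate is right
        else:
            return None  # no candidate extended the match
    return None


def leaky_server(message: bytes, tag: bytes) -> Tuple[bool, int]:
    """Verifier that uses the early-exit compare (hypothetical vulnerable service)."""
    return naive_equal(compute_tag(message), tag)


def hardened_server(message: bytes, tag: bytes) -> Tuple[bool, int]:
    """Same verifier with the fixed-work compare."""
    return constant_time_equal(compute_tag(message), tag)


if __name__ == "__main__":
    print("real tag    :", compute_tag(MESSAGE).hex())
    leaked = recover_tag(MESSAGE, leaky_server)
    print("vs leaky    :", leaked.hex() if leaked else "failed")
    hardened = recover_tag(MESSAGE, hardened_server)
    print("vs hardened :", hardened.hex() if hardened else "failed")
```

Against the early‑exit verifier the attacker recovers the full tag; against the fixed‑work verifier every query reports the same amount of work, the per‑byte search learns nothing, and the attack fails. Real timing is noisier than a counter, but averaging over repeated queries removes the noise, which is why the mitigation is a fixed‑work comparison rather than a bet that the jitter hides the signal.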