A cryptography engineer's perspective on quantum computing timelines

Reading & learning resources

  • A recently updated general cryptography book with a post‑quantum chapter is recommended for those catching up.
  • Commenters note that practical deployment details are very new and not yet well documented.

Business and deployment aspects

  • Some see “PQ migration as a service” as a startup opportunity.
  • Others argue it’s too deep in the stack, hard to value, and security is a “vitamin not an aspirin,” making sales difficult.

Hybrid vs non‑hybrid PQC

  • One side: hybrids (classical + PQ) are essential because PQ schemes are newer, less battle‑tested, and side‑channel or structural breaks are still plausible.
  • Other side: if you believe CRQCs will be usable soon, classical ECDH becomes nearly worthless quickly; hybrids add complexity, bikeshedding, and slow standards work for little long‑term benefit.
  • There is disagreement on how comparable the risks are: “CRQC soon” vs “lattice/PQ break soon.”
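The concrete mechanism behind the hybrid argument is the combiner: both shared secrets are fed into one KDF, so the session key stays secret unless the classical and the PQ exchange are both broken. The block below is an added illustration, not code from the thread or from any library it mentions; it implements HKDF (RFC 5869) with the standard library and a concatenation combiner in the style of the TLS hybrid design, and the two shared secrets are constructed sample bytes standing in for X25519 and ML-KEM outputs (each 32 bytes).

```python
import hashlib
import hmac
import os

HASH = hashlib.sha256
HASH_LEN = HASH().digest_size


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """RFC 5869 HKDF-Extract: PRK = HMAC-Hash(salt, IKM)."""
    if not salt:
        salt = bytes(HASH_LEN)  # RFC 5869: empty salt means HashLen zero bytes
    return hmac.new(salt, ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 HKDF-Expand: T(i) = HMAC-Hash(PRK, T(i-1) | info | i)."""
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm += block
        counter += 1
    return okm[:length]


def hybrid_combine(ss_classical: bytes, ss_pq: bytes,
                   transcript_hash: bytes, length: int = 32) -> bytes:
    """Concatenation combiner: ss_classical || ss_pq enters the KDF as one
    input keying material, bound to the handshake transcript via the salt.
    Fixed-length secrets are required so the concatenation is unambiguous."""
    if len(ss_classical) != 32 or len(ss_pq) != 32:
        raise ValueError("expected 32-byte shared secrets (X25519 / ML-KEM sizes)")
    prk = hkdf_extract(salt=transcript_hash, ikm=ss_classical + ss_pq)
    return hkdf_expand(prk, b"hybrid-kem-session-key", length)


def crqc_learns_classical_only(ss_classical: bytes, ss_pq: bytes,
                               transcript_hash: bytes) -> bool:
    """Model of the hybrid rationale: an adversary who recovers only the
    classical secret (e.g. ECDH broken by a CRQC) and guesses the PQ secret
    does not obtain the real session key."""
    real = hybrid_combine(ss_classical, ss_pq, transcript_hash)
    guess = hybrid_combine(ss_classical, os.urandom(32), transcript_hash)
    return hmac.compare_digest(real, guess)  # False in the expected case


if __name__ == "__main__":
    # Constructed sample secrets; a real exchange would produce these.
    ss_c, ss_pq, th = os.urandom(32), os.urandom(32), hashlib.sha256(b"hello").digest()
    print(hybrid_combine(ss_c, ss_pq, th).hex())
    print("classical-only attacker recovers key:", crqc_learns_classical_only(ss_c, ss_pq, th))
```

The same structure applies when the classical side is considered worthless (the "CRQC soon" view): dropping the classical input just reduces the combiner to a single-secret KDF, which is why the debate is about cost, not about correctness of the construction.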

Timelines and quantum progress

  • Some argue new fault‑tolerance and error‑correction results materially shorten the “Q‑day” timeline; migrations must start now due to slow standards, tooling, and hardware cycles.
  • Skeptics point out that factoring demonstrations remain tiny, progress is uneven, and error‑correction requirements are still enormous; they see predictions as speculative.
  • Others stress that once scalable error correction exists, going from small to large keys is mostly an engineering scaling problem.

What to migrate first: key exchange vs signatures

  • Earlier consensus: prioritize PQ key exchange (to stop “store now, decrypt later”), treat signatures as less urgent.
  • Newer view in the thread: timelines may now be tight enough that authentication/signature migration also has to start immediately.
  • Some propose preparing PQ certificates and infrastructure now, but only switching fully when necessary; others warn you cannot rely on being able to “fast switch” later.

Symmetric crypto and AES key size

  • Many agree symmetric crypto is largely safe; the article’s view is that AES‑128 is sufficient even post‑quantum.
  • Several commenters push back, arguing AES‑256 is cheap, already widely supported, and avoids long debates about whether 128‑bit keys remain “enough.”
  • There are practical constraints in some environments (e.g., embedded hardware only supporting AES‑128).

Hardware roots of trust and authenticators

  • TEEs, TPMs, firmware signing keys, and attestation roots are widely non‑PQ; replacing them could require large‑scale hardware refreshes.
  • Some note firmware/TPM implementations are often “soft” and may be partially upgradable, but many boot and attestation chains still depend on classical signatures.
  • Hardware security keys (e.g., for FIDO/WebAuthn, SSH) are considered safe for authentication against “record now, break later,” but unsafe for long‑term encryption keys once CRQC exists.
  • There is interest in PQ‑capable tokens and secure elements, but they are not yet broadly available.

WebPKI, standards, and rollout complexity

  • Commenters highlight a long supply chain: standards bodies, certificate rules, HSM vendors, CAs, browsers, and finally sites.
  • This argues for starting deployment well before any clear public evidence of CRQCs.
  • Some suggest partial mitigations (central authorities using PQ for revocation and updates) but acknowledge broad PQ certificate deployment remains hard.

Cryptocurrencies and PQ threat

  • Several discuss cryptocurrencies as early, high‑value CRQC targets due to direct financial upside.
  • For Bitcoin and others, larger PQ signatures would reduce throughput and bloat chains, making migration slow.
  • Some note ongoing work on PQ‑suitable signature schemes tailored to constrained blockchains, while warning about fraudsters using “quantum Bitcoin theft” narratives to raise money.

Trust, agencies, and standards

  • The thread revisits historical episodes where national agencies influenced or weakened algorithms, and debates whether current PQ standards could hide “NOBUS” backdoors.
  • Some argue current ML‑KEM/ML‑DSA designs leave little room for secret backdoors; others remain wary of any scheme strongly pushed by intelligence agencies.
  • Overall, there is tension between the need to move fast on PQC and skepticism about motives and assurances from governments and large vendors.