Will you heed my warnings now?

Practical steps for engineers and CTOs

  • Inventory where cryptography is used (TLS, SSH, custom protocols, hardware, vendors).
  • Prefer “crypto agility”: make algorithms configurable, not hardcoded.
  • Update crypto libraries (e.g., recent OpenSSL) and application versions (e.g., modern OpenSSH, browsers).
  • Enable PQ key exchange where available (e.g., the hybrid X25519MLKEM768 group in TLS 1.3; OpenSSH has shipped a PQ hybrid KEX by default since 9.0, sntrup761x25519 first and mlkem768x25519 later).
  • Use scanners to assess external TLS/SSH posture and PQ readiness; check what servers and clients actually negotiate, not just which library versions are installed, since a library can support a PQ group that the configuration never offers.
  • For orgs: define a post‑quantum roadmap, write policies, train staff, and push vendors for their migration plans.
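The posture check in the list above, as an added example that is not code from the discussion: it parses the supported_groups and key_share extensions out of a raw TLS 1.3 ClientHello and reports whether a post-quantum hybrid group is actually offered with a key share, and it scans an `ssh -Q kex` or `sshd -T` listing for PQ hybrid KEX names. The ClientHello bytes are constructed inline by `build_client_hello` (a hypothetical helper that emits only the two extensions inspected), and the group codepoints are assumed to match the IANA TLS Supported Groups registry at the time of writing; verify them against the registry before relying on the output.

```python
"""Offline PQ-readiness checks for a TLS ClientHello and an SSH KEX listing.

Added example, not code from the discussion. Codepoints and algorithm names
are assumptions taken from the IANA TLS Supported Groups registry and
OpenSSH release notes; check them against current sources.
"""
import struct

GROUP_NAMES = {                       # assumption: registry values at time of writing
    0x0017: "secp256r1", 0x0018: "secp384r1", 0x001D: "x25519", 0x001E: "x448",
    0x11EB: "SecP256r1MLKEM768", 0x11EC: "X25519MLKEM768", 0x11ED: "SecP384r1MLKEM1024",
    0x6399: "X25519Kyber768Draft00",  # pre-standard draft hybrid, still seen in the wild
}
PQ_HYBRID_GROUPS = {0x11EB, 0x11EC, 0x11ED, 0x6399}
SUPPORTED_GROUPS_EXT, KEY_SHARE_EXT = 0x000A, 0x0033


def parse_client_hello_groups(record: bytes) -> dict:
    """Extract supported_groups and key_share groups from one TLS handshake
    record holding a ClientHello. Malformed input raises instead of guessing."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rec_len]
    if len(body) != rec_len or body[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(body[1:4], "big")
    ch = body[4:4 + hs_len]
    if len(ch) != hs_len:
        raise ValueError("truncated ClientHello")
    pos = 2 + 32                                        # legacy_version + random
    pos += 1 + ch[pos]                                  # session_id
    pos += 2 + struct.unpack("!H", ch[pos:pos + 2])[0]  # cipher_suites
    pos += 1 + ch[pos]                                  # compression_methods
    ext_len = struct.unpack("!H", ch[pos:pos + 2])[0]
    pos += 2
    ext_end = pos + ext_len
    if ext_end != len(ch):
        raise ValueError("extensions length mismatch")
    offered, shares = [], []
    while pos + 4 <= ext_end:
        etype, elen = struct.unpack("!HH", ch[pos:pos + 4])
        data = ch[pos + 4:pos + 4 + elen]
        pos += 4 + elen
        if etype == SUPPORTED_GROUPS_EXT:
            n = struct.unpack("!H", data[:2])[0]
            offered = list(struct.unpack("!%dH" % (n // 2), data[2:2 + n]))
        elif etype == KEY_SHARE_EXT:
            p, end = 2, 2 + struct.unpack("!H", data[:2])[0]
            while p + 4 <= end:                         # each entry: group, len, key bytes
                group, klen = struct.unpack("!HH", data[p:p + 4])
                shares.append(group)
                p += 4 + klen
    return {"supported_groups": offered, "key_shares": shares}


def pq_ready_tls(groups: dict) -> bool:
    """PQ-ready means a hybrid group is offered WITH a key share. Listing it in
    supported_groups alone forces a HelloRetryRequest round trip, which many
    servers will not take, so the session silently falls back to classical."""
    return any(g in PQ_HYBRID_GROUPS for g in groups["key_shares"])


def pq_ready_ssh(kex_listing: str) -> list:
    """Return PQ hybrid KEX names found in `ssh -Q kex` output (one per line) or
    a `sshd -T` kexalgorithms line (comma-separated). Prefix match is an
    assumption to cover both the @openssh.com and unsuffixed spellings."""
    text = kex_listing.strip()
    if text.lower().startswith("kexalgorithms"):
        text = text.split(None, 1)[1]
    names = [n.strip() for n in text.replace(",", "\n").splitlines() if n.strip()]
    return [n for n in names if n.startswith(("sntrup761x25519", "mlkem768x25519"))]


def build_client_hello(groups, share_lens) -> bytes:
    """Constructed sample ClientHello carrying only the two extensions inspected
    (drives the parser; not a hello a real server would accept)."""
    sg = struct.pack("!H", 2 * len(groups)) + b"".join(struct.pack("!H", g) for g in groups)
    entries = b"".join(struct.pack("!HH", g, n) + b"\x00" * n for g, n in share_lens.items())
    ks = struct.pack("!H", len(entries)) + entries
    exts = (struct.pack("!HH", SUPPORTED_GROUPS_EXT, len(sg)) + sg
            + struct.pack("!HH", KEY_SHARE_EXT, len(ks)) + ks)
    ch = (b"\x03\x03" + b"\x11" * 32          # legacy_version, constructed random
          + b"\x00"                           # empty session_id
          + b"\x00\x02\x13\x01"               # one suite: TLS_AES_128_GCM_SHA256
          + b"\x01\x00"                       # null compression
          + struct.pack("!H", len(exts)) + exts)
    hs = b"\x01" + len(ch).to_bytes(3, "big") + ch
    return b"\x16\x03\x03" + struct.pack("!H", len(hs)) + hs


if __name__ == "__main__":
    # 1216 = 32-byte X25519 share + 1184-byte ML-KEM-768 encapsulation key.
    hello = build_client_hello([0x11EC, 0x001D, 0x0017], {0x11EC: 1216, 0x001D: 32})
    g = parse_client_hello_groups(hello)
    print([GROUP_NAMES.get(x, hex(x)) for x in g["key_shares"]], pq_ready_tls(g))
    print(pq_ready_ssh("curve25519-sha256\nsntrup761x25519-sha512@openssh.com\n"))
```

For real traffic, feed `parse_client_hello_groups` the first record of a captured client connection and `pq_ready_ssh` the output of `ssh -Q kex` on the client or `sshd -T | grep kexalgorithms` on the server; a client that lists a hybrid group but ships no share for it is the common false positive the `pq_ready_tls` check is written to catch.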

Harvest‑Now‑Decrypt‑Later vs authentication

  • Strong focus on “store‑now, decrypt‑later” threats: adversaries can capture encrypted traffic today and decrypt once a large quantum computer exists.
  • This makes migration of encryption/key exchange more urgent than signatures/authentication.
  • Confidential data that must remain secret for decades is the priority; some argue action was needed years ago.
  • Authentication (SSH keys, certificates, document signatures) is seen as less urgent because verification happens “now,” before practical quantum attackers exist.

Difficulty and scope of migration

  • One camp: rotating to stronger crypto “isn’t that hard,” and has been done repeatedly.
  • Another camp: at global scale it is “insanely difficult,” especially for legacy devices, embedded systems, hardware‑baked crypto, and constrained formats (e.g., JWTs).
  • Expect a 90/10 split: most upgrades straightforward, a critical minority very hard and time‑consuming.
  • Concern that frequent deprecations turn many devices into e‑waste; others say delaying only worsens that.

Algorithms, hybrids, and standards

  • Widely discussed approach: hybrid key exchange (a classical scheme like X25519 combined with a post‑quantum one like ML‑KEM768), so the session stays secure if either the classical algorithm falls to a quantum computer or the newer PQC scheme falls to conventional cryptanalysis.
  • Public‑key signatures are still contentious: trade‑offs in key/signature size, statefulness, and certificate formats; multiple designs and timelines (e.g., 2029 targets) are mentioned.
  • Some emphasize that the risk of a flawed PQC scheme may be comparable to, or higher than, a near‑term large quantum computer, reinforcing the case for hybrids.

Quantum computing progress and skepticism

  • Enthusiastic view: the underlying capabilities (fault‑tolerance, gate fidelity, scalable architectures like neutral atoms) are progressing; the size of the largest number factored is not a good metric, analogous to judging the 1940s nuclear programme by the size of a “tiny nuclear explosion.”
  • Skeptical view: Shor’s algorithm has only factored very small integers (e.g., 15, 21) after decades; some liken quantum promises to fusion or full self‑driving—always “a few years away.”
  • Some argue large‑scale QC might never be practical or economically viable; others say there’s no strong evidence of physical impossibility.
  • A few note that any major cryptanalytic breakthrough might be kept secret by states, so public factoring records may understate progress.

QKD and alternative approaches

  • Quantum key distribution is seen as interesting but not scalable to the whole internet; some technical critiques are linked.
  • For most purposes, software‑only post‑quantum schemes are considered more realistic than widespread QKD deployment.

Risk of overreaction

  • Concern that rushing PQC everywhere could lead to widespread adoption of immature, poorly vetted algorithms, possibly introducing new systemic vulnerabilities.
  • Others counter that security planning is about hedging against plausible futures; even if quantum attacks never materialize, migration effort is justified by the downside risk.