

Not sure what you think my “different premises” are? Also I obviously already know that Shor’s algorithm solves the discrete log problem. I don’t know why you phrased your comment assuming I’m an idiot.


Not sure what you think my “different premises” are? Also I obviously already know that Shor’s algorithm solves the discrete log problem. I don’t know why you phrased your comment assuming I’m an idiot.


Yeah and I agree that in principle we should be trying to move to cryptosystems which aren’t known to be broken by quantum algorithms. I just don’t think the argument in the article is sound. There are costs, including actual security risks, inherent to switching. To name a couple:
You have to actually weigh the benefits of resistance to quantum computers (which may or may not actually appear) against these costs (which certainly will). Paranoia isn’t a threat model.
And to be clear cryptographers already know these things and if they still think we should all move to lattice cryptosystems despite the costs then that’s totally fine. I just wish they would write their blog posts to reflect that instead of talking about the 1% thing.


I feel like the same “<1%” argument is used to justify a whole lot of things these days. Can you guarantee that there’s a <1% chance that someone will come out next year with a paper showing that LWE can be broken efficiently with a quantum algorithm? What about a classical algorithm? I feel like a better argument is needed than just “well you can’t be sure it won’t happen” because we aren’t sure about pretty much anything.
Ok next time you should really not do the “lucky 10000” bit, it comes off as very condescending especially if the person you’re talking to already knows the thing you’re telling them.