[HN Gopher] Quantum Resistance and the Signal Protocol ___________________________________________________________________ Quantum Resistance and the Signal Protocol Author : dm Score : 193 points Date : 2023-09-19 16:02 UTC (6 hours ago) (HTM) web link (signal.org) (TXT) w3m dump (signal.org) | sdeframond wrote: | I am a bit puzzled: governments and big corp are pouring indecent | amounts of money in developing quantum computers, which main | application, afaict, is to break cryptography. | | ...and this is defeated by changing our algorithms ? | | Whats the use in developing quantum computers then? | contact9879 wrote: | The use is all the other applications of quantum computers that | aren't breaking cryptosystems | Boogie_Man wrote: | Actively resisting _future_ attackers and hardware is an | incredibly forward-thinking thing to do, bravo. _How long_ into | the future is an achievable and desirable duration for encryption | (barring any rapid, unforeseen paradigm shift)? If ten years is | acceptable for declassification of standard documents in the US, | is this a reasonable target for day to day signal chats? | candiddevmike wrote: | Maybe we need a statue of limitations for encrypted data to | help with future proofing/make the collection useless in a | court of law? If you go to lengths to encrypt your data, there | should be some current and future expectation of privacy around | it, even if someone can decrypt it. | Boogie_Man wrote: | To my understanding, despite variance from state to state, a | general "rule of thumb" for the statute of limitations | outside of "the big R" and "the big M" is ten years. This | squares with the generic declassification timetable. I can't | think of anything I'm genuinely upset about from more than a | decade ago. I feel that I am an almost completely different | person than I was a decade ago. If I found out someone robbed | a bank ten years ago I'd be more inclined to think "That's | wild, how did that go?" than I am "Oh no this guy is going to | rob me". | JanisErdmanis wrote: | It is good that they kept the classical crypto along. However, | the general tendency towards quantum-resistant cryptography | leaves me puzzled. From my perspective as a physics PhD graduate, | I firmly believe that a quantum computer capable of breaking | public key crypto will never be built. This is because as you add | more qubits, there's increased interference between them due to | the additional connections required. | | It's similar to how FM radio works: there's a main frequency and | several sidebands. When you adjust the tuner to pick up a | station, you're essentially "interacting" with the corresponding | station. But if there are too many stations, you may no longer be | able to hear the music, and as a result, there would be only a | static noise present. | | This leads me to a somewhat cynical conspiracy. Imagine the | moment when a curios government agency realises that building a | quantum computer for this purpose is a futile endeavor. Instead | of admitting this, they could perpetuate the idea that its | construction is just around the corner. Then, act as a wolf in | sheep's skin and introduce everyone to quantum-resistant | solutions, which are unfortunate to have secret hidden backdoors | by having done more advanced research on them. Has anyone thought | about this? | coppsilgold wrote: | AFAIK no one is transitioning to PQC algorithms by abandoning | classical ones. They concatenate classical and PQC - so-called | hybrid. | JanisErdmanis wrote: | I agree with this. My concern only applies if the classical | crypt gets deprecated or new solutions use PQC exclusively | using widespread hybrid use as an argument for trust. | kickopotomus wrote: | It seems that your primary concern is that the government | (or some bad actor) will be able to install a backdoor into | PQC algorithms. Is that right? Why would PQC be more | exposed to this type of subversion than existing public-key | cryptography? | | To your point about PQC being used exclusively, post- | quantum encryption methods are designed to be resistant to | both quantum and classical attacks. That is one of the key | stated goals of the NIST post-quantum cryptography program. | eigenket wrote: | People have already said here most of what I want to say in | this comment, but just to make it as explicit as possible: | | Essentially the only reason anyone thinks that useful quantum | computation is possible is because of things called threshold | theorems, which state that as long as the noise in each qubit | is less than some small but non-zero error rate you can add | more qubits and use quantum error correction to make your | computation arbitrarily precise. In other words as long as | you're below the threshold rate quantum computers scale well. | | Of course those threshold rates are very very small, and | creating significiant numbers of qubits which are below the | threshold rates is incredibly difficult, but theoretically it | works. | upofadown wrote: | >...as long as you're below the threshold rate quantum | computers scale well. | | Last I heard, getting below that threshold was going to take | one or two orders of magnitude of noise improvement. That | seems unlikely. | | Say you were at a VC presentation and the company said that | they had this really great system and the only thing stopping | their immense success was the requirement to reduce the noise | by an order or two of magnitude. Oh, and by the way, we | already have the system very close to absolute zero. So you | ask them what they are planning to do and they tell you that | they don't have the faintest idea. Noise is always the | ultimate limit on the information that can be obtained from a | system. The most reasonable interpretation of the situation | is that a technology doesn't exist and that there is no | reason to think it would ever exist. | | But when it comes to quantum computers the optimism is | boundless. I am not sure why. | krastanov wrote: | Doesn't your argument apply to classical bits too? The more | interconnected a classical bit is, the more parasitic coupling | it will experience. That used to be an argument used against | the feasibility of classical computers in the 40s (until von | Neumann published work on fault tolerant classical computing). | | Both classical and quantum computers (1) can not "scale" | without error correction because of analog noise (although it | is less crucial on the classical side), but (2) can be build | with error correction codes integrated in them to overcome that | noise. | | Also, you do not need all-to-all connectivity between your | qubits (or bits) to build a scalable quantum (or classical) | computer. | | Edit: To add to your FM radio metaphor: you can have way more | FM radio channels if each channel is on a separate coax cable | (or in physics speak, if you multiplex not only by frequency | but by spacial mode). No need to have all your qubits be | controlled by the same optical or microwave mode, you can have | physically separate control lines for each qubit and then | eliminating cross-talk is as simple as inverting an n-by-n | matrix. | eigenket wrote: | Yes. In fact the proofs that quantum error correction works | as long as you're below a certain error rate (so-called | "threshold theorems" are very, very similar to the same | proofs that error correction works in classical computers. | andyferris wrote: | To add to the sibling comment, the reason our classical | computers work is because the individual transistor errors in | your CPU are basically zero. | | We do use "error correction" on storage (and do see bit | errors creep into data stored on disk and in RAM over time) | but not "fault tolerance" on the compute. In fact there is no | such thing as fault-tolerant classical compute - the CPU only | works if it "perfect" or "near perfect" (or if you had an | ancillary computer that was perfect to implement the | correction). Note that occasionally computers do crash due to | a bit error in your CPU, or you get a "unstable" CPU that you | need to replace. | | (We do create fault-tolerant distributed systems, where such | faults can generally be modelled and remedied as network | errors, not compute errors.) | | Quantum fault tolerance relies on the fact that you can do | "perfect" classical computation - which I find kind of | amusing! | blueplanet200 wrote: | It does not apply to classical bits in the same way. Quantum | computers derive their computational power from the qubits | being in a single quantum state across the qubits (an | entangled one, to use physics jargon.) | | This is distinct from classical computers, where you can | describe a bit without needing to describe the other bits in | the computer. You cannot describe a qubit (in a way that's | computationally useful, at least) without describing all of | them. | krastanov wrote: | But the exponential cost (the need to describe the "whole") | is there in the classical case too. | | To describe a set of classical bits completely, you need a | probability distribution over the whole system (including | possible classical correlations induced by the crosstalk | that OP spoke about). That probability distribution is a | stochastic vector that has 2^n real positive components if | we have n bits. | | To describe a set of qubits completely, you need at least a | "quantum probability distribution", i.e. a ket that has 2^n | complex components (I am skipping the discussion of density | matrices). | | Both the classical and quantum description of the bits | requires exponentially many real numbers. This exponential | behavior on its own is not enough to the explain "quantum | computational advantage". The exponential behavior is well | known in plenty of classical contexts (e.g. under the name | "curse of dimensionality") and classically solved with | Monte Carlo modeling. | | Scott Aaronson's lecture notes cover that quite well. | | At the end, the issue of crosstalk is modeled in a very | similar way in the quantum and classical case, and if it | forbids the existence of a quantum computer, it should | forbid the existence of classical ones as well. In both | cases it is the use of linear binary (or stabilizer) codes | that solves that issue. | comboy wrote: | > I firmly believe that a quantum computer capable of breaking | public key crypto will never be built. This is because as you | add more qubits, there's increased interference between them | due to the additional connections required. | | Seems weird to be assuming what's possible based on current | technical obstruction. If you trace CPUs development, or many | other technologies, many people with deep technical knowledge | were certain about some thresholds which we have long passed. | This bias even had some name which I forgot. | api wrote: | I tend to take "it's impossible" statements from scientists | seriously only when the reasoning can be _firmly_ tied to an | extremely well established physical law with no "wiggle | room." | | For example I accept that faster than light travel and | inertialess propulsion are both impossible. If either of | these things were shown to be possible, it would mean that | there are huge errors or oversights in the most well | established areas of physics. | | I also accept the conditional impossibility of things that | are just provably beyond our current ability for fundamental | reasons, like a Dyson sphere. I don't know of any physics | that says you could not build one, but for us it'd be like | dust mites building the international space station. | | For everything else I leave the door open. People have | historically underestimated creativity. | | For the first types of things, taking preparatory steps would | be irrational. We don't need to plan for the arrival of FTL | travel because we have no reason to think it will ever | arrive. | | For the latter types of things, preparing does make some | sense as long as it's not unreasonably expensive. We do have | reason to believe that a large quantum computer _might_ be | possible, so mucking around with a bit of code to defend our | security against a surprise seems rational. | Obscurity4340 wrote: | Can you explain how qubits are physically implemented in a | real-world computer? I just cannot wrap my mind around what | they're made of and how they operate in the physical reality. | woodruffw wrote: | To a first approximation, the US government uses the same | cryptography that US consumers do -- AES, SHA-2, the NIST P | curves, ECDSA, etc. are all categorized for various levels of | data integrity and confidentiality within the government. | | The same will be true of PQ signing schemes, meaning that a | backdoor would be predicated on the USG believing that they | have some _truly_ remarkable NOBUS breakthrough in PQC. That | feels unlikely to me; NSA interventions in cryptographic design | have historically gone in the opposite direction[1]. | | (This is separate from the actual design question. I don't know | as much about stateless PQ signing schemes, but the stateful | ones are mostly "boring" hash-based cryptography that's well | understood to be strong in both settings.) | | [1]: | https://en.wikipedia.org/wiki/Data_Encryption_Standard#NSA's... | simcop2387 wrote: | > NSA interventions in cryptographic design have historically | gone in the opposite direction[1]. | | I'm not sure I'd say that given that there are some other | designs and things that have gone on[1][2]. Particularly the | Dual EC debacle. They have a history of helping make suspect | or down right compromised crypto if they think they can get | away with it. That said it does look like they avoid doing it | to anything that gets USA GOV approval for use internally but | it's difficult to say to what level they would actually go to | for getting a backdoor out into the world that would let them | look at other secrets. | | [1] https://en.wikipedia.org/wiki/Export_of_cryptography_from | _th... [2] https://en.wikipedia.org/wiki/Dual_EC_DRBG | woodruffw wrote: | That's fair. Maybe this is too fine of a hair to split, but | I would categorize the Dual_EC fracas as less an | intervention and more of a ham-fisted attempt to | standardize something that mainstream cryptography was | immediately suspicious of. But I suppose you could argue | that there was similar suspicion around DES from the very | beginning. | hannob wrote: | I've heard physicists raise opinions like yours (i.e. QC will | never be built for practical reasons), but I also hear ones | that say the opposite. I'd err on the side of caution. | | As for your conspiracy: The conclusion of that would be to | continue using hybrid constructions. | | Though, and I know crypto more than physics, I'd consider it as | highly unlikely. Creating backdoors that others won't find is | next to impossible. Why do I say that? Because we have some | historic evidence how "NSA wants to plant a backdoor into an | algorithm" works. Usually they've been discovered quickly. They | can still be successful, because as we have seen with dual ec | drbg, it was discovered quickly, yet nobody really cared and | industry still used the algorithm. | | But something like that won't happen in a transparent process. | You can be sure that every expert in the field had a look at | crystals-kyber. If anything about it was suspicious, we would | know. | JanisErdmanis wrote: | The transparency of the process in an essential way depends | on a number of people who can understand what is being | proposed. It seems from the outside that the lattice-based | cryptography is significantly more complex. The question is, | would anyone notice and how far-reaching are the proofs made | on their security? On what basis can one prove that a | computer with a novel algorithm could not break it? | | > As for your conspiracy: The conclusion of that would be to | continue using hybrid constructions. | | As long as ordinary crypto does not get deprecated. | | Anyway, the number of responses made me curious about this | new novel crystals-kyber. Do you have any recommendations on | the best introductory text that explains it from the bird's | view? | ghost751 wrote: | > As long as ordinary crypto does not get deprecated. | | On that note, just this month Tutanota emailed customers | that their Secure Connect product is being turned off at | the end of next month in order to focus developers on | quantum-secure encryption solutions. | | This occurs in a time when there appear to be a stark few | hosted E2EE webform-submission options that don't involve | either a) bigtech or b) fly-by-night operations. Tutanota | was a happy medium, and is getting out of that market, | apparently. | | It can make one wonder what kind of pressure might exist to | turn off a quite good, working solution to an actual | problem. If one didn't know better, it could seem that | blaming the need for quantum is just a distraction. | | The GP is not the first to make the observation in a | natural line of inquiry. HN guidelines ask to assume good | faith, and surely we know to try to. | nullc wrote: | It's perhaps telling that NSA has been rather aggressively | against the use of hybrid systems, even though they have | almost no marginal cost (an extra 56 bytes on top of 1.2kb of | PQ exchange) and are the obvious move esp while the PQ | systems are very new. | adgjlsfhk1 wrote: | The good news is that if you're willing to take a 2x slowdown | for asymmetric encryption (which basically everyone is) you can | get the best of both worlds by wrapping your quantum resistant | crypto in regular crypto. | tptacek wrote: | CRYSTALS-Kyber was designed by an academic team, not a | government (though a government standards body refereed the | competition that selected it; that competition, in turn, was | driven by technical feedback that came predominantly from | academic cryptography teams around the world). In general, with | some exceptions (like curve isogenies), the "math" behind PQ | crypto is pretty well established; it was just less attractive | than curves were for performance reasons, but is now more | attractive if you presume curves will be broken in 20 years by | QC. | keurrr wrote: | So you are claiming the protocol that Signal has adopted is | already backdoored by the government. Extraordinary claims | require extraordinary evidence. You need to provide some kind | of evidence of this. We are talking 20+ years of open and | public research on post-quantum cryptography. | WhitneyLand wrote: | I assume you're not proposing some kind of interference limit | in principle? | | Are you suggesting that limiting interference will be a | practical dead end that is prevents advancement? | | Either way that would be a pretty significant claim. There are | lots of research directions being pursued and plenty of smart | people think it's worth trying. | JanisErdmanis wrote: | > Are you suggesting that limiting interference will be a | practical dead end that is prevents advancement? | | This is a hunch I have. Regarding the "plenty of smart people | think it's worth trying", I can only provide an analogy of | the 15-14th puzzle known as the Boss puzzle at that time, for | which a substantial prize was promised for the first one who | could solve it. A lesser-known proof that it is impossible | came to surface decades later. There is a lot of inertia in | academia along those lines, where grants depend on your | ability to make a convincing argument that your path will | solve the problem. This sets up PhDs to know only to advance | but not to question as the latter does not give the prize. | miles_matthias wrote: | Appreciate how well-written and approachable this post was! | wolverine876 wrote: | That is very well-written, as someone else pointed out, though | this common explanation for laypeople needs work (I'm not blaming | Signal's blogger, who wrote it more carefully than most): | | _" Instead of bits as in a classical computer, quantum computers | operate on qubits. Rather than 0 or 1, qubits can exist in a | superposition of states, in some sense allowing them to be both | values at once."_ | | 'Instead of beads as in a classical abacus, our Quabacus operates | on Quabeads! Rather than positions 0 or 1, quabeads can be in | both positions at once!' | | Beads that are simultaneously in both positions sounds like a | f$@!#g annoying glitch and not a feature - how does that help | anyone record or calculate numbers? ('Would someone take a look a | this broken Quabacus-abacus and resolve these g#$%!m glitching | quabeads?!!!') It mocks the non-technical reader, who assumes | they must have been given enough information to understand why | it's faster and possibly how it works, but can't figure it out. | | They have not been given enough. Does anyone who perhaps | understands it better than I do want to take a stab at a new | commonplace explanation, one that connects the dots between | quantum superposition and performance (for certain calculations)? | varjag wrote: | There isn't really a great way of explaining quantum behavior | using everyday (classical) terms. Any analogy you come up with | will be deeply flawed yet unsatisfactory opaque to the reader. | | The only way is to gear up on math to the level where you can | if not reason within the theory then to at least make sense of | its presented conclusions. | sebzim4500 wrote: | I don't really understand your objection, that description | seems like about as well as you can do when trying to summarize | quantum mechanics in one sentence. | wolverine876 wrote: | It summarizes quantum mechanics, but not how it helps to | store numbers and perform certain kinds of calculations. | s17n wrote: | Given that Signal's main innovation (compared to traditional end | to end encryption) was to safeguard its users against future | compromises via the ratchet protocol, this actually seems like a | logical move for them to make. | tjrgergw wrote: | Now explain why you had to add bitcoin to signal. | contact9879 wrote: | There is no Bitcoin in Signal. Much has been written about | MobileCoin that you can find on other threads. | macawfish wrote: | Why not use something like backchannel? That way we wouldn't need | phone numbers either... | | The initial shared private key exchange could be done with more | expensive, quantum resistant cryptography but the actual | communication could be done through symmetric encryption. | | https://www.inkandswitch.com/backchannel/ | | For the key exchange itself ("PAKE") maybe something like this: | https://journal-home.s3.ap-northeast-2.amazonaws.com/site/ic... | | And for the symmetric encryption: | https://github.com/Steppenwolfe65/eAES | awestroke wrote: | Super cool. | | If current quantum computers were scaled up to more qubits, could | they break modern crypto? Or would we need both more qubits and a | new quantum computer architecture? | rjmunro wrote: | 15 was factorised on a 7 qbit computer by IBM, so yes, they | could break RSA if scaled up. I'm not sure about elliptic | curve. That was over 20 years ago: | https://research.ibm.com/blog/factor-15-shors-algorithm | | I wonder how possible it is that IBM could have already gone | further and are already cracking modern crypto in secret, e.g. | funded by the NSA. Is that a crazy conspiracy idea, or actually | a possibility? | kevvok wrote: | Algorithms using elliptic curves can also be broken using | Shor's algorithm | 0xDEF wrote: | It would be interesting to guesstimate what the NSA might be | doing by analyzing the skills they're looking for in their | job postings and the kind of open source projects they have | released. | | For example their Accumulo OSS suggests they're capturing and | storing a lot of data to analyze later. The Ghidra OSS being | a best in class reverse engineering tool also suggests that | alot of their work revolves around finding zero day | vulnerabilities. | zie wrote: | I bet at the very least, the US govt and other large govts | have some way of knowing whatever is actually possible TODAY | and have plans in place to make sure whenever it is | practical, they get the very first useful ones built. | | I would guess they probably don't have any actually useful | and in production right now, but they probably have a few | secreted away in development, so they will be ready to put | them to use if/when they do become useful. | bob1029 wrote: | > Is that a crazy conspiracy idea, or actually a possibility? | | I am investing in IBM under the assumption that this is an | actual possibility. Their public QC roadmap actually looks | like a realistic journey now. | | I strongly believe that the NSA, et. al. _currently_ have | access to a very powerful quantum computer - likely | constructed by IBM under contract. | | The game theory around this is such that it is impossible for | me to accept that there are zero secret quantum computers in | existence by now. There is too much to lose by not playing | that game as hard as you can. | eigenket wrote: | Speaking as a researcher in quantum computing (albiet | completely on the theory side, with no practical knowledge | of experiments). It seems that actually making a quantum | computer which is useful (i.e. has error rate below the | threshold you need for error correction to work) is | incredibly difficult. I wouldn't be surprised if various | secret agencies (specifically in the USA and China) have | tried, but I would be quite surprised if they had succeded. | | (I deleted my previous edit because I had misread part of | what you wrote.) | abdullahkhalids wrote: | You are probably mistaken. The number of people with the | right expertise to build QCs is very limited - only a few | hundred people with world class PhDs in quantum computing | are produced every year across the world. A small fraction | are truly innovative - the ones who can act as leaders to | build something real. | | The challenge of building QCs - as evidenced by billions of | dollars worth of research in them - is many orders of | magnitude more difficult than say the Manhattan project. | The latter put together the best of the best on the | project. You are suggesting a scenario where a tiny | fraction of the best of the best are secreted away, with | many of their past collaborators unaware of their doings, | and have successfully built a QC. | | While the many brilliant best of the best who are working | publicly, with many billions of dollars of research funding | are currently only making very slow progress. It simply | does not square. | contact9879 wrote: | Reminds me of how everyone who knew anything about the | physics academia scene in the 30s/40s knew what was going | on at Los Alamos. Second-order effects are extremely hard | to obscure. | archgoon wrote: | > If current quantum computers were scaled up to more qubits | | That depends on what you mean by "scaled up". There is a | concept of "Quantum Volume" that exists, which basically means | the depth of the longest qubit circuit you can pull off. | | https://en.wikipedia.org/wiki/Quantum_volume | | 'Simply' (it's never simple ;) ) adding qubits to a machine | does not necessarily increase its Quantum Volume. Decreasing | the noise typically will. | | However, there is a threshold at which point you can scale up | mostly indefinitely. This is what the whole Quantum Error | Correction is all about. | | https://en.wikipedia.org/wiki/Quantum_error_correction | | There is a paper | | https://arxiv.org/abs/1905.09749 | | That goes into a clear discussion of how to build a quantum | computer and the associated thresholds that would allow you to | do so. There is a minimum number of qubits needed (that work | perfectly), but the paper analyzes how many qubits you'd need | under realistic assumptions about how many noisy qubits you'd | need to get error correcting qubits at the needed reliability. | eigenket wrote: | For anyone looking for a "headline figure" from the linked | arxiv manuscript, their estimate for breaking 2048 bit RSA is | around the order of magnitude of a billion qubits. | archgoon wrote: | [dead] | sigmar wrote: | Whitepaper says: | | >PQXDH provides post-quantum forward secrecy and a form of | cryptographic deniability but still relies on the hardness of the | discrete log problem for mutual authentication in this revision | of the protocol. | | So that's why active mitm with a contemporary quantum computer is | a concern mentioned in the blog post. Of course it isn't of any | concern currently (since no one has the hardware to exploit | this), but I'm curious why they couldn't fit the crystals-kyber | method for mutual auth in this hybridized implementation? | performance concerns? | swamp40 wrote: | There are 20 bitcoin wallets worth more than a billion dollars | each. | | I think it will be pretty obvious when someone gets a quantum | computer working. | nabla9 wrote: | Bitcoin is already quantum attack resistant, unless you use un- | hashed public keys or reuse Bitcoin addresses (as some do). | | If Bitcoin would become vulnerable, its value would collapse to | zero overnight once it's known. There is limited amount of | money anyone could extract before the value collapses. | kevincox wrote: | Bitcoin wouldn't "become vulnerable". Someone would discover | the vulnerability. If this person put it to use before making | it widely known the could definitely extract a large amount | of money before the bitcoin network before the public at | large noticed (at which point the price would start to | plummet) | nabla9 wrote: | That has nothing to do with quantum resistance. | nullc wrote: | > Bitcoin is already quantum attack resistant | | That is a misleading claim. First: Any quantum key cracker | would need to be fast since the operations would all have to | be performed within the coherence time, so an attacker could | race coins as they were spent or perform small reorgs to | steal coins even if they lost the race. Secondly: The | majority of all circulating coins are stored in addresses | which have been reused. Thirdly: the common hashing scheme | you mention is 160 bits, so in the presence of quantum | computers would only have 80 bits of security against second | preimages just by using grover's algorithim and perhaps worse | with more specializatio (and, in fact, somewhat less | considering multi target attacks) which wouldn't and | shouldn't be regarded as secure. | | > If Bitcoin would become vulnerable, its value would | collapse to zero overnight once it's known. There is limited | amount of money anyone could extract before the value | collapses. | | Once its known. There have been insecure altcoins where | hackers skimmed them for many months without being noticed. | It is indeed technically finite, sure, but large. | xur17 wrote: | My understanding is that bitcoin addresses are quantum safe as | long as you do not reuse an address after spending funds sent | to it [0]. Per the linked article, this is standard practice, | so I would assume the majority of addresses are actually | quantum safe. | | And for more context: with p2pkh addresses, you are sending to | the hash of the address, and hashes are quantum safe. | | [0] | https://www2.deloitte.com/nl/nl/pages/innovatie/artikelen/qu... | sneak wrote: | It's worth way more than $20B USD to have a working quantum | computer that nobody knows about. You don't burn a weapon like | that by inducing everyone to update immediately. | keurrr wrote: | I don't think these incentives make sense at all. Government | organizations suspected to be developing quantum computers | probably have larger annual budgets than 20 billion. The | ability to undermine virtually all cryptographic systems is | unquantifiably large. | | Once the cat is out of the bag, everyone will rush to post- | quantum cryptography and all that value will be lost in a | relatively short period. Indeed, we already witnessed this in | the 2010s following the Snowden revelations when big tech, in a | concerted effort, adopted HTTPS. Now that is the standard. | | For example, "The Fiscal Year 2022 budget appropriation | included $65.7 billion for the National Intelligence Program, | and $24.1 billion for the Military Intelligence Program." | | Source: https://irp.fas.org/budget/index.html | baq wrote: | Not accounting for slippage. You'd be lucky to get 5% of their | marked value if you stole them. | rosywoozlechan wrote: | This is a myopic take, the attacker could not spend the | bitcoins because of the public ledger and the value of bitcoin | would drop to nothing once it is realized that wallets are not | secure. They'd burn bitcoin for no gain, for a loss even, | because they would reveal their capabilities and maybe even who | they are. ___________________________________________________________________ (page generated 2023-09-19 23:00 UTC)