Quantum computing exists in a sort of superposition with regard to cryptography – it's both a pending threat and a technology of no immediate consequence for decryption.
Now, two well-known cryptographers are preparing to wager on how this state of uncertainty will collapse into a measurable outcome.
For the past ten years, the US National Institute of Standards and Technology (NIST) has been pushing for the development of Post-Quantum Cryptography (PQC), based on the belief that some day, quantum computers will be capable of decrypting data encrypted with legacy algorithms.
There's some skepticism about that. Last year, Peter Gutmann, a professor of computer science at the University of Auckland, New Zealand, dismissed PQC in an interview with The Register. He noted that quantum computers have yet to factor the number 35 (6 bits) due to their inability to correct errors. Elliptic Curve Cryptography private keys are typically 256 bits long, so quantum computers still have a long way to go.
But a week ago, Google said it revised its estimates for the quantum computing resources required to solve the elliptic curve discrete logarithm problem (ECDLP-256) upon which elliptic curve cryptography is based. Running Shor's algorithm – the quantum method used to solve factoring and discrete logarithm problems – would take about 20 times fewer physical qubits than previously estimated, Google researchers claim.
That doesn't clarify when a quantum computer might be cryptographically relevant. NIST wants quantum-vulnerable algorithms ousted by 2035. No one is certain whether that's a reasonable estimate, though security vendors insist the quantum threat is nigh.
But Google's claimed advance and intermittent reports of quantum progress like those published on Thursday by ETH Zurich suggest the concerns being raised should be dealt with sooner rather than later – unless you have rejected recent quantum research as unsound.
Filippo Valsorda, a cryptography engineer and open source maintainer who worked previously for Google, this week cited Google's shot across the bow and adjacent research in a blog post, arguing that the transition to PQC needs to move faster.
Alluding to Gutmann's contrarian take as shallow, Valsorda pointed to statements by Scott Aaronson, chair of computer science at the University of Texas at Austin and one of the leading experts on quantum computing, that emphasize the urgency of treating PQC seriously.
"In summary, it might be that in 10 years the predictions will turn out to be wrong, but at this point they might also be right soon, and that risk is now unacceptable," Valsorda wrote.
Matthew Green, an associate professor of computer science at the Johns Hopkins University, took note of Valsorda's post and in a reply to a Bluesky thread said, "I think this is a good precautionary analysis but I'd bet huge amounts of money against a relevant quantum computer by 2029 or even 2035."
Valsorda and Green discussed the matter politely, with Green noting that a one-sided approach would be just to buy some bitcoin and post the public key – the implication being that a cryptographically relevant quantum computer (CRQC) would be able to recover the Elliptic Curve Digital Signature Algorithm (ECDSA) private key from that public key, enabling the theft of the funds.
But the bitwise pair appears instead to have settled on a two-sided affair, outlined in a wager proposal drawn up by Green.
The bet is for $5,000. Valsorda will pay if a shared secret from ML-KEM-768 – a recently approved quantum-resistant algorithm – is recovered from a public key and ciphertext, either from a classical or quantum attack. And Green is on the hook to pay if a shared secret from X25519 – a widely used elliptic curve algorithm – is recovered from a pair of public points on the curve, whether through classical or quantum means.
In theory, X25519 should be easier for a CRQC to defeat than ML-KEM-768, which is designed to offer a more robust defense against quantum cryptanalysis. So Green is essentially betting that advances in cryptanalysis will reveal weaknesses in the Module-Lattice-Based Key-Encapsulation Mechanism (ML-KEM) before quantum systems come into play.
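What each half of the wager actually asks for, as an added example that is not part of the article or of either party's proposal: a Go program using the standard library's crypto/ecdh and crypto/mlkem packages (assumed Go 1.24 or later) to produce the public artefacts of one X25519 exchange and one ML-KEM-768 encapsulation, alongside the shared secret that a winner would have to recover from those public values alone.

```go
package main

import (
	"bytes"
	"crypto/ecdh"
	"crypto/mlkem"
	"crypto/rand"
	"errors"
	"fmt"
)

// x25519Exchange: the two public points are what the X25519 half publishes; the shared secret is the target.
func x25519Exchange() (pubA, pubB, shared []byte, err error) {
	privA, errA := ecdh.X25519().GenerateKey(rand.Reader)
	privB, errB := ecdh.X25519().GenerateKey(rand.Reader)
	if errA != nil || errB != nil {
		return nil, nil, nil, errors.Join(errA, errB)
	}
	sharedA, errA := privA.ECDH(privB.PublicKey()) // A's scalar times B's point
	sharedB, errB := privB.ECDH(privA.PublicKey()) // B's scalar times A's point
	if errA != nil || errB != nil || !bytes.Equal(sharedA, sharedB) {
		return nil, nil, nil, errors.New("x25519: sides disagree on the secret")
	}
	return privA.PublicKey().Bytes(), privB.PublicKey().Bytes(), sharedA, nil
}

// mlkem768Exchange: encapsulation key and ciphertext are public; the shared key is the target.
func mlkem768Exchange() (encapKey, ciphertext, shared []byte, err error) {
	dk, err := mlkem.GenerateKey768() // decapsulation (private) key never leaves the receiver
	if err != nil {
		return nil, nil, nil, err
	}
	ek := dk.EncapsulationKey()
	sharedSender, ct := ek.Encapsulate() // sender derives the key and the ciphertext
	sharedReceiver, err := dk.Decapsulate(ct)
	if err != nil || !bytes.Equal(sharedSender, sharedReceiver) {
		return nil, nil, nil, errors.New("ml-kem-768: sides disagree on the key")
	}
	return ek.Bytes(), ct, sharedSender, nil
}

func main() {
	pubA, pubB, s, err := x25519Exchange()
	ek, ct, k, err2 := mlkem768Exchange()
	if err != nil || err2 != nil {
		panic(errors.Join(err, err2))
	}
	fmt.Printf("X25519 publishes %d+%d bytes; target secret %d bytes\n", len(pubA), len(pubB), len(s))
	fmt.Printf("ML-KEM-768 publishes %d+%d bytes; target key %d bytes\n", len(ek), len(ct), len(k))
}
```

The private scalar and the decapsulation key are generated and then discarded inside each function, so only the values a challenger would see leave it.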
As of Wednesday morning Pacific Time, the bet was not yet official. Valsorda told The Register in an email that unforeseen events got in the way, but he expects the wager will be formalized soon.
"Life got in the way, I think we'll pen it today or tomorrow," he said.
The clock is ticking. ®
Source: The Register