Are we having fun yet?
-
@emc2 @sophieschmieg Breaking a 2048-bit RSA key will likely take a year or more of quantum compute time initially. Using the going rate of $98USD/minute for access to an (inadequate) 100-qubit machine, we can ballpark an initial cost of 8 or 9 figures.
You'd have to be absolutely certain of the value of the key you are cracking to realize a return on that kind of investment.
I can't go into too much detail (propin, ndas, etc) but the actual cost of a utility scale machine will be in the hundreds of thousands per day. The time will vary depending on the architecture, but you're looking at order months to hit the P-256 curve. RSA is more of a moving target, but expect similar.
-
@emc2 @targetdrone yeah. In fact I'm worried that in some sense slower and less accessible CRQC paradoxically pose a greater risk to the common people: if, at the extreme but imaginable end, it takes two months to break a key, and you only have one quantum computer, exploiting SNDL for random cables very quickly becomes unsatisfying. And breaking fairly few supply chain keys (CA, CT logs, identity providers, software signing etc) becomes very tempting, even if it risks giving away that you have a CRQC at your disposal. And those supply chain risks in turn put everyone at risk, not just some limited spy games between embassies.
This is very true, and in fact I would expect targeting more public infrastructure that would allow massive disruption (e.g. Central banks, public utilities in major cities, CAs, etc) to be a better ROI, if you're after disruptive effects.
-
Oh, and in case you weren't having enough fun, here are some updated resource estimates for running Shor's on elliptic curves, unfortunately weirdly focused on cryptocurrencies.
Fun fact: I almost found a soundness problem in that zero knowledge proof that was based on a quine. Unfortunately the circuit cannot produce quines.
And now also on Ars Technica:
Quantum computers need vastly fewer resources than thought to break vital encryption
No, the sky isn't falling, but Q Day is coming, and it won't be as expensive as thought.
Ars Technica (arstechnica.com)
-
A lot of people think Y2K was a hoax because there was no huge apocalyptic disaster.
For some reason they find it difficult to believe that the huge apocalyptic disaster would have happened if not for the large, costly effort to fix the bugs *before* the big day.
@argv_minus_one In fairness, for people who only have any memory of the 21st century I can understand how the idea of society coming together at scale and spending resources to tackle a foreseeable problem before it becomes a crisis might seem farfetched.
@odr_k4tana @targetdrone @sophieschmieg -
@argv_minus_one In fairness, for people who only have any memory of the 21st century I can understand how the idea of society coming together at scale and spending resources to tackle a foreseeable problem before it becomes a crisis might seem farfetched.
@odr_k4tana @targetdrone @sophieschmiegSociety didn't come together at scale. Society, for the most part, was panicked that the end of the world was nigh.
Business leaders are the ones who came together, presumably because they didn't want their businesses to abruptly screech to a halt on 2000-01-01, and hired an army of programmers to fix the bugs.
-
Society didn't come together at scale. Society, for the most part, was panicked that the end of the world was nigh.
Business leaders are the ones who came together, presumably because they didn't want their businesses to abruptly screech to a halt on 2000-01-01, and hired an army of programmers to fix the bugs.
Perhaps it's easier for business leaders to sigh and loosen the purse strings when the disaster (1) is absolutely certain to happen, and (2) will happen at an exact predetermined time.
There's no rationalizing inaction with “it'll be the next CEO's problem” when you know for sure exactly when it will happen and therefore exactly whose problem it will be.
-
@ar1 the timeline got moved in substantially. Of course things can go wrong for the physicists, but 3 years seems feasible now.
@sophieschmieg ok. Reading up on it, I think I now understand better.
-
@lcamtuf @sophieschmieg @dangoodin
If we train LLMs on encrypted data, they will decrypt everything. It might not be the original plaintext, but it will make sense for most people.You may E2E the conversation with your mom, but everyone knows how those things go, right? With a little context from your social media profiles, there are no more secrets.
-
Oh, and in case you weren't having enough fun, here are some updated resource estimates for running Shor's on elliptic curves, unfortunately weirdly focused on cryptocurrencies.
Fun fact: I almost found a soundness problem in that zero knowledge proof that was based on a quine. Unfortunately the circuit cannot produce quines.
@sophieschmieg has anyone written a description of the zero knowledge proof for people with B.S. level mathematics education? I will attempt to read the paper but would love to read anything by experts
-
@sophieschmieg has anyone written a description of the zero knowledge proof for people with B.S. level mathematics education? I will attempt to read the paper but would love to read anything by experts
@sophieschmieg ah never mind, it is simpler than I thought. Thanks for sharing your expertise and work on this area!
-
R relay@relay.infosec.exchange shared this topic
