A cryptography engineer explains why their position on the urgency of post-quantum cryptography has shifted dramatically. Two recent papers, from Google and Oratomic, show that breaking 256-bit elliptic curves may require far fewer qubits than previously thought, with Google researchers setting a 2029 deadline. The author argues the risk is now high enough to be 'dispositive': even a small probability of cryptographically relevant quantum computers (CRQCs) by 2030 demands immediate action. Concrete recommendations include shipping ML-DSA signatures now despite their size, treating non-PQ key exchanges as potential active compromises, abandoning hybrid classical+PQ authentication in favor of pure ML-DSA-44, and noting that symmetric encryption with 128-bit keys remains safe. Areas of concern include Trusted Execution Environments (TEEs such as Intel SGX and AMD SEV-SNP), ecosystems built on long-lived cryptographic identities (atproto, cryptocurrencies), and file encryption tools. The author also notes implications for the Go standard library's cryptography packages.