Viktor Dukhovni <[email protected]> writes:

>Before I take CRQCs as a credible looming issue, a milestone I'd want to see
>crossed would be an honest Shor's algorithm factorisation of a 32-bit RSA
>modulus[2], but perhaps I should first have asked for a 16-bit RSA modulus
>instead, as that too appears to be currently well out of reach.

One slight modification, I'd like to see a solution to the DLP for a 32-bit value, not RSA. It's far too easy to cheat with RSA, as two decades of claimed factorisations have shown, but not so with the DLP, and to decrypt TLS (and SSH, and IPsec, and OpenVPN, and Wireguard, and WhatsApp, and Signal, and ...) you need to target the DLP, not RSA.

Some data points:

Number of legitimate successful applications of Shor's algorithm to factorisation to date: 0

Number of successful applications of Shor's algorithm to the DLP to date: 0

Number of NIST PQC candidates that have been broken to date: About half of them.

Which side would you (the readership in general I mean) place bets on?

Peter.
