In theory, with long-enough (perhaps too long for practical use) RSA keys, conventional factoring would be /easier/ than Shor's algorithm. Is there such a "turnover" point?

When talking about science fiction technologies, the only answer is "who knows?" You'll hear me say that a lot here.

If someone in the 1950s were to ask questions about computing technology today, the best minds of the '50s might be able to specify the physical limits of computing but none of them would have a clue as to how closely we'd approach those limits.

Sure, there's probably a turnover point. Nobody has a clue where. Nobody thinks the GNFS is approaching the asymptotic limit of factoring: we just don't have a better algorithm. Yet. A number-theoretic breakthrough would move the turnover point enormously. So would engineering breakthroughs in coherence time. So would a proof of P=NP. So would...

Who knows? The future does not come according to predictable progress. Stagnation and breakthrough is more often the case.

My estimate of each computational qubit in a massive ensemble requiring five qubits of error correction is a wild guess that seems, according to my prejudices, pretty conservative. There's zero reason to take it as authoritative, consensus, or grounded in physical limits of the universe.

So those figures are low by factor of ...?

Who knows? At present we can't build an ensemble even 1% the size needed to break RSA-4096. By the time we get to ensembles of that size, who knows what breakthroughs we'll also have made in quantum error correction?

So a quantum computer able to solve RSA-256/384/512 can also solve EC- RSA-256/384/512 with the same difficulty?

I answered this.

The US government's belief is that RSA-3072 will be sufficient for protection of Top Secret/SCI data for the next twenty-five years.

[...]

And what about the various elliptic curve cryptosystems?

I provided you with a link to the NSA's CNSA Suite 2.0. I did this hoping you would read it.

Securing TS/SCI traffic with legacy CNSA 1.0 algorithms such as ECDH, ECDSA, and RSA will be officially approved until 2033 in most roles. After that, it's all PQC.

Attachment: OpenPGP_signature.asc
Description: OpenPGP digital signature

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
https://lists.gnupg.org/mailman/listinfo/gnupg-users

Reply via email to