Thank you so much for your kind words and juicy feedback!
Google has already deployed post-quantum schemes as a test
I did not know about this, and this actually updates me on how much overhead will be needed for post quantum crypto (the NIST expert I interviewed gave me an impression that it was large and essentially would need specialized hardware to meet performance expectations, but this seems to speak to the contrary (?))
There may be significant economic costs due to public key schemes deployed “at rest”
To make sure I understand your point, let me try to paraphrase. You are pointing out that:
1) past communications that are recorded will be rendered insecure by quantum computing
2) there are some transition costs associated with post quantum crypto—which are related to for example the cost of rebuilding PGP certificate networks.
If so, I agree that this is a relevant consideration but does not change the bottom line.
Thank you again for reading my paper!
Yep, that’s the right interpretation.
In terms of hardware, I don’t know how Chrome did it, but at least on fully capable hardware (mobile CPUs and above) you can often bitslice to make almost any circuit efficient if it has to be evaluated in parallel. So my prior is that quite general things don’t need new hardware if one is sufficiently motivated, and would want to see the detailed reasoning before believing you can’t do it with existing machines.
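To make the bitslicing point concrete, here is an added example that is not from this thread and says nothing about how Chrome actually implemented its post-quantum experiment. It assumes two small circuits as stand-ins for "almost any circuit": a 4-bit ripple-carry adder and the 5-bit chi step of Keccak (the nonlinear layer of SHA-3). Each input value is split into its bits, bit j of lane i is stored as bit i of word j, and the circuit is then evaluated with plain AND/XOR/NOT on whole words, so one pass over the gates computes all lanes at once. Python ints play the role of the 64-bit machine words a C implementation would use; the lane count and the 4-bit width are assumptions chosen for the demonstration.

```python
"""Bitsliced evaluation of boolean circuits across many inputs in parallel.

Added example, not code from the thread or from any browser's post-quantum
deployment. Assumptions: LANES and WIDTH are illustrative sizes; the two
circuits (a 4-bit adder and Keccak's 5-bit chi step) stand in for "any
circuit". Python ints act as machine words of arbitrary width.
"""
from typing import List

LANES = 64   # assumption: lanes per word, i.e. the machine word width in C
WIDTH = 4    # assumption: bit width of the toy adder inputs


def transpose_in(values: List[int], width: int) -> List[int]:
    """Pack one value per lane into `width` words: word[j] bit i = bit j of values[i]."""
    words = [0] * width
    for lane, v in enumerate(values):
        for j in range(width):
            if (v >> j) & 1:
                words[j] |= 1 << lane
    return words


def transpose_out(words: List[int], lanes: int) -> List[int]:
    """Inverse of transpose_in: recover one integer per lane from the sliced words."""
    values = [0] * lanes
    for j, w in enumerate(words):
        for lane in range(lanes):
            if (w >> lane) & 1:
                values[lane] |= 1 << j
    return values


def full_adder(a: int, b: int, c: int):
    """One full-adder cell on whole words; every lane gets its own sum and carry bit."""
    s = a ^ b ^ c
    carry = (a & b) | (c & (a ^ b))
    return s, carry


def bitsliced_add(a_words: List[int], b_words: List[int]) -> List[int]:
    """Ripple-carry adder mod 2^width. Each gate is one word operation, so the
    cost is per gate, not per lane; the final carry is dropped (mod 2^width)."""
    carry = 0
    out = []
    for a, b in zip(a_words, b_words):
        s, carry = full_adder(a, b, carry)
        out.append(s)
    return out


def add_many(xs: List[int], ys: List[int], width: int = WIDTH) -> List[int]:
    """Compute (xs[i] + ys[i]) mod 2^width for every lane with one circuit pass."""
    assert len(xs) == len(ys)
    lanes = len(xs)
    return transpose_out(bitsliced_add(transpose_in(xs, width),
                                       transpose_in(ys, width)), lanes)


def chi_ref(v: int) -> int:
    """Per-value reference for Keccak chi on a 5-bit row: out_i = a_i ^ (~a_{i+1} & a_{i+2})."""
    bits = [(v >> i) & 1 for i in range(5)]
    out = 0
    for i in range(5):
        out |= (bits[i] ^ ((1 - bits[(i + 1) % 5]) & bits[(i + 2) % 5])) << i
    return out


def chi_many(values: List[int]) -> List[int]:
    """Bitsliced chi over all lanes: the same formula applied to words, with a
    lane mask because ~ on a Python int would otherwise set bits above the lanes."""
    lanes = len(values)
    mask = (1 << lanes) - 1
    w = transpose_in(values, 5)
    out = [w[i] ^ ((~w[(i + 1) % 5] & mask) & w[(i + 2) % 5]) for i in range(5)]
    return transpose_out(out, lanes)


if __name__ == "__main__":
    # Constructed sample input: 64 lanes of 4-bit values, all adding 5.
    xs = list(range(16)) * 4
    print(add_many(xs, [5] * len(xs)))
    print([chi_many(list(range(32)))[v] == chi_ref(v) for v in range(32)])
```

The gate count of the adder is fixed (three XORs, two ANDs, one OR per bit), while the number of lanes is only bounded by the word width, which is why a bitsliced implementation of a cipher or a post-quantum scheme's inner loop can run on ordinary CPUs without new hardware as long as many independent evaluations are available to fill the lanes. The transposes are the price of admission and are not free, so the technique pays off when the circuit is deep relative to the cost of packing and unpacking.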