On Fri, 2025-06-13 at 13:50 -0400, James Bottomley wrote: > I agree it's coming, but there's currently no date for post quantum > requirement in FIPS, which is the main driver for this. The driver is the CNSA 2.0 document which has precise deadlines, not FIPS. That said ML-KEM and ML-DSA can already be validated, so FIPS is also covered. > Current estimates say Shor's algorithm in "reasonable[1]" time requires > around a million qubits to break RSA2048, so we're still several orders > of magnitude off that. Note that you are citing sources that identify needed physical qbits for error correction, but what IBM publishes is a roadmap for *error corrected* logical qbits. If they can pull that off that computer will already be way too uncomfortably close (you need 2n+3 error corrected logical qbits to break RSA). > Grover's only requires just over 2,000 (which > is why NIST is worried about that first). Grover can at most half the search space, so it is not really a concern, even with the smallest key sizes the search space is still 2^64 ... so it makes little sense to spend a lot of engineering time to find all places where doubling key size break things and then do a micro-migration to that. It is better to focus the scarce resources on the long term. > > Regards, > > James > > [1] you can change this by a couple of orders of magnitude depending on > how long you're willing to wait -- Simo Sorce Distinguished Engineer RHEL Crypto Team Red Hat, Inc
