Module signing and post-quantum crypto public key algorithms
Simo Sorce
simo at redhat.com
Mon Jun 16 14:02:38 UTC 2025
On Fri, 2025-06-13 at 13:50 -0400, James Bottomley wrote:
> I agree it's coming, but there's currently no date for post quantum
> requirement in FIPS, which is the main driver for this.
The driver is the CNSA 2.0 document which has precise deadlines, not
FIPS. That said ML-KEM and ML-DSA can already be validated, so FIPS is
also covered.
> Current estimates say Shor's algorithm in "reasonable[1]" time requires
> around a million qubits to break RSA2048, so we're still several orders
> of magnitude off that.
Note that you are citing sources that identify needed physical qubits
for error correction, but what IBM publishes is a roadmap for *error
corrected* logical qubits. If they can pull that off that computer will
already be way too uncomfortably close (you need 2n+3 error corrected
logical qubits to break RSA).
> Grover's only requires just over 2,000 (which
> is why NIST is worried about that first).
Grover can at most halve the search space, so it is not really a
concern, even with the smallest key sizes the search space is still
2^64 ... so it makes little sense to spend a lot of engineering time to
find all places where doubling key size breaks things and then do a
micro-migration to that. It is better to focus the scarce resources on
the long term.
>
> Regards,
>
> James
>
> [1] you can change this by a couple of orders of magnitude depending on
> how long you're willing to wait
--
Simo Sorce
Distinguished Engineer
RHEL Crypto Team
Red Hat, Inc