Scott Aaronson on quantum: "Will you heed my warnings NOW?"

(scottaaronson.blog)

37 points | by bwesterb 1 hour ago

7 comments

  • Ardren 10 minutes ago
    > Shor of Damocles

    What is the biggest number factored using Shor's algorithm?

    Last time I looked it was very unimpressive.

    Edit: It's gotten worse. 21 from 2012. "Replication of Quantum Factorisation Records with an 8-bit Home Computer, an Abacus, and a Dog" says the factorization of 35 in 2019 actually failed.

    https://eprint.iacr.org/2025/1237

    • sanxiyn 4 minutes ago
      I will let Scott Aaronson speak. (See https://scottaaronson.blog/?p=9668)

      > Sometimes these days, I'll survey the spectacular recent progress in fault-tolerance, 2-qubit gate fidelities, programmable hundred-qubit systems, etc., only to be answered with a sneer: "What's the biggest number that Shor's algorithm has factored? Still 15 after all these years? Haha, apparently the emperor has no clothes!" I've commented that this is sort of like dismissing the Manhattan Project as hopelessly stalled in 1944, on the ground that so far it hasn't produced even a tiny nuclear explosion... If there's a reason why you think it can't work beyond a certain scale, say so. But don't fixate on one external benchmark and ignore everything happening under the hood, if the experts are telling you that under the hood is where all the action now is, and your preferred benchmark is only relevant later.

      • toxik 0 minutes ago
        I talked to a guy who did his doctoral degree on quantum computing and he was not worried at all. In fact he thought it was wildly overhyped, and like cold fusion, self driving cars, or string theory, always just around the corner.
    • FartyMcFarter 9 minutes ago
      I said this about LLMs a few years ago, and now here we are.
  • KaiserPro 47 minutes ago
    Ok, maybe I'm missing something here.

    So we know that quantum computers hold a real risk of being able to break a lot of encryption. We also know that changing ciphers is hard (because reasons)

    But what I don't see is what I can practically do now, as either someone who is a CTO/Big Cheese™ or a lowly engineer?

    • BoppreH 0 minutes ago
      > But what I don't see is what I can practically do now, as either someone who is a CTO/Big Cheese™ or a lowly engineer?

      Migrate! The major TLS and OpenSSH applications already support PQC, for example.

      1. Make sure you have the required dependencies (e.g., openssl 3.5+).

      2. Make sure the client/server software is up to date (this might be all that's needed, e.g., OpenSSH 10.0+ enables PQC in-transit encryption by default).

      3. Enable PQC support in the software (e.g., "ssl_ecdh_curve X25519MLKEM768;" in Nginx).

      If you are the developer of anything that's using RSA or ECC, you can also migrate your own software, or at least make the algorithm selectable at initialization time instead of hardcoded. If you have vendors, ask them for their PQC migration roadmaps.

      Note that with encrypted data you want to protect yourself against attackers that are capturing data today and waiting to break it in the future (Harvest-Now, Decrypt-Later). So migrating encryption is more urgent than migrating authentication.

    • weddpros 2 minutes ago
      TLS can already be set up to avoid store-now-decrypt-later PQC issues. That's available today, and should be implemented. Use https://sslboard.com to inventory all your external TLS infrastructure and check for PQC readiness.
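
As an added example (not code from the thread, nor from OpenSSL, OpenSSH or nginx), the following POSIX shell script turns BoppreH's three migration steps above, and weddpros's point about inventorying external TLS endpoints, into repeatable checks. It assumes the usual `openssl version` and `ssh -V` output formats, the OpenSSH hybrid KEX names `mlkem768x25519-sha256` and `sntrup761x25519-sha256`, and nginx's `ssl_ecdh_curve` directive; the version strings and nginx fragments it tests are constructed, and the network-facing `tls_negotiates_pqc` function is defined but not executed, so the script runs offline.

```shell
#!/bin/sh
# Added example, not from the thread: PQC-readiness checks for the three
# migration steps (OpenSSL 3.5+, OpenSSH 10.0+, nginx ssl_ecdh_curve).
# Assumptions: `openssl version` prints "OpenSSL <ver> ...", `ssh -V` prints
# "OpenSSH_<ver>...", `ssh -G` prints a "kexalgorithms a,b,c" line, and the
# hybrid KEX names are OpenSSH's (mlkem768x25519-sha256, sntrup761x25519-sha256).
# Nothing at top level touches the network, so this is safe to run offline.

# version_ge A B: succeed when dotted version A >= B, compared numerically per
# component (trailing letters such as "10.0p2" or "3.5.0-dev" are dropped by +0).
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi > yi) exit 0
            if (xi < yi) exit 1
        }
        exit 0
    }'
}

# Step 1: the TLS library must be OpenSSL 3.5 or later. LibreSSL and older
# OpenSSL print a version line too but do not ship X25519MLKEM768, so the
# vendor name is checked before the number.
openssl_pqc_ready() {
    case "$1" in OpenSSL*) ;; *) return 1 ;; esac
    version_ge "$(printf '%s\n' "$1" | awk '{print $2}')" "3.5"
}

# Step 2: OpenSSH 10.0+ enables a hybrid PQC KEX by default. Older releases
# may support the algorithm but need it listed in KexAlgorithms explicitly.
openssh_pqc_ready() {
    case "$1" in OpenSSH_*) ;; *) return 1 ;; esac
    version_ge "$(printf '%s\n' "$1" | sed 's/^OpenSSH_\([0-9][0-9.]*\).*/\1/')" "10.0"
}

# Inspect the *effective* preference list (`ssh -G host`), not just what the
# binary supports. A hybrid must be present, and should come first; otherwise
# a classical group can still be chosen even when both sides support the hybrid.
kex_has_pqc_hybrid() {
    printf '%s\n' "$1" | tr ',' '\n' \
        | grep -qE '^(mlkem768x25519-sha256|sntrup761x25519-sha256)$'
}
kex_prefers_pqc_hybrid() {
    case "$(printf '%s\n' "$1" | tr ',' '\n' | head -n 1)" in
        mlkem768x25519-sha256|sntrup761x25519-sha256) return 0 ;;
        *) return 1 ;;
    esac
}

# Step 3: nginx pins the TLS group preference with ssl_ecdh_curve. Comment
# lines are dropped first so a commented-out directive does not count.
nginx_pqc_group_set() {
    printf '%s\n' "$1" | grep -v '^[[:space:]]*#' \
        | grep -qE 'ssl_ecdh_curve[[:space:]][^;]*X25519MLKEM768'
}

# Constructed nginx fragments: the classical-only setting beside the fixed one.
NGINX_CLASSICAL='ssl_protocols TLSv1.3;
ssl_ecdh_curve X25519:prime256v1;'
NGINX_PQC='ssl_protocols TLSv1.3;
# hybrid first, classical fallback for clients without ML-KEM
ssl_ecdh_curve X25519MLKEM768:X25519:prime256v1;'

# External inventory check (needs the network, so it is not run below): offer
# *only* the hybrid group; the handshake succeeds iff the server negotiates it.
# Needs a local OpenSSL 3.5+ that knows the group name, or it fails for the
# wrong reason. Usage: tls_negotiates_pqc example.com
tls_negotiates_pqc() {
    openssl s_client -connect "$1:443" -servername "$1" \
        -groups X25519MLKEM768 </dev/null >/dev/null 2>&1
}

report() { if "$@"; then echo "ok   : $1"; else echo "TODO : $1"; fi; }

if command -v openssl >/dev/null 2>&1; then
    report openssl_pqc_ready "$(openssl version)"
fi
if command -v ssh >/dev/null 2>&1; then
    report openssh_pqc_ready "$(ssh -V 2>&1)"
    KEX=$(ssh -G localhost 2>/dev/null | awk '/^kexalgorithms /{print $2}')
    report kex_has_pqc_hybrid "$KEX"
    report kex_prefers_pqc_hybrid "$KEX"
fi
report nginx_pqc_group_set "$NGINX_CLASSICAL"   # classical only: TODO
report nginx_pqc_group_set "$NGINX_PQC"         # hybrid pinned: ok
```

Two notes on the design. The checks deliberately look at key exchange only: that is the part exposed to harvest-now-decrypt-later, which is why BoppreH ranks migrating encryption ahead of authentication. And with OpenSSL 3.5 the library's own default group list already places X25519MLKEM768 first, so an explicit `ssl_ecdh_curve` in nginx mainly pins that preference against a later default change rather than switching it on; the script still flags its absence so the choice is visible in config review.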
    • rolandog 39 minutes ago
      I think lobby for saner defaults (tip of the hat to Steve Gibson's term "the tyranny of the default"), configuring one's GPG config to mark certain ciphers as insecure (to prevent downgrade attacks)... and have one's (chief) information security officer write those things down as policy and maybe have a yearly onboarding workshop teaching people why it's important.
    • fastball 40 minutes ago
      This is what Cloudflare[1] is doing.

      [1] https://blog.cloudflare.com/post-quantum-roadmap/

    • MattPalmer1086 29 minutes ago
      If you're a CTO, have a post quantum strategy: know what crypto you use and where it is, plan to migrate to post quantum secure ciphers over the next decade or so, or sooner if possible. If you're a lowly engineer, not very much unless you're specifically selecting technologies with crypto. In which case crypto agility (being able to switch out existing crypto when needed) is a good property to look for.
  • notarobot123 40 minutes ago
    "The Shor of Damocles" - what a metaphor.

    I thought it was a typo at first but wikipedia explained:

    The Sword of Damocles is an ancient Greek moral anecdote, an allusion to the imminent and ever-present peril faced by those in positions of power.

    Shor's algorithm is a quantum algorithm for finding the prime factors of an integer

  • FartyMcFarter 43 minutes ago
    > the Shor of Damocles

    Perfect.

  • AndrewStephens 43 minutes ago
    Aaronson knows his stuff but I am not sure he hasn't considered the fact that, in this current hype cycle, the quantum researchers breathlessly reporting to him on a breakthrough just around the corner are just lying to him and themselves.

    I have been hearing about one more technical hurdle to solve before quantum algorithms become feasible since before I graduated. That was in 1996.

    • bradley13 27 minutes ago
      This is true, practical quantum computing is always "just a couple of years away".

      At the same time, moving to more secure encryption really isn't difficult. How many times have algorithms been deprecated over the past 20 or so years? It's time to do it again.

      Let's just make sure that the NSA hasn't worked in any backdoors. At latest since Snowden, anything they work on is suspect.

      • Tyyps 15 minutes ago
        There is no clear evidence that the risk of "a practical post-quantum computer would arrive in the next 5 years" is greater than "post-quantum scheme X is broken" for any scheme X. The only way to go is hybridization and it is quite hard from an engineering point apparently.
      • AshamedCaptain 22 minutes ago
        And in the process immediately convert huge numbers of devices into e-waste. Then check the excuse calendar again for tomorrow's reason to deprecate yet another batch of "legacy" ciphers from OpenSSL.
        • FartyMcFarter 8 minutes ago
          The sooner we start making devices ready for better encryption systems, the fewer devices will be wasted.
    • sharkjacobs 24 minutes ago
      Are you saying this because it's an evergreen joke or because you really think there hasn't been meaningful progress in the field since 1996?

      Duke Nukem Forever was released fifteen years ago. Some things never happen until they suddenly do.

      The wolf really does eat the boy at the end of The Boy Who Cried Wolf.

      • emil-lp 12 minutes ago
        But Duke Nukem was developed with visible progress.

        We are still not factoring 21, let alone 35, let alone numbers with thousands of digits.

    • chii 40 minutes ago
      quantum computers will flourish the same day that fusion does.
  • amelius 28 minutes ago
    Tl;dr:

    > if quantum computers start breaking cryptography a few years from now, don’t you dare come to this blog and tell me that I failed to warn you. This post is your warning.