Friday, March 27, 2026

Q Day is Coming

Google is dramatically shortening its readiness deadline for the arrival of Q Day, the point at which existing quantum computers can break public-key cryptography algorithms that secure decades’ worth of secrets belonging to militaries, banks, governments, and nearly every individual on earth.

In a post published on Wednesday, Google said it is giving itself until 2029 to prepare for this event. The post went on to warn that the rest of the world needs to follow suit by adopting PQC—short for post-quantum cryptography—algorithms to augment or replace elliptic curves and RSA, both of which will be broken.

The end is nigh

“As a pioneer in both quantum and PQC, it’s our responsibility to lead by example and share an ambitious timeline,” wrote Heather Adkins, Google’s VP of security engineering, and Sophie Schmieg, a senior cryptography engineer. “By doing this, we hope to provide the clarity and urgency needed to accelerate digital transitions not only for Google, but also across the industry.”

Separately, Google detailed its timeline for making Android quantum resistant, the first time the company has publicly discussed PQC support on the operating system. Starting with the beta version, Android 17 will support ML-DSA, a digital signing algorithm standard advanced by the National Institute of Standards and Technology. ML-DSA will be added to Android’s hardware root of trust. The move will allow developers to have PQC keys for signing their apps and verifying other software signatures. [...]

So what’s spooking Google so much?

Wednesday’s hard deadline came as a surprise to many cryptography engineers, including those who have been active in the PQC transition for years.

“That is certainly a significant acceleration/tightening of the public transition timelines we’ve seen to date, and is accelerated over even what we’ve seen the US government ask for,” Brian LaMacchia, a cryptography engineer who oversaw Microsoft’s post-quantum transition from 2015 to 2022 and now works at Farcaster Consulting Group, said in an interview. “The 2029 timeline is an aggressive speedup but raises the question of what’s motivating them.”

Google didn’t lay out the rationale for the revision in either of its posts. A spokeswoman didn’t immediately provide answers to questions sent by email.

Estimates for when Q Day will arrive have varied widely since the mid-1990s, when mathematician Peter Shor first showed that a quantum computer of sufficient strength could factor integers in polynomial time, much faster than classical computers. That put the world on notice that RSA’s days were limited. Follow-on research showed quantum computers provided a similar speed-up in solving the discrete log problem that underpins elliptic curves. [...]

In preparation for Q Day, cryptographers have devised new encryption algorithms that rely on problems that quantum computers don’t have an advantage over classical computers in solving. Rather than factoring or solving the discrete log, one approach involves mathematical structures known as lattices. A second approach involves a stateless hash-based digital signature scheme. The National Institute of Standards and Technology has advanced several algorithms that have yet to be broken and are presumed to be secure.

In 2022 the NSA set a deadline of 2033 for PQC readiness in national security systems, and of 2030 for a few specific applications.

by Dan Goodin, Ars Technica
Image: JuSun/Getty
[ed. So does this mean we don't need passwords anymore? Or the old ones won't work? I can't tell. Tech companies have been telling us that'd happen for years, too. It's coming! And, how does strong AI affect any of this? If I have to change all my passwords everywhere I'm going to go crazy.]