To reveal, or not to reveal
Craig Gidney writes:
Almost exactly one year ago, I found a way to make quantum attacks on elliptic curve cryptosystems ten times cheaper. Specifically, I found a better way to perform elliptic curve point addition on a quantum computer. I wanted to publish these improved point addition circuits, to enable cryptographers to make informed decisions about when they’d need to transition away from quantum-vulnerable cryptosystems. I’ve done this several times over the past decade. However, this time, something new happened: I got pushback on publishing.
One of the challenges facing the industry is how to disclose vulnerabilities. Often some form of coordinated vulnerability disclosure is done where affected organizations are notified in secret about the vulnerability. But, a cryptographically relevant quantum computer (CRQC) that has the ability to crack foundational elements of the internet creates a kind of universal zero-day exploit that impacts many organizations and significant components and systems. It would seem irresponsible to not disclose this broadly.
On the other hand, the path leading up to Q-Day is filled with research, laying the steps to when a CRQC can crack encryption. Researchers revealing their technique means both good and bad actors have access to the recipe. No good-intentioned researcher wants to enable criminals or other bad actors.
In Gidney’s case, he chose to publish a Zero Knowledge Proof (ZKP). Essentially, this allowed Gidney et al. to share the validity of the proof but not the mechanics of the proof. But, this does not remove the interest or desires of other researchers.
Gidney:
Saying you have a solution, but that you won’t share it, is a great way to draw attention.
He calls this a kind of Streisand Effect.
It’s also a bit like the first runner to run a sub-four-minute mile. Once it’s done, suddenly it is possible for many others. Or, more recently, a sub-two-hour marathon.
Most likely, government entities involved in surreptitious decryption will likely not reveal when they have a CRQC and its relevant techniques and can formulate successful attacks. However, in the commercial and academic spheres I assume (hope?) we will have vocal revealers warning the public (like Gidney). The obvious benefit to revealing is to mitigate the harms of broken encryption (your bank, your email, corporate secrets, infrastructure, etc). Another benefit of revealing is that it leads to more researchers working on the problems, which typically leads to better solutions and improvements, even if there is some near-term pain.
Of course, all of this can be avoided by pursuing PQC solutions today.