Root Causes 435: The PQC "Q Day" Is Not That Simple

Hosted by
Tim Callan
Chief Compliance Officer
Original broadcast date
October 25, 2024

The PQC community likes to debate when crypto relevant quantum computers will be available, which is sometimes called "Q day." In this episode we explain how radically oversimplified this concept is and dive into the nuances of what a "cryptographically relevant quantum computer" really will be.

Podcast Transcript

Tim Callan: So Jason, Q day. What is Q day?
Jason Soroko: Did it used to be called the Zed date?
Tim Callan: More or less.
Jason Soroko: I would say that in my mind, it has always been a range of probability. It’s not a date. It is a range of dates and a range of probability.
Tim Callan: I think the simple-minded definition of Q day would be the date when quantum computers become crypto relevant.
Jason Soroko: That's right.
Tim Callan: I think what you're saying is exactly right. Which is there is not a date where quantum computers become crypto relevant. And why is that?
Jason Soroko: Well, really to me, what it will be pragmatically is when somebody hits a panic button and everybody follows the alarm bell out the door.
Tim Callan: You mean that's going to be the date when we declare it's Q day. I think that's right. I still contend, though, that that will be a false assertion.
Jason Soroko: Because what meaning is it based off of? But my argument, the reason I say it like that is because will it really matter about a technical definition? And because I'm going to give you what I think the technical definition is, and the technical definition is actually still, we've talked about the difficulty in actually measuring it, because does it mean you can decrypt an RSA-2048 message in a year?
Tim Callan: So here's the problem. If you want to say when a quantum computer becomes cryptographically relevant, you say, well, relevant to what level of encryption? And then you also will say, what is your metric for success to call it relevance? So, are there secrets that are valuable and durable enough that if someone had a sufficiently powerful quantum computer that they could take a year to decrypt them, that they would be willing to do that? There are in the world. Or five years. There are in the world. Not many. And so on the other hand, are there secrets where someone would be able to invest a month - much more, a day - an awful lot more, a minute - a whole lot more. So what you wind up with, I think, is for any given secret at its level of encryption, it has its individual Q day.
And they can vary dramatically in terms of when they are. So then you go, well, all that's fine and dandy, but that's also not helpful, Tim. So what are we going to do in the real world? I think we want to ask this question when does cryptographic relevance occur because it's a big difference between, is it five years from now, or is it 30 years from now? Extremely important. A lot of decisions are made differently based on the answer to that question. What you probably have to do to do that, and I don't think I've seen this ever done, is you have to sort of agree on some benchmarks. You got to say, we're going to say for this encryption, it can be broken in this amount of time. And we're going to agree - whatever it is, a week - and we're going to agree that that doesn't apply to every circumstance, but what it does is it gets us to the point where it can start to have a meaningful conversation. So I can say, well, when does cryptographic relevance occur if we have a predefined definition we're all going to agree on and then you could go and have the debates and talk to the things and maybe it's in 2027 and maybe it's in 2037 and we fight about that. But at least we have a way to try to put a peg in the calendar, of course, by when we think this is going to happen.
Jason Soroko: One of the smartest things I ever heard about or one of the most important inputs to this question, to me, was Professor Mosca talking about the linearity of the engineering problem of creating stable qubits.
So in other words, if we really are talking about Shor's algorithm and its application, then quantum computers exist right now, but they don't have enough stable qubits to be able to solve the current, say, RSA-2048, within a reasonable amount of time. But if you follow Professor Mosca’s ideas which has followed perfectly well, even though you see these technical journalism articles that talk about, oh my god, gigantic leap in the number of quantum stable quantum bits. Well if you actually plot it on a chart, it's linear, just the way Professor Mosca said. Therefore, that means we probably won't have this Eureka unless there is truly a difference in the way engineering is done. But if you just follow the linearity, there's an inevitability that there will be a sufficient number of qubits for Shor’s algorithm within a certain amount of time, and so therefore that's the way that the stake in the ground has been made over time. What I would say, though, is from a pragmatic standpoint, and I love the way Bruno Couillard, on our podcast, talked about this. He said, when the panic button is hit, then the people who are most risk averse - we're talking about militaries. We're talking about big finance, government. Those people are gonna be like - -
Tim Callan: Very, very valuable technical and business processes. I would put on that list.
Jason Soroko: Those are people who say, I got secrets where I don't care that if it takes 10 years. Let's say you tell me it takes 25 years to break this. I consider that unacceptable. That's an unacceptable risk to me, and therefore I have to go post quant. For the rest of us who might be using a web browser to look at a website for news, do I really care if somebody is gonna - -
Tim Callan: Or access my bank account. How much money is in my bank.
Jason Soroko: And if it takes 25 years to see what my bank account balance is - -
Tim Callan: That’s okay.
Jason Soroko: But so therefore, there is a continuum of risk adversity that is also part of this. And so, but what I'm going to say is this. I think that when the panic button is hit at the highest levels, that will cause a cascade amongst everybody. And my gut feel, and I would love to have some guests to tell me otherwise, Tim, but I think that once you have a sufficient number of qubits that would do it in 100 years, 10 years, 5 minutes, that curve is steep. In other words, the linearity at that point is still linear, but the ability to break in certain amounts of time won't even be a part of the conversation. We will deprecate RSA. We will deprecate ECC.
Tim Callan: I still think there's some value in being able to come up with a set of common criteria because right now there's this disagreement about kind of foundationally how fast we're going to get there.
Setting aside all of the weaselly things you and I just said about matters on the value of the secret and the size of the encryption and all that stuff. At the end of the day, if we could sort of normalize all that, then we could have a meaningful investigation of saying, okay, this normalized benchmark, whatever it is, is that coming in 10 years? Is it coming in 20 years? Or five years or whatever? And that would help to get at a very important question that’s real immaterial that really matters, which is, how quickly is the march toward crypto relevancy occurring. And, we could have useful conversations about that. The problem I have now is, you do a survey of a bunch of experts, and something comes back, and it's all over the map in terms of when we hit cryptographic relevancy. But then I say, I don't see anything in this research to indicate that we're talking apples to apples.
Jason Soroko: That is true. That is absolutely true. Because let's throw out some actual dates that have been talked about in serious circles.
Professor Mosca himself, right, his probabilities kind of peak around 2030 timeframe. I don't think he's changed that. I'd love to talk with him and see whether or not what his current thinking is, but I think we keep asking him the same question, he might give us the same answer. 2030. He has come up with his own criteria about why, why that is. But I think that we need a wider - because we don't have agreement. We don't really have full agreement on it, but then again, I think that let's talk truly pragmatically. Like let's make a decision without having all the information first.
And that is, let's take Professor Mosca seriously, and a lot of other people who circle around that same date, who've thought about this very deeply. And I think that you and I talk a lot about certificate agility. We talk about that as the first steps in becoming crypto agile. And so therefore, with 90 day coming, 90 day certificates coming, and misissuance events that have caused all kinds of pain recently, I think that certificate agility, if you're not doing that, you're not taking your cryptography seriously. Period. And so if you're going to take it seriously, and you do that, you've already taken the first steps towards crypto agility. But what does it mean in the real world? And I think, I think, this is just a thought, before we can really do the hard work - and we're not going to do that in this podcast - but let's do the hard work eventually as an industry of saying, what are the criteria that we can all agree upon. But I think what we have to face is this. Whether your risk continuum is, oh my God, if it's cracked in 100 years, that's unacceptable risk to me. Or most of us aren't going to wait till it takes five minutes to crack RSA-2048.
So there's that continuum. But I would say this. Bruno Couillard, who was on the podcast - and I keep bringing this up because it's a somewhat simple and profound statement that he said, in that it's probably going to take several years, three, four years, before we kind of walk out of the problem once the panic buttons hit.
So from a pragmatic, truly pragmatic standpoint, let's assume a button is hit. Well, I don't think you have to deprecate on day one. It'd be nice if you were ready ahead of time. But in reality, most people aren't. And so therefore there's gonna be three, four years before we really all truly, as all industries, have our act together. So therefore Bruno said this, and I'm going to repeat it, because it's very, very relevant to what we're talking about in this subject. That is, we're going to live for three, four years where some systems are not fully secure. Not secure.
Tim Callan: We're going to live for longer than that but okay.
Jason Soroko: Let’s hope it’s in the best case scenarios. But I'm talking about like banking systems, they could last three, four years.
And so you're going to have systems that are not secure from a cryptographic standpoint for that long because they're running classic algorithms. And until everything can be swapped out, these systems are gonna be unsecure, but at least perhaps on day one, when panic button is hit, it's like, okay, well, what are the crown jewels I'm dealing with here, and is my risk continuum on the stuff that's not secure okay to be in this insecure gray zone, because it takes current quantum computers, 100 years to break 2048.
Well, then you're not too worried on day one. But, I bet you by year four, after that panic buttons hit, you're starting to worry really badly, and you might see that curve inflection point shift so that, yeah, now it's five minutes for a quantum computer to break everything, because stable qubits are just moving along.
Here's the elephant in the room, Tim, that I'm going to add to this as well, just as part of the party of confusion to all of this.
Tim Callan: Are you confused yet, Listeners?
Jason Soroko: We did an attempt to explain Shor's algorithm during these Toronto sessions. I got glazed eyes, which means I probably failed, and that's fine. It was an attempt. There are people who have said, flat out, we don't think Shor's algorithm will ever be able to do what it says on the tin.
Tim Callan: There are people who said that. That's true.
Jason Soroko: Therefore, with that being said, is it a boogeyman? Is it a not real thing? And I'm going to say, do you really want to bet?
Tim Callan: I mean, we're betting all of it. We've talked about this in the past. Like if you place that bet and you're wrong, it's back to pen and paper. And we can't go back to pen and paper.
Jason Soroko: Bruno talked about that. We don't want to live in that world.
Tim Callan: We can't live in that world. Like we know that world doesn't exist anymore.
Jason Soroko: That world doesn't exist. Therefore, if you take all of that soup into account, I would say this to anybody listening to this podcast is, look, take the first steps, which is, I don't think there's a serious argument to not become certificate agile. I don't think there's a serious argument against it.
Tim Callan: I agree.
Jason Soroko: If your argument against investing in quantum agility is that it'll never happen – Wow! You are taking a big risk. You're gambling. And what I would say is, just assume it will happen. I don't think you need to over-invest at this exact moment. Like let's talk about this. The reality of it is, CA/Browser Forum hasn't written all kinds of rules about post-quantum handshakes and certificates and - -
Tim Callan: CA-Browser Forum has get those handed to it.
Jason Soroko: Exactly. But, on the other hand, we have Apple now with post-quantum draft algorithm, draft standards being used in iMessage.
Tim Callan: We have Chrome.
Jason Soroko: Chrome is now able to utilize those key exchanges. Bas Westerbaan has been on our podcast a couple of times talking about their implementation and how much traffic is now flowing over post-quantum algorithms at Cloudflare. Look, these are not dumb people. These are people with serious infrastructure where a lot of messaging happens, and they're putting into place the building blocks. And I'm really glad to see that the whole world isn't being the ostrich and putting the ostrich head in the ground and ignoring the problem. I would say though, to you as an enterprise with constrained resources, I don't have experts, first of all, from any good security practice, you must take inventory of your cryptographic assets, because those are the things you're eventually going to have to convert to quantum. So if you're not doing that step because you don't want to put in the work, because, well, Shor's algorithm will never work. I read that in an article once, and therefore I'm not going to put in the money. Wow. That is an inexcusable mistake.
Tim Callan: Well, that's very risky behavior.
Jason Soroko: But I like your idea, Tim, about the okay, to make it real for people, let's put some criteria down.
Tim Callan: And I think the lack of criteria makes it hard to have an earnest conversation about this. It is an important point, but first of all, I think people who aren't in the nuance of it, like you clearly are, do sort of imagine there's a date where suddenly something changes for everything, and that just isn't right. It depends on all of these factors. And then the second problem is, it's hard to answer it even without that problem in the mix. So, it makes discussion of it damn near impossible in a real earnest way. And, if we could just settle on some similar benchmarks, that would help a lot.
Jason Soroko: Completely agreed. Maybe you and I, in a future podcast, Tim, can actually lay down what we think are some of the really pragmatic here's what we need to understand. And then, the rest of the community can come in and say, here guys, let's fill in some of the blanks from our point of view that you don't have.
Tim Callan: We could call it the RC date, the Root Causes date.
Jason Soroko: Coming soon to a TV near you.
Tim Callan: I think this is a to be continued. Thank you, Jay.
Jason Soroko: Thank you, Tim.
Tim Callan: This has been Root Causes.