If we are looking at the RSA factoring challenge (https://en.wikipedia.org/wiki/RSA_Factoring_Challenge) then 768 bits is done. Breaking RSA 1024 is assumed to be possible but has not been demonstrated in public.
replySo maybe quantum computers should first complete some of these RSA challenges with less compute resources than done classically before considering any claims about qubits needs as practical.
All of this in the context of DNSSEC or other system using signatures. For encryption the story is different.
A CRQC makes both RSA and ECDLP practically irrelevant. The qubit thresholds between available ECC and RSA-2048 don't look meaningful. If you're worried about QC, get comfortable with lattices.
replyOf course, this part of the NIST recommendation doesn't matter, because DNSSEC is moribund. If we want post-quantum record authenticity, we should go back to the drawing board and come up with something that doesn't depend on UDP (and that doesn't carry DNSSEC's 1994-vintage offline-signer compromise and all-or-nothing zone signature compromise).
Yeah if we will ever see a CRQC...but nevertheless we will migrate to PQC as it will be forced via regulations thx to lobby work by Mosca and friends
reply