<rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>Hacker News: Tyyps</title><link>https://news.ycombinator.com/user?id=Tyyps</link><description>Hacker News RSS</description><docs>https://hnrss.org/</docs><generator>hnrss v2.1.1</generator><lastBuildDate>Tue, 07 Apr 2026 11:53:50 +0000</lastBuildDate><atom:link href="https://hnrss.org/user?id=Tyyps" rel="self" type="application/rss+xml"></atom:link><item><title><![CDATA[New comment by Tyyps in "A cryptography engineer's perspective on quantum computing timelines"]]></title><description><![CDATA[
<p>I think it is pretty direct from my comment that if you use a hybrid approach (done correctly) you can rely on the hardness of dlog-based assumptions, and therefore my comment on the potential weakness of PQ assumptions can be ruled out.
In this way we disagree that rushing PQ is the appropriate choice if it rules out dlog-based security.<p>> He's also pointing out that the only scenario in which hybrid is of benefit is one in which crypto related QC remains either relatively ineffective or extremely expensive in the medium term. Since that assumption is looking increasingly suspect it calls into question the point of hybrid to begin with. In the face of cheap QC hybrid adds zero value.<p>This is exactly what I'm pointing out as extremely dangerous. My take was that the risk of seeing a quantum computer break dlog in the near future isn't stronger than the risk of breaking PQ assumptions in the near future.</p>
]]></description><pubDate>Tue, 07 Apr 2026 09:23:30 +0000</pubDate><link>https://news.ycombinator.com/item?id=47672606</link><dc:creator>Tyyps</dc:creator><comments>https://news.ycombinator.com/item?id=47672606</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=47672606</guid></item><item><title><![CDATA[New comment by Tyyps in "A cryptography engineer's perspective on quantum computing timelines"]]></title><description><![CDATA[
<p>He is assessing that the risk of seeing a quantum computer break dlog cryptography is stronger than the risk of having post-quantum assumptions broken, in particular for lattices.<p>One can always debate, but we have seen more post-quantum assumptions break during the last 15 years than we have seen concrete progress in practical quantum factorisation (I'm not talking about the theory).</p>
]]></description><pubDate>Tue, 07 Apr 2026 09:10:47 +0000</pubDate><link>https://news.ycombinator.com/item?id=47672525</link><dc:creator>Tyyps</dc:creator><comments>https://news.ycombinator.com/item?id=47672525</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=47672525</guid></item><item><title><![CDATA[New comment by Tyyps in "A cryptography engineer's perspective on quantum computing timelines"]]></title><description><![CDATA[
<p>I agree, but the blog post was specifically ruling out the hybrid approach.</p>
]]></description><pubDate>Tue, 07 Apr 2026 07:47:47 +0000</pubDate><link>https://news.ycombinator.com/item?id=47671962</link><dc:creator>Tyyps</dc:creator><comments>https://news.ycombinator.com/item?id=47671962</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=47671962</guid></item><item><title><![CDATA[New comment by Tyyps in "A cryptography engineer's perspective on quantum computing timelines"]]></title><description><![CDATA[
<p>This is quantum annealing and it has nothing to do with Shor (I should have been precise, sorry).<p>It is not clear at all that quantum annealing provides any speedup compared to a classical computer.</p>
]]></description><pubDate>Tue, 07 Apr 2026 07:44:51 +0000</pubDate><link>https://news.ycombinator.com/item?id=47671943</link><dc:creator>Tyyps</dc:creator><comments>https://news.ycombinator.com/item?id=47671943</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=47671943</guid></item><item><title><![CDATA[New comment by Tyyps in "A cryptography engineer's perspective on quantum computing timelines"]]></title><description><![CDATA[
<p>Just a small selection of recent attacks on a few post-quantum assumptions:<p>Isogeny/SIDH: <a href="https://eprint.iacr.org/2022/975" rel="nofollow">https://eprint.iacr.org/2022/975</a><p>Lattices:
<a href="https://eprint.iacr.org/2023/1460" rel="nofollow">https://eprint.iacr.org/2023/1460</a><p>Classic McEliece:
<a href="https://eprint.iacr.org/2024/1193" rel="nofollow">https://eprint.iacr.org/2024/1193</a><p>Saying that you can blindly trust PQ assumptions is a very dangerous take.</p>
]]></description><pubDate>Tue, 07 Apr 2026 04:34:46 +0000</pubDate><link>https://news.ycombinator.com/item?id=47670799</link><dc:creator>Tyyps</dc:creator><comments>https://news.ycombinator.com/item?id=47670799</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=47670799</guid></item><item><title><![CDATA[New comment by Tyyps in "A cryptography engineer's perspective on quantum computing timelines"]]></title><description><![CDATA[
<p>Indeed, anti-hybrid arguments are very dangerous takes at best. People are putting a tremendous amount of faith in very understudied assumptions, in particular given the complexity of geometric relations and the structure of current lattice-based schemes.</p>
]]></description><pubDate>Tue, 07 Apr 2026 04:25:04 +0000</pubDate><link>https://news.ycombinator.com/item?id=47670744</link><dc:creator>Tyyps</dc:creator><comments>https://news.ycombinator.com/item?id=47670744</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=47670744</guid></item><item><title><![CDATA[New comment by Tyyps in "A cryptography engineer's perspective on quantum computing timelines"]]></title><description><![CDATA[
<p>I think people have to be extremely careful with this kind of opinion.
In particular, seeing such a push for post-quantum crypto while the current state of the art for quantum factorisation is 15 and 21, and the fact that current assumptions (for KEMs in particular) are clearly not as studied as dlog.<p>It's maybe good to remember that SIDH was broken in polynomial time by a classical computer 3 years ago...
I'm really concerned by the current rush for PQ solutions and what the real intentions behind it are.
On a side note, there might even be a world where a powerful enough quantum computer that breaks 2048-bit RSA will never exist ('t Hooft, Palmer... recent quantum gravity theory).</p>
]]></description><pubDate>Tue, 07 Apr 2026 04:13:23 +0000</pubDate><link>https://news.ycombinator.com/item?id=47670676</link><dc:creator>Tyyps</dc:creator><comments>https://news.ycombinator.com/item?id=47670676</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=47670676</guid></item><item><title><![CDATA[Rational Quantum Mechanics: Testing Quantum Theory with Quantum Computers]]></title><description><![CDATA[
<p>Article URL: <a href="https://arxiv.org/abs/2510.02877">https://arxiv.org/abs/2510.02877</a></p>
<p>Comments URL: <a href="https://news.ycombinator.com/item?id=47598459">https://news.ycombinator.com/item?id=47598459</a></p>
<p>Points: 2</p>
<p># Comments: 0</p>
]]></description><pubDate>Wed, 01 Apr 2026 08:51:17 +0000</pubDate><link>https://arxiv.org/abs/2510.02877</link><dc:creator>Tyyps</dc:creator><comments>https://news.ycombinator.com/item?id=47598459</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=47598459</guid></item><item><title><![CDATA[New comment by Tyyps in "Cops say criminals use a Google Pixel with GrapheneOS – I say that's freedom"]]></title><description><![CDATA[
<p>The anti-privacy movement in Europe is really concerning.
In particular, as the general population doesn't really care about it, we are going toward some major shifts.
I'm wondering though how this radical turn was initiated and if some lobbies are pulling the strings behind the scene...</p>
]]></description><pubDate>Wed, 23 Jul 2025 13:50:34 +0000</pubDate><link>https://news.ycombinator.com/item?id=44659229</link><dc:creator>Tyyps</dc:creator><comments>https://news.ycombinator.com/item?id=44659229</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=44659229</guid></item><item><title><![CDATA[New comment by Tyyps in "How to prove false statements: Practical attacks on Fiat-Shamir"]]></title><description><![CDATA[
<p>I think you are mixing up the function itself and its output: if for a given input to the function the output is uniformly random, then this is a way to derive randomness. The fact that the function itself is deterministic tells you nothing about the distribution of its output.</p>
]]></description><pubDate>Thu, 10 Jul 2025 15:32:37 +0000</pubDate><link>https://news.ycombinator.com/item?id=44522157</link><dc:creator>Tyyps</dc:creator><comments>https://news.ycombinator.com/item?id=44522157</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=44522157</guid></item><item><title><![CDATA[New comment by Tyyps in "How to prove false statements: Practical attacks on Fiat-Shamir"]]></title><description><![CDATA[
<p>He is technically not wrong; most signatures can be seen as a public-coin interactive proof system where you prove knowledge of a private key.
They are then compiled into a non-interactive proof system via the Fiat-Shamir transform, which uses a random oracle concretely instantiated using a hash function (easy to see in Schnorr signatures).
So in the end you are using a hash function to generate your random coins.</p>
]]></description><pubDate>Thu, 10 Jul 2025 15:22:22 +0000</pubDate><link>https://news.ycombinator.com/item?id=44522039</link><dc:creator>Tyyps</dc:creator><comments>https://news.ycombinator.com/item?id=44522039</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=44522039</guid></item><item><title><![CDATA[New comment by Tyyps in "How to prove false statements: Practical attacks on Fiat-Shamir"]]></title><description><![CDATA[
<p>Hash functions are used to instantiate a random oracle (which is a theoretical object that can't be instantiated because it would be of infinite size, but makes it easy to reason about) because it doesn't seem crazy as an assumption that if finding a collision between 2 hashes is hard, it should be hard to predict the output of the so-called hash function. However, it is well known that there were some contrived counterexamples of protocols that are secure under the random oracle model and insecure when instantiated with any hash function. The problem with this paper is that the protocol it describes isn't so contrived anymore.
Cryptography is a matter of assumptions and what you believe in or not. You might want to not use a random oracle, but you will therefore have to restrict yourself in what you can concretely build.<p>And the reason behind the problem outlined in the paper isn't a biased randomness problem but the fact that you can represent the hash function, compared to a RO.</p>
]]></description><pubDate>Thu, 10 Jul 2025 11:49:59 +0000</pubDate><link>https://news.ycombinator.com/item?id=44519936</link><dc:creator>Tyyps</dc:creator><comments>https://news.ycombinator.com/item?id=44519936</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=44519936</guid></item></channel></rss>