The move, recently proposed by influential researcher Scott Aaronson, is a complete turnaround from the strict 90-day disclosure policies Google’s Project Zero pioneered two decades ago and an accepted norm that has driven security research for even longer. Other researchers are already criticizing the lack of details.
“I think it’s alarmist to claim an immediate security risk from an algorithm that requires a computer that doesn’t exist,” Matt Green, a professor at Johns Hopkins University who studies cryptography, said. “Given that the stakes here are so low (for the same reason) I’d classify it as less harmful, and more on the hype side. I think it’s more of a PR trick than a serious concern anyone has.”
Google is also facing scrutiny for focusing on the harm CRQC poses to cryptocurrencies—an obsession of vocal influencers and the current White House—rather than on TLS implementations, DocuSign signatures, digital certificates, or any other number of more general applications that affect larger populations of people.
“While CRQCs certainly do pose a threat to blockchain-based technologies based on classical ECC algorithms, they are just one of many systems in our modern world that need to transition quickly to PQC,” LaMacchia said, referring to post-quantum cryptography. “Especially when reading some of the policy proposals at the end of the white paper, I am just dumbfounded that Google is focused on policy frameworks for solving problems that seem unique to the cryptocurrency space (e.g., salvaged digital assets) and not the general threat that CRQC pose to all our systems that use public-key cryptography.”
