> ECC algorithms with smaller key sizes would be more vulnerable to a quantum attack, as it would require a currently theoretical quantum computer with fewer qubits than would be required for an RSA key with the same cryptographic strength [25].
This is what keeps me skeptical about ECC. RSA is really chunky, and maybe that's a fundamental advantage from an information theory perspective. Compromising on the crypto scheme because we can't fit inside UDP seems like a cursed path.
If we are looking at the RSA factoring challenge (https://en.wikipedia.org/wiki/RSA_Factoring_Challenge) then 768 bits is done. Breaking RSA 1024 is assumed to be possible but has not been demonstrated in public.
So maybe quantum computers should first complete some of these RSA challenges with fewer compute resources than done classically before considering any claims about qubit needs as practical.
All of this is in the context of DNSSEC or other systems using signatures. For encryption the story is different.
[25]: https://arxiv.org/abs/1706.06752