The move, recently proposed by influential researcher Scott Aaronson, is an entire turnaround from the strict 90-day disclosure policies Google’s Project Zero pioneered twenty years ago and an accepted norm that has driven security research for even longer. Other researchers are already criticizing the dearth of details.
“I believe it’s alarmist to assert an instantaneous security risk from an algorithm that requires a pc that doesn’t exist,” Matt Green, a professor at Johns Hopkins University who studies cryptography, said. “On condition that the stakes listed here are so low (for a similar reason) I’d classify it as less harmful, and more on the hype side. I believe it’s more of a PR trick than a serious concern anyone has.”
Google can also be facing scrutiny for specializing in the harm CRQC poses to cryptocurrencies—an obsession of vocal influencers and the present White House—quite than on TLS implementations, DocuSign signatures, digital certificates, or every other variety of more general applications that affect larger populations of individuals.
“While CRQCs definitely do pose a threat to blockchain-based technologies based on classical ECC algorithms, they are only certainly one of many systems in our modern world that must transition quickly to PQC,” LaMacchia said, referring to post-quantum cryptography. “Especially when reading a few of the policy proposals at the tip of the white paper, I’m just dumbfounded that Google is targeted on policy frameworks for solving problems that appear unique to the cryptocurrency space (e.g., salvaged digital assets) and never the final threat that CRQC pose to all our systems that use public-key cryptography.”