
The move, recently proposed by influential researcher Scott Aaronson, is a complete turnaround from the strict 90-day disclosure policies Google’s Project Zero pioneered twenty years ago and from an accepted norm that has driven security research for even longer. Other researchers are already criticizing the dearth of details.
“I feel it’s alarmist to say a direct security risk from an algorithm that requires a PC that doesn’t exist,” Matt Green, a professor at Johns Hopkins University who studies cryptography, said. “Provided that the stakes listed here are so low (for a similar reason) I’d classify it as less harmful, and more on the hype side. I feel it’s more of a PR trick than a serious concern anyone has.”
Google may also be facing scrutiny for focusing on the harm CRQCs pose to cryptocurrencies—an obsession of vocal influencers and the present White House—rather than on TLS implementations, DocuSign signatures, digital certificates, or any number of other, more general applications that affect larger populations of people.
“While CRQCs definitely do pose a threat to blockchain-based technologies based on classical ECC algorithms, they are only one of many systems in our modern world that must transition quickly to PQC,” LaMacchia said, referring to post-quantum cryptography. “Especially when reading among the policy proposals at the tip of the white paper, I’m just dumbfounded that Google is targeted on policy frameworks for solving problems that appear unique to the cryptocurrency space (e.g., salvaged digital assets) and never the final threat that CRQC pose to all our systems that use public-key cryptography.”
