Fernando is looking for a PhD student www.iacr.org/jobs/item/4164 Fernando is excellent, you should consider applying.
03.03.2026 22:01
π 2
π 2
π¬ 0
π 0
Fernando is looking for a PhD student www.iacr.org/jobs/item/4164 Fernando is excellent, you should consider applying.
Cool! It looks like this parallelizes well, you say you can execute joint Pauli measurements. Does this work equally well if there is a lot of overlap in the support of the logical Paulis?
We donβt talk often enough about the Superman issue where, fed up with pedestrian deaths from car collisions, he sets out to try and destroy every car in the city.
Photo of a piece of cardboard with a hexagonal grid, rules handwritten on looseleaf, cardboard pieces, and a box of mini wheats labelled "Settlers of Catan"
Photo memory: a bootleg version of settlers of Catan I made from memory during summer fieldwork in 2012
The impact of Alfred Menezes in cryptography is profound. Francisco RH and I are organizing an afternoon session in Latincrypt to celebrate Alfred's career:
menezesfest.info
If you're coming to MedellΓn, consider attending!
Nice! Now (to steal Luca's joke) it's only 11 more factors of 2 to go for SQISign to be faster than MLDSA?
Screenshot of comments in code. They say: Dear programmer: when I wrote this code, only God and I know how it worked. Now, only God knows it! Therefore, if you are trying to optimize this routine and it fails (most surely), please increase this counter as a warning for the next person. Total hours wasted here = 254
This is a valid signature for user i. Then when the adversary presents a forgery (w*,c*,z*) against user j, just subtract cr_j from z* and it's a forgery for your challenger. This works... but only because the public key was not hashed into the challenge! Very bad idea!
Your challenger's public key is xP, so all the users you simulate for the multi-user adv can use PK_i=(x+r_i)P for some random r_i. If the adversary requests a signature on m from user r_i, you can send m to your challenger and get (w,c,z)=(yP,H(w||m),y+cx). Set z'=z+cr_i and return (w,c,z').
Always bothers me when you lose the 1/N factor in a multi-user security proof. Was thinking about how to dodge it; consider this for Schnorr signatures: you are an active adversary against a single challenger, with access to a multi-user adversary.
I wrote a bit about options for phones at protests, explaining the benefits and drawbacks, and added some security tips at the end.
Ursula K. LeGuin on technology
I was way miscalibrated at the time and thought the extra Toffoli count would end up using more space in the end thanks to state distillation. Not sure how typical my perspective was
Important lesson in scientific celebrity culture nonetheless
I've been reading "Burdens of proof", which makes an interesting point on this: law wants to operate on a vastly longer time scale than most file formats, for good reason.
So we have an adversary that can decrypt c to a different message with a different key? They can just compute their own tag of this other key and message, hash it, and replace the "T" part of the ciphertext?
Reasonable! When I read the screenshot you took, I see a lot of technical terms I can't contextualize. How meaningful is a "2 star relationship"? I can't tell but an expert in the field could.
Then again, scientists asked for quotes can absolutely give a rushed take and get things wrong.
It's normal and good for journalists to talk to scientists in the same field but not associated to the research, as they can offer an informed but less biased take
My current model of agriculture is we generally optimize for high yield at low labour, and there's room for high-yield and sustainable if we accept high labour inputs. Is this a plausible and useful perspective?
Oh of course not, it would be a tourist attraction. Maybe a quirky hotel
Graph of physical qubits vs. year. There is a cluster of points in the middle, with 3 lines trying to extrapolate forward, but with wide error margins.
I wouldn't say steady: arxiv.org/abs/2009.05045 tries to extrapolate and the data looks really noisy. E.g., fig. 8. If we put today's devices on this, the best would maybe on the orange line
Probably closer to 13 doublings if we look at chips with all the good properties we want. There hasn't been a consistent exponential growth yet.
Figure 14 from Gidney's paper showing a dense 3-d pipe diagram of a surface code layout of a lookup. Most of the 3-d space is used in some way.
Craig Gidney's work tackles that question: arxiv.org/abs/2505.159.... Check out the figures in the appendix: the physical qubits are used quite densely!
This work (eprint.iacr.org/2024/222) made the output bit compression efficient
If I get what you're talking about: a different technique (arxiv.org/abs/1905.100...) compresses the output bits, which is incompatible (if you compress input as well, you can factor with a classically simulatable # of qubits: likely impossible).
And on a network of quantum computers, you'd have to re-optimize the algorithm, which would push the resource estimates back up
To be clear there is no 2100 qubit device! Maybe I should rewrite that part :) but the estimates assume one device. There are known methods to network quantum devices together, but the tech is lagging behind a bit compared to the speed and quality of of one device
A 20x improvement warrants an "extra"!
A chart for quantum computers, of number of qubits versus error rate, on a logarithmic scale. Broadly it shows a large gap between current quantum computers in the bottom left, and a curve in the top right of the resources they need to break RSA.
An out-of-schedule update to my quantum landscape chart: sam-jaques.appspot.com/quantum_land..., prompted by
@craiggidney.bsky.social 's new paper: arxiv.org/abs/2505.15917.
A startling jump (20x) in how easy quantum factoring can be!
Also: much improved web design!
That'd be a killer bsky bio
