
I think people have to be extremely careful with this kind of opinion. In particular, seeing such a push for post-quantum crypto while the current state of the art for quantum factorisation is 15 and 21, and the fact that current assumptions (for KEMs in particular) are clearly not as well studied as dlog.

It's maybe good to remember that SIDH was broken in polynomial time by a classical computer 3 years ago... I'm really concerned by the current rush for PQ solutions and what the real intentions behind it are. On a side note, there might even be a world where a powerful enough quantum computer that breaks 2048-bit RSA will never exist ('t Hooft, Palmer... recent quantum gravity theory).



The largest number factorised on a quantum computer is 8,219,999 on a D-Wave machine (a quantum annealer, so not capable of running Shor's, but capable of being an actual shipping product you can use, unlike gate model machines).

https://www.nature.com/articles/s41598-024-53708-7

> Overall, 8,219,999 = 32,749 × 251 was the highest prime product we were able to factorize within the limits of our QPU resources. To the best of our knowledge, this is the largest number which was ever factorized by means of a quantum annealer; also, this is the largest number which was ever factorized by means of any quantum device without relying on external search or preprocessing procedures run on classical computers.


You should read the article you posted before you write a comment. Hint: check P_F=0 in tables 2, 3 and 4.

"Factored" is doing a lot of lifting here and is borderline deceptive. Plenty of researchers have long ago pointed out that this won't scale, see M Mosca for reference.


I'm aware; I don't think gate model machines have demonstrated much potential of scaling in practice any time soon, so this is more of a lark to show how unimpressive the current Shor's attempts have been.


The D-Wave machine doesn't benefit from the quantum speedups discussed in the article


This is quantum annealing and it has nothing to do with Shor (I should have been precise, sorry).

It is not clear at all that quantum annealing provides any speedup compared to a classical computer.


Yeah that was the first line of my comment.

Annealing is in fact proven to be able to do certain things faster than any classical CPU; whether you can make use of that particular feature is a different question. If you're into spin glasses, maybe.


As long as a hybrid approach is taken what is there to worry about? Whereas not adopting PQC in a timely manner is obviously a gamble.


I agree, but the blog post was specifically ruling out hybrid approach.


> I'm really concerned by the current rush for PQ solutions and what are the real intentions behind it.

You had written. As long as we're in agreement that rushing PQ appears to be the appropriate choice. The only question is the precise form it should take, with the author arguing that hybrid would be unacceptably slow to roll out due to various social and bureaucratic reasons.

He's also pointing out that the only scenario in which hybrid is of benefit is one in which crypto related QC remains either relatively ineffective or extremely expensive in the medium term. Since that assumption is looking increasingly suspect it calls into question the point of hybrid to begin with. In the face of cheap QC hybrid adds zero value.


I think it is pretty direct from my comment that if you use a hybrid approach (done correctly) you can rely on the hardness of the dlog-based assumption, and therefore my comment on the potential weakness of PQ assumptions can be ruled out. In this way we disagree that rushing PQ is the appropriate choice if it rules out dlog-based security.

> He's also pointing out that the only scenario in which hybrid is of benefit is one in which crypto related QC remains either relatively ineffective or extremely expensive in the medium term. Since that assumption is looking increasingly suspect it calls into question the point of hybrid to begin with. In the face of cheap QC hybrid adds zero value.

This is exactly what I'm pointing out as extremely dangerous. My take was that the risk of seeing a quantum computer breaking dlog in the near future isn't stronger than breaking PQ assumptions in the near future.
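As an added example of what "a hybrid approach (done correctly)" means in practice (this is not code from the thread or from any commenter): a KEM combiner that feeds both shared secrets and both ciphertexts into one KDF, so the derived key stays secure as long as either component holds. The classical leg is a toy finite-field Diffie-Hellman KEM over Mersenne primes with an assumed generator of 3 (insecure parameters, chosen only so the example runs offline; a real deployment would use X25519 or similar). The second leg is a placeholder with the interface a PQ KEM exposes, here a second toy DH instance, not a post-quantum scheme; ML-KEM or another PQ KEM would be plugged in there. The label `hybrid-kem-example-v1` and all function names are assumptions of this example.

```python
"""Hybrid KEM combiner (added example): key = HKDF(ss_classical || ss_second, info = label || ct_classical || ct_second)."""
import hashlib
import hmac
import secrets

# Toy DH parameters: Mersenne primes with assumed generator 3. NOT secure groups;
# they exist only so the example runs offline. Use X25519 for a real classical leg.
TOY_GROUP_A = (2**127 - 1, 3)
TOY_GROUP_B = (2**521 - 1, 3)
LABEL = b"hybrid-kem-example-v1"  # assumed domain-separation label


def _i2b(x: int, p: int) -> bytes:
    """Fixed-width big-endian encoding of a group element modulo p."""
    return x.to_bytes((p.bit_length() + 7) // 8, "big")


class ToyDhKem:
    """Minimal DH-based KEM: encaps = ephemeral DH, shared secret = SHA-256(g^(ab))."""

    def __init__(self, p: int, g: int):
        self.p, self.g = p, g

    def keygen(self):
        sk = secrets.randbelow(self.p - 2) + 1
        return sk, _i2b(pow(self.g, sk, self.p), self.p)

    def encaps(self, pk: bytes):
        e = secrets.randbelow(self.p - 2) + 1
        ct = _i2b(pow(self.g, e, self.p), self.p)
        shared = pow(int.from_bytes(pk, "big"), e, self.p)
        return ct, hashlib.sha256(_i2b(shared, self.p)).digest()

    def decaps(self, sk: int, ct: bytes) -> bytes:
        shared = pow(int.from_bytes(ct, "big"), sk, self.p)
        return hashlib.sha256(_i2b(shared, self.p)).digest()


CLASSICAL = ToyDhKem(*TOY_GROUP_A)
# Placeholder for the PQ leg: same interface (keygen/encaps/decaps), NOT a PQ scheme.
SECOND = ToyDhKem(*TOY_GROUP_B)


def combine(ss_classical: bytes, ss_second: bytes, ct_classical: bytes, ct_second: bytes) -> bytes:
    """HKDF-style combiner over both secrets, with both ciphertexts bound into the info string.

    Because the KDF input concatenates both secrets, the output remains pseudorandom as long
    as the attacker is missing either one: a total break of the second leg still leaves the
    dlog-based secret to recover. Binding the ciphertexts prevents mixing ciphertexts from
    different sessions into the same key.
    """
    prk = hmac.new(LABEL, ss_classical + ss_second, hashlib.sha256).digest()  # HKDF-Extract, salt = LABEL
    info = LABEL + ct_classical + ct_second
    return hmac.new(prk, info + b"\x01", hashlib.sha256).digest()             # HKDF-Expand, first block


def hybrid_keygen():
    sk_c, pk_c = CLASSICAL.keygen()
    sk_s, pk_s = SECOND.keygen()
    return (sk_c, sk_s), (pk_c, pk_s)


def hybrid_encaps(pk):
    pk_c, pk_s = pk
    ct_c, ss_c = CLASSICAL.encaps(pk_c)
    ct_s, ss_s = SECOND.encaps(pk_s)
    return (ct_c, ct_s), combine(ss_c, ss_s, ct_c, ct_s)


def hybrid_decaps(sk, ct):
    (sk_c, sk_s), (ct_c, ct_s) = sk, ct
    return combine(CLASSICAL.decaps(sk_c, ct_c), SECOND.decaps(sk_s, ct_s), ct_c, ct_s)


def demo() -> dict:
    """Run one exchange; also show that tampering with one ciphertext changes the derived key."""
    sk, pk = hybrid_keygen()
    ct, k_sender = hybrid_encaps(pk)
    k_receiver = hybrid_decaps(sk, ct)
    tampered = (ct[0], bytes([ct[1][0] ^ 1]) + ct[1][1:])  # flip one bit of the second ciphertext
    k_tampered = hybrid_decaps(sk, tampered)
    return {"agree": k_sender == k_receiver, "tamper_changes_key": k_tampered != k_sender}


if __name__ == "__main__":
    print(demo())
```

Run as a script to see both checks succeed. The design point is in `combine`: the two shared secrets are never used separately (no XOR of independently derived keys, no "classical key unless PQ available" fallback), and both ciphertexts go into the KDF transcript.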


You seem to just be rehashing what we already clearly agree on. Obviously if you view classically breaking PQ algorithms as higher likelihood than QC breaking classical then you are going to disagree with the premise.

Can you actually back up your prediction that crypto related QC will remain either relatively ineffective or extremely expensive in the medium term?


The requirement for favoring hybrid isn't that "you view classically breaking PQ algorithms as higher likelihood than QC breaking classical", but that you think the likelihood of QC breaking classical is less than a billion times more than the likelihood of classically breaking PQ.

Hybrid has essentially no cost, so we should favor it as long as it has a greater than negligible chance of providing protection. IMO the likelihood of CRQCs breaking ECC is pretty high (>50% by 2040) and the odds of classically breaking lattices is low (<1% by 2050), but creating a 0.5% chance of breaking cryptography for the entire world seems way too high when we have a free mitigation right here.


Not so. One of the core premises of the article that we're discussing here is that hybrid is proving to be quite difficult for entirely nontechnical reasons.

I agree that my previous wording was sloppy to the point of error. The point I was trying to communicate was that we already had agreement that an elevated assessment of the chance of a classical attack against a given PQ algorithm would lead to one disagreeing with the aforementioned premise that we should switch to a PQ only scheme making use of said algorithm. Rehashing that is just stating the obvious.

What wasn't presented was any reasoning to back an elevated risk assessment for any particular PQ algorithm, of which there are several. So at that point the "argument" amounts to little more than "nuh-uh, that risk assessment is wrong" which isn't exactly convincing or insightful.


> hybrid is proving to be quite difficult for entirely nontechnical reasons.

This is hard to square with the reality that hybrid systems are already widely deployed while pure PQC isn't.



