The move, recently proposed by influential researcher Scott Aronson, is a complete change from the strict 90-day disclosure policies introduced by Google’s Project Zero two decades ago and an accepted norm that has driven security research for even longer. Other researchers are already criticizing the lack of details.
“I think it’s dangerous to claim there is no immediate security risk from an algorithm that requires a computer that doesn’t exist,” said Matt Green, a Johns Hopkins University professor who studies cryptography. “Given that the stakes are so low here (for the same reason) I would classify this as less harmful, and more of a publicity stunt. I think this is more of a PR move than anyone’s serious concern.”
Google is also facing scrutiny for focusing on the harm CRQC could do to cryptocurrencies rather than TLS implementation, DocuSign signatures, digital certificates, or any other common applications that impact large populations of people – an obsession of vocal influencers and the current White House.
“While CRQCs certainly pose a threat to blockchain-based technologies based on classical ECC algorithms, they are just one of many systems in our modern world that need to quickly transition to PQC,” LaMacchia said, referring to post-quantum cryptography. “Especially when reading some of the policy proposals at the end of the white paper, I am simply struck by how Google is focusing on a policy framework to solve problems that seem unique to the cryptocurrency space (e.g., escrow digital assets), and not the general threat that CRQC poses to all of our systems that use public-key cryptography.”
<a href