The article discusses the hypothesis that the NSA has broken ECC classically, and is lying to us.
But conspiracy theories aside, does 3072 bit RSA fall along with 256 bit ECC with the same quantum difficulty? Don't you have to have coherence of substantially more qubits in the former case?
Loosely speaking, you need n + epsilon qubits and 4n^3 operations to break RSA-n, whereas you need ~6n qubits and 360n^3 operations to break ECC-n. For n = 256, you need around 1536 qubits, whereas you need at least 3072 for RSA-3072.
This suggests a criterion to reject P-256: it needs fewer than 2048 qubits to break. P-384 is above this threshold, at around 2.5k qubits. Hey, it's as good speculation as any.
Does this mean that barring a quantum-hard alternative we could get effectively quantum-hard crypto by using crazy key sizes like RSA-131072 or ECC-4096?
> However, it will require major advances in physics and engineering before quantum computing can scale significantly. When that happens, of course P-256 and P-384 will fall first. But, as the head of cybersecurity research at a major corporation put it, “after that it’s just a matter of money” before RSA-3072 is broken. At the point when P-384 is broken it would be unwise to use either ECC or RSA. It is not likely that the gap between quantum cryptanalysis of a 384-bit key and a 3072-bit key will be great enough to serve as a basis for a cryptographic strategy.
But conspiracy theories aside, does 3072 bit RSA fall along with 256 bit ECC with the same quantum difficulty? Don't you have to have coherence of substantially more qubits in the former case?