DoctorOetker 2 days ago

> [...] including transitioning blockchains to post-quantum cryptography (PQC), which is resistant to quantum attacks.

PQC is not defined as "being resistant to quantum attacks", nor does it necessarily have this property: PQC is just cryptography for which no quantum attack is known yet (for example, even when no one has tried to design a quantum computation to break the cryptography). One cannot demonstrate that a specific PQC algorithm is resistant to quantum attacks; it is merely presumed until proven otherwise.

tromp 2 days ago | parent

I think that "having no known quantum attack" is a reasonable interpretation of "quantum resistant". If there were no possible "quantum attack" (under appropriate complexity assumptions, such as EC-DLP not being in P), then we could call it "quantum proof" instead of quantum resistant.

DoctorOetker 20 hours ago | parent

I understand what you mean, but I think such a concept or definition would be highly misleading: "having no known quantum attack" means every novel encryption method would be automatically "quantum resistant" for having had 0 adversarial attempts to find quantum or even classical weaknesses!

There should be some measure of competence-level-adjusted man-hours of cryptographers and mathematicians trying to swing their favorite hammers at the problem; in order to estimate this "quantum resilience".

defrost 19 hours ago | parent

In minutes, on a single computer, for example, is the lowest bar.

* https://mathematical-research-institute.sydney.edu.au/quantu...

* https://magma.maths.usyd.edu.au/magma/

Props to John Cannon, George Havas, Charles Leedham-Green, et al.