Sam Jaques
@sejaques.bsky.social
Assistant prof at U Waterloo. Aspiring full-stack cryptographer. Loves math, plants, flashcards. Opinions reflect those of all past, present, and future employers.
Nice! Now (to steal Luca's joke) it's only 11 more factors of 2 to go for SQISign to be faster than MLDSA?
September 13, 2025 at 8:57 PM
This is a valid signature for user i. Then when the adversary presents a forgery (w*,c*,z*) against user j, just subtract cr_j from z* and it's a forgery for your challenger. This works... but only because the public key was not hashed into the challenge! Very bad idea!
September 3, 2025 at 5:39 PM
Your challenger's public key is xP, so all the users you simulate for the multi-user adv can use PK_i=(x+r_i)P for some random r_i. If the adversary requests a signature on m from user r_i, you can send m to your challenger and get (w,c,z)=(yP,H(w||m),y+cx). Set z'=z+cr_i and return (w,c,z').
September 3, 2025 at 5:39 PM
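The multi-user reduction sketched in this post and the one above it, as an added example that is not part of the original thread: toy Schnorr over a small prime-order group, the rerandomised key PK_i = (x + r_i)P, the z' = z + cr_i shift that lets the reduction answer signing queries, the z* - cr_j shift that maps a forgery back, and the same shifts failing once the public key is hashed into the challenge (the key-prefixed variant). The group parameters, the message values and the stand-in "forgery" (an honest signature under PK_j) are constructed assumptions.

```python
import hashlib
import secrets

# Toy prime-order group for readability only: p = 1019 = 2*509 + 1 is a safe
# prime and g = 4 generates its subgroup of order q = 509 (constructed, far too
# small for real use). The post's xP is written multiplicatively as g^x mod p.
P_MOD, Q, G = 1019, 509, 4

def _h(*parts: int) -> int:
    """Challenge hash H, kept as a full 256-bit int; reduced mod q only in exponents."""
    return int.from_bytes(hashlib.sha256(repr(parts).encode()).digest(), "big")

def keygen() -> tuple[int, int]:
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P_MOD)                            # (x, xP)

def sign(x: int, pk: int, m: int, key_prefixed: bool) -> tuple[int, int, int]:
    y = secrets.randbelow(Q - 1) + 1
    w = pow(G, y, P_MOD)                                  # w = yP
    c = _h(pk, w, m) if key_prefixed else _h(w, m)        # H(PK||w||m) or H(w||m)
    return w, c, (y + c * x) % Q                          # z = y + cx

def verify(pk: int, m: int, sig: tuple[int, int, int], key_prefixed: bool) -> bool:
    w, c, z = sig
    c_ok = c == (_h(pk, w, m) if key_prefixed else _h(w, m))
    return c_ok and pow(G, z, P_MOD) == w * pow(pk, c % Q, P_MOD) % P_MOD

def derived_pk(pk: int, r: int) -> int:
    """PK_i = (x + r_i)P, computable from xP alone (x stays unknown)."""
    return pk * pow(G, r, P_MOD) % P_MOD

def shift_z(sig: tuple[int, int, int], r: int) -> tuple[int, int, int]:
    """Re-target a signature from xP to (x + r)P via z' = z + c*r (use -r to go back)."""
    w, c, z = sig
    return w, c, (z + c * r) % Q

def reduction_works(key_prefixed: bool) -> tuple[bool, bool]:
    """(simulated signature verifies under PK_i, forgery under PK_j maps back to xP)."""
    x, pk = keygen()
    r = secrets.randbelow(Q - 1) + 1                      # the reduction's r_i (= r_j here)
    pk_i = derived_pk(pk, r)
    simulated_ok = verify(pk_i, 42, shift_z(sign(x, pk, 42, key_prefixed), r), key_prefixed)
    # Stand-in for the adversary's forgery: an honest signature under PK_j = PK_i.
    forgery = sign((x + r) % Q, pk_i, 7, key_prefixed)
    mapped_ok = verify(pk, 7, shift_z(forgery, -r), key_prefixed)
    return simulated_ok, mapped_ok
```

With the plain challenge H(w||m) both shifts succeed; with H(PK||w||m) the recomputed challenge no longer matches, which is exactly why key-prefixing closes this route.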
I was way miscalibrated at the time and thought the extra Toffoli count would end up using more space in the end thanks to state distillation. Not sure how typical my perspective was
Important lesson in scientific celebrity culture nonetheless
July 31, 2025 at 11:28 PM
I've been reading "Burdens of proof", which makes an interesting point on this: law wants to operate on a vastly longer time scale than most file formats, for good reason.
July 22, 2025 at 1:40 AM
So we have an adversary that can decrypt c to a different message with a different key? They can just compute their own tag of this other key and message, hash it, and replace the "T" part of the ciphertext?
July 8, 2025 at 12:59 AM
Reasonable! When I read the screenshot you took, I see a lot of technical terms I can't contextualize. How meaningful is a "2 star relationship"? I can't tell but an expert in the field could.
Then again, scientists asked for quotes can absolutely give a rushed take and get things wrong.
July 3, 2025 at 4:03 PM
It's normal and good for journalists to talk to scientists in the same field but not associated with the research, as they can offer an informed but less biased take
July 3, 2025 at 3:39 PM
My current model of agriculture is we generally optimize for high yield at low labour, and there's room for high-yield and sustainable if we accept high labour inputs. Is this a plausible and useful perspective?
July 3, 2025 at 3:36 PM
Oh of course not, it would be a tourist attraction. Maybe a quirky hotel
June 21, 2025 at 5:34 PM
I wouldn't say steady: arxiv.org/abs/2009.05045 tries to extrapolate and the data looks really noisy. E.g., fig. 8. If we put today's devices on this, the best would maybe be on the orange line
June 20, 2025 at 8:55 PM
Probably closer to 13 doublings if we look at chips with all the good properties we want. There hasn't been a consistent exponential growth yet.
June 20, 2025 at 5:53 PM
Craig Gidney's work tackles that question: arxiv.org/abs/2505.159.... Check out the figures in the appendix: the physical qubits are used quite densely!
June 20, 2025 at 12:40 AM
This work (eprint.iacr.org/2024/222) made the output bit compression efficient
Reducing the Number of Qubits in Quantum Factoring
June 20, 2025 at 12:05 AM
If I get what you're talking about: a different technique (arxiv.org/abs/1905.100...) compresses the output bits, which is incompatible (if you compress input as well, you can factor with a classically simulatable # of qubits: likely impossible).
June 20, 2025 at 12:05 AM
And on a network of quantum computers, you'd have to re-optimize the algorithm, which would push the resource estimates back up
June 19, 2025 at 11:23 PM
To be clear there is no 2100 qubit device! Maybe I should rewrite that part :) but the estimates assume one device. There are known methods to network quantum devices together, but the tech is lagging behind a bit compared to the speed and quality of one device
June 19, 2025 at 11:23 PM
A 20x improvement warrants an "extra"!
June 19, 2025 at 10:12 PM