"At 10% threshold, assuming a 10-μs code cycle and non-local connections, one key can be generated every 10 minutes using 6000 modules with 1152 physical qubits each."
1152 qubits sounds like the D-Wave chips. So does that mean 6000 D-wave chips ?
Even if you reverse the calculation, that would be 60000 minutes on 1 chip, which is about 42 days only, so.
Quantum Too Good
The paper is about digital gate-based quantum computers. These have almost nothing in common with D-Wave's analogue quantum annealers. They certainly cannot run Shor's algorithm (they don't run algorithms at all).
If I remember correctly, the chips in D-Wave machines are for specific problems (optimization problems mostly), so it seems very unlikely they can run the quantum circuits proposed in the article.
The D-Wave ones surely can't (theoretically unproven if it's doing anything 'useful', even if 'quantum').The ones that others have, theoretically can in the 'awesome future', but as yet can't (too noisy).
Hype aside - the largest number factored using Shor on a physical device is 21 (unclear if they actually used the result of the factoring to design the circuits like they did with 15).
That seems like a damning critique, but the reality is that quantum capabilities can and likely will advance as a series of step functions. The quantum machines we can build now are so noisy that we can’t even factor 3 digit numbers. However low nois quantum computers are on the drawing board and would bring many order of magnitude improvements nearly overnight.
About 5 years ago I wrote my master thesis on quantum computing, specifically on the construction of quantum circuits. As these circuits are generally unitary matrices an interesting question is: Given a set of gates that operate on one qbit or two qubits (controlled gates) and a target unitary matrix (e.g. fourier transform or the hamiltonian of a physical system of interest such as an Ising model), can we find an optimal/minimal arrangement of those gates to approximate or exactly match the target matrix.
Back then I modelled the quantum circuit as a set of unitaries (by parametrizing them through their generator), that operate on one or two qubits, set a limit to the amount of steps and the amount of controlled gates and then threw different optimization algorithms at it. I got the best performance using simple dense neural networks. What's cool is that I could generate a training set really quickly since I could just randomly build tensor products of unitary matricies to create billions of unitaries of up to 7 qubits in minimal time and then just see how close I can get given a fixed length for the quantum circuit and a fixed number of control gates.
I really liked this approach and it was fun to work on. However it was ultimately
limited as the size of the matrices scales exponentially with the number of qubits.
I have a feeling the quantum-crypto conversation is going to take off like a rocket after IBM does their Quantum System 2 presentation later this year.
So its mostly just public-key encryption and its been a known issue since about 1994. We are still nowhere near making quantum computers that can crack them so its not an urgent thing. There has been a lot of research into alterantives though.
Forward secrecy does not provide any value against cryptography compromise. Quite the opposite as it depends on the security of the cryptography over the long term to insure old messages stay inaccessible after the key is forgotten.
Forward secrecy addresses this specific attack:
* Someone builds a archive of your encrypted messages, possibly without your knowledge or consent.
* That someone then gets access to your secret key material.
* They can then decrypt their archive.
The session keys are exchanged by the asymmetrical systems that the imagined quantum computer would be able to break. So the attacker gets the session keys directly. So for, say, signal, they only have to break a new key exchange which doesn't happen all that often. They can just run the hash ratchet after that. Even for TLS that does a new session key per connection, that connection might last a fair time. The 10 min can be spread over multiple connections for this proposal. We are hardly talking about a massive increase of difficulty.
I mean, it depends a little bit on what your threat model is. If it takes a week to break a key, and you have hundreds of thousands of tls sessions without knowing which is the relavent one, it is definitely something. But yeah it seems like it would quickly become a minor hurdle once real quantum computers become a thing and presumably have their own moore's law.
I agree with you that the statement is overly broad, but the person is referring to asymmetric cryptography in the past tense, making me read it as not about PQC because PQC is indeed the fix for the stated problem but must be applied first and until then, indeed we've always known QC are going to be an issue that needs solving.
But its still bleeding edge. Its been used for experimental purposes but always in combination with a traditional algorithm (so if its broken the traditional algo still secures things). Its definitely not trusted yet.
Crypto does not, for a lot of reasons, but biggest I can think of is that hashing is still one-way, public keys are hidden (until used, which is why it is important to expose your public key only when using funds).
When there is a viable ECC attack vector, it will not be much effort to migrate to a more mature PQC. Better to wait as long as possible, maybe even have a crypto built on PQC to field test it with money on the line -- a few billion in market cap goes a long way to incentivizing breaking the crypto involved.
Kind of goes without saying when nobody has built a quantum computer of the type we are talking about. No general purpose error corrected quantum computer has been used to do anything because they don't exist yet.
I don't think that's common knowledge. It's commonly accepted truth in the industry, but particularly when most people think of military/spies as secretly X years ahead (pick a number) of what the public knows is possible, the tech sector in general can't be expected to know this. It's good to add this in a thread with a headline that sounds like anyone using ecc keys might have a big problem.
That particular demonstration is interesting, but it's not a general-purpose error-corrected quantum computer. It's a single-purpose quantum computer that simulates a quantum process with fewer gate operations than a classical computer needs to simulate the same process.
That's not true. There is such a thing as a completely general set of quantum gates, which combined with qubit memory, would make for a general quantum computer capable of computing any unitary transformation to a certain accuracy.
Not fully general, no. There is no such thing like a "Turning machine" for quantum computers. There are classes of algorithms like Shor's, Grover's, and quantum annealing which can be used to solve large many instances of related problems.
This is kinda like how matrix diagonalization can be used to solve any problem which is expressible as a linear system of equations, and to some degree any continuous function can be approximated by a linear system, so a BLAS + LAPACK accelerator is a "universal simulation engine."
You could probably build a generic Shor's algorithm quantum computer that is able to both factor integers and break elliptic curve keys. But the same quantum computer wouldn't be usable for Grover's algorithm to find the presage of a cryptographic hash. This is what I mean by there not being a "universal quantum computer" in the same way a Turing machine is a universal classical computer. Quantum computers by their very nature are ASIC implementations of specific algorithms, even though those algorithms might have some multi-domain applicability.
That really isn't true. If you have the CNOT gate, controlled rotation and phase shift, you can implement any operation on a set of qbits. If you then have quantum registers, you have a truly universal quantum computer, as you can then use registers to chain operation arbitrarily.
This computer would be able to do Shor, Grover, QAOA, as well as any classical algorithm of course. If you're interested, I can try to describe the proof of universality, it's just a bit of linear algebra. Otherwise, you can look up "Solovay-Kitaev theorem".
1152 qubits sounds like the D-Wave chips. So does that mean 6000 D-wave chips ?
Even if you reverse the calculation, that would be 60000 minutes on 1 chip, which is about 42 days only, so. Quantum Too Good