
NSA seeks to build quantum computer that could crack most types of encryption - JunkDNA
http://www.washingtonpost.com/world/national-security/nsa-seeks-to-build-quantum-computer-that-could-crack-most-types-of-encryption/2014/01/02/8fff297e-7195-11e3-8def-a33011492df2_print.html
======
tptacek
1. $80MM isn't even in the ballpark of what it would cost to build a quantum-
theoretic machine that could break IFP (RSA) or DLP (DH, DSA) crypto.

2. $80MM is way, way past the threshold believed to be required to break the
most widely deployed public-key crypto, RSA-1024. Put differently: there are
venture capitalists who could successfully fund an effort to break the most
widely-deployed public key crypto.

3. If it is feasible to build a quantum-theoretic machine to break RSA, it is
vitally important that the NSA attempt to do so; such work is at the very core
of their mission.

I have no insight into what's actually happening behind this disclosure, but
the price tag on it suggests to me that it's just a research project.

Since NSA is the kind of organization that historically spends $80MM on paper
clips, the number suggests to me that quantum-theoretic attacks on IFP and DLP
crypto aren't currently a serious thing. But that's a wild guess.

~~~
sillysaurus2
What would you use as an RSA replacement? Beyond that, is there a technique
that's still relatively simple like RSA (humor me) but impervious to publicly-
known quantum attack vectors like Shor's algo?

~~~
rdtsc
I was going to jump in and say ECC

[https://en.wikipedia.org/wiki/Elliptic_curve_cryptography](https://en.wikipedia.org/wiki/Elliptic_curve_cryptography)

but, searching I found that it is apparently vulnerable to quantum computing
attacks (wikipedia points me to: Nielsen, Michael A.; Chuang, Isaac L. Quantum
Computation and Quantum Information. p. 202) and also found this:

[http://www.mathcs.richmond.edu/~jad/summerwork/ellipticcurve...](http://www.mathcs.richmond.edu/~jad/summerwork/ellipticcurvequantum.pdf)

~~~
scythe
Elliptic curve cryptography is logically equivalent to prime-factorization
cryptography in a sense: both are special cases of the _hidden subgroup
problem_. DLP is also a version of the hidden subgroup problem. Any variant of
HSP can be broken by a quantum computer using a variant of Shor's algorithm.
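
As an added illustration of the point above (this is not code from the thread): the part of Shor's algorithm that a quantum computer actually speeds up is the period-finding step inside `find_order`. Everything around it is classical, and the same period-finding idea is what gives the quantum attack on discrete logs (DH, DSA, ECDSA). Here the quantum step is stubbed out with brute force, so it only works on toy moduli, but the reduction from factoring to order finding, and from factoring to the RSA private exponent, is exactly the one a real attack would use. The key (3233, 17) is the usual textbook toy RSA key, not anything from the article.

```python
"""Shor's algorithm with the quantum step stubbed out.

Added example (not from the thread). Shor's factoring algorithm is a classical
reduction from factoring N to finding the multiplicative order r of a random
base a modulo N; only the order-finding step runs on the quantum computer.
Here `find_order` does that step by brute force, which is exponential in the
size of N and only feasible for toy moduli, but the surrounding reduction is
the classical glue a real quantum attack on RSA would use as well.
"""
from math import gcd
import random


def find_order(a: int, n: int) -> int:
    """Smallest r > 0 with a**r == 1 (mod n), for gcd(a, n) == 1.

    This is the only step Shor runs on a quantum computer (period finding
    via the quantum Fourier transform). Brute force stands in for it here.
    """
    r, x = 1, a % n
    while x != 1:
        x = (x * a) % n
        r += 1
    return r


def shor_factor(n: int, rng=None, max_tries: int = 200):
    """Return a nontrivial factorisation (p, q) of a composite n that has at
    least two distinct prime factors. (Prime powers are excluded by a separate
    classical check in the full algorithm; that check is omitted here.)"""
    rng = rng or random.Random(0)
    if n % 2 == 0:
        return 2, n // 2
    for _ in range(max_tries):
        a = rng.randrange(2, n)
        g = gcd(a, n)
        if g > 1:  # lucky guess: a already shares a factor with n
            return g, n // g
        r = find_order(a, n)
        if r % 2:  # odd order gives no square root of 1; pick another base
            continue
        y = pow(a, r // 2, n)  # y*y == 1 (mod n) because r is the order of a
        if y == n - 1:  # trivial root (y == -1 mod n): pick another base
            continue
        # y is a nontrivial square root of 1, so (y-1)(y+1) == 0 (mod n)
        # while n divides neither factor: gcd(y-1, n) is a proper factor.
        p = gcd(y - 1, n)
        return p, n // p
    raise ValueError(f"no factorisation of {n} found in {max_tries} tries")


def recover_rsa_private_exponent(n: int, e: int) -> int:
    """What a Shor-capable adversary does with an RSA public key (n, e):
    factor n, compute phi(n), invert e. Needs Python 3.8+ for pow(e, -1, m)."""
    p, q = shor_factor(n)
    phi = (p - 1) * (q - 1)
    return pow(e, -1, phi)


if __name__ == "__main__":
    n, e = 3233, 17  # textbook toy RSA key: n = 61 * 53 (constructed input)
    d = recover_rsa_private_exponent(n, e)
    c = pow(65, e, n)
    print("recovered d =", d, "; ciphertext", c, "decrypts to", pow(c, d, n))
```

The brute-force `find_order` is where all the classical cost sits; on a large enough fault-tolerant quantum computer that step becomes polynomial in the bit length of n, and nothing else in the attack changes.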

~~~
venomsnake
How broken is the question: does the NSA crack 2048-bit keys, so we just double
the key size and are safe for 3-4 more years, or is it so trivial that it
doesn't matter how big the key size is?
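
The two scenarios in the comment above correspond to two very different cost curves, and it is worth putting numbers on them. This is an added example, not from the thread: it compares the heuristic running time of the general number field sieve (the best classical attack on RSA) with a simple n^3 gate-count model for Shor's algorithm. The GNFS formula is used without its o(1) term and the n^3 model is the schoolbook estimate (an assumption; better multiplication circuits only lower the exponent), so the absolute numbers are rough, but the ratios show why doubling the key size is a non-answer against Shor.

```python
"""Why doubling the RSA key size does not buy much against Shor.

Added example, not from the thread. Two cost models as a function of the
modulus size n in bits:
  * classical: GNFS heuristic running time
    L_N[1/3, (64/9)^(1/3)] = exp(c * (ln N)^(1/3) * (ln ln N)^(2/3)),
    used without its o(1) term (rough absolute values, standard ratios);
  * quantum: Shor's algorithm with schoolbook modular exponentiation,
    roughly n^3 gates (assumption: the simplest textbook estimate).
"""
import math


def gnfs_cost_bits(n_bits: int) -> float:
    """log2 of the GNFS heuristic running time for an n_bits modulus."""
    ln_n = n_bits * math.log(2)
    c = (64 / 9) ** (1 / 3)
    return c * ln_n ** (1 / 3) * math.log(ln_n) ** (2 / 3) / math.log(2)


def shor_cost_bits(n_bits: int) -> float:
    """log2 of the Shor gate count in the n^3 model."""
    return 3 * math.log2(n_bits)


def doubling_gain_bits(n_bits: int):
    """Extra attacker work (in bits) bought by going from n to 2n bits,
    returned as (classical_gain, quantum_gain)."""
    return (gnfs_cost_bits(2 * n_bits) - gnfs_cost_bits(n_bits),
            shor_cost_bits(2 * n_bits) - shor_cost_bits(n_bits))


def rsa_bits_for_quantum_work(target_bits: float) -> int:
    """Modulus size at which the n^3 Shor gate count reaches 2**target_bits,
    i.e. the key size needed to restore a given classical-style margin."""
    return math.ceil(2 ** (target_bits / 3))


if __name__ == "__main__":
    for n in (1024, 2048, 4096):
        print(f"RSA-{n}: GNFS ~2^{gnfs_cost_bits(n):.0f} ops, "
              f"Shor ~2^{shor_cost_bits(n):.0f} gates")
    print("doubling 1024 -> 2048 gains (classical, quantum) bits:",
          doubling_gain_bits(1024))
    print("modulus bits needed for 2^80 Shor gates:",
          rsa_bits_for_quantum_work(80))
```

Doubling from 1024 to 2048 bits adds roughly 30 bits of classical work but only 3 bits (a factor of 8) of quantum work, and pushing the n^3 gate count back up to 2^80 would need a modulus of about a hundred million bits. That is the "doesn't matter how big the key size is" case; the realistic response is a different algorithm, not a bigger key.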

------
crystaln
This is the sort of code-breaking the NSA _should_ be doing. If breaking
encryption algorithms is possible with quantum computers, we should figure out
how to do it before any other nation-state or hacker does. This discovery
would hopefully push forward encryption standards toward less breakable
encryption.

What we should not do is use those discoveries to illegally spy, but rather to
improve our security. Unfortunately, the NSA has lost credibility in
contributing to encryption standards, so how that would happen is unclear.

Breaking encryption with new technology is entirely different than subverting
encryption technologies intentionally or using their asymmetrical powers to
tap into communication systems. Any attacks that can be discovered will
hopefully first be discovered by relatively good actors (US intelligence)
rather than relatively bad ones (Chinese intelligence.)

~~~
yuliyp
If the NSA was able to break RSA, there's about a .1% chance they'd tell
people about it.

~~~
crystaln
If the NSA broke RSA, they'd know that it was only a short matter of time
before other intelligence agencies did the same, so it would be pretty stupid
of them to not hint to industry that they should upgrade their algorithms.

While the NSA wants communications to be vulnerable to them, they certainly
don't want communications to be vulnerable to others.

------
EthanHeilman
This is the first leak that lower bounds the NSA's capabilities. It suggests
that the NSA does not have a quantum computer.

If the NSA did have a quantum computer they might fund a project like this as
it would be suspicious not to.

__EDIT:__ The more I think about this, the less it says about the NSA
capabilities. They may attempt multiple paths to QC. The classification
document that WashPo released
([http://apps.washingtonpost.com/g/page/world/classifying-nsa-...](http://apps.washingtonpost.com/g/page/world/classifying-nsa-quantum-computing-efforts/692/))
outlines Level A (public) and Level B (classified)
research. All this shows is that the NSA is dedicating at least ~0.8% of their
budget to QC.

~~~
dnautics
I think you mean "upper bounds" the NSA's capabilities.

~~~
EthanHeilman
You are correct, but now HN will not let me edit it.

------
topynate
Both NSA and GCHQ have quite the history of co-opting smart mathematicians to
create secret _theoretical_ advances in cryptography and cryptanalysis, which
could well be relevant given a quantum computer with the following three
properties:

* Fully general. By this I mean capable of solving BQP problems in polynomial time. This excludes D-Wave machines, for example.

* Sufficiently large. 100 qubits would probably enable qualitative advances in cryptanalysis.

* Low enough error rate. This is a slightly redundant requirement, as too high an error rate would provably prevent the computer from being asymptotically faster than classical - which is what we care about.

The last requirement is due to the quantum threshold theorem[1]. Briefly,
there is an error rate below which quantum computing is possible and above
which it is not. The precise value is not known but it is probably over 1%
and, at least for some kinds of circuits, under about 40%. That means that at
the theoretical level, the task is to create a model of computation that has
as high a threshold limit as possible, and then to design an error correcting
scheme that comes close to that limit. This is something that a secret agency
could plausibly do in-house.

However, there is then the question of implementing the model of computation
in a physical system, with a sufficiently low error rate. NSA, GCHQ etc. are
not known to have this sort of experimental expertise - they would probably
have to contract it out (and indeed this is the major piece of new information
in the article). The history on fundamental advances over civilian technology
shows that this normally depends on co-opting basically the entire research
community working in the field - as in radar, nuclear weapons, stealth etc.
This is not at all the case for experimental quantum computing, which is not
in practice treated as a 'sensitive' field.

Thus it is my opinion that the NSA may well already have some theoretical
tricks up its sleeve that it can use in the future for a decent edge, but is
unlikely to get the opportunity to use them before quantum computing becomes
considerably more feasible in the unclassified world.

[1]
[https://en.wikipedia.org/wiki/Quantum_threshold_theorem](https://en.wikipedia.org/wiki/Quantum_threshold_theorem).
Bounds lifted from
[http://arxiv.org/abs/0802.1464](http://arxiv.org/abs/0802.1464).
Qualifications: I studied the mathematics of quantum computing as a Masters
student, although I can't claim to still be current on the state of the art.
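
The threshold phenomenon the comment above relies on can be seen in the simplest possible model, so here is an added example (not from the thread, and not a quantum code): the classical 3-bit repetition code with majority vote, concatenated with itself. Below the threshold each level of concatenation squares the error away; above it, encoding makes things worse. The toy model only handles bit flips and assumes perfect gates and measurements, which is why its threshold (exactly 1/2) is far above the roughly 1% to 40% range quoted for real quantum codes; the shape of the behaviour is the point.

```python
"""Threshold behaviour of a concatenated error-correcting code (toy model).

Added example, not from the thread. The quantum threshold theorem says that
below some physical error rate, concatenating a fault-tolerant code drives
the logical error rate to zero, and above it encoding does not help. The
same phenomenon appears in the classical 3-bit repetition code with majority
vote, used here as a stand-in. It corrects bit flips only, with perfect gates
and measurements; real quantum codes must also handle phase errors and faulty
operations, which is why their thresholds are far below this model's 1/2.
"""
import random


def one_level(p: float) -> float:
    """Logical error of 3-bit repetition + majority vote at physical error p:
    decoding fails iff at least 2 of the 3 bits flip."""
    return 3 * p ** 2 * (1 - p) + p ** 3


def logical_error_rate(p: float, levels: int) -> float:
    """Concatenate the code `levels` times: each bit of a block is itself an
    encoded block, so the error rate is fed back through one_level."""
    for _ in range(levels):
        p = one_level(p)
    return p


def threshold(lo: float = 1e-9, hi: float = 1 - 1e-9, iters: int = 60) -> float:
    """Bisect for the physical error rate where one level of encoding stops
    helping, i.e. one_level(p) == p. For this code it is exactly 1/2."""
    for _ in range(iters):
        mid = (lo + hi) / 2
        if one_level(mid) < mid:
            lo = mid
        else:
            hi = mid
    return (lo + hi) / 2


def simulate(p: float, levels: int, trials: int, seed: int = 0) -> float:
    """Monte Carlo check of logical_error_rate: flip each physical bit with
    probability p and decode recursively by majority vote."""
    rng = random.Random(seed)

    def block_fails(level: int) -> bool:
        if level == 0:
            return rng.random() < p
        return sum(block_fails(level - 1) for _ in range(3)) >= 2

    return sum(block_fails(levels) for _ in range(trials)) / trials


if __name__ == "__main__":
    for p in (0.01, 0.1, 0.4, 0.6):
        print(p, [round(logical_error_rate(p, k), 6) for k in range(4)])
    print("threshold:", threshold())
    print("simulated p=0.1, 1 level:", simulate(0.1, 1, 20000))
```

Below the threshold the logical error falls doubly exponentially in the number of levels (0.1 becomes about 1.6e-5 after three levels), which is what makes arbitrarily long computations possible at polylogarithmic overhead; above it (try 0.6) the logical error climbs towards 1.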

~~~
Snail_Commando
If you had to pick, say, three books (or the online equivalent) on quantum
computing that are relatively accessible to an educated layman, which ones
would you recommend?

~~~
topynate
I can tell you the book that got me excited about quantum computing: The
Fabric of Reality, by David Deutsch. It ranges over a much, much wider field
than just QC, but if you want to understand how one of the best theoreticians
thinks then there is no better book. Comprehensible by a smart 13 year old (as
I was when I read it).

If you have some mathematical maturity, I heartily recommend Quantum Computing
since Democritus, by Scott Aaronson. The book's web page is at
[http://www.scottaaronson.com/democritus/](http://www.scottaaronson.com/democritus/),
where you will also find freely available the lecture notes on which the book
is based. Scott Aaronson's blog
([http://www.scottaaronson.com/](http://www.scottaaronson.com/)) is also a
very valuable source of insider knowledge on QC, much of it targeted at a
broader audience. I recommend his "Ask Me Anything!" posts for a good breadth
of topics and technicality.

Schrödinger's Killer App by Jonathan P. Dowling is a pleasant alternative to
Fabric of Reality if the latter is too out-there for your tastes. No
equations, but it definitely has some conceptual meat on it.

------
ck2
When the limit to breaking encryption becomes only cost and not technical
hurdles, we have a huge problem.

Because there is no limit to tax dollars the government would be willing to
spend to spy on its own citizens. Congresspeople are already happy to line up
to throw money at the spy machinery which is the new arm of the industrial war
complex.

~~~
joshfraser
It's not even tax dollars. The Federal Reserve is at the root of many of our
problems -- congressional spending, the industrial war complex & NSA spying --
none of it would be possible if we weren't able to create money out of thin
air.

~~~
samstave
Thus illustrating exactly who is running the world and why when Occupy started
up they actually drafted plans to have LEOs assassinate the "leaders" of
Occupy.

This underscores the need to revive Occupy.

~~~
orthecreedence
Not to be a jerk, but Occupy was ineffective. Let it RIP. It spent so much
time being leaderless they couldn't decide what the hell they wanted.

We have to be more targeted about the changes we want. "We're pissed off about
lots of stuff and you better fix it all _or else_!" isn't going to work.

At this point though, it's almost like the house is completely engulfed in
flames. Which section do we put out first?

- The corrupt banking and money system? Our capitalist system is an immense
ponzi scheme. Economists act like you can have infinite growth. Forever.
They're delusional. At some point, you run out of people's back to crawl on
top of and your system collapses.

- On top of that, we have a one-party system: the capitalist-imperialist
party. _It is impossible to get a non-capitalist-imperialist elected in the
United States!_ We need a voting system overhaul, but good luck getting that
when everyone is bickering about abortion and gay marriage. The system has
successfully turned us against ourselves on issues that do not affect the
overall outcome of the nation, leaving the people in charge to do whatever
they feel like.

- We have a government agency with a bottomless pit of money spying on
_everybody_ , effectively cutting off our freedom of speech (who is going to
speak out against the government when a giant eyeball hovering over them at
all times?) At this point, there's no ring to cast into the volcano either.
Even if the NSA's activities are ruled unconstitutional, _who 's going to stop
them?_

- Our country's leaders are spending millions to create more terrorists by
bombing countries in the middle east with drones. You take out some kid's
house and family with a drone, what do you expect is going to happen? They'll
thank you for keeping the streets safe? No, they grow up to be a "terrorist."

I hate to be one of those "the sky is falling" nerds, but if it takes as much
work and pressure as it has to get the people around you to barely even raise
an eyebrow at what's going on, you know you're not headed for something good.

~~~
samstave
Great post. I totally agree, and it is for these reasons I loathe anyone who
defends the actions of the USG/NSA.

I also find it incredibly naive of others who make statements, here on HN and
elsewhere, that the US is NOT a real tyranny as compared to others like
Russia/China/whatever.

Sure it is; it's just much, much more successful at population control.

~~~
orthecreedence
Exactly. Our propaganda isn't posters of people marching in support of our
glorious nation. It's much more subtle. Instead you just make people think
they're free when really, they are only free to march along the dotted line.
Free to buy what they want. Free to watch 500 channels. The government doesn't
even need to enforce it because it's ingrained in our culture. Try bringing up
how failingly stupid US capitalism is or how broken the voting system is and
people spend every breath they have bitching you out for being un-American. I
feel like we got really close to people waking up a little bit around when the
2008 crash happened, but since then it's been business as usual for the most
part, unfortunately.

------
PavlovsCat
Apologies for being extremely clueless, I don't even understand advanced math,
not to mention encryption, not to mention "quantum stuff"; that's why I ask
here: is it theoretically possible (or could it be in the future) to use
quantum computers for encryption, too? If so, would that reduce options for
breaking it to "brute force on the quantum level"? Does this question even
make sense?

~~~
topynate
I don't know of any research into this area, but it's conceivable that you
could have an encryption algorithm that is polynomial time (given the key!) on
a quantum computer but exponential time classically, _and_ that has some
better security guarantees given certain common assumptions. However, quantum
algorithms of any sort are difficult enough to invent that we'll likely end up
using classical algorithms that 'look' hard to break with quantum computers,
i.e. ones where prime factoring doesn't help.

The real quantum defence appears to be something rather different. Quantum
cryptography
([https://en.wikipedia.org/wiki/Quantum_cryptography](https://en.wikipedia.org/wiki/Quantum_cryptography))
uses polarised photons to create _very_ strong guarantees that your
communication is secure. We can say that if you do the engineering correctly,
the laws of physics would have to be violated to intercept your messages.
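
To make the mechanism in the comment above concrete, here is an added example (not from the thread) of the BB84 exchange in a toy simulation: photons are modelled as (bit, basis) pairs, a measurement in the wrong basis gives a random result, and an intercept-resend eavesdropper therefore raises the error rate of the sifted key to about 25%, which Alice and Bob detect by sacrificing a sample of it. Nothing here models the optics, and the classical channel is assumed to be authenticated, which is the part a real deployment still has to get from ordinary cryptography. The 11% abort bound is the commonly quoted limit from the BB84 security proofs and is a parameter, not a claim about any product.

```python
"""Toy BB84 key exchange with an intercept-resend eavesdropper.

Added example, not from the thread. Alice encodes random bits in random
polarisation bases, Bob measures in random bases, both publicly compare bases
and keep the matching positions (sifting). Measuring in the wrong basis gives
a random bit, and Eve cannot copy a photon, so to read it she must measure and
resend; each wrong basis guess then has a 50% chance of corrupting a bit Bob
would otherwise have received correctly. Photons are (bit, basis) pairs; the
classical channel is assumed authenticated.
"""
import random


def run_bb84(n_photons: int, eavesdrop: bool, seed: int = 0):
    """Return (alice_sifted_key, bob_sifted_key)."""
    rng = random.Random(seed)
    alice_bits = [rng.randrange(2) for _ in range(n_photons)]
    alice_bases = [rng.randrange(2) for _ in range(n_photons)]  # 0 rectilinear, 1 diagonal
    photons = list(zip(alice_bits, alice_bases))

    if eavesdrop:
        # Intercept-resend: Eve measures in a random basis (wrong basis gives a
        # random outcome) and forwards a photon prepared in the basis she used.
        photons = []
        for bit, basis in zip(alice_bits, alice_bases):
            eve_basis = rng.randrange(2)
            eve_bit = bit if eve_basis == basis else rng.randrange(2)
            photons.append((eve_bit, eve_basis))

    bob_bases = [rng.randrange(2) for _ in range(n_photons)]
    bob_bits = [bit if basis == b else rng.randrange(2)
                for (bit, basis), b in zip(photons, bob_bases)]

    # Sifting over the authenticated classical channel: keep positions where
    # Alice's and Bob's bases agree. Eve learns the bases too, but only after
    # the photons are gone.
    keep = [i for i in range(n_photons) if alice_bases[i] == bob_bases[i]]
    return [alice_bits[i] for i in keep], [bob_bits[i] for i in keep]


def qber(key_a, key_b) -> float:
    """Quantum bit error rate of the sifted key."""
    return sum(a != b for a, b in zip(key_a, key_b)) / len(key_a)


def check_channel(key_a, key_b, sample_fraction: float = 0.1,
                  max_qber: float = 0.11, seed: int = 0):
    """Sacrifice a random sample of the sifted key to estimate the error rate.
    Return None (abort) if it exceeds max_qber, else the unsampled remainder
    for Alice and Bob. 0.11 is the commonly quoted BB84 proof bound; deployed
    systems use a lower operational limit."""
    rng = random.Random(seed)
    idx = list(range(len(key_a)))
    rng.shuffle(idx)
    n_sample = max(1, int(len(idx) * sample_fraction))
    sample, rest = idx[:n_sample], idx[n_sample:]
    observed = qber([key_a[i] for i in sample], [key_b[i] for i in sample])
    if observed > max_qber:
        return None
    return [key_a[i] for i in rest], [key_b[i] for i in rest]


if __name__ == "__main__":
    for eve in (False, True):
        ka, kb = run_bb84(20000, eavesdrop=eve)
        verdict = "abort" if check_channel(ka, kb) is None else "key accepted"
        print("eavesdropper" if eve else "clean channel",
              "QBER =", round(qber(ka, kb), 3), verdict)
```

Note what the simulation does and does not show: the physics stops a passive tap on the photon channel, but the basis comparison and the error-rate check run over the classical channel, and without authentication of that channel a man-in-the-middle simply runs two BB84 sessions, one with each side. That dependency on classical authentication is the core of the objection in the reply below.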

~~~
tptacek
The "quantum cryptography" you describe here isn't a defense against quantum
cryptanalysis; it's more like a novelty act.

[http://rdist.root.org/2008/10/24/quantum-cryptography-is-use...](http://rdist.root.org/2008/10/24/quantum-cryptography-is-useless/)

------
jrwoodruff
Full version of the article, with sane paragraph measures and distracting
teasers and social features.

[http://www.washingtonpost.com/world/national-security/nsa-se...](http://www.washingtonpost.com/world/national-security/nsa-seeks-to-build-quantum-computer-that-could-crack-most-types-of-encryption/2014/01/02/8fff297e-7195-11e3-8def-a33011492df2_story.html)

------
redthrowaway
Good. That's their job. I'm not worried about the NSA using quantum computing,
as fiscal realities dictate that it would have to be narrowly targeted at a
small subset of the encrypted information out there. I'm fine with them
recovering plaintext from pgp-encrypted emails sent between suspected al-Qaeda
members. I'm not fine with them breaking encryption en masse and compromising the
integrity of the Internet.

~~~
bashinator
I thought the whole point of using quantum computing to break crypto, is that
you can break encryption (e.g. RSA private keys) en masse for the same or less
cost than traditional computing requires to break them one-at-a-time.

------
bitsteak
"Physicists and computer scientists have long speculated about whether the
NSA’s efforts are more advanced than those of the best civilian labs. Although
the full extent of the agency’s research remains unknown, ___the documents
provided by Snowden suggest that the NSA is no closer to success than others
in the scientific community.___"

Nothing to see here but false outrage and surprise, move along.

------
veganarchocap
Wait what? The NSA is still going? Surely it should be shut down after its
discovery, and the mass outrage it caused worldwide.

The fact they're continuing their work, is blatant contempt and disregard for
not just the citizens of the U.S. but for the rest of the world, too. American
taxpayer money goes to fund this, it's absolutely criminal. They're expecting
you to pay for them to spy on you, for your 'safety'. We need countermeasures
or to target them directly. They need taking down.

It's absolutely insane, 'okay, you caught us! But we don't care!' is the
message this act emits.

------
f_salmon
Or:

How to reduce the value of the Internet as much as possible for everybody.

Nice, really nice.

------
throwawayusa
I honestly don't understand why the NSA bothers with this. All they have to do
is claim that someone is a threat and they are then able to seize said person,
secret them away, and make them an unperson in some government facility that
we've yet to learn about.

~~~
msoad
What they want is information on such a person BEFORE they were accused of the
crime. Therefore they need all the information on everyone!

------
gamebak
I didn't know when it was going to happen but I knew it would. That 80m
investment is nothing; imagine if they will use it to crack sha256 from
bitcoins? A 9-10 billion "business" opened for them. Plus, privacy = lost

~~~
tptacek
Quantum cryptanalysis doesn't meaningfully threaten SHA256.

~~~
nly
But it does threaten ECDSA used by Bitcoin.

------
cowardlyanon
PSYOPS101 - Make it public that you seek something you already have.

------
dandare
I, for one, welcome our new quantum overlords.

Seriously, I don't think it's illegitimate to pursue new technologies that
would render the old ones obsolete.

------
2810
so Bitcoin is doomed?

~~~
dionyziz
If we have quantum computers, yes. By that time, we'll upgrade our elliptic
curve algorithms to post-quantum cryptography however.

------
BostX
RLY? OMG, who would expect that?!?!

