
Quantum computers will break the encryption that protects the internet - jkuria
https://www.economist.com/science-and-technology/2018/10/20/quantum-computers-will-break-the-encryption-that-protects-the-internet
======
air7
This is a non-issue IMO. Contrary to popular belief, QCs are not magical
oracles that can do arbitrary exponential calculations in polynomial time.
Instead QCs can do only very specific things better than conventional
computers, and there is a surprisingly low number of known algorithms for QCs
even though people have been looking. While it's true that Shor's algorithm
allows a QC to potentially factor integers in polynomial time, breaking RSA,
there are other popular encryption schemes with no known quantum weaknesses
and there's a whole field called Post-Quantum Cryptography looking at this
property explicitly.

And just like upgrading SSL 3.0->TLS 1.1->TLS 1.2->TLS 1.3 was done due to
discovered weaknesses yet mostly transparently and with no Y2Kish hype of "the
internet is broken", so will we upgrade to quantum resistant algorithms if and
when QCs become a reality.

~~~
atq2119
You probably mean well, but this is dangerous misinformation. There are _no_
popular _public-key_ encryption schemes that are safe against quantum
computing.

The only popular public-key encryption schemes are based on RSA and ECC, both
of which are broken by variants of Shor's algorithm.

Yes, popular symmetric cryptography is safe to the best of our knowledge, but
that doesn't help much since virtually all symmetric crypto that is actually
applicable at scale relies on some initial public-key crypto for
bootstrapping.

And yes, there's research into post-quantum public-key cryptography, but it's
pretty underwhelming so far. It seems possible, but at a horrible loss of
performance (keys are sized on the order of kilobytes or more, as opposed to
32 bytes for ECC).

I'm pretty pessimistic about the consequences of quantum computing, to be
honest.

~~~
calhoun137
"Dangerous misinformation" to say quantum computers are not magical oracles?
The entire subject of QC is literally a hoax! The only danger is that if
people don't think they are magical they might want to cut off the funding. If
I were to say I know a magical oracle who can break encryption with pure
thought, it wouldn't be much different than the kinds of claims you hear about
quantum computers on a daily basis. I used to do experimental physics for many
years, and all of my colleagues and I thought quantum computers were a joke.
Mainstream physics people understand there is an intense debate over whether or
not it's even possible to build a quantum computer. Nothing to see here, it's
just the QC hype train doing its thing.

~~~
Misdicorl
There isn't a debate about whether it's possible since it's already been
done... Your comment is either lacking context to explain what you really mean
or simple fabrication. Neither is acceptable.

~~~
calhoun137
What I meant was the debate which has been taking place in the mainstream of
physics for many years now is whether or not it's possible to build a quantum
computer on the scale where it can do anything useful. In the article we read:

> When Dr Shor made his discovery such computers were the stuff of science
> fiction. But in 2001 researchers at IBM announced that they had built one,
> programmed it with Shor's algorithm, and used it to work out that the prime
> factors of 15 are three and five. This machine was about the most primitive
> quantum computer imaginable.

The context which was lacking is that I meant on a large scale and not simply
the most primitive thing. And no I am not fabricating anything, see here [1]
for some of the main stream discussion by someone who is more articulate and
knows more about it than me.

Let's keep in mind that just this week it was announced that a grad student
figured out an algorithm to verify that the computations done by hypothetical
quantum computers actually are giving a correct answer [2].

I seriously don't think you know what you are talking about when it comes to
the idea that it's "already been done". D-Wave is not a "quantum computer" in
the sense of this article or Shor's algorithm.

However, you are correct that my comment was overly hyperbolic and lacking
context. Next time this comes up on here I will try to do a better job and not
use phrases like "it's a hoax" because, to be honest, it's not a hoax; it might
be possible one day they will exist. I personally believe at that point there
will be so many other advances that non-quantum computers will simply
outperform everything else.

[1] [https://www.quantamagazine.org/gil-kalais-argument-against-q...](https://www.quantamagazine.org/gil-kalais-argument-against-quantum-computers-20180207/)

[2] [https://www.quantamagazine.org/graduate-student-solves-quant...](https://www.quantamagazine.org/graduate-student-solves-quantum-verification-problem-20181008/)

~~~
Misdicorl
Thanks for the additional response. I agree that there are fundamental
technical questions that are very difficult.

As an aside, I'm actually well versed in the difference between quantum
annealing and Turing-like computation, as I got my PhD in an ultracold atomic
physics lab.

------
adriand
It's interesting to look at this through the lens of startup creation. Here is
an example of something where there will clearly be customers that need
assistance from technologically sophisticated companies. Quote:

"Mr Steel says one of his clients has thousands of apps that need updating. As
chips migrate into everything from cars and children’s toys to lighting
systems and smart electricity meters, the amount of work will only grow."

The need is clear and there is even a timeline. NIST is planning to release
proposals for quantum-resistant algorithms in 2024. According to the article,
Brian LaMacchia, an expert from Microsoft, predicts availability of a
“cryptographically interesting” quantum computer in 2030 to 2040.

The question is, when does it become sensible to start a company intended to
serve the millions of other companies who will need assistance making this
sort of transition? It feels too early now, but is it? Are there sensible
steps to be taken now? If you're reading this and you happen to be fifteen
years old, thinking about what you might want to launch when you get out of
university, is this something worth diving into?

The uncertain timeline carries considerable risk, but if you wanted a shot at
building a sustainable company that might be worth tens of millions in two
decades, this problem seems like an obvious candidate.

~~~
DenisM
Are you imagining something akin to the Y2K-style surge in COBOL consulting
jobs? I imagine it could be lucrative, but I also imagine most companies will
just drag their feet as long as they can, so it will be a frustrating sales
experience as it always is absent a clear deadline or at least significant
time pressure.

------
dschuetz
I'd like to see quantum computers actually do anything practical, anything at
all, instead of making wild promises of what they might or might not be
capable of. Stop promising, start delivering.

~~~
WilliamEdward
Do you keep up with the development of QCs at all, or are you just an eager
consumer? They're only able to make QCs with a small number of qubits at the
moment and can't add more without running into sound disruption issues, so it's
a ways away from being able to do anything practical.

~~~
brokenmachine
I'm far from convinced about QC yet, but the first transistor was in 1947 and
now the CPU in my phone has over 3 billion. Looks like they took 30 years to
get from that first transistor to the TMS 1000 with 8,000 transistors on it.

[https://en.wikipedia.org/wiki/Transistor_count#Microprocesso...](https://en.wikipedia.org/wiki/Transistor_count#Microprocessors)

I just thought that was interesting...

------
torbjorn
Breaking crypto makes for a good headline, but the most important application
of QCs will be simulating quantum states, e.g. modeling molecular interactions.
And obviously there is plenty of work that remains to be done in this nascent
field.

Also obligatory link to the best quantum computing blog out there:
[https://www.scottaaronson.com/blog/](https://www.scottaaronson.com/blog/).
Very good at dispelling hype.

~~~
DenisM
Adding to that: I heard that in modern chemistry there are trillions of
experiments to be run and not enough time to run them all. Using QC to cull
the search space can lead to discovery of some very interesting compounds.
This could be “the industrial revolution” of the field.

------
elbybasolis
I’m concerned with the ability of conventional computers to keep up with
cryptography in the quantum age of computation. But can’t we just jack up the
current algorithms to have higher order problem sets to solve? In other words
can’t we turn something like a SHA-256 into a SHA-2048 and take a hit on the
time complexity to generate such cryptographic (in this case a hashing
algorithm) products? Can’t we just scale up the problem size and assume that
the solution will be exponentially more difficult to solve?

~~~
bsaul
I'm not an expert at all, but FWIU quantum computers make cryptographic
encryption a linear problem.

~~~
elbybasolis
In that case can we start computing cryptographic products with quantum
computers such that there is no gap? If we reduce the time complexity of
factoring a prime number to linear wouldn’t we be able to produce larger
cryptographic products? Effectively going back to where we started but with
more computing power? Surely this would require easy access to quantum
computation to be practical and thus a gap in power, but necessity would drive
the market to make this type of power more mainstream.

~~~
rollcat
> In that case can we start computing cryptographic products with quantum
> computers such that there is no gap?

QC solves one kind of problem that is hard for classical computers, but not
another (see all the links to post-quantum crypto in the comments). OTOH there
will be a very large window during which QC will be cheap enough to rent by
the hour on AWS, but equipping every lightbulb with a QC will be prohibitively
expensive (think current GPU prices).

------
singletoon
This is no news for academia, more particularly for theoretical
mathematicians. It's a well-known fact that RSA and all other cryptography
methods based on basic number theory results will become useless with the
appropriate usage of QC. Mathematicians have already suggested that non-
commutative group-based cryptography is the appropriate solution to this
issue. Yet there's no ideal group that seems to be the right fit for the
proper implementation of these new, secure algorithms. The braid group used
to be an ideal example, until it was found to be linear, thus heavily exposed
to linear-based types of attacks. So the only part that remains unsolved is
which group could be ideally defined to support the theory that addresses this
issue. Mathematicians are already aware of this challenge; perhaps this post
by The Economist suggests that more funding should be given for the according
research.

------
randomsearch
Some context: breaking encryption standards will likely take _millions_ of
qubits.

Current state of the (disputable) art: less than twenty.

~~~
true_tuna
And there are methods to defend crypto against QC. New algorithms will become
more popular as quantum computers become more capable. It is a problem we will
face someday and it’s good to start thinking about it and working on it now.

------
sudoaza
What's new about this?? We've known for years, it's still years away and we
already have post-quantum crypto to replace all those...

~~~
NotANaN
Not just years; decades. About a quarter of a century.

------
blablabla123
5 years ago most people didn't care about encryption. Most websites, disks,
emails, USB sticks, downloads were unencrypted - this hasn't changed much.
Not to mention the software pool on closed-source hardware. I'm not exactly
sure who would have to be afraid of what. :-)

------
edoo
I wonder if you could significantly increase the qubits required by layering
or interleaving cryptographic functions.

By interleaving I almost imagine something like an AES algorithm where the
rotated bits actually reference new keys and ciphers that are actually used on
the data.

------
writepub
QCs will likely break existing crypto currencies. Which begs the question - if
someone does own a QC how much crypto can they steal without devaluing the
currency in the process.

------
gaze
Why are we so worried about quantum computers when there's backdoored random
number generators (Dual-EC DRBG) and stuff in play? I just don't understand
it.

~~~
Cyphase
You're falling into the fallacy of relative privation. "Why are we so worried
about __________ when __________?", implying that you can't be concerned about
both.

------
wavegeek
At one point I thought I had found a fast factoring algorithm but I found that
the internet no longer much depends on the difficulty of factoring large
numbers and stopped work on the project.

Elliptic Curve encryption for example does not depend (AFAIK) on the
difficulty of factoring. (please tell me if this is wrong)

~~~
moefh
Elliptic curve crypto (the kind that is in common use, like ECDH) is just as
broken by quantum computers as RSA.

The quantum algorithm that breaks RSA (Shor's algorithm) does it by
efficiently solving the hidden subgroup problem[1] for finite Abelian groups.
This can be used for factoring integers (which breaks RSA) and also for
solving discrete logarithms (which breaks elliptic curve crypto).

[1] [https://en.wikipedia.org/wiki/Hidden_subgroup_problem](https://en.wikipedia.org/wiki/Hidden_subgroup_problem)
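To make the reduction in the comment above concrete, here is an added example (not code from the article or any commenter) of the classical half of Shor's algorithm: once the period (multiplicative order) of a base modulo N is known, factoring N is a gcd computation. The quantum part of Shor only supplies that period; here it is brute-forced, which is only feasible for toy moduli such as the 15 from the 2001 IBM experiment. The same period-finding oracle is what solves discrete logarithms, which is why the comment says ECC falls to a variant of the same algorithm.

```python
from math import gcd
from typing import Optional, Tuple


def find_order(a: int, n: int) -> int:
    """Smallest r > 0 with a^r = 1 (mod n), for gcd(a, n) = 1.
    This is the step Shor's quantum period-finding routine performs;
    here it is brute-forced, which only works for toy moduli like 15."""
    r, x = 1, a % n
    while x != 1:
        x = (x * a) % n
        r += 1
    return r


def shor_factor(n: int, a: int) -> Optional[Tuple[int, int]]:
    """Classical post-processing of Shor's algorithm for one base a.
    With r = ord_n(a) even and a^(r/2) != -1 (mod n), the factors are
    gcd(a^(r/2) - 1, n) and gcd(a^(r/2) + 1, n). Returns None when the
    base is unlucky and a different one must be tried."""
    g = gcd(a, n)
    if g != 1:
        p, q = sorted((g, n // g))      # a already shares a factor with n
        return (p, q)
    r = find_order(a, n)
    if r % 2:
        return None                     # odd order: no usable square root of 1
    y = pow(a, r // 2, n)
    if y == n - 1:
        return None                     # trivial square root of 1: try again
    p, q = sorted((gcd(y - 1, n), gcd(y + 1, n)))
    return (p, q)


def factor(n: int) -> Tuple[int, int]:
    """Try bases 2, 3, ... until the order-finding trick yields factors."""
    for a in range(2, n):
        res = shor_factor(n, a)
        if res is not None:
            return res
    raise ValueError("no non-trivial factor found (n may be prime)")


if __name__ == "__main__":
    # The experiment quoted above: ord_15(7) = 4, 7^2 = 4 (mod 15),
    # gcd(3, 15) = 3 and gcd(5, 15) = 5.
    print(find_order(7, 15), shor_factor(15, 7), factor(15))
```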

------
tychomaz
Still waiting for this to happen.

------
basicplus2
I think we are safe for a while... ain't no quantum computers around yet

~~~
ShaneCurran
The problems arise when data is intercepted now. Sure, some encrypted
information won’t be useful/sensitive once the advent of cryptographically
significant quantum computers comes but if any packets are simply stored now
and saved for the future, that encryption will be rendered broken and the
information leaked once there’s a practical Shor’s/Grover’s implementation.

~~~
DenisM
Perfect Forward Secrecy ensures that future leakage of the private key does
not betray secrecy of past communications.

~~~
tialaramex
PFS is not magic, it depends on exactly the same type of trapdoor algorithm as
other asymmetric cryptography but using randomly chosen keys which are then
forgotten. Forgetting the keys + Breaking them being too hard = Forward
Secrecy. If someone finds out the key later, they can decrypt the messages,
just as if they'd been told it at the time.

A Quantum Computer that breaks, say, 2048-bit RSA also breaks the PFS-enabled
Diffie-Hellman style key exchanges; it's almost exactly the same trick, a
variant of the Discrete Logarithm Problem.
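The point above, that forward secrecy is only "forgetting the keys + breaking them being too hard", as an added example (not code from the article or any commenter): an ephemeral Diffie-Hellman exchange over a constructed toy group, with exhaustive discrete-log search standing in for Shor's algorithm. The prime `P = 10007` and generator `G = 5` are chosen here purely so the search finishes instantly; a recorded transcript of a real 2048-bit exchange would need a cryptographically relevant quantum computer to yield the same result.

```python
import hashlib
import secrets
from typing import Optional, Tuple

# Constructed toy group: a tiny prime so that exhaustive search can stand in
# for Shor's discrete-log step. Real exchanges use 2048-bit primes or elliptic
# curves, where only a cryptographically relevant quantum computer could do this.
P = 10007
G = 5


def derive_key(shared: int) -> bytes:
    """Session key from the shared group element (shared < 2^16 in this toy)."""
    return hashlib.sha256(shared.to_bytes(2, "big")).digest()


def ephemeral_exchange() -> Tuple[int, int, bytes]:
    """One PFS-style exchange: both sides pick fresh secrets, swap public
    values, derive a session key, then discard the secrets. Returns what
    survives: the two public values (recordable on the wire) and the key."""
    a = secrets.randbelow(P - 2) + 1
    b = secrets.randbelow(P - 2) + 1
    A, B = pow(G, a, P), pow(G, b, P)
    key = derive_key(pow(B, a, P))
    assert key == derive_key(pow(A, b, P))
    del a, b  # forgetting the ephemeral secrets is what makes this forward secret
    return A, B, key


def discrete_log(h: int, g: int = G, p: int = P) -> Optional[int]:
    """Solve g^x = h (mod p) by exhaustive search: infeasible classically at
    real sizes, polynomial-time with Shor's algorithm."""
    cur = 1
    for x in range(p - 1):
        if cur == h:
            return x
        cur = (cur * g) % p
    return None


def recover_session_key(A: int, B: int) -> Optional[bytes]:
    """What a stored transcript yields once discrete logs are cheap: recover
    one side's ephemeral exponent from its public value and rederive the key."""
    x = discrete_log(A)
    return None if x is None else derive_key(pow(B, x, P))


if __name__ == "__main__":
    A, B, key = ephemeral_exchange()
    print(recover_session_key(A, B) == key)  # True: PFS did not protect the recording
```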

------
anon4738383
If QC were able to factor primes, discover alternative inversions of
noninvertible matrices... the obvious uses would be monetization, hacking and
other legal and illegal crimes: crypto mining and hacking banking and finance.

