
Breaking RSA Security with a Low Noise D-Wave 2000Q Quantum Annealer - adulau
https://arxiv.org/abs/2005.02268
======
osamagirl69
This is pretty impressive, they were able to factor a 17 bit number (103459 =
337 * 307) using 1635 physical qubits (arranged as 73 logical qubits) using
QUBO. In this configuration they were able to achieve an average time to
solution of just under 100ms.

That said, they did pick an 'easy' number to factor, just like most other
quantum factorization results. This number could easily be factored using
Fermat's factorization method (only the first step is required). It would have
been very interesting to see a list of all primes and the time required to
factor them (since they claim it only takes 100ms to factor the 17 bit one,
such an experiment should be able to run in a day...).

For an extreme case of this class of 'cheating' compare to the largest number
factored on a quantum computer (1,099,551,473,989 =1,048,589 * 1,048,601)
which only actually takes 3 qubits to calculate [1]

They also estimate that in order to factor a 2048bit number it would require
just under a million logical qubits using QUBO, but didn't present a physical
implementation. Worse yet, this is still not a general algorithm and is
generally predicated on picking an easy number to factor in the first place!

[1] [https://quantumcomputing.stackexchange.com/questions/9204/th...](https://quantumcomputing.stackexchange.com/questions/9204/the-algorithm-of-the-new-quantum-factoring-record-1-099-551-473-989)
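
The one-step Fermat factorization mentioned in the comment above, as an added example that is not part of the original thread. It runs Fermat's method on the two semiprimes quoted in the comment and, for contrast, on a constructed semiprime (101909 = 101 * 1009, an assumption chosen here) whose factors are far apart, and reports how many candidates each one needs.

```python
from math import isqrt


def fermat_factor(n, max_steps=1_000_000):
    """Fermat's method for odd n: search a >= ceil(sqrt(n)) until
    a*a - n is a perfect square b*b, so that n = (a - b) * (a + b).

    Returns (p, q, steps) with p <= q, where steps is the number of
    candidate values of a that were tried, or None if max_steps runs out.
    """
    if n < 3 or n % 2 == 0:
        raise ValueError("n must be an odd integer >= 3")
    a = isqrt(n)
    if a * a < n:
        a += 1  # start at ceil(sqrt(n))
    for steps in range(1, max_steps + 1):
        b2 = a * a - n
        b = isqrt(b2)
        if b * b == b2:
            return a - b, a + b, steps
        a += 1
    return None


# Semiprimes quoted in the comment, plus one constructed contrast case.
SAMPLES = {
    "17-bit number from the paper": 103459,
    "largest number factored on a quantum computer": 1099551473989,
    "constructed, factors far apart (101 * 1009)": 101909,
}

if __name__ == "__main__":
    for label, n in SAMPLES.items():
        p, q, steps = fermat_factor(n)
        print(f"{label}: {n} = {p} * {q} after {steps} step(s)")
```

The step count grows with the gap between the two factors, which is why semiprimes with nearly equal factors say little about the difficulty of factoring in general.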

~~~
dvdkhlng
Glancing at the paper, I do not find anything that is impressive. AFAICS the
algorithm they implement is of asymptotic exponential complexity, even when
run on a quantum computer. I cannot imagine how this work would have any
effect on the field of asymmetric encryption algorithm research.

To me it looks like they took the factorization problem, which has a lot of
well-known (relatively) low-complexity algorithms and implemented it by mapping
it onto circuit-SAT [1] (the multiplication table corresponds to a multiplier
circuit which they try to solve in reverse). Circuit-SAT is a proven
NP-complete problem. There is currently no known quantum-algorithm that solves
NP-complete problems in sub-exponential time.

Note that in the complexity hierarchy NP-complete problems are "harder" than
the factoring problem. These are generally bad problems, where not even a
quantum-computer helps (and I know of no asymmetric encryption algorithm that
is NP-complete when trying to break it, but maybe the quantum-resistant
encryption algorithms are better in that regard).

And that's even before we start talking about the limitations of
quantum-annealers and the kind of speedups they can gain over classical computers. For
a discussion of that, maybe one should start reading Scott Aaronson's blog
[2].

[1]
[https://en.wikipedia.org/wiki/Circuit_satisfiability_problem](https://en.wikipedia.org/wiki/Circuit_satisfiability_problem)

[2]
[https://www.scottaaronson.com/blog/?p=2555](https://www.scottaaronson.com/blog/?p=2555)

~~~
conformist
This.

Essentially, all the quantum annealing stuff that D-Wave does follows the
pattern of mapping a problem onto a spin glass and then finding the ground
state with annealing.

The only really interesting theoretical aspect is finding good maps from hard
problems to spin glasses.

This is a nice reference:
[https://arxiv.org/abs/1302.5843](https://arxiv.org/abs/1302.5843)

------
archgoon
Well, for those looking at the comments first:

No; they do not actually factor any 1024 or 2048 bit numbers. The largest is
17 bits. Although they point out that representing the problem can be done in
a quadratic size of the input, the datapoints in the paper don't give any
reason to believe that the _time_ to finding the factors won't just be
exponential in the input.

Also, no, this is not a record for Quantum Computing; as this is a DWave
Quantum Annealing machine which needs to be evaluated by a different standard.

This seems to be more interesting if you look at it from the perspective "How
can I treat prime factorization as an optimization problem" rather than "Does
it look like Quantum Annealing Machines can factor RSA in the near term".

~~~
metalrain
What is the record for PF on a quantum computer? I only found some really old
results from 2014 and current records must be higher.

~~~
tialaramex
The record for Shor's algorithm is still 21 = 7 x 3

You can instead do "big" numbers like in this article with machines that can't
run Shor's algorithm, but there is no good reason to imagine these would ever
be competitive with a conventional computer like your laptop or phone.

Shor's algorithm (and similar algorithms) are definitively faster, _if_ you
can make a quantum computer to run them. That's the hard part, and as you
observe the result is no clear progress in almost a decade.

------
NoKnowledge
This study considers seven semi-primes (without justification why these seven)
and reports an average(?) runtime of factoring each with D-Wave. No
conclusions should be drawn on so few data-points. The proposed "Block
Multiplication Table Method" will only affect the constants and thus has no
effect on the asymptotics. The embedding from logical to physical qubits
appears to have an exponential gap (but again, we shouldn't draw conclusions
from so few data-points). However, if this is indeed true then even a
polynomial runtime for annealing would still result in an exponential runtime
for factoring. All in all, it eludes me why authors conclude that the obtained
results are promising.

------
rwmj
IBM and Google both claim to have 53 qubit computers, which I thought was the
edge of the technology at the moment. This machine has 1635 "physical qubits".
I'm guessing these are not the same thing. Can anyone comment on what the
difference is?

~~~
fsh
D-Wave is building "Quantum Annealers" which are not universal quantum
computers. They cannot run quantum algorithms such as Shor's algorithm and
there is serious doubt whether they can achieve any significant speed-up over
classical computers, even in principle.

------
plopilop
The authors give the following factorization with their algorithm: 231037 =
499 * 363. Not only is the product not equal to 231037, but 363 is also
clearly not a prime as it is divisible by 3.

There is no discussion whatsoever about this failure, except for "The low
noise D-Wave 2000Q factored correctly all integers N up to L_N= 17"

~~~
vlovich123
Seems like it's probably just a typographical error & should be 463*499.

------
hutzlibu
Layman question:

assuming one day RSA gets actually broken and a quantum computer or a new
algorithm can factorize prime numbers fast: would there be any alternatives
available for public/private key encryption?

Or would the solution be, to use just a lot bigger prime numbers calculated
also with a quantum computer? That sounds not too promising.

~~~
dekz
[https://en.wikipedia.org/wiki/Post-quantum_cryptography](https://en.wikipedia.org/wiki/Post-quantum_cryptography)

~~~
hutzlibu
Oh thanks.

So the answer seems: maybe.

~~~
jessriedel
My impression from talking to post-quantum cryptographers is that the answer
is "probably" or "it would be pretty surprising, though not radically
shocking, if it turns out that any public-key protocol is necessarily
quantum-vulnerable".

------
ganzuul
At what bit length is this approach faster than
[https://en.wikipedia.org/wiki/Lenstra%E2%80%93Lenstra%E2%80%...](https://en.wikipedia.org/wiki/Lenstra%E2%80%93Lenstra%E2%80%93Lov%C3%A1sz_lattice_basis_reduction_algorithm)
?

~~~
NoKnowledge
That is apples to oranges, you're citing a lattice reduction algorithm? Maybe
you meant the number field sieve
[https://en.wikipedia.org/wiki/General_number_field_sieve](https://en.wikipedia.org/wiki/General_number_field_sieve)?

In that case the answer is: never. We've tried to generously interpret earlier
factoring annealing results (there is nothing new in the top-posted paper) and
had to conclude that the overall method just doesn't scale well:
[https://arxiv.org/abs/1902.01448](https://arxiv.org/abs/1902.01448)

------
da-x
It's 2020, and I'm still waiting to see an impressive proof of work out of
a quantum computer that I can easily verify on my traditional computer (two
different files with identical SHA-512, for example?).

Maybe a few years from now?

~~~
bawolff
Finding an sha-512 collision is not a problem that quantum computers can help
with, even in theory.*

Anyways, if you want something that can be verified on a classical computer
but cannot be done on a classical computer, see Google's recent Quantum
supremacy experiment. However it is extremely contrived. I think the most
likely non contrived thing will be simulating simple-ish quantum systems (to
help with chemistry experiments and the like), but it's probably still going to
be a while before we start seeing that I think (IANA quantum scientist).

*Edit: to clarify, quantum computers can speed the process up of finding a collision in theory, just not enough to help. Normally you would need O(2^256) operations to find sha512 collision (Birthday paradox), quantum (BHT) gets you down to O(2^170), which is better, but still way too high. Most crypto assumes anything greater than 2^128 is secure by a comfortable margin.

~~~
l33tman
"Extremely contrived" is a little bit misleading since they did in fact run
random algorithms from a general set of algorithms. So it's rather the
opposite of contrived.. but I understand what you mean :)

~~~
bawolff
Contrived means "Deliberately created rather than arising naturally or
spontaneously"
[https://www.lexico.com/en/definition/contrived](https://www.lexico.com/en/definition/contrived)
. I think the problems used to demonstrate quantum supremacy very literally
meet that definition - they were largely created for the sole purpose of
demonstrating supremacy; they are not problems we naturally want to know the
answers to.

------
dmos62
I see a slight irony in how I perceive crypto conversations as very cryptic.
It's pleasant to wander into a thread like this where you can't really tell up
from down (as a relative layperson).

------
TheUndead96
oh boy

