
How to factor 2048 bit RSA integers in 8 hours using 20M noisy qubits - vtomole
https://scirate.com/arxiv/1905.09749
======
Strilanc
I'm one of the authors on this paper and can answer questions if people have
some.

~~~
agsamek
Hi. I would like to take the opportunity to get your opinion on quantum
computing.

My understanding is that there is significant work in theoretical quantum
computing done by you and many people. Results presented by you seem
impressive. Congratulations.

On the other hand - everything I read, hear and try to interpret about D-Wave
seems like nonsense. They show approximation computations and compare it to
classical algorithms that provide exact results. But classical approximation
algorithms work much better than their quantum computers. I do not see how
scaling this approach could lead to anything that you describe in your paper.

In this regard - is my understanding of D-Wave correct, or does it provide some
value that is better than classical computers?

Can D-Wave's or IBM's creation be used to do the computations described in your
paper?

Is their approach worth anything?

[edit] Of course I'm not asking about now - my question is whether there is
anything connected to exact results (like factoring) and exponential speed-up
in the D-Wave approach.

~~~
Strilanc
I don't really know a lot about D-Wave to be honest. I defer to Scott
Aaronson's posts [1] and to the opinion that the main criterion for success is
"solve hard problems" as opposed to "solve hard problems with a quantum
computer" [2].

[1]:
[https://scottaaronson.com/blog/?s=dwave](https://scottaaronson.com/blog/?s=dwave)

[2]: [https://youtu.be/XbFoXT73xVQ?t=355](https://youtu.be/XbFoXT73xVQ?t=355)

~~~
scottlocklin
Without hardware, you're not solving any problems. Glass bead game != solving
problems.

At no point in human history has this sort of "detailed theoretical wanking"
turned into progress in science; the hardware comes first.

~~~
sgt101
I was under the impression that theoretical physics detailing underpinning
mechanisms preceded the transistor, nuclear weapons and fibre optics.

~~~
behringer
That's true of most inventions. We had programming and boolean logic before we
had computers. And of course we would, you can't build a boat without water to
sail on.

------
mmastrac
How plausible is it that someone could acquire this many qubits? How many
doublings away are we?

EDIT: [1] suggests D-wave could be 5640 by 2020, doubling approx. every two
years - 12 doublings = 24 years from now.

[1]
[https://en.wikipedia.org/wiki/D-Wave_Systems#D-Wave_2X_and_D...](https://en.wikipedia.org/wiki/D-Wave_Systems#D-Wave_2X_and_D-Wave_2000Q)

~~~
HNLurker2
More than 500 qubits is enough for Shor's algorithm to destroy everything

~~~
fhars
That is for perfect mathematical qubits. Real qubits are always noisy, and you
need at least 1500 real qubits to emulate a perfect qubit with reasonable
certainty, putting your number in the same ballpark as the number of 20M noisy
qubits from the article.

~~~
HNLurker2
So they can use Shor's algorithm?

------
bscphil
I haven't finished reading the paper, but maybe my biggest immediate takeaway
is that significantly increasing the number of bits doesn't really help. Using
the methods discussed in the paper, 4096 bit integers can be factored in less
than 4x the amount of time needed to factor 2048 bit integers. In other words,
should this method become practical, cryptographers couldn't solve the problem
by using integers we would ordinarily consider much harder to factor.

~~~
fhars
Yes, that is why djb's post-quantum RSA proposal uses public key sizes on the
order of one terabyte (i.e. 8 trillion bits) instead of the more common 4096
bits. I have the slight suspicion that the proposal is slightly tongue in
cheek, though.

See
[https://cr.yp.to/papers/pqrsa-20170419.pdf](https://cr.yp.to/papers/pqrsa-20170419.pdf)

~~~
throwawaymath
Yeah, that submission was absolutely a joke. It didn't get passed to round 2
of the NIST PQCrypto Standardization CFP. Bernstein and Lange intended that to
be a bit of sardonic humor poking fun at the review panel.

------
kristianp
[https://arxiv.org/abs/1905.09749](https://arxiv.org/abs/1905.09749)

------
imtringued
It doesn't look like there is even a need for quantum proof algorithms. An
Epyc CPU with 32 cores has 20 billion transistors. Even if we can build qubits
as tiny as a transistor you won't be able to break RSA with ridiculous key
lengths above 2000000 bits. In reality qubits will be bigger than transistors,
not all qubits can be active at the same time and there won't be the same
exponential growth in the number of qubits as we have seen in conventional
computers.

------
kweks
Relevant presentation on real world cipher reversing with quantum computing:

[https://www.phdays.com/en/program/reports/reversing-cryptogr...](https://www.phdays.com/en/program/reports/reversing-cryptographic-primitives-using-quantum-computing/)

Slides: [https://speakerdeck.com/rlifchitz/ordinateurs-quantiques-et-...](https://speakerdeck.com/rlifchitz/ordinateurs-quantiques-et-futur-de-la-securite)

------
rurban
How likely is it that for breaking 2048 bit RSA integers you'll just need 2048
noise-free qubits?

That this lowered 20M requirement is just a ploy to keep people using 2048 bits,
not 4K as required by GNU. It is my understanding that 2048 qubits are already
in reach of well-funded state agencies.

------
Tepix
So, is there some alternative quantum-resistant cipher ready (i.e. with an open
source implementation, say on GitHub) that we can use today to encrypt our
long-term secrets?

~~~
TheOperator
A one-time pad is still uncrackable.

Take your secret. Write it on a piece of grid paper. Fill EVERY FIELD on
another piece of grid paper with random data. Transform every character on the
first piece of paper based on the corresponding characters on the second piece
of paper and write the result on a third piece of grid paper. Then burn the
first piece of paper.

It's not possible to read the 3rd piece of paper without the 2nd now. You also
obscure the length by filling the second piece of paper with data.

~~~
throwawaymath
One-time pads are extremely impractical and error-prone. You need:

1. A secret key as long as the plaintext.

2. A consistent source of true randomness and a way of sampling it such that
your secret key is truly random.

3. To never reuse a key once it's been used once.

Imagine the ramifications of retrofitting servers to use one-time pads for
TLS. Moreover, essentially everything we take for granted in cryptography
relies on constructions which use pseudorandom permutations and generators.
Even if we resolved all these problems and forged ahead in a brave new world
using stream cipher-like constructions based on one-time pads, we'd still have
to rethink all of public-key cryptography.

This impracticality is one of the major reasons we moved on from information
theoretic security to complexity theoretic security by the mid 20th century.
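
The paper-and-pencil pad described by TheOperator, and the key-reuse failure
throwawaymath warns about, in bytes. This is an added example written for this
page, not code from either commenter or from the paper: the function names,
the fixed 64-byte frame (the "fill EVERY FIELD" step, which hides the message
length) and the 0x80-then-zeros framing are this example's own choices. The
pad comes from the OS CSPRNG via `secrets`, which is the "source of true
randomness" requirement; `reuse_leak` shows what an eavesdropper gets the
moment a pad is used twice.

```python
"""One-time pad on bytes, with fixed-length framing and the reuse failure.

Added example for this page; not the commenters' or the paper's code.
FRAME, the 0x80/0x00 framing and all names below are this example's
own assumptions.
"""
import secrets

FRAME = 64  # every ciphertext is exactly this long, whatever the message length


def make_pad() -> bytes:
    """One fresh pad per message, from the OS CSPRNG. Never reuse it."""
    return secrets.token_bytes(FRAME)


def frame(msg: bytes) -> bytes:
    """msg || 0x80 || zeros, padded to FRAME bytes. The 0x80 marker makes the
    framing unambiguous even when the message itself ends in zero bytes."""
    if len(msg) > FRAME - 1:
        raise ValueError(f"message must be at most {FRAME - 1} bytes")
    return msg + b"\x80" + b"\x00" * (FRAME - len(msg) - 1)


def unframe(framed: bytes) -> bytes:
    """Drop the trailing zeros and the 0x80 marker (the last 0x80 in the frame,
    because only zeros can follow it)."""
    return framed[: framed.rindex(b"\x80")]


def otp_encrypt(msg: bytes, pad: bytes) -> bytes:
    """XOR the framed message with the pad; the framed form is what is burned."""
    if len(pad) != FRAME:
        raise ValueError("pad must be exactly FRAME bytes")
    return bytes(m ^ k for m, k in zip(frame(msg), pad))


def otp_decrypt(ct: bytes, pad: bytes) -> bytes:
    """XOR with the same pad, then strip the framing."""
    if len(ct) != FRAME or len(pad) != FRAME:
        raise ValueError("ciphertext and pad must be exactly FRAME bytes")
    return unframe(bytes(c ^ k for c, k in zip(ct, pad)))


def reuse_leak(ct1: bytes, ct2: bytes) -> bytes:
    """What an eavesdropper computes when two messages share one pad: the pad
    cancels, leaving frame(m1) XOR frame(m2). Knowing (or guessing) one
    message then reveals the other outright."""
    return bytes(a ^ b for a, b in zip(ct1, ct2))


if __name__ == "__main__":
    pad = make_pad()
    ct = otp_encrypt(b"attack at dawn", pad)
    print(len(ct), otp_decrypt(ct, pad))
    # Reuse: with the first message known, the second falls out of the leak.
    ct2 = otp_encrypt(b"retreat at dusk", pad)
    leak = reuse_leak(ct, ct2)
    print(unframe(bytes(a ^ b for a, b in zip(leak, frame(b"attack at dawn")))))
```

The round trip works for an empty message, for messages containing 0x00 and
0x80 bytes, and every ciphertext is 64 bytes regardless of input; the last
two lines of the demo are exactly the attack that rules out key reuse.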

~~~
gpm
For what it's worth, quantum computers might give a provably correct source of
2 (random numbers).

The version I saw (requires 2 quantum devices):
[http://www.henryyuen.net/fall2018/scribe2.pdf](http://www.henryyuen.net/fall2018/scribe2.pdf)

New paper that claims to do it with only one quantum device:
[https://arxiv.org/pdf/1804.00640.pdf](https://arxiv.org/pdf/1804.00640.pdf)

------
andr
So RSA has some 10-20 years to go. Is there a quantum computing-proof
encryption algorithm, or is it just a matter of increasing key lengths?

~~~
w8rbt
Many old, hard problems are still hard even on quantum computers (SAT, TSP,
etc. cannot be solved in polynomial time on quantum computers). Factoring can
be done in polynomial time on quantum computers. FFT can be made even faster.
But again, some classic, hard problems still stand. So don't worry, quantum
computers are not magic solutions to all hard problems, just some.

------
NotTheFBI
Is this the long fabled quantum computing application that breaks asymmetric
cryptography?

~~~
34r45sdg
It's the continued advancing of the craft. Some newer techniques but an
evolution of the attack. Now all one needs is a 20 million qubit QC..

