
Quantum Computer Comes Closer to Cracking RSA Encryption - mhb
http://spectrum.ieee.org/tech-talk/computing/hardware/encryptionbusting-quantum-computer-practices-factoring-in-scalable-fiveatom-experiment
======
Yver
If I understand correctly, this quantum computer came closer to cracking RSA
the same way shifting in your chair gets you closer to Jupiter.

~~~
sp332
Werner von Braun oversaw development of some awfully small crummy rockets
[https://youtube.com/watch?v=Ii7uwp1SRIM](https://youtube.com/watch?v=Ii7uwp1SRIM)
(imagine the ones even before these!) but also oversaw the Saturn 5 which
lifted every person who walked on the moon. We understand the physics, now
it's a matter of engineering and funding!

~~~
IshKebab
Not necessarily. What if entangling each qubit is twice as hard as the
previous one? There's a lot of people that suspect physics may prevent quantum
computing from scaling up. See also:

[http://phys.org/news/2012-02-quantum-physicist-100k-proof-scaled-up.html](http://phys.org/news/2012-02-quantum-physicist-100k-proof-scaled-up.html)

~~~
sp332
But the guy who made that bet doesn't think physics prevents a quantum
computer. "Many people assumed I was a QC skeptic, and was offering the prize
because I hoped to spur research aimed at disproving QC. Which is actually an
interesting misreading"
[http://www.scottaaronson.com/blog/?p=902](http://www.scottaaronson.com/blog/?p=902)

~~~
IshKebab
Yeah I was just pointing out that there is disagreement. I think of it like
time travel - nobody has proved that it is impossible, but a lot of people
suspect that a "sensible" universe wouldn't allow it.

------
scottlocklin
I love it when people tout a result as being "only 15-30 years away." Is there
any large scale human technological research project in all of human history
which lasted 20 years and actually produced what was promised? There is no
incremental path here; any time someone says "20 years" it means they have no
idea how to do this thing.

~~~
whitegrape
The human genome project. Their goal when starting was "this will take 15
years", they completed it in 13. The Apollo program: goal of less than 9 years
(end of the decade) when it was proposed in 1961 to land a man on the moon and
return him to Earth, completed in 1969.

If you go back quite a ways, I'm willing to bet at least some of the
innovation-required Castles and Cathedrals and Pyramids of history were
completed "on schedule" with it known up front that they would take many years
to finish.

I suspect a lot of projects are accurately classified as 10-30 years away,
_given a certain level of funding and a dedicated team_. Absent that, they may
very well take twice as long or more. I always like to see what these long-term
oriented institutions like SENS and MIRI say they would do if they had x
times more money, to see that they've got a plan -- fortunately those ones do
give that information.

~~~
drjesusphd
> I suspect a lot of projects are accurately classified as 10-30 years away,
> given a certain level of funding and a dedicated team

Precisely. Take fusion for instance:

[http://i.imgur.com/sjH5r.jpg](http://i.imgur.com/sjH5r.jpg)

This is the source of the "joke" that fusion will always be 20 years away.
It's because it's been grossly under-funded ever since that prediction was
made.

~~~
Trundle
This is really interesting! Have you read the source report? I'm curious as to
why/how the predicted required budget would fluctuate so much. For such a
specialised and frontier based project, surely you'd be aiming for consistent
staffing (and thus consistent staff budgets) year on year no?

~~~
drjesusphd
My guess is that it fluctuates because there are a discrete number of new
experiments to be constructed, and these don't cost a constant amount during
their construction.

~~~
LeifCarrotson
That was my guess as well. Looking at the graphs, there are about three clear
peaks in the maximum, accelerated, and aggressive plans, muddled out a bit in
the moderate plan.

What are these three experiments? Which of them have already been done in the
existing plan? And what others might need to be added?

Also curious is the expected total cost. Eyeballing each plan average cost and
multiplying by the duration, the total costs are 6x14=84, 4x17=68, 3x22=66,
and 2.5x29=72.5 billion dollars. The accelerated and aggressive plans are more
expensive than the moderate plan!

I suppose there's some additional overhead costs associated with keeping the
program running for 29 years instead of 17, but I would have expected all the
rush orders, overtime, and extra staff to make the faster programs much more
expensive.

------
baby
Nice clickbait, Scott Aaronson on this:
[http://www.scottaaronson.com/blog/?p=2673](http://www.scottaaronson.com/blog/?p=2673)

~~~
kenny-log_ins
yep. whenever i read anything sensational about QC I immediately head over to
his blog to read about what it actually means.

------
shireboy
The irony that the SSL cert is invalid for the NSA FAQ linked to in the
article... [https://www.iad.gov:8443/iad/library/ia-guidance/ia-solutions-for-classified/algorithm-guidance/assets/public/upload/CNSA-Suite-and-Quantum-Computing-FAQ.pdf](https://www.iad.gov:8443/iad/library/ia-guidance/ia-solutions-for-classified/algorithm-guidance/assets/public/upload/CNSA-Suite-and-Quantum-Computing-FAQ.pdf)

~~~
rbut
Not entirely true.

- Safari: certificate is fine
- Chrome: certificate error due to SHA-1 signatures
- Firefox: unknown issuer

Why is the DoD root certificate in OSX but not in Firefox?

~~~
NeutronBoy
Because someone would have filed a bug on Bugzilla arguing for it to be
removed on moralistic grounds I bet.

I'm all for having principles, but you have to accept that it'll break for
your users.

~~~
jMyles
The strong argument here is that if you are giving a lock icon but knowingly
allowing decryption by a known bad actor, you are also breaking the experience
of your users.

I also agree with the weaker argument that the cert in question is essentially
for a local intranet and that the DoD can, for as long as it continues to
exist, which I find politically disagreeable, install the cert locally on its
own resources.

If it wants to publish material for broader consumption, it can get a cert
like everyone else.

~~~
Pyxl101
Trusting the cert does not, precisely, allow decryption by the certificate
authority. It rather gives the certificate authority the ability to issue
certificates for domains, which _if they are used to establish a connection_ ,
can encrypt and decrypt traffic _for that connection_.

So yes, if you trust the DoD root certificate, then the DoD as well as every
certificate authority in the world could in theory generate a valid
certificate impersonating www.google.com or any website. With a sophisticated
enough attack, they could do this just for your one visit to one particular
website, in such a way that it would be difficult for anyone to realize that
it's happening. However, though this is difficult to notice if you're not
looking for it, it's actually _really easy_ to notice if you _are_ looking for
it. If you use Chrome, then Chrome will report the certificates that it sees
back to Google, who track what certs are issued by CAs. This is how Google
noticed that Symantec issued fake certificates for Google domains in
Symantec's test environment:
[https://googleonlinesecurity.blogspot.com/2015/10/sustaining-digital-certificate-security.html](https://googleonlinesecurity.blogspot.com/2015/10/sustaining-digital-certificate-security.html)

Anyway, the practical risk of trusting a DoD certificate is pretty low. To
decrypt your traffic, they'd have to man-in-the-middle intercept your
connection to a web server, and _replace_ the site's valid certificate with
their own, which would leave an obvious and flagrant trail to anyone who is
looking. This would very obviously "play their hand" and anyone with evidence
of being attacked that way by a first world government would be immediate
worldwide news in the security community. If they did this even once, they'd
need to be extremely careful not to be caught by any of the countermeasures
that detect this kind of surveillance.

That kind of attack would be a one time thing, because evidence of being
attacked through the DoD cert would cause all browser vendors and OSes to yank
support for it. CAs have been revoked for far less justified reasons than
_explicitly attacking someone_.

I find it much, much, much more likely that targets of interest will simply be
attacked and exploited through regular known security mechanisms - such as
software vulnerabilities or built-in back-doors. These things don't leave an
obvious trail and smoking gun pointing back to the perpetrator. Someone
MITMing your website visits with the DoD root certificate would stir up a
shitstorm. "Some anonymous IP broke into my computer with a 0-day and
installed a rootkit" is not particularly newsworthy by comparison. Even the
recent news of backdoors in networking product codebases is, while newsworthy,
not really that surprising these days. Active evidence of DoD interception of
someone's network traffic followed by evidence of CA certificate misuse would
drop like a nuclear bomb in the security community, _especially_ if for no
extremely well justified reason. It would be the proverbial straw that broke
the camel's back in terms of government interference with Internet security,
and would lead to a digital revolt even more severe than what Snowden's
disclosures caused. Government technical experts will be aware of this and
will use other methods, at least in any context where it could be plausibly
noticed.

To be clear, I completely believe that the government is or could passively
conduct surveillance on virtually all electronic communications. I just don't
think they'll go as far as actively intercepting and modifying a connection,
and inserting a fake certificate, within the borders of the country or in any
normal circumstance. Maybe they would do such a thing within the private
networks of North Korea, but I'd be highly skeptical of them doing it within
the US, and _with the DoD certificate of all things_. It would be too obvious
and has too poor of a risk/reward payoff compared to other methods. If they
were going to do this, they'd steal the private key from another CA and use it
instead. Because that capability could be noticed and "burned", they'd save it
for high value targets only.

So, in all practical analysis, I think it is extremely unlikely that the DoD
will attack people through their root certificate, though I concede that it's
plausible. I would be interested in feedback from others about this reasoning.

------
zer01
I have a feeling that we're going to wake up one day and there will be a
legitimate breakthrough in quantum computing, leading to RSA no longer being a
legitimate standard for security.

My question to HN: Have any of you guys attempted to come up with a plan for
if/when this happens? Are there any algorithms in suites like OpenSSL that are
quantum-resistant? Is SSL/TLS even compatible with a post-quantum world?

~~~
tptacek
There are not, not in OpenSSL. Viable post-quantum encryption is a hot
research area right now. There are a number of approaches that seem promising;
some of them, like hash-based, lattice-based, and code-based crypto, are
actually relatively old concepts that were pushed aside because RSA is more
efficient, but which regain their edge if quantum computers become viable.

[https://en.wikipedia.org/wiki/Post-quantum_cryptography](https://en.wikipedia.org/wiki/Post-quantum_cryptography)

The trick with all of this is that there isn't all that much cryptanalysis
work of some of the more promising PQ schemes, so trying to preemptively adopt
them just in case quantum computers learn to factor numbers bigger than 15 is
likely to do more harm, in the short term, than good.

------
osterbit2
I'm familiar with the implications of quantum computing on factorization and
thus DEcryption but have heard very little about quantum computing
enabling ENcryption until the last paragraph of this article:

("...Chuang expects to see quantum encryption methods that will inscribe
sensitive data into the very states of atoms")

Very curious about current state of this research (relative to the current
state of quantum decryption)--any experts in the room?

~~~
ianopolous
Not an expert on Quantum cryptography, but an ex particle physicist here. The
basic idea is that using a quantum channel (sadly means new hardware, so not
over tcp), eavesdropping becomes impossible without destroying the quantum
state of the signal (guaranteed by the laws of Quantum Mechanics). If an
eavesdropper intercepted a message, that would be detectable and you can drop
that packet. Wikipedia has a good intro:
[https://en.wikipedia.org/wiki/Quantum_cryptography](https://en.wikipedia.org/wiki/Quantum_cryptography)

~~~
smaddox
And yet, isn't it true that MITM attacks still work, as long as the MITM has
the same hardware?

~~~
roywiggins
Theoretically, if you intercept in the middle, you destroy the pattern that
you observe. This is a physical quantum effect, and will happen no matter what
hardware you use

Since the intended use is key distribution, a MITM is fine as long as you can
detect it reliably: you can keep sending new keys until one isn't eavesdropped
upon, and then use that key.

~~~
AnthonyMouse
But how do you detect it reliably?

~~~
q4h555qh5
If someone intercepts the quantum key, it will modify it 25% of the time. If
you randomly measure (and verify publicly with the sender) a fraction of your
total key and find it unmodified, it means the rest of the key probably is
too, up to a certain security factor. By starting with a longer key and
measuring more of it (or doing privacy amplification, for example xor-ing
multiple keys together), you can get as much security as you want. It also
means the security is everlasting, meaning someone cannot retroactively break
your key in 100 years using some mega-computer.
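As an added example (not code from the article or from any commenter in this thread), this simulation of BB84 key distribution with an intercept-resend eavesdropper shows the two numbers in the comment above: an eavesdropper disturbs about 25% of the sifted bits, and publicly comparing a random sample of the key detects that. The 10% abort threshold and the 50% sample fraction are assumptions chosen for the demo.

```python
import random

# Constructed BB84 model. Bases: 0 = rectilinear, 1 = diagonal. Measuring in
# the preparation basis returns the prepared bit exactly; measuring in the
# other basis returns a uniformly random bit (the disturbance QKD relies on).

def measure(bit, prep_basis, meas_basis, rng):
    """Outcome of measuring a qubit prepared as `bit` in `prep_basis`."""
    return bit if prep_basis == meas_basis else rng.randint(0, 1)

def bb84(n_qubits, eavesdrop, rng):
    """Run the quantum phase and sifting; return (alice_bit, bob_bit) pairs."""
    alice_bits = [rng.randint(0, 1) for _ in range(n_qubits)]
    alice_bases = [rng.randint(0, 1) for _ in range(n_qubits)]
    bob_bases = [rng.randint(0, 1) for _ in range(n_qubits)]
    sent_bits, sent_bases = alice_bits, alice_bases
    if eavesdrop:
        # Eve guesses a basis per qubit, measures, and resends her result
        # prepared in her basis. Half her guesses are wrong, and each wrong
        # guess gives Bob a random bit: 50% * 50% = 25% error on sifted bits.
        eve_bases = [rng.randint(0, 1) for _ in range(n_qubits)]
        sent_bits = [measure(b, pb, eb, rng)
                     for b, pb, eb in zip(alice_bits, alice_bases, eve_bases)]
        sent_bases = eve_bases
    bob_bits = [measure(b, pb, bb, rng)
                for b, pb, bb in zip(sent_bits, sent_bases, bob_bases)]
    # Sifting: Alice and Bob publicly compare bases, keep matching positions.
    return [(a, b) for a, ab, b, bb
            in zip(alice_bits, alice_bases, bob_bits, bob_bases) if ab == bb]

def estimate_qber(sifted, sample_fraction, rng):
    """Publicly compare a random sample of the sifted key (those bits are then
    discarded). Returns (observed error rate, remaining secret key bits)."""
    idx = list(range(len(sifted)))
    rng.shuffle(idx)
    k = int(len(sifted) * sample_fraction)
    sample, keep = idx[:k], idx[k:]
    errors = sum(1 for i in sample if sifted[i][0] != sifted[i][1])
    return errors / k, [sifted[i][0] for i in keep]

def run_protocol(n_qubits=4000, eavesdrop=False, sample_fraction=0.5,
                 threshold=0.10, seed=7):
    """One key-exchange round. Assumed policy: abort (and retry with a fresh
    key, as the comment describes) if the sampled error rate exceeds threshold."""
    rng = random.Random(seed)
    sifted = bb84(n_qubits, eavesdrop, rng)
    qber, key = estimate_qber(sifted, sample_fraction, rng)
    return {"qber": qber, "accepted": qber <= threshold, "key_bits": len(key)}
```

Without an eavesdropper the sampled error rate is exactly zero in this noiseless model; a real link has channel noise, which is why a nonzero threshold and privacy amplification are needed.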

------
warrenmar
If you want to know more about Quantum Computation, there is an edX course
([https://www.edx.org/course/quantum-mechanics-quantum-computation-uc-berkeleyx-cs-191x](https://www.edx.org/course/quantum-mechanics-quantum-computation-uc-berkeleyx-cs-191x)). It goes over the Shor algorithm and the quantum
Fourier Transform that leads up to the Shor algorithm.

------
kriro
I don't think this article implies we are anywhere close to feasible quantum
computers but...if I worked on the assumption that sufficiently powerful
quantum computers exist (thought experiment), what would be my available and
usable options today? Encrypt everything I deem important enough with
symmetric encryption?

I have found this: [https://en.wikipedia.org/wiki/Post-quantum_cryptography](https://en.wikipedia.org/wiki/Post-quantum_cryptography)

But am not sure what is considered the state of the art. Stehle-Steinfeld
seems like the most promising option from my very uninformed position.
Supersingular elliptic curves also seem to have nice properties but I have to
admit I don't even fully comprehend them. Would love for a crypto expert to
chime in :)

------
jcr
Somehow the submitted link got mangled:

[http://spectrum.ieee.org/tech-talk/computing/hardware/encryptionbusting-quantum-computer-practices-factoring-in-scalable-fiveatom-experiment](http://spectrum.ieee.org/tech-talk/computing/hardware/encryptionbusting-quantum-computer-practices-factoring-in-scalable-fiveatom-experiment)

The article has a broken link to the paper abstract, which is "_Realization
of a scalable Shor algorithm_", available here:

[http://science.sciencemag.org/content/351/6277/1068](http://science.sciencemag.org/content/351/6277/1068)

And I'm yet to find a full copy of the paper anywhere, but it sure looks
interesting...

Edit: Ah, here it is:

[http://arxiv.org/abs/1507.08852](http://arxiv.org/abs/1507.08852)

There's also "_Compiling quantum algorithms for architectures with multi-qubit
gates_" which cites the above:

[http://arxiv.org/abs/1601.06819](http://arxiv.org/abs/1601.06819)

~~~
xyzzy123
The title is also a bit clickbaity. Yes, QC are "closer" to breaking RSA...
but...

"Briefly, the new work uses Kitaev’s version of Shor’s factoring algorithm,
running on an ion-trap quantum computer with five calcium ions, to prove that,
with at least 90% confidence, 15 equals 3×5..... So, what’s new is that a QC
has now factored 15 “scalably”: that is, with much less cheating than before."
- (Scott Aaronson).

------
Joof
Could anyone point me in the direction of how quantum hardware is currently
designed? I'd love a technical explanation.

------
DropbearRob
I've always been confused by the claims of quantum computing, I'm hoping one
of the clever folk here can steer me to an understanding. Doesn't the very
nature of superposition and uncertainty make determining when the process has
solved the problem impossible to determine? It's like, when you look at the
data, you change it, and if it wasn't solved, you've already forced it into a
state, and if it was solved, by observing it you may change it to something
else. How are these problems solved with quantum computing?

~~~
akarve
that is in part what this discovery is about: how to read out and disentangle
the solution from superposition. the roots of the answer to your question are
in "shor's algorithm," which is the original proposal for factoring integers
in polynomial time with high probability.
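As an added example (not code from the paper, the article or any commenter), here is the classical part of Shor's algorithm applied to the N = 15 case discussed in this thread. The quantum computer's only job is the order-finding step; this demo replaces it with a brute-force loop so the reduction from order finding to factoring, and why it only succeeds with some probability over the random base, can be followed by hand.

```python
from math import gcd
import random

def find_order(a, n):
    """Smallest r > 0 with a^r == 1 (mod n), for gcd(a, n) == 1.
    This is the step Shor's algorithm performs with the quantum Fourier
    transform; here it is a plain O(n) loop, which is fine for n = 15."""
    r, x = 1, a % n
    while x != 1:
        x = (x * a) % n
        r += 1
    return r

def shor_attempt(n, a):
    """One run of the reduction for base a. Returns a sorted factor pair, or
    None when this base fails: the order r is odd, or a^(r/2) == -1 (mod n).
    That failure is why the algorithm is probabilistic and may need retries."""
    g = gcd(a, n)
    if g != 1:
        return tuple(sorted((g, n // g)))   # a already shares a factor with n
    r = find_order(a, n)
    if r % 2:
        return None
    y = pow(a, r // 2, n)                   # y^2 == 1 mod n but y != 1
    if y == n - 1:
        return None                         # trivial square root of 1
    p = gcd(y - 1, n)                       # n divides (y-1)(y+1), so this
    if p in (1, n):                         # gcd is a nontrivial factor
        return None
    return tuple(sorted((p, n // p)))

def shor_factor(n, seed=0, max_tries=20):
    """Repeat with random bases until a nontrivial factorisation appears.
    For n = 15, base 7 gives r = 4, 7^2 = 49 = 4 (mod 15), and
    gcd(3, 15) = 3, gcd(5, 15) = 5; only base 14 fails."""
    rng = random.Random(seed)
    for _ in range(max_tries):
        result = shor_attempt(n, rng.randrange(2, n))
        if result:
            return result
    return None
```

The point the "factored 15 scalably" quote is making is that the order-finding loop above is the part that must run on a quantum device for large N; for a 2048-bit RSA modulus that loop is exactly what is infeasible classically.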

~~~
DropbearRob
thanks akarve, I shall read about "shor's algorithm"

------
nickysielicki
I'm sure we'll be the first to hear when they actually do. /s

------
gt565k
Anyone know if this is the dwave quantum computer or a different one?

------
IvanK_net
After reading "a quantum computer that could someday factor any number, and
thereby crack the security of traditional encryption schemes," I understood
that the author has no idea what he's talking about.

