[krastanov]

Just to be clear, this has barely anything to do with any crypto-currency organization. It is a really regrettable framing for an event that should be of great interest to anyone dealing with cryptography, not just the fairly restricted group of crypto-currentcy enthusiasts.

If scalable quantum computers can be built (which seems probable, as we are progressing fast in the number of qubits we can keep together), then certain restricted types of public key encryption will be broken by quantum hardware (all currently used public key encryption actually). We know other public key encryption algorithms exist that can run on classical computers and still not be broken by quantum computers. In many ways they are less tested and less practical, so for a while NIST has been sponsoring the development of such quantum-resistant running-on-classical-computers public-key algorithms. The usual name for this is post-quantum encryption.

[tialaramex]

> which seems probable, as we are progressing fast in the number of qubits we can keep together

Are we? Every so often I check back to see how well they're doing with actually running Shor's algorithm. In 2012 they managed to find that 21 = 3 x 7. And today... 21 = 3 x 7. That doesn't sound like progressing fast.

Quantum annealing is doing well for itself, but it isn't any sort of threat to encryption.

[krastanov]

We definitely are getting closer. Look at any graph of "qubit lifetime" and you will see how we have orders of magnitude improvements. (a quick google search gives me page 9 of https://hpcuserforum.com/presentations/tuscon2018/QCOverview...). We still need a couple more orders of magnitude before the qubits are useful, but the signs of exponential progress are unmistakable.

I would not take any experiment performing Shor's algorithm today or in the past particularly seriously, since they would probably be showing something fine tuned for the particular instance of the problem (e.g. 21). We do not have anything that can be called an "error-corrected logical qubit", and we need this before we can make serious claims about running algorithms like Shor's.

[mlyle]

So if we extrapolate out the current curve 2 more orders of magnitude, it looks good. Therefore we can conclude it's looking possible? ;)

[beambot]

For historical precedence, see "Moore's Law"

Talking to experts in the field, we're doubling the number of functional qbits (ie accounting for error correcting requirements) about every 12 months right now. Looks like current number is 16-qbits, where many algos get "really interesting" around 1000 qbits (and functional even before that). So 5-6 years until a potential total transformation in computing paradigms. Quantum is in a similar place as deep learning in 2012.

[mlyle]

Exponents don't continue forever in the real world.

It's anyone's guess to how far we go, but generally extrapolating a curve far off the current reading is a case of innumeracy.

[beambot]

Obviously. However, Moore's Law held for 40+ years. We are at 16 qbits in quantum vs single silicon chips with 1.2Trillion transistors. Clearly some room for growth, especially given the $Billions in annual investment being poured into quantum.

[paggle]

There are some areas where 100x improvement is almost inevitable: self-driving cars, facial recognition, etc. You don’t need to be a genius to see it.

[krastanov]

Yes, two or more orders of magnitude of improvement are very much expected by most researchers in this field, simply because the current state of the hardware is infantile compared to what we know is possible (it just takes a lot of work to put all the different improvements in a single experiment).

[mlyle]

That's a completely different argument. "Researchers think we'll get two more orders of magnitude in a reasonable time" is quite different from saying "if we extrapolate this curve, we'll get there in 5 years". After all, exponents describe growth until they don't-- eventually we reach physical or economic limits (Moore's law has tapered off; bacteria in a dish of agar show exponential growth until they don't anymore, etc.)

I highly doubt we'll get there in 5 years, myself.

[Avamander]

We can conclude that if we're optimists.

[solveit]

We conclude it's looking possible because fundamental physics says it should be possible.

[sweeneyrod]

Damn, looks like I should stop using 21 as my PK then.

[nielsole]

Not sure what algorithm you use for encryption, but 21 doesn't look like a prime. Maybe run a Miller Rabin test on it? ;)

[sweeneyrod]

It's the modulus of my RSA PK, so the product of two large primes rather than a prime itself. Of course, I can't say what the factors are, otherwise anyone could crack it even if they don't have a quantum computer!

[neuralzen]

Just XOR 21 times, problem solved!

[myle]

Always with the same mask, to make sure it is applied well.

[olliej]

That list is still going though I don’t have it handy (I’ll try to update with the mailing list).

There are a number of problems that are well established with strong security proofs vs classical and quantum algorithms - the problem is that the key and message sizes are fairly terrible for practice currently.

On the plus side all the current symmetric ciphers are still pretty solid against quantum machines (Grover’s search is a sqrt improvement so would simply require a doubling in key size, but I suspect in practice not necessary)

[Causality1]

We seem to be getting better at using quantum computers for hard math. What I'm curious about is when we'll be able to use them for easy math. How many qubits do we need to run Doom Quantum?

[krastanov]

Quantum computers are (conjectured to) outperform classical computers in a very restricted set of problems. These problems happen to be extremely important (e.g. protein folding and some forms of linear algebra), but for tasks that are already efficiently solved by classical computers you probably will never use a quantum computer (maybe in many decades this will change, when it becomes as "trivial" to construct quantum CPUs as it is to construct classical CPUs)

[marcus0x62]

Or the subset of users who need what a quantum computer can offer add something analogous to a GPU to their general purpose computer.

[The_rationalist]

> which seems probable, as we are progressing fast in the number of qubits we can keep together Probable? Ridiculous:

×there are still no hardware implementation of a single logic gate despite what? 40 years of research? ×stability of qubits are pathetic. ×no software stack (almost) ×Number of qubits are ridiculous and 40 years of research can't even make a consensus on how much qubits are needed for beating a CPU on at least one task. Even if quantum could(I strongly doubt that and quantum speedup has never been shown empirically) reduce complexity on some algorithms, the constant factor has no way to be handled with 50qbits, more like 1000000 qbits at minimum. ×no sign of needed breakthrough in error correcting codes.

I consider quantum speedup to be theoretically flawed, based on an interpretation of quantum mechanics needing "parallel worlds" which necessitate a misunderstanding of causality to make sense.

I consider quantum speedup to be flawed in practice too as order of magnitude of order of magnitude progress is needed and the trend is: no progress or very slow progress.

Thus quantum computing is like a vaporware, which take funds that would be far better allocated at e.g medicine, AGI, or ASICS.

[semi-extrinsic]

While I agree that QC is far from cracking any encryption today or in the near future; this

> theoretically flawed, based on an interpretation of quantum mechanics needing "parallel worlds"

is patently false. There is nothing in QC that would stop working under the good ole' Copenhagen interpretation.

In fact, if there was even a theoretical possibility that a QC experiment would work only in some QM interpretations, they would no longer be interpretations, but falsifiable hypotheses.

[im3w1l]

Copenhagen postulates collapse, no? If collapses turn out to happen at problematic times or because of problematic conditions, it could potentially doom quantum computers.

In contrast, many worlds says basically: There is no collapse. Ever.

The fact that no one has found what triggers collapse yet is to me evidence that Copenhagen is false.

Pilot wave theory on the other hand is, afaiu completely equivalent to many worlds, but less philosophically convincing.

Where many worlds says there is only the wave function, pilot wave says there is a wave function but also the material world. And material world is a sort of "view" of the wave function. Continuously rederived from it. But the interesting thing is, this material world has no causal consequences. All causality stems from the wave function and its evolution. This is the compromise to get same predictions as many worlds.

[krastanov]

Various interpretation postulate collapses under specific conditions, while other formalisms postulate something mathematically/observationally equivalent at mathematically/observationally equivalent conditions. In particular "problematic collapses" are a thing all quantum computing researchers have to deal with in their work. It is one of the largest subfields of this research program actually (practical quantum error correction).

[semi-extrinsic]

> The fact that no one has found what triggers collapse yet is to me evidence that Copenhagen is false.

It' just the same as "no one has found what triggers a split between worlds, and why the physical reality we observe is following this particular one of the many worlds".

[The_rationalist]

Well if Occam's razor is not enough, you must know that both many world interpretation of QM and hortodox view of QM are refuted. The one remaining is the statistical one that is: QM is a map not the territory, QM descriptions are description of optimal use of our knowledge (or lack of) on a system. Sufficient knowledge of the environment allow use of classical mechanics. Quantum paradoxes do not exists because e.g the phenomenon such as two simultaneous antithetic state (e.g a cat dead and alive) are just intermediate QM calculations results that have no reality but are useful for calculations. Sadly QM are invaded by BS artists and "philosophers" which prefer fun magic to serious rigorous truths. Source: https://www.google.com/url?sa=t&source=web&rct=j&url=https:/...

[semi-extrinsic]

It is a travesty to put forward such unfounded claims, and then point to as source a paper by the great Anthony Leggett on the use of condensed matter systems to probe the quantum measurement problem.

What you are claiming is merely the proposition of "hidden variables" aka "local realism", a theory which has been thoroughly rejected by experimental measurements [1,2,3].

[1] https://www.nature.com/articles/nature15759

[2] https://doi.org/10.1103%2FPhysRevLett.115.250401

[3] https://doi.org/10.1103%2FPhysRevLett.115.250402

[krastanov]

I think it is rather misleading to state "40 years of reasearch" the way you are doing it. It was only in the late 90s that there was theoretical reasons to believe quantum error correction is feasible. And your goalpost of logical gates completely disregards the enormous (more than 6 orders of magnitude) exponential progress in the lifetime of physical qubits (see sibling comments for references). We still need a couple more orders of magnitude before things work out at the "logical gate layer", but it is dishonest to disregard the progress up to now.

[McTossOut]

There's a very intuitive inductive argument that places quantum computers ahead of classical computers.

Basically that quantum interactions are more fundamental to the universe than more terse ones, stochastic randomness or presence/absence.

If a computing device (in a universe) is built to compute using more fundamental substance (to that universe) it should stand to reason it is more efficient.

If you model a photon, does your model ever move as fast as the photon?

[The_rationalist]

I would like to understand what you mean but I can't, could you rephrase / exemplify?

"Basically that quantum interactions are more fundamental to the universe than more terse ones, stochastic randomness or presence/absence." What does more fundamental means? Presence, absence and randomness are included in the set of quantum interactions they are not of a different nature.

" If a computing device (in a universe) is built to compute using more fundamental substance (to that universe) it should stand to reason it is more efficient." What does fundamental substance mean? I don't understand this paragraph.

"If you model a photon, does your model ever move as fast as the photon?" My model does not move. If you meant that my mental visual simulation of a photon moving is slower than a photon moving, yes obviously, it's slowness and lack of accuracy is just a limitation of my brain. How is that related to quantum speedup?

Help me understanding you, I would really like to believe in quantum speedup but the explanation needs to be sound.

[McTossOut]

I'll reiterate that I was just hoping to share my intuition behind the subject but I'll try and point you in the right direction.

I mean that the relationship between Newtonian mechanics and Quantum mechanics is such that the matter described by Newtonian mechanics is composed of matter whose precise behavior is exclusively described by quantum mechanics, that is that underlying matter is fundamental to the macro behavior.

I'm by no means a physicist, but a formal treatment of this kind of relationship (and predicted consequences) is captured in Constructor Theory (as David Deutsch who may have been early in identifying this was able to formalize this in the much more precise language of physics)

Intuitively, if you took a whiffle ball (or pair of whiffle balls, or some other ensembleoof whiffle balls sufficient to represent a system's state) in your hands, and a little obstacle course representing, say, beam splitters, and with each in your hands somehow made these classical implements behave like photons, you would have little hope of doing this at light speed.

[The_rationalist]

Well thanks for the effort, that was interesting.

In general I have issues understanding many QM explanations as I disagree with all interpretations of QM except the statistical one. You might be interested to read this Nobel prize paper with test the limits of quantum mechanics and refute in a sound manner, common interpretations. https://www.google.com/url?sa=t&source=web&rct=j&url=https:/...

[ridewinter]

The only truly safe encryption is quantum encryption. Any classical encryption algorithm should be breakable with quantum computers, even if we haven’t figured it out yet like with Shor’s.

[zazagura]

Citation needed? Symmetric encryption algorithms like AES (with at least 256 bit key) are considered safe even against quantum computers, based on some reasonable math/qm assumptions.

[charleslmunger]

Yeah, so far as I know the only algorithm that provides an asymptomatic speedup (for AES or similar symmetric key crypto) over a classical computer is Grover's algorithm. That would reduce a 256 bit key to 128, which is hardly disastrous.

[ridewinter]

All of that seems to only be “medium” secure in face of future quantum computing.

“It's been estimated that 6,681 qubits would be required to run use Grover's algorithm to break AES-256 bit encryption.”

https://www.theregister.co.uk/2019/03/14/quantum_encryption_...

[zrm]

Not only that, there are asymmetric encryption algorithms not vulnerable to Shor's algorithm, we're just not using them yet (because they're slower and haven't been as well-studied as RSA or ECC).

[mikeash]

Obvious counterexample: one-time pads.

Even if you don’t go that extreme, there’s no indication that e.g. AES is breakable.

[kokx]

What do you mean with quantum encryption? QKD (Quantum Key Distribution)?

Though the concept seems nice, it has quite a few issues in practice. Such as distance between coupled devices, and the need to have a dedicated physical communication line.

Oh and before you think you can just chain several devices to get longer distances: this opens you up to classical MitM attacks.

Source: https://www.nature.com/articles/npjqi201625