MIT's New 5-Atom Quantum Computer Could Make Today's Encryption Obsolete

An anonymous reader writes: In traditional computing, numbers are represented by either 0s or 1s, but quantum computing relies on atomic-scale units, or "quibits," that can be simultaneously 0 and 1 -- a state known as a superposition that's far more efficient. It typically takes about 12 qubits to factor the number 15, but researchers at MIT and the University of Innsbruck in Austria have found a way to pare that down to five qubits, each represented by a single atom, they said this week. Using laser pulses to keep the quantum system stable by holding the atoms in an ion trap, the new system promises scalability as well, as more atoms and lasers can be added to build a bigger and faster quantum computer able to factor much larger numbers. That, in turn, presents new risks for factorization-based methods such as RSA, used for protecting credit cards, state secrets and other confidential data. "If you are a nation state, you probably don't want to publicly store your secrets using encryption that relies on factoring as a hard-to-invert problem," said Chuang. "Because when these quantum computers start coming out, [adversaries will] be able to go back and unencrypt all those old secrets."

Quantum computers were "5 years away"... in 1972!

[Anonymous Coward]

Way back in 1972, before many Slashdotters were even born, I remember hearing about how quantum computers were just "5 years away".

Then in 1977, I remember hearing about how quantum computers were just "5 years away".

Then in 1982, I remember hearing about how quantum computers were just "5 years away".

Then in 1987, I remember hearing about how quantum computers were just "5 years away".

Then in 1992, I remember hearing about how quantum computers were just "5 years away".

Then in 1997, I remember hearing abou

Re:Quantum computers were "5 years away"... in 197

[50000BTU_barbecue]

Now they're just 5 atoms away.

Quantum Computer and Chinese

[Anonymous Coward]

Issac Chuang is a Chinese

Having a Chinese in a leading role developing cutting edge quantum computer only means China will be one of the first nation to deploy quantum computers

Re:

[Anonymous Coward]

Issac Chuang is a Chinese

Having a Chinese in a leading role developing cutting edge quantum computer only means China will be one of the first nation to deploy quantum computers

That's odd. I'm pretty sure he is an American.

Re:

[Hylandr]

Quantum is the new Alchemy

http://www.crystalinks.com/alc... [crystalinks.com]

Re:

[Aighearach]

Alchemy is the new alchemy, too.

http://www.scientificamerican.... [scientificamerican.com]

Re:

[kwbauer]

"Except that quantum things are real", but not until you open the box. Before that they are both real and not real.

Re:

[Hylandr]

Except that quantum states are potential realities until measured. Then reality is the only one that ever was with the exception that it's been observed by entities that give a shit about the *potential state* to begin with.

Re:

[Aighearach]

Meanwhile, in my Universe they've existed since the 90s and now even my local University has a few qubits. When I was a kid, all we had was a few q*berts.

Re:

[KGIII]

I was alive in 1972, albeit just 15. I attended a fairly well-to-do preparatory school. At that school we actually had a connection with a distant university, a forerunner of the Internet. I was not nearly as interested in computers then as I am today, but that's okay because I'm not professing to be an expert on the subject.

What I am saying is that if there were any serious talk about quantum computers in 1972 then there's a good chance I'd have heard about it. I was (and still am) an avid fan of science f

Re:

[KGIII]

Yeah, it looks like some mention of it in the 60s (according to Wikipedia) and then not much of anything until the 1980s and it does look like Feynman was speculating about fifty years out (if I remember the talk well enough). So no, no serious discussion of it in the 1970s was speculating that it was five years out. At least not that I can find. Your link doesn't change that.

Re:

[Impy the Impiuos Imp]

Fusion has been 40 years away for longer than that.

Re:

[RockDoctor]

Elementary failure of physics (or history) knowledge : Quantum computers were only seriously proposed in the early 1980s. Fiction authors may have used the term earlier, but without meaning.

Re: Quantum computers were "5 years away"... in 1

[Anonymous Coward]

In 100 years we won't have the energy to tun this techno-based world anymore so we'll have reverted back to agriculture. No computers. No technology. No science, except for basic biology and simple weather forecasts.

Re:

[Anonymous Coward]

Two things. First, exponential growth can't continue indefinitely. Second, once all the easy problems are solved, the ones left will require 90% of the total time. We have the lessons of AI and fundamental physics, where all the "easy" problems were solved decades ago, both disciplines becoming pretty stagnant since. Ergo, for all we know, the world 100 years from now might not look all that different.

Re:

[castionsosa]

Not all encryption. -some- encryption, namely RSA and public key based algos that can be factored with Shor's algorithm. We will just wind up moving to UOV (Unbalanced Oil and Vinegar), lattice-based crypto, new ECC based encryption, or another method, and life will go on, just like it did when MD5 was weakened, and DES's short key space was found to be easily run through.

Life will go on.

As for symmetric encryption (AES, IDEA, BLOWFISH), quantum crypto won't do much for this, so there is no need to worry

Re:whipslash, can you fix that abusive modding?

[RuffMasterD]

Shit happens when you post AC. If you won't own your comment and risk your reputation on it, then don't complain when it gets modded -1.

Re:

[Culture20]

I would like to suggest that the moderation process be revised, so that usernames are kept hidden until the moderator is finished. This should certainly help prevent the bias against ACs. The validity of a comment should have nothing to do with the poster's history.

Admirable, but a malicious moderator can just as easily log in anon with another browser to match up comments with users.

gotta get the encrypted data first

[Anonymous Coward]

You first have to get a copy of the encrypted data before you can start trying to hack it. Are there any governments that actually store their state secrets in a fashion where they rely purely on encryption? Encryption tends to be an extra layer.

Re:

[dohzer]

Which is exactly what the summary says: "you probably don't want to publicly store your secrets".

Re:

[Hylandr]

"Don't publicly store your secrets".

FTFY

Re:gotta get the encrypted data first

[currently_awake]

Governments, corporations, and groups of people need to communicate securely. Quantum crypto breaking destroys the one way math based crypto systems but other systems still exist and will still be secure. Given the low cost of bulk data storage we might consider moving to one time pads.

Re:

[Hylandr]

Assuming of course the concept of "Quantum Computing" proves it's legitimacy and this hypothetical scenario could be implemented with a suitable number of bits to work with.

Until proven otherwise I am lumping all near-magical claims of quantum-super-computing the same status of Alchemy in the medieval era of bilking governments for money and jobs.

Re:

[KGIII]

Hmm... As I mentioned in an above post, one of the things that I've read was a paper that did indicate some value. In theory, at least, one can use quantum computing to ensure there's no MitM attack/interception. So, the communication (as a process) might be secured.

Re:

[Hylandr]

I would be more interested in using something like that to communicate from one side of the solar system to the other or further yet without the restriction of the speed of light on the propagation of radio waves.

Re:

[RespekMyAthorati]

Or let Hillary anywhere near it.

Re:

[HiThere]

The problem is that to be accurate you should have said "nation states shouldn't store this stuff online". But we keep running across stories of where one or the other has done so. Not frequently, but often enough. Perhaps once every other year. And those are the occasions we hear about.

Now aside from this there are all those occasionally lost laptops or hard disks that are sold without reformatting or...

People aren't perfect. Mistakes happen. And secrets occasionally get published...sometimes even un

Re:

[KGIII]

I am a mathematician but I am not a cryptologist, not even remotely. I am also a bit of a geek with some extensive computer knowledge that includes things like securing (hardening really, nothing is ever secure so long as it is functional) computers and networks, though such was a matter of necessity and not an academic pursuit.

One of the things that has intrigued me is how, exactly, we'll be able to secure our data once quantum computing becomes widely available at reasonable costs. I've read a few papers

Re:

[TechyImmigrant]

>how, exactly, we'll be able to secure our data once quantum computing becomes widely available

Look here [nist.gov]

Summary..
Encryption and symmetric signing will need to double the key size for the same security bound.
RSA, ECDH and ECDSA will be insecure.

So key management goes back to the pre-DH days.

Re:

[Bob the Super Hamste]

Also NIST wanted 256 bit keys for all entrants into the AES competition for that exact reason so AES, SERPENT, and TWOFISH should all be ok unless there is a break that is discovered in any of them and then you would be screwed

Re:

[Bob the Super Hamste]

From reading that it would appear that the problem is that the key schedule in AES 256 is substantially worse than the one used in AES128. So yes it would appear to be weaker. Also it would seem that cracking AES256 is the holy grail as it is the standard and was pushed so hard so it has a rather large target on it while AES 128 and AES 192 have been ignored more since they are likely less used. Personally I wouldn't recommend using AES 128 in hopes of it preventing attack from quantum computers as it would

Re:

[delt0r]

There are quantum resistant signing and public key methods. So no. It won't be pre DH days.

Re:

[TechyImmigrant]

There are. They don't have a great history of remaining either unbroken very long, unencumbered by patents or having key sizes that are reasonable.

However a remain a skeptic on effective factoring or DLP breaking quantum computers happening. I will stick to working to solve the much more immediate problems of crypto - weak RNGs, excess complexity in protocols, untrustable curves, fragile PKI models and clonable identities. There's plenty of time to fix those before physicists can build a freezer cold enough

Re:

[delt0r]

They don't have a great history of remaining either unbroken very long, unencumbered by patents or having key sizes that are reasonable.

Yes they do. Lamport signature and extensions (merkel etc) are totally secure as long as the hash function is secure. And McEliece has been around a long time and not been broken. Neither has patents. So no idea what your talking about.

Re:

[TechyImmigrant]

Wild McEliece was broken as were several other variants. That's a reason to suspect McEliece won't survive very long

The most important problem to solve it key agreement protocols based on public key crypto to replace DH and RSA if quantum computers become practical. Hashes just need to increase their output size. So signing isn't a big problem and Merkel trees are thus fine.

However Lamport keys are around 128Kibits each, so a key pair is 256Kibits. So the key size is not reasonable.

Re:

[delt0r]

Its not 1980s anymore. We are not on 9600 baud rate modems. Hell i was offered 10GBit fiber for my domestic internet just yesterday, the server farm i am looking uses 100Gbit! I have over 10T of disk space on my desk. Also there are schemes to reduce key size and sig size in Lamport. Finally McEliece with Goppa codes is old and hasn't been broken and lots of people have been trying recently (lots of papers in the last few years) as well, there is even now a signature scheme using it. Not sure where you keep

Re:

[TechyImmigrant]

Try implementing these things in power efficient hardware. Huge keys suck both from an efficiency point of view and a side channel point of view.

Re:

[delt0r]

We have. The shit cheap chip cards struggle with any real security anyway. Yea who knew that if you be cheap you get cheap security. I worked on some 12 odd years ago, i was on contract with a different system a month or so ago, and you know what. The performance hasn't increased at all. However the memory had, and you know what, McEliece is faster than even ECC. So ECC was out, too slow. In the end we went for a shared secret key. Not much choice for how fast the thing was suppose to work.

And well it is

Re:

[delt0r]

It is also horrendously cumbersome and impractical for many real world cases.

Re:

[Bob the Super Hamste]

For Public key crypto there is still Lattice-based crypto [wikipedia.org] which so far does not have a break on either a classical or quantum computer. For symmetric key (AES, SERPENT, TWOFISH) schemes they will still be good, but only use the 256 bit key versions as that puts the lower bounds on energy requirements to crack them near the total output of the Sun over its entire lifetime even on a quantum computer. Yes quantum computers can do some things amazingly fast but for symmetric key crypto the work is changed from

Re:

[HiThere]

A problem is that even for a theoretically perfect solution, you are depending on a perfect implementation. Recently most cryptographic problems have stemmed from faulty implementation, and the more complicated something gets, the more likely the implementation will be faulty.

But the real answer seems to be "if you want a secret to be secure, don't share it". There always seems to be some way to discover a shared secret.

Re:

[delt0r]

First note that quantum computers that can even think about cracking the current crop of encryption are *thousands of qubits away*. Not 5. Quantum computers are exponentially difficult to build. And a 1000bit quantum computers is 100% totally absolutely useless for a job that requires 1001qbits. Also that 1 extra bit makes it about 2 times harder to build. We are talking about a rock abacus compared to a modern 15nm process CPU/GPU here.

Next note that it has no real effect on symmetric encryption. Also t

Re:

[kwbauer]

internet search with the following keywords: Hillary, emails

Totally misleading title

[AchilleTalon]

Factorization of the number 15 won't render modern encryption obsolete at all. To rendre encryption obsolete, they will need much more than 5 atoms and be able to factorize much more larger numbers.

Seriously /., you are insulting to the community.

Re:

[PPH]

the number 15

You managed to crack my luggage combo, insensitive clod!

Re:

[AmazingRuss]

Luckily, this univers is chock FULL of atoms. All we could possibly need!

Re:Totally misleading title

[fahrbot-bot]

Luckily, this univers is chock FULL of atoms. All we could possibly need!

But it's, apparently, short on "e"s. :-)

Re:

[93 Escort Wagon]

I've got extras - take what you need. eeeeeeeeeeeeeeeeeee

Re:Totally misleading title

[Jason Levine]

Much apprciatd. My own storag of 's was gtting dangrously low. I trid to buy thm from an onlin sourc, but that sal fll to pics. Who knw it would b so hard to locat a vndor to purchas xtra 's from?

Re:

[HiThere]

They explicitly talked about it being scalable. But I do wonder what amount of error correction will be needed as they increase the length, and, of course, about the speed and the cost.

I have my doubts about this particular approach ever being practical (as in a reasonable degree of accuracy on a reasonable problem at a reasonable cost). Of course, but different applications reasonable will have a different value, but still...

This looks to me like another laboratory benchtop quantum computer, slightly mor

Re:

[silentcoder]

As I recall the last piece of technology documented to require a hot cup of tea was the infinite improbability drive, which while capable of revolutionizing space travel, was not exactly a computational device.

Re:

[dave420]

Incorrect. You are thinking of the Bambleweeny 57 Submeson Brain. Your geek card has been revoked :)

Re: Totally misleading title

[silentcoder]

That is some seriously hot tea. Superheated in fact. Better be carefull...

Re:

[bfpierce]

1.) It says could, not will.

2.) Says right in the article that this particular design holds some promise on scalability.

3.) Poor reading comprehension skills is just insulting to our entire species at this point.

Re:

[abies]

Sure, but going from 5 to a few hundred, or a few thousand, doesn't seem like an impossibility.

Think about juggling knives. There is plenty of people who can do 5. There are some which can do 7. Will you assume that going to hundreds or few thousand doesn't seem like an impossibility?

Re:

[silentcoder]

And just what exactly about atoms make you think that shining some lasers on them is anything like juggling knifes ?

Re:

[abies]

In the way that keeping them in proper state/entanglement/whatever gets more complex - like adding more knives for a single juggler, rather than adding new jugglers next to each other, each handling independent, small set of knives.

Quantum computers won't break RSA

[ffkom]

I am still pretty convinced that the "quantum computer"-hype is based on fundamentally flawed assumptions, and that they won't break RSA (or other practical problems) of any reasonable size, that are not also easily solved with conventional computers.

Just because a model works with probabilities of "uncertain states" does not mean reality will reveal a "solution" based on all possible combinations of such states in no time. There is no compelling evidence yet that a quantum computer will find solutions quicker than it takes the real, physical hardware of that computer to take on all relevant input state combinations.

I'm prepared to bet the safety of my encrypted data on that, and I am convinced that 40 years from now, we'll look back at the hype around quantum computers the same way we today look back on the era of analog computers in the 1960s/1970s, when it was a plausible approach to solve some (back then hard-to-compute-digitally) equations, like for numerical calculus, by building physical systems (electronic circuits) that were known to behave in a way that equations could be solved by carefully adjusting some input voltages, then measuring some output voltage. We know that the precision achievable by such analog computers is very limited, and see the same problem preventing "quantum computers" from ever providing solutions that need to process a significant amount of information.

Re:Quantum computers won't break RSA

[ortholattice]

While you could be right that the necessary technology still won't be available in 40 years, the quantum world is fundamentally different from the analog world. In the analog world, noise and other errors determine an absolute limit as to how much precision you can achieve. In the quantum world, there is the miracle of quantum error correction that can compensate for errors. It is quite amazing mathematically that linear transformations performed by quantum gates can correct errors, but the mathematics works (I have worked through it myself, it's not terribly hard, requiring only linear algebra) and small error-correcting qubit circuits have been demonstrated.

Most important is the threshold theorem [wikipedia.org] that says if we can reduce the noise in a qubit below about 1 part in 10^5 (IIRC), error correction can allow a quantum computer to grow to an unlimited number of qubits. That's when the revolution will start.

Re:Quantum computers won't break RSA

[gweihir]

That is naive. You assume maintaining entanglement gets less than linearly more difficult and that noise is independent of the number of qbits. Both are not reasonable assumptions.

Re:

[GLMDesigns]

Kurzweil is and others of the ilk (I'm one of them) is trying to get people to realize that exponential growth is non-intuitive. If growth continues at the much the present pace then in 15-20 years computers will be 1000 times as powerful as they are today. What can be done with that which is close to unimaginable today.

Think of computers and the internet 20 years ago: Pentium 133s and 28.8 modems. In 2000 T1 connections (1.54 MB) cost $1000.00/mth and who knows how much to install. Now I got a better c

Re:

[gweihir]

Actually, exponential growth for computer speeds has stopped a while ago and was never as good as advertised before. The thing is that actual experts understand that many important problems cannot be parallelized and hence single-thread performance is what determines speed. That has mostly stalled in the last 10 years or so.

Kurzweil is an incompetent moron with a grand vision he sells well. Kind of a bit like Trump, although I do not think Trump is stupid enough to believe the things he says. With Kurzweil

Re:

[GLMDesigns]

Exponential growth has stopped? Perhaps, if you're talking about Moore's law. CPU speed hasn't increased much for about 10 yrs. But there are multi-core processors now. Take a look at the list of the fastest computers. (see below) What would you call a chart plotting it's performance? I see something approximating exponential growth. (7 doubles in 10 years)

The key concept to grasp is not the Kurzweilian AI and human/robot mind melds. The key concept is that exponential growth is a hard thing to grasp. O

Re:

[david_thornley]

Gluing a large number of processors together is an excellent thing for many problems, but not all. Moreover, we're getting reasonably close to fundamental limits. Silicon traces have to be a certain number of atoms wide, and communications are limited by lightspeed, since no signal can go farther than 30cm in a nanosecond. There's still advances we can make, and we can come up with more ingenious techniques for getting more out of what we can do, but performance improvements are going to slow down fairl

Re:

[GLMDesigns]

I don't know how much longer it's going to last (exponential growth) but if it lasts for another 30 years at this pace then computers will be 1,000,000 times more powerful than they are now - with incredible ramifications for every field. Again, I'm not claiming true AI here but ... something. And it's something I can't imagine - cellular repair; gene therapy; VR learning tools, a dystopian all-powerful, nanny-state brooking no dissention; the end of scarcity; ... I don't know.

But I credit Kurzweil for

Re:

[david_thornley]

It isn't clear to me that we can make computers a million times more powerful than what we've got. There's obviously room for advancement still, but I'd be mildly surprised if they got to a thousand times as powerful as what we have now, except for specialized applications. (My current home computers are, very roughly, a million times as powerful as my original personal computer, a TRS-80, which I got roughly forty years ago.)

Moreover, this doesn't translate into a great improvement in some problems wi

Re:

[delt0r]

No he hasn't. If the error rate is a *constant* then error correction can work, with a *lot* more qbits i mite add. That is if the total "error" is simply proportional to the number of qbits. However that is *not* how the physics works, in fact there is quite a lot of evidence that the error rate goes up faster than proportional to the number of qbits, so if i add a qbit i need to add 2 more error correcting qbits which requires 4 more error correcting qbits..... This makes a quantum computer over a particu

Re:

[gweihir]

Exactly, thank you. Error correction is not magic. Error correction is what keeps QC research going (very, very slowly) at this time, because without it there would be absolutely no point.

Re:

[silentcoder]

It took centuries for computing devices to go from the Abacus to the Hollerith tabulator. Along the way they gradually but steadily progressed. Mechanical computation devices got more and more advanced (read a bit of the history of mechanical computers -there were some very fascinating and surprisingly powerful ones over the centuries) - and when we reached their limits they were gradually replaced by electrical devices which were in turn slowly replaced by electronic devices (a line you can draw roughly at

Re:

[Anonymous Coward]

Quantum computing is dependent on exactly one dubious assumption: That there is no [hard] limit to the complexity of a physical interaction.

If we can have unlimited complexity, then we can have quantum circuits which are as good as [credibly] advertised; if we can not, then, at best, all we get out of it is a means to optimize a few computations.

Re:

[gweihir]

I agree. At this time, we cannot even know whether the physics itself holds up. Factoring 15 is something that can be done with a conventional analog computer, no actual quantum effects needed. So there are two hard road-blocks to this ever threatening RSA of real sizes: a) it may not actually be possible to use quantum effects for computations and what we currently observe may be something different and b) quantum computers may not scale to the required bit-sizes, ever. We see these hard scalability limits

Re:

[JoeMerchant]

Also, this only breaks RSA style encryption. Good old fashioned shared key systems are immune to this, and many modern systems only use RSA-type encryption for the initial sharing of a secret key to both parties.

Re:

[RatherBeAnonymous]

As with most things, the devil is in the details. With a TLS/SSL connection handshake, if you can break the RSA key exchange portion you can recover the symmetric encryption key that is used for the remainder of the connection. A man-in-the-middle attacker can easily record all packets in a connection without alerting either party. If they later break the RSA encryption, they can easily and efficiently decode the rest of the data stream.

Enter the DH (Diffie-Hellman) and ECDH (Elliptical Curve DH) key exc

Re:

[KGIII]

I have done quite a bit of reading. I wouldn't say that it's over-hyped so much as it's poorly understood. It's a bit like science and science journalism, at least as near as I can tell.

Re:

[delt0r]

Well i think over hyped and misunderstood are the problem. Just look at mainstream articles on quantum teleportation...

Where TFA?

[Anonymous Coward]

The link points to a science article which is closed.

Why are we advertizing an article that can't be read?

For an actually good summary of this research

[JoshuaZ]

For an actual summary of this research see http://www.scottaaronson.com/blog/?p=2673 [scottaaronson.com] by Scott Aaronson who is a quantum computing expert. The key thing here is that they factored 15 with high probability without having to sort of cheat by making a circuit that was more likely to work if one suspected that 15 had factorization resembling 3*5. As usual, this is getting completely overblown by the popular press. It is an important step towards actually making quantum computers that can factor big numbers, but it is nowhere near anything that would make RSA or other factoring based crypto obsolete.

Improvement to Shor's algorithm, no new technology

[Anonymous Coward]

If you actually read the scientific article (which is available as a preprint unter [1]), what the authors discuss is how to significantly improve Shor's algorithm, the quantum algorithm for factorizing prime numbers. They show that the number of qubits needed to perform Shor's algorithm is actually quite a bit lower than what previous versions of the algorithm required - and they claim that their version is much more scalable than previously known versions.

They demonstrate their algorithm by factorizing the number 15 using trapped ions. That elementary qubit operations can be performed with trapped ions has already been demonstrated [2], that part is nothing new. Factoring the number 15 with Shor's algorithm is has also been done before. But since their algorithm doesn't need nearly as many qubits as the previous formulation of Shor's algorithm, specifically they only need to have a single ancillary qubit in addition to the qubits required to represent the number to be factorized (in contrast to 3n ancillary qubits), and given the fact that the quantum Fourier transform operation that was previously required to be performed on the ancillary qubits is difficult to pull of in practice while keeping quantum coherence, they argue that their algorithm will be much easier to implement in real quantum systems.

So their research is actually a big step forward when it comes to a potential actual practical realization of Shor's algorithm, and what they did is still very impressive (even the experimental part of their work), but their work doesn't address the problem of actually scaling up the number of qubits: 5 bits have been done before, and while their work means that less qubits are needed, it's not like even a (512+1+error correction) qubit computer with quantum coherences is around the corner (note that to break 512 bit RSA you don't need a quantum computer). Furthermore, there's a huge debate in the community as to what the best design for a scalable qubit architecture is: the authors of this paper seem to follow the school that wants to use ion traps, but there are also other approaches to implementing qubits: superconducting qubits (in various variants), spin qubits (including nuclear spins), semiconducting qubits, adiabatic quantum computation, and a couple more. A lot of people in the community are working on all of these different approaches, and it is not clear to me which of these will be the most effective way to implement a quantum computer in the end. And scaling this up beyond 100 qubits with full quantum coherence and quantum control of qubit operations (from all reports e.g. the D-Wave machine "only" does quantum annealing with ~500 qubits, and doesn't implement a universal quantum computer) is something that's still quite a bit away. How long? I don't think anybody can really predict. Could be 5 years, could be 10, could be 50.

To reiterate: the paper is a breakthrough, because (if we leave out error correction for the moment, which increases the number of qubits required) to factor a 1024 bit RSA key, one would previously have needed 1024 + 3 * 1024 qubits and a very difficult to pull off quantum operation (quantum Fourier transform) on 3 * 1024 qubits simultaneously. This paper reduces that to 1024 + 1 qubits, where the KQFT operation only has to be applied to the 1 additional qubit. We still don't know how to actually manufacture a quantum computer that maintains coherence well enough with that many qubits, so there's no need to start panicking when it comes to this, but these kind of improvements do show that research towards asymmetric cryptography that is safe against quantum computing is required - and that we should really start implementing these kinds of algorithms NOW, so that when somebody actually has breakthrough in this regard, we have the technology in place to switch at that point. A good starting point for people that are interested is the pqcrypto.org site [3] and the excellent talk by Dan Bernstein and Tanja Lange at 32c3. [4]

[1] http://arxiv.org/abs/1507.08852
[2] https://en.wikipedia.org/wiki/Trapped_ion_quantum_computer
[3] http://pqcrypto.org/
[4] https://www.youtube.com/watch?v=6XeBvdm8vao

Re:

[gweihir]

And scaling this up beyond 100 qubits with full quantum coherence and quantum control of qubit operations (from all reports e.g. the D-Wave machine "only" does quantum annealing with ~500 qubits, and doesn't implement a universal quantum computer) is something that's still quite a bit away. How long? I don't think anybody can really predict. Could be 5 years, could be 10, could be 50.

Could also very well be "never". Just look at the lengths CPU manufacturers have to go to get to 5GHz. A bit more is likely feasible, but, say, 100GHz is likely completely infeasible unless a mythical new technology presents itself. It has not, despite now 50 years of intense research, so what we currently have in CPUs may very well be close to the end of the line in this universe. It is quite likely that quantum computing (if it even works at all, factoring 15 could well be some other effect), runs into pr

Re:

[silentcoder]

>something nearing the temperature of the surface of the sun if left uncooled, how the hell do you cool that?

Hold it against Hillary's tit ?

Re:

[colinrichardday]

the quantum algorithm for factorizing prime numbers.

That problem may be simpler than you think.

Re:

[mrthoughtful]

Probably one of the best comments I have ever read on /.

Martin Gardner's Finest Puzzle Offering

[TheRealHocusLocus]

Well done abstract.

Large number factorization is one of integral-nature's greatest frontiers. I find it amazing that within my lifetime a curiosity of mathematics of interest to theorists and puzzle-makers has become the keystone of privacy in the world. For me there was a single 'Eureka' moment. Along with many others I caught a glimpse of today's world back in August 1977 thanks to a column by Martin Gardener in Scientific American: "A new kind of cipher that would take millions of years to break" Read i [medargin.com]

scalability

[e**(i pi)-1]

The key will be scalability. Its an interesting experiment as it taps into the fundamentals of computing. It could however well be that the effort of keeping things disentangled grows exponentially (something which Shor's algorithm does not address). Like in dynamical systems theory, where computing the 10th iterate of f(x)=4x(1-x) with some initial condition like x=0.4 is no problem. It gives 0.297... already for a a hundred iterations the result become ambiguous and the answer becomes hardware and software dependent. No error correction can bypass these fundamental sensitive dependence of initial condition difficulty. So, it could well be that it is possible to factor a 10^10 digit number nicely but that things become more and more difficult larger numbers like integers with 100reds of digits and that RSA will remain save from quantum computer attacks. But who knows? The nice thing is that if it will be faster, one will be able to demonstrate it by factoring otherwise not yet factored numbers.

Re:scalability

[gweihir]

That key has eluded researchers for a few decades now. It looks very much like there is an upper limit on the number of qbits that can be entangled in practice if computations are to be performed and as if that upper limit is somewhere around 100. With that, not even very old and outdated RSA-768 is threatened.

That is why these stories are so utterly demented. They are akin to claiming the invention of the logic gate will make 2048-bit computers possible that run at 1000GHz. As we now see in practice, 64 bit at 5GHz is pretty much the viable limit for low-cost and it does not go much further with extreme hardware. In reality, things do not scale after a certain limit and for quantum computing, that limit will be very low.

But what if we add more lasers?

[SciCom Luke]

https://what-if.xkcd.com/13/ [xkcd.com]

That is such utter and complete nonsense

[gweihir]

First, most encryption is not even really affected. For block-ciphers a working and large enough QC halves the key-length. AES-256 would still be perfectly secure and AES-128 would still be hard (but maybe possible) to break. And second, factoring RSA-2048 (which is regarded as too short today) would need around 2200 qbits to factor with this "breakthrough". They are at 5 qbits now. Where where they 10 years ago? Oh, right, at the same low number. If progress is made at this rate, they will be able to break RAS-2048 in x years, where x goes towards infinity, i.e. _never_.

This is about as valid as claiming the invention of paper threatens RSA, after all you can do attacks far faster with paper than with stone tablets.

Can we please stop the moronic and false "success" stories about quantum computing?

Fund research via Bitcoin

[skaag]

With such monstrous computing power, they could mine bitcoins and fund their R&D entirely through Bitcoin mining.

Hmmmmmm

[JustAnotherOldGuy]

Okay, this may be a foolish question, but if you encrypted something and then encrypted it again (with a different key) how would you know when you had gotten through the first layer of encryption? How would you know that you'd successfully decrypted the first layer?

The first set of decrypted info would still presumably look like encrypted data (or random shit), so how would you know that it had actually been decrypted?

This new computer sponsored by...

[l0n3s0m3phr34k]

Setec Astronomy

Topplin' da Dominoes!

[Dutchmaan]

I used my quantum computer to solve the problem of cold fusion, which allowed me to finish my flying car design!..

Re:

[RespekMyAthorati]

Congratulations on your flying carpet!

Once the quantum world is able to factor 15

[tgibson]

the encryption world will just start using 16.

News Flash!

[eepok]

Things that don't yet exist may make things that currently exist obsolete.

I kud you not

[epine]

I think I need to hack the Drumphinator to also replace all instances of the word "could" in headline font with "kud", as in "I kud you not".

Just five atoms?

[marciot]

Careful, make sure you don't lose it.

Re:

[AchilleTalon]

Yep, but public key encryption is the method needed to exchange keys to setup symmetric encryption between two parties. So, if you can decrypt the initial exchange, you can grab the private keys for the symmetric encryption.

Re:

[EndlessNameless]

If your full-disk encryption protects the symmetric volume key using certificates (e.g., users with Smart Cards), then you are still vulnerable.

There are a lot of use cases where symmetric keys are protected or transferred using asymmetric encryption, so breaking RSA will have far-reaching consequences.

Your personal workstation is probably not one of those cases. That doesn't mean it isn't a big deal for everyone regardless.

Re:

[Anonymous Coward]

Surely they mean Decrypt, right? I mean, these are supposed to be the best and brightest, MIT "creme de la creme", right?

Isaac Chuang is professor of physics and professor of electrical engineering and computer science at MIT. He is NOT professor of English at MIT. So step the fuck off, Chris Boyd. And stop unnecessarily capitalizing your Ds.

Re:

[gweihir]

From the lack of scaling in the last 20 years or so of quantum computing research, I would put 50 years for low RSA bit-counts (e.g. 768 bits, requiring > 1000 qbits if you take error correction into account) as lower limit. It may also well be "never".