## MIT's New 5-Atom Quantum Computer Could Make Today's Encryption Obsolete (pcworld.com)

An anonymous reader writes:

*In traditional computing, numbers are represented by either 0s or 1s, but quantum computing relies on atomic-scale units, or "qubits," that can be simultaneously 0 and 1 -- a state known as a superposition that's far more efficient. It typically takes about 12 qubits to factor the number 15, but researchers at MIT and the University of Innsbruck in Austria have found a way to pare that down to five qubits, each represented by a single atom, they said this week. Using laser pulses to keep the quantum system stable by holding the atoms in an ion trap, the new system promises scalability as well, as more atoms and lasers can be added to build a bigger and faster quantum computer able to factor much larger numbers. That, in turn, presents new risks for factorization-based methods such as RSA, used for protecting credit cards, state secrets and other confidential data. "If you are a nation state, you probably don't want to publicly store your secrets using encryption that relies on factoring as a hard-to-invert problem," said Chuang. "Because when these quantum computers start coming out, [adversaries will] be able to go back and unencrypt all those old secrets."*

## Quantum computers were "5 years away"... in 1972! (Score:1, Insightful)

Way back in 1972, before many Slashdotters were even born, I remember hearing about how quantum computers were just "5 years away".

Then in 1977, I remember hearing about how quantum computers were just "5 years away".

Then in 1982, I remember hearing about how quantum computers were just "5 years away".

Then in 1987, I remember hearing about how quantum computers were just "5 years away".

Then in 1992, I remember hearing about how quantum computers were just "5 years away".

Then in 1997, I remember hearing abou

## Re:Quantum computers were "5 years away"... in 197 (Score:5, Funny)

Now they're just 5 atoms away.

## Quantum Computer and Chinese (Score:1)

Isaac Chuang is a Chinese

Having a Chinese in a leading role developing cutting edge quantum computer only means China will be one of the first nations to deploy quantum computers

## Re: (Score:1)

>Isaac Chuang is a Chinese
>
>Having a Chinese in a leading role developing cutting edge quantum computer only means China will be one of the first nations to deploy quantum computers

That's odd. I'm pretty sure he is an American.

## Re: (Score:1)

Quantum is the new Alchemy

http://www.crystalinks.com/alc... [crystalinks.com]

## Re: (Score:2)

Alchemy is the new alchemy, too.

http://www.scientificamerican.... [scientificamerican.com]

## Re: (Score:2)

"Except that quantum things are real", but not until you open the box. Before that they are both real and not real.

## Re: (Score:2)

Except that quantum states are potential realities until measured. Then reality is the only one that ever was with the exception that it's been observed by entities that give a shit about the *potential state* to begin with.

## Re: (Score:3)

Meanwhile, in my Universe they've existed since the 90s and now even my local University has a few qubits. When I was a kid, all we had was a few q*berts.

## Re: (Score:2)

I was alive in 1972, albeit just 15. I attended a fairly well-to-do preparatory school. At that school we actually had a connection with a distant university, a forerunner of the Internet. I was not nearly as interested in computers then as I am today, but that's okay because I'm not professing to be an expert on the subject.

What I am saying is that if there were any serious talk about quantum computers in 1972 then there's a good chance I'd have heard about it. I was (and still am) an avid fan of science f

## Re: (Score:2)

Yeah, it looks like some mention of it in the 60s (according to Wikipedia) and then not much of anything until the 1980s and it does look like Feynman was speculating about fifty years out (if I remember the talk well enough). So no, no serious discussion of it in the 1970s was speculating that it was five years out. At least not that I can find. Your link doesn't change that.

## Re: (Score:2)

Fusion has been 40 years away for longer than that.

## Re: (Score:2)

## Re: Quantum computers were "5 years away"... in 1 (Score:1)

In 100 years we won't have the energy to run this techno-based world anymore so we'll have reverted back to agriculture. No computers. No technology. No science, except for basic biology and simple weather forecasts.

## Re: (Score:2, Insightful)

Two things. First, exponential growth can't continue indefinitely. Second, once all the easy problems are solved, the ones left will require 90% of the total time. We have the lessons of AI and fundamental physics, where all the "easy" problems were solved decades ago, both disciplines becoming pretty stagnant since. Ergo, for all we know, the world 100 years from now might not look all that different.

## Re: (Score:2)

Not all encryption. -some- encryption, namely RSA and public key based algos that can be factored with Shor's algorithm. We will just wind up moving to UOV (Unbalanced Oil and Vinegar), lattice-based crypto, new ECC based encryption, or another method, and life will go on, just like it did when MD5 was weakened, and DES's short key space was found to be easily run through.

Life will go on.

As for symmetric encryption (AES, IDEA, BLOWFISH), quantum crypto won't do much for this, so there is no need to worry

## Re:whipslash, can you fix that abusive modding? (Score:5, Insightful)

## Re: (Score:2)

>I would like to suggest that the moderation process be revised, so that usernames are kept hidden until the moderator is finished. This should certainly help prevent the bias against ACs. The validity of a comment should have nothing to do with the poster's history.

Admirable, but a malicious moderator can just as easily log in anon with another browser to match up comments with users.

## gotta get the encrypted data first (Score:1)

You first have to get a copy of the encrypted data before you can start trying to hack it. Are there any governments that actually store their state secrets in a fashion where they rely purely on encryption? Encryption tends to be an extra layer.

## Re: (Score:2)

Which is exactly what the summary says: "you probably don't want to publicly store your secrets".

## Re: (Score:3)

"Don't publicly store your secrets".

FTFY

## Re:gotta get the encrypted data first (Score:5, Interesting)

## Re: (Score:1)

Assuming of course the concept of "Quantum Computing" proves its legitimacy and this hypothetical scenario could be implemented with a suitable number of bits to work with.

Until proven otherwise I am lumping all near-magical claims of quantum-super-computing the same status of Alchemy in the medieval era of bilking governments for money and jobs.

## Re: (Score:2)

Hmm... As I mentioned in an above post, one of the things that I've read was a paper that did indicate some value. In theory, at least, one can use quantum computing to ensure there's no MitM attack/interception. So, the communication (as a process) might be secured.

## Re: (Score:2)

I would be more interested in using something like that to communicate from one side of the solar system to the other or further yet without the restriction of the speed of light on the propagation of radio waves.

## Re: (Score:2)

## Re: (Score:2)

The problem is that to be accurate you should have said "nation states shouldn't store this stuff online". But we keep running across stories of where one or the other has done so. Not frequently, but often enough. Perhaps once every other year. And those are the occasions we hear about.

Now aside from this there are all those occasionally lost laptops or hard disks that are sold without reformatting or...

People aren't perfect. Mistakes happen. And secrets occasionally get published...sometimes even un

## Re: (Score:2)

I am a mathematician but I am not a cryptologist, not even remotely. I am also a bit of a geek with some extensive computer knowledge that includes things like securing (hardening really, nothing is ever secure so long as it is functional) computers and networks, though such was a matter of necessity and not an academic pursuit.

One of the things that has intrigued me is how, exactly, we'll be able to secure our data once quantum computing becomes widely available at reasonable costs. I've read a few papers

## Re: (Score:3)

>how, exactly, we'll be able to secure our data once quantum computing becomes widely available

Look here [nist.gov]

Summary..

Encryption and symmetric signing will need to double the key size for the same security bound.

RSA, ECDH and ECDSA will be insecure.

So key management goes back to the pre-DH days.

## Re: (Score:2)

## Re: (Score:2)

## Re: (Score:2)

## Re: (Score:2)

There are. They don't have a great history of remaining either unbroken very long, unencumbered by patents or having key sizes that are reasonable.

However I remain a skeptic on effective factoring or DLP breaking quantum computers happening. I will stick to working to solve the much more immediate problems of crypto - weak RNGs, excess complexity in protocols, untrustable curves, fragile PKI models and clonable identities. There's plenty of time to fix those before physicists can build a freezer cold enough

## Re: (Score:2)

>They don't have a great history of remaining either unbroken very long, unencumbered by patents or having key sizes that are reasonable.

Yes they do. Lamport signature and extensions (Merkle etc) are totally secure as long as the hash function is secure. And McEliece has been around a long time and not been broken. Neither has patents. So no idea what you're talking about.

## Re: (Score:2)

Wild McEliece was broken as were several other variants. That's a reason to suspect McEliece won't survive very long

The most important problem to solve is key agreement protocols based on public key crypto to replace DH and RSA if quantum computers become practical. Hashes just need to increase their output size. So signing isn't a big problem and Merkle trees are thus fine.

However Lamport keys are around 128Kibits each, so a key pair is 256Kibits. So the key size is not reasonable.

## Re: (Score:2)

## Re: (Score:2)

Try implementing these things in power efficient hardware. Huge keys suck both from an efficiency point of view and a side channel point of view.

## Re: (Score:2)

And well it is

## Re: (Score:2)

## Re: (Score:2)

## Re: (Score:2)

A problem is that even for a theoretically perfect solution, you are depending on a perfect implementation. Recently most cryptographic problems have stemmed from faulty implementation, and the more complicated something gets, the more likely the implementation will be faulty.

But the real answer seems to be "if you want a secret to be secure, don't share it". There always seems to be some way to discover a shared secret.

## Re: (Score:2)

Next note that it has no real effect on symmetric encryption. Also t

## Re: (Score:2)

internet search with the following keywords: Hillary, emails

## Totally misleading title (Score:3, Interesting)

Seriously /., you are insulting to the community.

## Re: (Score:2)

>the number 15

You managed to crack my luggage combo, insensitive clod!

## Re: (Score:2)

Luckily, this univers is chock FULL of atoms. All we could possibly need!

## Re:Totally misleading title (Score:4, Funny)

>Luckily, this univers is chock FULL of atoms. All we could possibly need!

But it's, apparently, short on "e"s. :-)

## Re: (Score:2)

I've got extras - take what you need. eeeeeeeeeeeeeeeeeee

## Re:Totally misleading title (Score:5, Funny)

Much apprciatd. My own storag of 's was gtting dangrously low. I trid to buy thm from an onlin sourc, but that sal fll to pics. Who knw it would b so hard to locat a vndor to purchas xtra 's from?

## Re: (Score:2)

They explicitly talked about it being scalable. But I do wonder what amount of error correction will be needed as they increase the length, and, of course, about the speed and the cost.

I have my doubts about this particular approach ever being practical (as in a reasonable degree of accuracy on a reasonable problem at a reasonable cost). Of course, for different applications reasonable will have a different value, but still...

This looks to me like another laboratory benchtop quantum computer, slightly mor

## Re: (Score:2)

As I recall the last piece of technology documented to require a hot cup of tea was the infinite improbability drive, which while capable of revolutionizing space travel, was not exactly a computational device.

## Re: (Score:2)

Incorrect. You are thinking of the Bambleweeny 57 Submeson Brain. Your geek card has been revoked :)

## Re: Totally misleading title (Score:2)

That is some seriously hot tea. Superheated in fact. Better be careful...

## Re: (Score:2)

1.) It says could, not will.

2.) Says right in the article that this particular design holds some promise on scalability.

3.) Poor reading comprehension skills is just insulting to our entire species at this point.

## Re: (Score:2)

>Sure, but going from 5 to a few hundred, or a few thousand, doesn't seem like an impossibility.

Think about juggling knives. There are plenty of people who can do 5. There are some which can do 7. Will you assume that going to hundreds or few thousand doesn't seem like an impossibility?

## Re: (Score:2)

And just what exactly about atoms makes you think that shining some lasers on them is anything like juggling knives?

## Re: (Score:2)

In the way that keeping them in proper state/entanglement/whatever gets more complex - like adding more knives for a single juggler, rather than adding new jugglers next to each other, each handling independent, small set of knives.

## Quantum computers won't break RSA (Score:5, Insightful)

I am still pretty convinced that the "quantum computer"-hype is based on fundamentally flawed assumptions, and that they won't break RSA (or other practical problems) of any reasonable size, that are not also easily solved with conventional computers.

Just because a model works with probabilities of "uncertain states" does not mean reality will reveal a "solution" based on all possible combinations of such states in no time. There is no compelling evidence yet that a quantum computer will find solutions quicker than it takes the real, physical hardware of that computer to take on all relevant input state combinations.

I'm prepared to bet the safety of my encrypted data on that, and I am convinced that 40 years from now, we'll look back at the hype around quantum computers the same way we today look back on the era of analog computers in the 1960s/1970s, when it was a plausible approach to solve some (back then hard-to-compute-digitally) equations, like for numerical calculus, by building physical systems (electronic circuits) that were known to behave in a way that equations could be solved by carefully adjusting some input voltages, then measuring some output voltage. We know that the precision achievable by such analog computers is very limited, and see the same problem preventing "quantum computers" from ever providing solutions that need to process a significant amount of information.

## Re:Quantum computers won't break RSA (Score:5, Informative)

While you could be right that the necessary technology still won't be available in 40 years, the quantum world is fundamentally different from the analog world. In the analog world, noise and other errors determine an absolute limit as to how much precision you can achieve. In the quantum world, there is the miracle of quantum error correction that can compensate for errors. It is quite amazing mathematically that linear transformations performed by quantum gates can correct errors, but the mathematics works (I have worked through it myself, it's not terribly hard, requiring only linear algebra) and small error-correcting qubit circuits have been demonstrated.

Most important is the threshold theorem [wikipedia.org] that says if we can reduce the noise in a qubit below about 1 part in 10^5 (IIRC), error correction can allow a quantum computer to grow to an unlimited number of qubits. That's when the revolution will start.

## Re:Quantum computers won't break RSA (Score:5, Interesting)

That is naive. You assume maintaining entanglement gets less than linearly more difficult and that noise is independent of the number of qbits. Both are not reasonable assumptions.

## Re: (Score:2)

Think of computers and the internet 20 years ago: Pentium 133s and 28.8 modems. In 2000 T1 connections (1.54 MB) cost $1000.00/mth and who knows how much to install. Now I got a better c

## Re: (Score:2)

Actually, exponential growth for computer speeds has stopped a while ago and was never as good as advertised before. The thing is that actual experts understand that many important problems cannot be parallelized and hence single-thread performance is what determines speed. That has mostly stalled in the last 10 years or so.

Kurzweil is an incompetent moron with a grand vision he sells well. Kind of a bit like Trump, although I do not think Trump is stupid enough to believe the things he says. With Kurzweil

## Re: (Score:2)

The key concept to grasp is not the Kurzweilian AI and human/robot mind melds. The key concept is that exponential growth is a hard thing to grasp. O

## Re: (Score:2)

Gluing a large number of processors together is an excellent thing for many problems, but not all. Moreover, we're getting reasonably close to fundamental limits. Silicon traces have to be a certain number of atoms wide, and communications are limited by lightspeed, since no signal can go farther than 30cm in a nanosecond. There's still advances we can make, and we can come up with more ingenious techniques for getting more out of what we can do, but performance improvements are going to slow down fairl

## Re: (Score:2)

But I credit Kurzweil for

## Re: (Score:2)

It isn't clear to me that we can make computers a million times more powerful than what we've got. There's obviously room for advancement still, but I'd be mildly surprised if they got to a thousand times as powerful as what we have now, except for specialized applications. (My current home computers are, very roughly, a million times as powerful as my original personal computer, a TRS-80, which I got roughly forty years ago.)

Moreover, this doesn't translate into a great improvement in some problems wi

## Re: (Score:2)

## Re: (Score:2)

Exactly, thank you. Error correction is not magic. Error correction is what keeps QC research going (very, very slowly) at this time, because without it there would be absolutely no point.

## Re: (Score:3)

It took centuries for computing devices to go from the Abacus to the Hollerith tabulator. Along the way they gradually but steadily progressed. Mechanical computation devices got more and more advanced (read a bit of the history of mechanical computers -there were some very fascinating and surprisingly powerful ones over the centuries) - and when we reached their limits they were gradually replaced by electrical devices which were in turn slowly replaced by electronic devices (a line you can draw roughly at

## Re: (Score:2, Informative)

Quantum computing is dependent on exactly one dubious assumption: That there is no [hard] limit to the complexity of a physical interaction.

If we can have unlimited complexity, then we can have quantum circuits which are as good as [credibly] advertised; if we can not, then, at best, all we get out of it is a means to optimize a few computations.

## Re: (Score:2)

I agree. At this time, we cannot even know whether the physics itself holds up. Factoring 15 is something that can be done with a conventional analog computer, no actual quantum effects needed. So there are two hard road-blocks to this ever threatening RSA of real sizes: a) it may not actually be possible to use quantum effects for computations and what we currently observe may be something different and b) quantum computers may not scale to the required bit-sizes, ever. We see these hard scalability limits

## Re: (Score:2)

Also, this only breaks RSA style encryption. Good old fashioned shared key systems are immune to this, and many modern systems only use RSA-type encryption for the initial sharing of a secret key to both parties.

## Re: (Score:2)

As with most things, the devil is in the details. With a TLS/SSL connection handshake, if you can break the RSA key exchange portion you can recover the symmetric encryption key that is used for the remainder of the connection. A man-in-the-middle attacker can easily record all packets in a connection without alerting either party. If they later break the RSA encryption, they can easily and efficiently decode the rest of the data stream.

Enter the DH (Diffie-Hellman) and ECDH (Elliptical Curve DH) key exc

## Re: (Score:2)

I have done quite a bit of reading. I wouldn't say that it's over-hyped so much as it's poorly understood. It's a bit like science and science journalism, at least as near as I can tell.

## Re: (Score:2)

## Where TFA? (Score:1)

The link points to a science article which is closed.

Why are we advertizing an article that can't be read?

## For an actually good summary of this research (Score:5, Informative)

## Improvement to Shor's algorithm, no new technology (Score:5, Informative)

If you actually read the scientific article (which is available as a preprint under [1]), what the authors discuss is how to significantly improve Shor's algorithm, the quantum algorithm for factorizing prime numbers. They show that the number of qubits needed to perform Shor's algorithm is actually quite a bit lower than what previous versions of the algorithm required - and they claim that their version is much more scalable than previously known versions.

They demonstrate their algorithm by factorizing the number 15 using trapped ions. That elementary qubit operations can be performed with trapped ions has already been demonstrated [2], that part is nothing new. Factoring the number 15 with Shor's algorithm has also been done before. But since their algorithm doesn't need nearly as many qubits as the previous formulation of Shor's algorithm, specifically they only need to have a single ancillary qubit in addition to the qubits required to represent the number to be factorized (in contrast to 3n ancillary qubits), and given the fact that the quantum Fourier transform operation that was previously required to be performed on the ancillary qubits is difficult to pull off in practice while keeping quantum coherence, they argue that their algorithm will be much easier to implement in real quantum systems.

So their research is actually a big step forward when it comes to a potential actual practical realization of Shor's algorithm, and what they did is still very impressive (even the experimental part of their work), but their work doesn't address the problem of actually scaling up the number of qubits: 5 bits have been done before, and while their work means that less qubits are needed, it's not like even a (512+1+error correction) qubit computer with quantum coherences is around the corner (note that to break 512 bit RSA you don't need a quantum computer). Furthermore, there's a huge debate in the community as to what the best design for a scalable qubit architecture is: the authors of this paper seem to follow the school that wants to use ion traps, but there are also other approaches to implementing qubits: superconducting qubits (in various variants), spin qubits (including nuclear spins), semiconducting qubits, adiabatic quantum computation, and a couple more. A lot of people in the community are working on all of these different approaches, and it is not clear to me which of these will be the most effective way to implement a quantum computer in the end. And scaling this up beyond 100 qubits with full quantum coherence and quantum control of qubit operations (from all reports e.g. the D-Wave machine "only" does quantum annealing with ~500 qubits, and doesn't implement a universal quantum computer) is something that's still quite a bit away. How long? I don't think anybody can really predict. Could be 5 years, could be 10, could be 50.

To reiterate: the paper is a breakthrough, because (if we leave out error correction for the moment, which increases the number of qubits required) to factor a 1024 bit RSA key, one would previously have needed 1024 + 3 * 1024 qubits and a very difficult to pull off quantum operation (quantum Fourier transform) on 3 * 1024 qubits simultaneously. This paper reduces that to 1024 + 1 qubits, where the KQFT operation only has to be applied to the 1 additional qubit. We still don't know how to actually manufacture a quantum computer that maintains coherence well enough with that many qubits, so there's no need to start panicking when it comes to this, but these kinds of improvements do show that research towards asymmetric cryptography that is safe against quantum computing is required - and that we should really start implementing these kinds of algorithms NOW, so that when somebody actually has a breakthrough in this regard, we have the technology in place to switch at that point. A good starting point for people that are interested is the pqcrypto.org site [3] and the excellent talk by Dan Bernstein and Tanja Lange at 32c3. [4]

[1] http://arxiv.org/abs/1507.08852

[2] https://en.wikipedia.org/wiki/Trapped_ion_quantum_computer

[3] http://pqcrypto.org/

[4] https://www.youtube.com/watch?v=6XeBvdm8vao
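The classical bookkeeping around the factoring of 15 discussed in the comment above, as an added example that is not taken from the paper or from the original post. It emulates a textbook iterative phase estimation, assumed here to be the idea behind the single recycled ancilla, with the order found by brute force in place of the quantum register; the function names, the 3-bit readout and the listed eigenstate indices are assumptions of this example.

```python
from fractions import Fraction
from math import gcd, pi, sin
import random


def multiplicative_order(a, n):
    """Smallest r > 0 with a**r = 1 (mod n). Brute force here; this is the
    quantity the quantum register encodes as eigenphases s/r."""
    if gcd(a, n) != 1:
        raise ValueError("a must be coprime to n")
    r, x = 1, a % n
    while x != 1:
        x, r = x * a % n, r + 1
    return r


def iterative_phase_bits(phase, t, rng=random):
    """Read a t-bit estimate of `phase` (a Fraction in [0, 1)) one bit at a
    time, least significant bit first, as one reused ancilla would."""
    bits = [0] * t  # bits[0] is the most significant bit
    for k in range(t, 0, -1):
        # controlled-U^(2^(k-1)) kicks back the phase 2^(k-1) * phase (mod 1)
        kicked = (phase * 2 ** (k - 1)) % 1
        # feedback rotation removes the lower bits that were already measured
        feedback = sum(Fraction(bits[j - 1], 2 ** (j - k + 1))
                       for j in range(k + 1, t + 1))
        residual = (kicked - feedback) % 1
        p_one = sin(pi * float(residual)) ** 2  # ancilla statistics after H
        bits[k - 1] = 1 if rng.random() < p_one else 0
    return bits


def recover_order(a, n, t, s_values):
    """Combine several readouts; s_values are the eigenstate indices each run
    collapsed to (constructed inputs here, random on real hardware)."""
    r = multiplicative_order(a, n)
    candidate = 1
    for s in s_values:
        bits = iterative_phase_bits(Fraction(s % r, r), t)
        y = int("".join(map(str, bits)), 2)
        # continued-fraction step: y / 2^t is approximately s / r
        d = Fraction(y, 2 ** t).limit_denominator(n).denominator
        candidate = candidate * d // gcd(candidate, d)  # lcm of denominators
        if pow(a, candidate, n) == 1:
            return candidate
    return None  # uninformative runs (e.g. s = 0): repeat the experiment


def factors_from_order(a, r, n):
    """Turn an even order into factors; None when this base is unusable."""
    if r % 2 or pow(a, r // 2, n) == n - 1:
        return None
    half = pow(a, r // 2, n)
    return tuple(sorted((gcd(half - 1, n), gcd(half + 1, n))))


if __name__ == "__main__":
    n, t = 15, 3  # every order mod 15 divides 4, so 3 phase bits are exact
    for a in (2, 7, 11, 14):
        r = recover_order(a, n, t, s_values=[2, 1, 3])
        print(a, "order", r, "factors", factors_from_order(a, r, n))
```

Base 14 has order 2 but 14 is congruent to -1 mod 15, so that run yields no factors and another base has to be chosen.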

## Re: (Score:3)

>And scaling this up beyond 100 qubits with full quantum coherence and quantum control of qubit operations (from all reports e.g. the D-Wave machine "only" does quantum annealing with ~500 qubits, and doesn't implement a universal quantum computer) is something that's still quite a bit away. How long? I don't think anybody can really predict. Could be 5 years, could be 10, could be 50.

Could also very well be "never". Just look at the lengths CPU manufacturers have to go to get to 5GHz. A bit more is likely feasible, but, say, 100GHz is likely completely infeasible unless a mythical new technology presents itself. It has not, despite now 50 years of intense research, so what we currently have in CPUs may very well be close to the end of the line in this universe. It is quite likely that quantum computing (if it even works at all, factoring 15 could well be some other effect), runs into pr

## Re: (Score:2)

>something nearing the temperature of the surface of the sun if left uncooled, how the hell do you cool that?

Hold it against Hillary's tit ?

## Re: (Score:2)

>the quantum algorithm for factorizing prime numbers.

That problem may be simpler than you think.

## Re: (Score:2)

Probably one of the best comments I have ever read on /.

## Martin Gardner's Finest Puzzle Offering (Score:2)

Well done abstract.

Large number factorization is one of integral-nature's greatest frontiers. I find it amazing that within my lifetime a curiosity of mathematics of interest to theorists and puzzle-makers has become the keystone of privacy in the world. For me there was a single 'Eureka' moment. Along with many others I caught a glimpse of today's world back in August 1977 thanks to a column by Martin Gardner in Scientific American:

"A new kind of cipher that would take millions of years to break" Read i [medargin.com]

## scalability (Score:5, Insightful)

## Re:scalability (Score:5, Informative)

That key has eluded researchers for a few decades now. It looks very much like there is an upper limit on the number of qbits that can be entangled in practice if computations are to be performed and as if that upper limit is somewhere around 100. With that, not even very old and outdated RSA-768 is threatened.

That is why these stories are so utterly demented. They are akin to claiming the invention of the logic gate will make 2048-bit computers possible that run at 1000GHz. As we now see in practice, 64 bit at 5GHz is pretty much the viable limit for low-cost and it does not go much further with extreme hardware. In reality, things do not scale after a certain limit and for quantum computing, that limit will be very low.

## But what if we add more lasers? (Score:4, Funny)

## That is such utter and complete nonsense (Score:5, Insightful)

First, most encryption is not even really affected. For block-ciphers a working and large enough QC halves the key-length. AES-256 would still be perfectly secure and AES-128 would still be hard (but maybe possible) to break. And second, factoring RSA-2048 (which is regarded as too short today) would need around 2200 qbits to factor with this "breakthrough". They are at 5 qbits now. Where were they 10 years ago? Oh, right, at the same low number. If progress is made at this rate, they will be able to break RSA-2048 in x years, where x goes towards infinity, i.e. _never_.

This is about as valid as claiming the invention of paper threatens RSA, after all you can do attacks far faster with paper than with stone tablets.

Can we please stop the moronic and false "success" stories about quantum computing?

## Fund research via Bitcoin (Score:3)

With such monstrous computing power, they could mine bitcoins and fund their R&D entirely through Bitcoin mining.

## Hmmmmmm (Score:2)

Okay, this may be a foolish question, but if you encrypted something and then encrypted it again (with a different key) how would you know when you had gotten through the first layer of encryption? How would you know that you'd successfully decrypted the first layer?

The first set of decrypted info would still presumably look like encrypted data (or random shit), so how would you know that it had actually been decrypted?

## This new computer sponsored by... (Score:2)

## Topplin' da Dominoes! (Score:3)

## Re: (Score:2)

## Once the quantum world is able to factor 15 (Score:2)

the encryption world will just start using 16.

## News Flash! (Score:5, Insightful)

## I kud you not (Score:2)

I think I need to hack the Drumphinator to also replace all instances of the word "could" in headline font with "kud", as in "I kud you not".

## Just five atoms? (Score:2)

Careful, make sure you don't lose it.

## Re: (Score:2)

## Re: (Score:2)

If your full-disk encryption protects the symmetric volume key using certificates (e.g., users with Smart Cards), then you are still vulnerable.

There are a lot of use cases where symmetric keys are protected or transferred using asymmetric encryption, so breaking RSA will have far-reaching consequences.

Your personal workstation is probably not one of those cases. That doesn't mean it isn't a big deal for everyone regardless.

## Re: (Score:2, Insightful)

>Surely they mean Decrypt, right? I mean, these are supposed to be the best and brightest, MIT "creme de la creme", right?

Isaac Chuang is professor of physics and professor of electrical engineering and computer science at MIT. He is NOT professor of English at MIT. So step the fuck off, Chris Boyd. And stop unnecessarily capitalizing your Ds.

## Re: (Score:2)

From the lack of scaling in the last 20 years or so of quantum computing research, I would put 50 years for low RSA bit-counts (e.g. 768 bits, requiring > 1000 qbits if you take error correction into account) as lower limit. It may also well be "never".