MIT's New 5-Atom Quantum Computer Could Make Today's Encryption Obsolete

An anonymous reader writes: In traditional computing, numbers are represented by either 0s or 1s, but quantum computing relies on atomic-scale units, or "quibits," that can be simultaneously 0 and 1 -- a state known as a superposition that's far more efficient. It typically takes about 12 qubits to factor the number 15, but researchers at MIT and the University of Innsbruck in Austria have found a way to pare that down to five qubits, each represented by a single atom, they said this week. Using laser pulses to keep the quantum system stable by holding the atoms in an ion trap, the new system promises scalability as well, as more atoms and lasers can be added to build a bigger and faster quantum computer able to factor much larger numbers. That, in turn, presents new risks for factorization-based methods such as RSA, used for protecting credit cards, state secrets and other confidential data. "If you are a nation state, you probably don't want to publicly store your secrets using encryption that relies on factoring as a hard-to-invert problem," said Chuang. "Because when these quantum computers start coming out, [adversaries will] be able to go back and unencrypt all those old secrets."

Re:Quantum computers were "5 years away"... in 197

[50000BTU_barbecue]

Now they're just 5 atoms away.

Totally misleading title

[AchilleTalon]

Factorization of the number 15 won't render modern encryption obsolete at all. To rendre encryption obsolete, they will need much more than 5 atoms and be able to factorize much more larger numbers.

Seriously /., you are insulting to the community.

Re:Totally misleading title

[fahrbot-bot]

Luckily, this univers is chock FULL of atoms. All we could possibly need!

But it's, apparently, short on "e"s. :-)

Re:Totally misleading title

[Jason+Levine]

Much apprciatd. My own storag of 's was gtting dangrously low. I trid to buy thm from an onlin sourc, but that sal fll to pics. Who knw it would b so hard to locat a vndor to purchas xtra 's from?

Quantum computers won't break RSA

[ffkom]

I am still pretty convinced that the "quantum computer"-hype is based on fundamentally flawed assumptions, and that they won't break RSA (or other practical problems) of any reasonable size, that are not also easily solved with conventional computers.

Just because a model works with probabilities of "uncertain states" does not mean reality will reveal a "solution" based on all possible combinations of such states in no time. There is no compelling evidence yet that a quantum computer will find solutions quicker than it takes the real, physical hardware of that computer to take on all relevant input state combinations.

I'm prepared to bet the safety of my encrypted data on that, and I am convinced that 40 years from now, we'll look back at the hype around quantum computers the same way we today look back on the era of analog computers in the 1960s/1970s, when it was a plausible approach to solve some (back then hard-to-compute-digitally) equations, like for numerical calculus, by building physical systems (electronic circuits) that were known to behave in a way that equations could be solved by carefully adjusting some input voltages, then measuring some output voltage. We know that the precision achievable by such analog computers is very limited, and see the same problem preventing "quantum computers" from ever providing solutions that need to process a significant amount of information.

Re:Quantum computers won't break RSA

[ortholattice]

While you could be right that the necessary technology still won't be available in 40 years, the quantum world is fundamentally different from the analog world. In the analog world, noise and other errors determine an absolute limit as to how much precision you can achieve. In the quantum world, there is the miracle of quantum error correction that can compensate for errors. It is quite amazing mathematically that linear transformations performed by quantum gates can correct errors, but the mathematics works (I have worked through it myself, it's not terribly hard, requiring only linear algebra) and small error-correcting qubit circuits have been demonstrated.

Most important is the threshold theorem that says if we can reduce the noise in a qubit below about 1 part in 10^5 (IIRC), error correction can allow a quantum computer to grow to an unlimited number of qubits. That's when the revolution will start.

Re:Quantum computers won't break RSA

Quantum computing is dependent on exactly one dubious assumption: That there is no [hard] limit to the complexity of a physical interaction.

If we can have unlimited complexity, then we can have quantum circuits which are as good as [credibly] advertised; if we can not, then, at best, all we get out of it is a means to optimize a few computations.

Re:Quantum computers won't break RSA

[gweihir]

That is naive. You assume maintaining entanglement gets less than linearly more difficult and that noise is independent of the number of qbits. Both are not reasonable assumptions.

Re:Quantum computers won't break RSA

[silentcoder]

It took centuries for computing devices to go from the Abacus to the Hollerith tabulator. Along the way they gradually but steadily progressed. Mechanical computation devices got more and more advanced (read a bit of the history of mechanical computers -there were some very fascinating and surprisingly powerful ones over the centuries) - and when we reached their limits they were gradually replaced by electrical devices which were in turn slowly replaced by electronic devices (a line you can draw roughly at the point where mechanical relays were replaced by solid-state vaccuum tubes).

But the semi-conductor revolution was waiting. It took a while to get off the ground - nearly two decades from when we built the first modern computers (in the seperates data from code sense) before transistors even appeared and another decade for them to become the standard tech. Even as they did work on semiconductors were continuing and ICs were well on their way but still a long way off.

The same pattern happened in storage - as mechanical/magnetic storage got refined and improved over time - and we are currently in the midst of the transition to solid state storage.

And right back some 2000 or more years ago there was somebody like you who said: "Fingers are still the best computing devices we have - they've been promising us that this 'abacus' thing will revolutionize computing in the near future but they still can't get the beads to reliably stay on the right side of the wire" and there's been people like you saying it about every revolution as it unfolded ever since.
Computational technology has, in fact, been a running thread right through human history - and as it improved, society did as well, the better it got- the better we could organize ourselves (what is organisation after all, but the ability to process numbers - the faster and more reliably you can do that, the better things work).

Right now our best bet, by far, for the next generation of computing is quantum. Positronic computing was mentioned by Asimov and Star Trek alike but considering a positron is the anti-particle of an electron it would offer exactly zero advantages over electrons while offering a huge containment issue (and in theory - a positronic computer would have to be built entirely out of anti-matter or the positrons would anihilate the circuitry), that one is really pure science fiction - because even though it's entirely theoretically possible it has no practical value. Biological computers are possible, but that adds a whole host of practical difficulties - a living computer is subject to diseases, it needs food and oxygen and water... it has all the difficulties, in fact, of a pet - and when you factor those in there is no real reason to believe it would be good at what computers are good at, it's more likely to be good at the things we are already good at ourselves. Nah, biological computer research is incredibly valuable - not for what it can teach us about computers but for what it can teach us about ourselves. What else is there ? Photonic computers - taking the fibre-obtics right into the CPU ? Theorectically it's possible but it has a whole host of it's own difficulties and electrons can already reach light-speed under some conditions so solving them will only offer marginal rewards - it may never be cost-effective for what it offers.

Of all the research going on - this is the only one that promises the potential of another revolution similar to the switch from vaccuum tubes to transistors. And like all the previous ones, it will be the governments and large corporations who will be early adopters - and the military perhaps first of all. You probably won't see a home quantum computer for decades, but then it took decades from ENIAC to the ALTAIR. That doesn't make ENIAC the worthless symbol of some pipe dream.

Re:Unencrypt?

Surely they mean Decrypt, right? I mean, these are supposed to be the best and brightest, MIT "creme de la creme", right?

Isaac Chuang is professor of physics and professor of electrical engineering and computer science at MIT. He is NOT professor of English at MIT. So step the fuck off, Chris Boyd. And stop unnecessarily capitalizing your Ds.

For an actually good summary of this research

[JoshuaZ]

For an actual summary of this research see http://www.scottaaronson.com/blog/?p=2673 by Scott Aaronson who is a quantum computing expert. The key thing here is that they factored 15 with high probability without having to sort of cheat by making a circuit that was more likely to work if one suspected that 15 had factorization resembling 3*5. As usual, this is getting completely overblown by the popular press. It is an important step towards actually making quantum computers that can factor big numbers, but it is nowhere near anything that would make RSA or other factoring based crypto obsolete.

Improvement to Shor's algorithm, no new technology

If you actually read the scientific article (which is available as a preprint unter [1]), what the authors discuss is how to significantly improve Shor's algorithm, the quantum algorithm for factorizing prime numbers. They show that the number of qubits needed to perform Shor's algorithm is actually quite a bit lower than what previous versions of the algorithm required - and they claim that their version is much more scalable than previously known versions.

They demonstrate their algorithm by factorizing the number 15 using trapped ions. That elementary qubit operations can be performed with trapped ions has already been demonstrated [2], that part is nothing new. Factoring the number 15 with Shor's algorithm is has also been done before. But since their algorithm doesn't need nearly as many qubits as the previous formulation of Shor's algorithm, specifically they only need to have a single ancillary qubit in addition to the qubits required to represent the number to be factorized (in contrast to 3n ancillary qubits), and given the fact that the quantum Fourier transform operation that was previously required to be performed on the ancillary qubits is difficult to pull of in practice while keeping quantum coherence, they argue that their algorithm will be much easier to implement in real quantum systems.

So their research is actually a big step forward when it comes to a potential actual practical realization of Shor's algorithm, and what they did is still very impressive (even the experimental part of their work), but their work doesn't address the problem of actually scaling up the number of qubits: 5 bits have been done before, and while their work means that less qubits are needed, it's not like even a (512+1+error correction) qubit computer with quantum coherences is around the corner (note that to break 512 bit RSA you don't need a quantum computer). Furthermore, there's a huge debate in the community as to what the best design for a scalable qubit architecture is: the authors of this paper seem to follow the school that wants to use ion traps, but there are also other approaches to implementing qubits: superconducting qubits (in various variants), spin qubits (including nuclear spins), semiconducting qubits, adiabatic quantum computation, and a couple more. A lot of people in the community are working on all of these different approaches, and it is not clear to me which of these will be the most effective way to implement a quantum computer in the end. And scaling this up beyond 100 qubits with full quantum coherence and quantum control of qubit operations (from all reports e.g. the D-Wave machine "only" does quantum annealing with ~500 qubits, and doesn't implement a universal quantum computer) is something that's still quite a bit away. How long? I don't think anybody can really predict. Could be 5 years, could be 10, could be 50.

To reiterate: the paper is a breakthrough, because (if we leave out error correction for the moment, which increases the number of qubits required) to factor a 1024 bit RSA key, one would previously have needed 1024 + 3 * 1024 qubits and a very difficult to pull off quantum operation (quantum Fourier transform) on 3 * 1024 qubits simultaneously. This paper reduces that to 1024 + 1 qubits, where the KQFT operation only has to be applied to the 1 additional qubit. We still don't know how to actually manufacture a quantum computer that maintains coherence well enough with that many qubits, so there's no need to start panicking when it comes to this, but these kind of improvements do show that research towards asymmetric cryptography that is safe against quantum computing is required - and that we should really start implementing these kinds of algorithms NOW, so that when somebody actually has breakthrough in this regard, we have the technology in place to switch at that point. A good starting point for people that are interested is the pqcrypto.org site [3] and the excellent talk by Dan Bernstein and Tanja Lange at 32c3. [4]

[1] http://arxiv.org/abs/1507.08852
[2] https://en.wikipedia.org/wiki/Trapped_ion_quantum_computer
[3] http://pqcrypto.org/
[4] https://www.youtube.com/watch?v=6XeBvdm8vao

scalability

[e**(i+pi)-1]

The key will be scalability. Its an interesting experiment as it taps into the fundamentals of computing. It could however well be that the effort of keeping things disentangled grows exponentially (something which Shor's algorithm does not address). Like in dynamical systems theory, where computing the 10th iterate of f(x)=4x(1-x) with some initial condition like x=0.4 is no problem. It gives 0.297... already for a a hundred iterations the result become ambiguous and the answer becomes hardware and software dependent. No error correction can bypass these fundamental sensitive dependence of initial condition difficulty. So, it could well be that it is possible to factor a 10^10 digit number nicely but that things become more and more difficult larger numbers like integers with 100reds of digits and that RSA will remain save from quantum computer attacks. But who knows? The nice thing is that if it will be faster, one will be able to demonstrate it by factoring otherwise not yet factored numbers.

Re:scalability

[gweihir]

That key has eluded researchers for a few decades now. It looks very much like there is an upper limit on the number of qbits that can be entangled in practice if computations are to be performed and as if that upper limit is somewhere around 100. With that, not even very old and outdated RSA-768 is threatened.

That is why these stories are so utterly demented. They are akin to claiming the invention of the logic gate will make 2048-bit computers possible that run at 1000GHz. As we now see in practice, 64 bit at 5GHz is pretty much the viable limit for low-cost and it does not go much further with extreme hardware. In reality, things do not scale after a certain limit and for quantum computing, that limit will be very low.

But what if we add more lasers?

[SciCom+Luke]

https://what-if.xkcd.com/13/

Re:gotta get the encrypted data first

[Hylandr]

"Don't publicly store your secrets".

FTFY

That is such utter and complete nonsense

[gweihir]

First, most encryption is not even really affected. For block-ciphers a working and large enough QC halves the key-length. AES-256 would still be perfectly secure and AES-128 would still be hard (but maybe possible) to break. And second, factoring RSA-2048 (which is regarded as too short today) would need around 2200 qbits to factor with this "breakthrough". They are at 5 qbits now. Where where they 10 years ago? Oh, right, at the same low number. If progress is made at this rate, they will be able to break RAS-2048 in x years, where x goes towards infinity, i.e. _never_.

This is about as valid as claiming the invention of paper threatens RSA, after all you can do attacks far faster with paper than with stone tablets.

Can we please stop the moronic and false "success" stories about quantum computing?

Re:Improvement to Shor's algorithm, no new technol

[gweihir]

And scaling this up beyond 100 qubits with full quantum coherence and quantum control of qubit operations (from all reports e.g. the D-Wave machine "only" does quantum annealing with ~500 qubits, and doesn't implement a universal quantum computer) is something that's still quite a bit away. How long? I don't think anybody can really predict. Could be 5 years, could be 10, could be 50.

Could also very well be "never". Just look at the lengths CPU manufacturers have to go to get to 5GHz. A bit more is likely feasible, but, say, 100GHz is likely completely infeasible unless a mythical new technology presents itself. It has not, despite now 50 years of intense research, so what we currently have in CPUs may very well be close to the end of the line in this universe. It is quite likely that quantum computing (if it even works at all, factoring 15 could well be some other effect), runs into pretty hard scalability limits at 100 qbits or so and will never be a threat even to yesterday's RSA key lengths.

Fund research via Bitcoin

[skaag]

With such monstrous computing power, they could mine bitcoins and fund their R&D entirely through Bitcoin mining.

Topplin' da Dominoes!

[Dutchmaan]

I used my quantum computer to solve the problem of cold fusion, which allowed me to finish my flying car design!..

Re:gotta get the encrypted data first

[currently_awake]

Governments, corporations, and groups of people need to communicate securely. Quantum crypto breaking destroys the one way math based crypto systems but other systems still exist and will still be secure. Given the low cost of bulk data storage we might consider moving to one time pads.

News Flash!

[eepok]

Things that don't yet exist may make things that currently exist obsolete.

Re:Quantum computers were "5 years away"... in 197

[Aighearach]

Meanwhile, in my Universe they've existed since the 90s and now even my local University has a few qubits. When I was a kid, all we had was a few q*berts.

Re:whipslash, can you fix that abusive modding?

[RuffMasterD]

Shit happens when you post AC. If you won't own your comment and risk your reputation on it, then don't complain when it gets modded -1.

Re: Quantum computers were "5 years away"... in 19

Two things. First, exponential growth can't continue indefinitely. Second, once all the easy problems are solved, the ones left will require 90% of the total time. We have the lessons of AI and fundamental physics, where all the "easy" problems were solved decades ago, both disciplines becoming pretty stagnant since. Ergo, for all we know, the world 100 years from now might not look all that different.

Re:gotta get the encrypted data first

[TechyImmigrant]

>how, exactly, we'll be able to secure our data once quantum computing becomes widely available

Look here

Summary..
Encryption and symmetric signing will need to double the key size for the same security bound.
RSA, ECDH and ECDSA will be insecure.

So key management goes back to the pre-DH days.

Re: Quantum computers were "5 years away"... in 19

[castionsosa]

Not all encryption. -some- encryption, namely RSA and public key based algos that can be factored with Shor's algorithm. We will just wind up moving to UOV (Unbalanced Oil and Vinegar), lattice-based crypto, new ECC based encryption, or another method, and life will go on, just like it did when MD5 was weakened, and DES's short key space was found to be easily run through.

Life will go on.

As for symmetric encryption (AES, IDEA, BLOWFISH), quantum crypto won't do much for this, so there is no need to worry here.