IBM believes that commercial quantum machines will be here in about 3-5 years. If encrypted data at rest today has value or is a liability in the next 3-5 years quantum resistant keys seem important. Encrypted data streams that can be intercepted and stored should be reviewed as well. I am curious how long the WikiLeak encrypted dump will stay encrypted. Yes it will take a while to figure out how to code these attacks and match the attack to interesting data but it is a race that some will win. "IBM is set to commercialize its quantum computers in the next 3-5 years, when they can outperform existing supercomputers in terms of computing capability in some specific domains, according to Norishige Morimoto, director of IBM Research in Tokyo and global vice president at IBM. "Morimoto made the disclosure when speaking at the opening session of IBM think Summit Taipei held on May 22. "Starting its R&D on quantum computing as early as in 1996, IBM released a 5-qubit quantum computer in 2016 and unveiled the world's first 20-qubit system, dubbed IBM Q System One, at CES 2019, Morimoto said, disclosing that the company will soon launch 58-qubit quantum computers." https://www.digitimes.com/news/a20190523PD205.html -- T o m M i t c h e l l _______________________________________________ The cryptography mailing list cryptography@metzdowd.com http://www.metzdowd.com/mailman/listinfo/cryptography

On May 29, 2019, at 6:34 AM, Phillip Hallam-Baker <phill@hallambaker.com> wrote: > On Wed, May 29, 2019 at 2:24 AM Ron Garret <ron@flownet.com> wrote: > > On May 28, 2019, at 1:53 PM, Phillip Hallam-Baker <phill@hallambaker.com> wrote: > > > The other point to bear in mind is that we won't know whether there is a limit to quantum entanglement until we encounter it. > > That’s true, but... > > > There is no law of physics that states we must be able to form arbitrarily complex superpositions of quantum states. That is an assumption in our current models of physics. > > That’s not quite true. (Or perhaps it’s more correct to say that it’s true, but misleading.) It’s true in the same sense that the speed of light being a constant is the same in all reference frames is an “assumption.” The evidence that this is correct is overwhelming, and the evidence that quantum mechanics applies to arbitrarily large systems of entangled states is likewise overwhelming. All attempts to find an experimental regime where quantum mechanics fails have failed. If you seek solace against the possibility of cryptographic keys falling to quantum computers you are better off looking for it in engineering constraints than in the prospect of discovering new physics. > > "All attempts to find an experimental regime where quantum mechanics fails have failed" > > That is not remotely true. We still haven't figured out how to make gravity work. Let me be more precise then: QM has been experimentally demonstrated with objects up to 10,000 AMU mass [https://arxiv.org/abs/1310.8343]. The smallest gravitational field that has ever been measured (AFAICT) was produced by a mass of ~10^22 AMU [http://jetp.ac.ru/cgi-bin/dn/e_067_10_1963.pdf] (~100 mg). That’s a gap of 17 orders of magnitude. It is known that QM and GR are mathematically incompatible with each other, so somewhere in that gap one or the other of the two theories has to give. But all attempts to find an experimental regime where either theory can be demonstrated to fail have failed, and all attempt to determine whether it is QM or GR that has to give have also failed. All I’m saying is that, given the above facts, betting the future of digital security on the hypothesis that QM fails before it gets to the point where you can implement Shor’s algorithm is unwise. Personally, my money is on gravity being quantized, and also that to demonstrate this requires a field strength on the order of what is found near the event horizon of a black hole, so we’re unlikely to see this question definitively settled in a laboratory any time soon. > More relevantly, what exactly do we mean by decoherence? what exactly is it that causes it? That has been well understood for decades now. The seminal papers on decoherence were published in 1970. For an accessible layman’s account I recommend David Z. Alberts excellent book, “Quantum Mechanics and Experience”, chapter 5. The short version of the story is that a system decoheres if any of its degrees of freedom become entangled with anything outside of the system (and note that entanglement is not an all-or-nothing phenomenon. Entanglement is a continuum.) When that happens, the system considered in isolation is no longer in a pure state and can no longer self-interfere. The more degrees of freedom a system has, the harder it becomes as a practical matter to keep all of them isolated from (i.e. prevent them from becoming entangled with) their environment. It really is just as simple as that. > The assumption here seems to be that the only reason to build quantum computers is to break RSA. No, the assumption is that breaking RSA will be catastrophic, and so the prospect of developing QC is a cause for concern in the context of a discussion list dedicated to cryptography. I certainly never meant to imply that that’s the *only* reason anyone should care about quantum computing, but it’s certainly *a* reason. > This is science, not engineering. I used to do experimental particle physics so it is science I am somewhat familiar with. But it is still not engineering and unlikely to be for another decade or two if ever. Yes, I’m not denying that. All I’m saying is that *if* there turns out to be a insurmountable obstacle to breaking crypto with QC, that obstacle is more likely to be an engineering limitation than a scientific one. rg _______________________________________________ The cryptography mailing list cryptography@metzdowd.com http://www.metzdowd.com/mailman/listinfo/cryptography

On Wed, May 29, 2019 at 8:46 AM Ron Garret <ron@flownet.com> wrote: > > On May 29, 2019, at 6:34 AM, Phillip Hallam-Baker <phill@hallambaker.com> > wrote: > > > ..... > All I’m saying is that, given the above facts, betting the future of > digital security on the hypothesis that QM fails before it gets to the > point where you can implement Shor’s algorithm is unwise. > > anything outside of the system (and note that entanglement is not an > all-or-nothing phenomenon. Entanglement is a continuum.) When that > happens, the system considered in isolation is no longer in a pure state > and can no longer self-interfere. The more degrees of freedom a system > has, the harder it becomes as a practical matter to keep all of them > isolated from (i.e. prevent them from becoming entangled with) their > environment. It really is just as simple as that. > > The assumption here seems to be that the only reason to build quantum > computers is to break RSA. > > > No, the assumption is that breaking RSA will be catastrophic, and so the > prospect of developing QC is a cause for concern in the context of a > discussion list dedicated to cryptography. I certainly never meant to > imply that that’s the *only* reason anyone should care about quantum > computing, but it’s certainly *a* reason. > Missing in this discussion is the design of processors (silicon layout and design) by more modest quantum computers and design of quantum machines themselves. i.e. A difficult problem today is the optimization of programming languages and hardware description languages. Currently computation has been moved by silicon advances but some difficult problems will fall to clever insights. The book "Programming Perls" is a good reminder that algorithms and insights can change expectations. An attacker has control of data in and the public key so there is a lot of leverage in the hands of a determined decryption effort attempting to discover the private key. The window of risk is a long way out for some data. BTW: this has been educational. I learned a lot from this, thank you all. -- T o m M i t c h e l l _______________________________________________ The cryptography mailing list cryptography@metzdowd.com http://www.metzdowd.com/mailman/listinfo/cryptography