[Cryptography] Looks like Poe's Law will need an update
Phillip Hallam-Baker
phill at hallambaker.com
Thu Jun 6 14:26:02 EDT 2024
On Sat, May 4, 2024 at 4:04 PM Peter Gutmann <pgut001 at cs.auckland.ac.nz>
wrote:
> Without using a search engine, is the headline "Google launches $5m prize
> to find actual uses for quantum computers" (a) clever satire from The Onion or
> (b) real news from New Scientist?
>
> (Posted here because it's at least somewhat relevant to the cryptography
> field, given the obsession with post-magic cryptography).
>
> Peter.
>
There is no shortage of applications for a real quantum computer.
Finding an application for the devices IBM and Google have managed to make
is a different matter entirely. Adding qubits is easy; keeping coherence
long enough to make actual use of them is hard.
As far as I am aware, every 'quantum supremacy' claim so far has been
demolished within 24 months by someone developing a better conventional
algorithm.
OK, so writing standards is an exercise in pedantry and so is the
interpretation of quantum mechanics at this level. Just like the
economists, the physicists tend to believe that their models are reality
rather than an approximation of reality. I was an experimentalist and what
made our day was proving the theory bods wrong...
I remain skeptical as to large scale quantum computing even being possible.
The standard model describes all the observed behaviors of the known
particles on a small scale, but remains incompatible with relativity.
Recently someone was asking *WHY* light slows down in a dense medium. Had a
dozen physicists trying to answer that and nobody managed it; every
'explanation' turned out to merely be a restatement of 'WHAT'.
The untested hypothesis here is that quantum systems are capable of
infinite entanglement. Well, what if there is a limit? What if the
Heisenberg interpretation is merely a consequence of that limit?
The issues are even more murky when we are dealing with superconducting
supercomputers which are not even quantum systems. No, sorry, what you have
there is a macro system that exhibits similar properties to a quantum
system. You are not demonstrating an ability to superscale beyond what
conventional VLSI can do because you have far more atoms than you have
possible system states.
Of course we should investigate quantum computing. But don't mistake it for
an engineering exercise; it is not, it is basic research.
From the point of view of cryptography there are only three questions that
we need to ask.
1) What would the consequences be of a CRQC being built without transitioning
to PQC?
This is an eschaton-level threat; basically the whole global financial
system is under threat. Consequences are in the 'too bad to estimate'
2) What is the probability of that risk being realized within the next X
years?
The supercold machines don't scale; each doubling in capability is costing
a lot more than double. But trapped ion machines are capable of
superscaling in principle. If someone ever builds one, we are in trouble.
That is still at least ten years out and might well remain ten years out
indefinitely. But there is always that 1% chance of a CRQC.
3) How much does it cost to deploy PQC algorithms in critical systems in
the next ten years?
At this point, the cost is pretty minimal. None of the really critical
systems are constrained performance devices. For the few applications that
are, we can employ techniques that employ hybrid symmetric/asymmetric
schemes like the ones I developed when I was at VeriSign; the patents
should be running out on those.
The bigger problem is actually the systems that have never had
cryptographic security but desperately need it, systems like CANBUS.