They are close to device-ifying the technology. Then they will componentize it, then they will make million petaflop computers the size of your head. It is scary stuff, brute force decryption in the blink of an eye, brute force AI, scary stuff, makes HAL seem like Robbie the Robot. Do we really, really want quantum computing?


http://arxiv.org/pdf/quant-ph/0310130

Quantum computers need the whole logic circuitry located within the quantum coherence volume. That poses the greatest technical problem in building one. But the problem with running a quantum computer is similarly serious: heat. According to optimistic calculations, a general purpose quantum computer would dissipate at least 1000 times more heat than a classical computer with the same performance.

Speed, error rate and heat form a triangle of interrelated aspects. This is the fundamental killer of Moore's law, too. Here is some more info from back around 2003:

http://www.ece.tamu.edu/%7Enoise/research_files/research_dissip.htm

Last Thursday, we had a seminar by a leading researcher at IBM and the seminar was focused on the very final stage of Moore's law, where we presently are. He said all the resources are running out to continue Moore's law with reasonable error rate, energy dissipation and costs.

Laszlo Kish

If anyone (except one who has a vested interest in the hype) thinks that I'm oversimplifying, please tell me how.

Such an elementary error doesn't bode well for the correctness of the rest of the quoted post.

In my opinion, Moore's law is only an indicator of technology connected to miniature electronic chips. The driving force of this revolution, the computer, surfs on this miniaturization to gain speed and memory and so on…

On the optics side, we have demands for faster communication, and therefore miniaturization down to the atomic-layer level (building up quantum dots), as well as nanostructures as wires in the sub-wavelength regime, are up to date. There has been a lot going on since the advent of the laser 51 years ago.

There is no need for quantum computing to develop its own technology; we probably have it already, and therefore we are far more advanced in building computers than we were 61 years ago, when the first transistor was invented.

And yes, you can use Moore's law as an indicator of when quantum computers will be available. Although technology gets more expensive (how the hell will we get structures of 13nm (or even less) on millions of chips…), try to extend the slope to the region where the proper description of physics is quantum mechanics and not classical rules any longer. No doubt, classical computers with a current of 1 electron able to switch a gate between two bits will be realized, but with many problems in realization, because you have to fight against the quantum nature. Then a really smart way will be to construct a quantum computer to use all the benefits. Sooner or later all computers will be "quantum" anyhow.

Perhaps the motivation for recommending elliptic curve systems is key length.

From my reading, there is no strong basis to assert that EC is inherently more secure than (say) RSA or Diffie-Hellman. The main EC selling point is that the expected computational cost to break matches that of these older public key systems at smaller key sizes.

When the day comes that a 500 byte RSA key is not considered strong enough, it would (by theory) be possible to increase the computational cost of breaking the cipher by switching to an EC system without using larger keys.

This consideration may be relevant for established protocols or systems that have a built-in limit to key length.

In cases such as factoring, the hard part is coming up with the factors; checking them is easily done with existing computers. So even if the result of a quantum computation is probabilistic, in these cases you can just check the answer and retry if it is wrong. Even if you have to retry quite a bit, this is still better than classical (existing non-quantum) computers.

It seems that people think of quantum computers as some sort of magic device that will solve all these problems. They won't; they'll only solve certain problems better. The simulation of a quantum system on a classical computer experiences an exponential slowdown; this doesn't happen on a quantum computer. I think the people who predict quantum computers won't exist are a little short-sighted; as of 2006 we're already up to experimental systems of 12 qubits [1].

Bruce, as others such as KTC have pointed out, I'm really disappointed that you linked this. The author seems to have read enough on the subject to make it sound like he knows what he is talking about, but doesn't.

Reference:

[1] D. Bacon and D. Leung, "Toward a World with Quantum Computers," Communications of the ACM, vol. 50, pp. 55-59, September 2007.

Some other good intro texts on quantum computing in addition to Nielsen and Chuang:

N. D. Mermin, Quantum Computer Science: An Introduction, 1st ed. Cambridge, UK: Cambridge University Press, 2007.

P. Kaye, R. Laflamme, and M. Mosca, An Introduction to Quantum Computing. New York City, New York: Oxford University Press, 2007.

M. Hirvensalo, Quantum Computing, 2nd ed. Berlin: Springer, 2004.
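The check-and-retry loop the comment above describes, worked through as an added example that is not part of the original comment: the quantum order-finding step is stood in for by a classical period search plus a constructed noisy oracle that sometimes answers wrongly, and the gcd-based classical post-processing of Shor's algorithm does the cheap verification. The function names, the small moduli (15, 21) and the error rate are all constructed for illustration.

```python
"""Classical half of Shor's algorithm: turn a (possibly wrong) period guess
into factors, verify it with a few multiplications, and retry on failure.
Constructed example; the quantum subroutine is simulated classically."""
from math import gcd
import random


def find_period(a, n):
    """Classical stand-in for quantum order finding: smallest r with a^r = 1 mod n."""
    r, x = 1, a % n
    while x != 1:
        x = (x * a) % n
        r += 1
    return r


def noisy_period(a, n, rng, error_rate=0.5):
    """Simulate a probabilistic quantum answer: the true period with
    probability 1-error_rate, otherwise a constructed wrong value."""
    true_r = find_period(a, n)
    if rng.random() < error_rate:
        return true_r + rng.choice([1, 2, 3])  # wrong period, stays >= 1
    return true_r


def factors_from_period(a, r, n):
    """Derive a nontrivial factor pair from a candidate period, or None.
    Any gcd with n divides n, so the only check needed is non-triviality;
    a wrong r can waste a try but can never yield a wrong factorisation."""
    if r % 2 != 0:
        return None
    y = pow(a, r // 2, n)
    if y == n - 1:  # a^(r/2) = -1 mod n only gives trivial factors
        return None
    for cand in (gcd(y - 1, n), gcd(y + 1, n)):
        if 1 < cand < n:
            return (cand, n // cand)
    return None


def shor_classical(n, seed=0, max_tries=50):
    """Retry loop: pick a, get a (maybe wrong) period, verify, repeat.
    Returns (p, q, attempts) with p*q == n, or None if max_tries is exhausted."""
    rng = random.Random(seed)
    for attempt in range(1, max_tries + 1):
        a = rng.randrange(2, n)
        g = gcd(a, n)
        if g > 1:  # lucky pick: a already shares a factor with n
            return (min(g, n // g), max(g, n // g), attempt)
        pair = factors_from_period(a, noisy_period(a, n, rng), n)
        if pair is not None:
            return (min(pair), max(pair), attempt)
    return None
```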

http://scienceblogs.com/pontiff/2008/03/shor_calculations.php

Possibly people think of the NSA as supernatural because at one time their crypto was so advanced it was indistinguishable from supernatural:

http://www.schneier.com/blog/archives/2004/10/the_legacy_of_d.html

There is a habit, when considering exotic technologies that need advances, of assuming that these same advances will not improve anything else.

If we can build an n-qubit computer with technology X, there is a very, very good chance that with the same tech we can build much, much better classic computer devices....

I agree. There are already weak EC that can map to normal Z_p, and then the DL problem can be solved with index calc as per normal DH. For that reason the "extra" security of ECC seems premature to me. A lot of work has gone into factoring and DL over Z_p etc., but not over EC fields. I remain sceptical (paranoid?)

As for QC, there are a few things that are true no matter how much you arm wave. First is that decoherence scales with the number of states... or exponentially in the number of qubits. In other words the engineering is "problem class" O(e^n) in the number of qubits. Hence a Moore's law would predict a linear scaling of qubits over time.

Secondly, if I have enough qubits to factor a 1024-bit number, I cannot use this in any way to factor 1025 bits. In other words there is no way to "simulate" an n+1 qubit register on any number of n-qubit registers. This is in contrast to classic computers, where simulating 64-bit registers on an 8-bit computer is straightforward.

I personally know a few people who have large grants (in the millions) to work on QC. One personally believes that they will never be faster than classic computers. The other thinks they will only compete with classic computers when "simulating" quantum systems.

Oh, and there is no proof yet that factoring or the DL problem are NP hard/complete or otherwise. For all we know they could be P (I doubt it). But you never know...... ;).

The scaling for Shor's algorithm quoted in this post is incorrect. The bottleneck in the algorithm is the modular exponentiation. For small N a naive approach is used which leads to O(N^3) scaling, but for larger N it makes sense to use the Schönhage–Strassen algorithm, which has O(N^2 log N log log N) scaling. (See arXiv:quant-ph/9508027)

There have been quite a few implementations which factored 15, the most recent being a very nice demonstration using photonic qubits (arXiv:0705.1684).

Well, AI ever since it was "invented" is still just dumb software. You've got to be artificial to believe it intelligent.

"I hope no one is actually using 4096 bit keys, because with the need for 5 trillion bits, more bits than we can currently put on a disk drive, it will be impossible to decrypt anything encrypted with such a large key, right?"

Wrong. 5 trillion bits is equivalent to a 625GB hard drive, which I've already seen advertised. And just this week, I read of some computer memory research that may bring hard drive storage capacity into the range of these huge hard drives.

3D storage that might store 1 terabit/cc:

http://www.physorg.com/news125058183.html

Quantum-dot memory that may reduce memory access down to the picosecond range:

http://www.physorg.com/news125316650.html

Moreover, computer speed advances aren't limited to quantum architectures. How about exa-flop performance!?!

http://www.physorg.com/news122833354.html

Way to ignore Moore's Law.

"640k ought to be enough for anybody"

In short, quantum mechanics is a "realization of an equivalent of an algebra of probable inference (in the sense of Cox)" for those of you out there into Bayesian statistics. It is a system of Bayesian inference. There is a Boolean structure even, meaning it is subject to all those computability and decidability theorems they feed baby computer scientists! So, to parody things a bit, when you add 2+2 on a quantum computer you get the most probable outcome of such an addition, which is okay if you are working in a way such that your spectrum is restricted to the integers (2+2=4), and not the reals (2+2=3.99792). So, if you actually understand what you are really doing with your quantum computer, you will realize that you are solving an altogether different problem than, say, the NP hard problem you started out with. I have never seen any discussion of this very significant point: you may be able to change the class of a problem if you can frame it in a quantum context properly. One of my suspicions is that it may even be possible to build a "universal translator" for crypto based on (discrete) wavelets and their relation to quantum theory, to calculate "the most probable decryption", but this would take an enormous effort by people who know what they are doing for several years. The fact that you are decrypting deterministic algorithms is not a problem: quantum theory is agnostic on determinism; what it presumes is correlation.

I must confess, the few papers I did read were sufficient to prevent any serious effort on my part at studying quantum computing, so I may be a bit severe in my ad hominem judgement, but certainly the overwhelming majority of such work is simply "not even wrong".

"It is currently believed that the most difficult aspect of building an actual quantum computer will be dealing with the problems of imprecision and decoherence."

Like Leo said above, the poster of that blog post, Mordaxus, knows as little about quantum computing as the people he's mocking. Really, Bruce, I expected you to know better than to link to misinformation like that.

But it is not clear to me that ECC would necessarily be safer from quantum attacks. Because integer arithmetic is drilled into children from an early age, it is easier for most people to grok the structure of ordinary modular arithmetic well enough to design an algorithm (quantum or classical) for reversing its operations, than it is to grok some weird elliptic curve over a finite field. But does that mean that a good algorithm is actually less likely to exist for elliptic curves? If a good algorithm does exist, it takes only a single genius to find it, no matter how difficult it would be for ordinary humans to conceive of it.

NSA = Naturally Super, thanks for Asking

"Does anyone think that the gov has or will not already solve this issue. Has anyone heard of NSA"

Why do people persist in thinking of the NSA as a supernatural organization?

For those who are interested in the real issues and not the hype, positive or negative, there are good books available. "Quantum Computation and Quantum Information" by Michael A. Nielsen and Isaac L. Chuang was used as the textbook in the first course I took.

"If memory serves, the number of qubits needed to run Shor's algorithm on a k-bit number is only O(k), owing to the fact that there are efficient reversible circuits for modular exponentiation. Each "gate" in the quantum circuit should be thought of as roughly equivalent to a bit operation in a deterministic algorithm. So the statement "Shor's algorithm requires 72k^3 quantum gates" is equivalent to saying it takes TIME 72k^3 to run. This, by the way, is almost exactly the number of steps it takes to do an RSA decryption with a k-bit key -- no mistake, since the main step in the algorithm is to perform a k-bit modular exponentiation."

I hope no one is actually using 4096 bit keys, because with the need for 5 trillion bits, more bits than we can currently put on a disk drive, it will be impossible to decrypt anything encrypted with such a large key, right?

Apparently this "mordaxus" doesn't understand quantum computing any more than those he mocks in his first paragraphs. The commenter "Not a Quantum Bigwig" apparently does. He points out valid concerns in the rest of his comments.

Hasn't anyone around here ever taken a course in digital logic?

For complexity purposes, the "size" of a problem involves the time, number of (qu-)bits and number of gates. Quantum algorithms are usually analyzed within a computational model where the number of qubits is O(k) (k = #bits of input and output numbers). In factorization, it is really the time that scales as k³, not the number of gates.

"It adds, it subtracts, it factors! Buy the Ronco PairCracker, now with 50% more Quantum!"
