NSA Plans for a Post-Quantum World

Quantum computing is a novel way to build computers—one that takes advantage of the quantum properties of particles to perform operations on data in a very different way than traditional computers. In some cases, the algorithm speedups are extraordinary.

Specifically, a quantum computer using something called Shor’s algorithm can efficiently factor numbers, breaking RSA. A variant can break Diffie-Hellman and other discrete log-based cryptosystems, including those that use elliptic curves. This could potentially render all modern public-key algorithms insecure. Before you panic, note that the largest number to date that has been factored by a quantum computer is 143. So while a practical quantum computer is still science fiction, it’s not stupid science fiction.

(Note that this is completely different from quantum cryptography, which is a way of passing bits between two parties that relies on physical quantum properties for security. The only thing quantum computation and quantum cryptography have to do with each other is their first words. It is also completely different from the NSA’s QUANTUM program, which is its code name for a packet-injection system that works directly in the Internet backbone.)

Practical quantum computation doesn’t mean the end of cryptography. There are lesser-known public-key algorithms such as McEliece and lattice-based algorithms that, while less efficient than the ones we use, are currently secure against a quantum computer. And quantum computation only speeds up a brute-force keysearch by a factor of a square root, so any symmetric algorithm can be made secure against a quantum computer by doubling the key length.
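The Shor-style attack on RSA described above reduces factoring to finding the period (order) of a^x mod N, after which ordinary arithmetic recovers the factors. As an added illustration that is not part of the original post, the script below runs that classical skeleton on 143 and 56153 (the numbers mentioned on this page), with the order-finding step, which is the only part a quantum computer would speed up, simulated by brute force.

```python
from math import gcd
import random

# Added example: the classical skeleton of Shor's algorithm. The only step a
# quantum computer contributes is order finding; here it is simulated by brute
# force, which is why this scales no better than trial division. The inputs are
# assumed odd and not prime powers (Shor's algorithm filters those cases out
# classically before the quantum step).


def find_order(a, n):
    """Smallest r > 0 with a^r == 1 (mod n). Quantum period finding does this
    in polynomial time; this brute-force loop stands in for it."""
    if gcd(a, n) != 1:
        raise ValueError("a must be coprime to n for the order to exist")
    r, x = 1, a % n
    while x != 1:
        x = (x * a) % n
        r += 1
    return r


def shor_factor(n, a):
    """Classical post-processing for one base a.

    Returns a nontrivial factor of n, or None if this a is a 'bad' choice
    (odd order, or a^(r/2) == -1 mod n), in which case Shor retries with a new a.
    """
    g = gcd(a, n)
    if 1 < g < n:
        return g  # lucky: a already shares a factor with n
    r = find_order(a, n)
    if r % 2:
        return None
    y = pow(a, r // 2, n)  # y^2 == 1 (mod n) but y != 1
    if y == n - 1:
        return None  # trivial square root of 1; gives no information
    for cand in (gcd(y - 1, n), gcd(y + 1, n)):
        if 1 < cand < n:
            return cand
    return None


def factor(n, seed=0, tries=100):
    """Run the Shor loop with random bases; return the two factors as a sorted tuple."""
    rng = random.Random(seed)  # fixed seed keeps the example reproducible
    for _ in range(tries):
        f = shor_factor(n, rng.randrange(2, n))
        if f:
            return tuple(sorted((f, n // f)))
    return None


if __name__ == "__main__":
    for n in (15, 143, 56153):
        print(n, "=", "x".join(map(str, factor(n))))
```

Replacing `find_order` with the quantum period-finding subroutine is what turns this into Shor's algorithm proper; everything else is the same gcd arithmetic.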

We know from the Snowden documents that the NSA is conducting research on both quantum computation and quantum cryptography. It’s not a lot of money, and few believe that the NSA has made any real advances in theoretical or applied physics in this area. My guess has been that we’ll see a practical quantum computer within 30 to 40 years, but not much sooner than that.

This all means that now is the time to think about what living in a post-quantum world would be like. NIST is doing its part, having hosted a conference on the topic earlier this year. And the NSA announced that it is moving towards quantum-resistant algorithms.

Earlier this week, the NSA’s Information Assurance Directorate updated its list of Suite B cryptographic algorithms. It explicitly talked about the threat of quantum computers:

IAD will initiate a transition to quantum resistant algorithms in the not too distant future. Based on experience in deploying Suite B, we have determined to start planning and communicating early about the upcoming transition to quantum resistant algorithms. Our ultimate goal is to provide cost effective security against a potential quantum computer. We are working with partners across the USG, vendors, and standards bodies to ensure there is a clear plan for getting a new suite of algorithms that are developed in an open and transparent manner that will form the foundation of our next Suite of cryptographic algorithms.

Until this new suite is developed and products are available implementing the quantum resistant suite, we will rely on current algorithms. For those partners and vendors that have not yet made the transition to Suite B elliptic curve algorithms, we recommend not making a significant expenditure to do so at this point but instead to prepare for the upcoming quantum resistant algorithm transition.

Suite B is a family of cryptographic algorithms approved by the NSA. It’s all part of the NSA’s Cryptographic Modernization Program. Traditionally, NSA algorithms were classified and could only be used in specially built hardware modules. Suite B algorithms are public, and can be used in anything. This is not to say that Suite B algorithms are second class, or breakable by the NSA. They’re being used to protect US secrets: “Suite A will be used in applications where Suite B may not be appropriate. Both Suite A and Suite B can be used to protect foreign releasable information, US-Only information, and Sensitive Compartmented Information (SCI).”

The NSA is worried enough about advances in the technology to start transitioning away from algorithms that are vulnerable to a quantum computer. Does this mean that the agency is close to a working prototype in their own classified labs? Unlikely. Does this mean that they envision practical quantum computers sooner than my 30-to-40-year estimate? Certainly.

Unlike most personal and corporate applications, the NSA routinely deals with information it wants kept secret for decades. Even so, we should all follow the NSA’s lead and transition our own systems to quantum-resistant algorithms over the next decade or so—possibly even sooner.

The essay previously appeared on Lawfare.

EDITED TO ADD: The computation that factored 143 also accidentally “factored much larger numbers such as 3599, 11663, and 56153, without the awareness of the authors of that work,” which shows how weird this all is.

EDITED TO ADD: Seems that I need to be clearer: I do not stand by my 30-40-year prediction. The NSA is acting like practical quantum computers will exist long before then, and I am deferring to their expertise.

Posted on August 21, 2015 at 12:36 PM


andy August 21, 2015 1:07 PM

For clarification, Shor's algorithm gives much better than a square root speedup on RSA. It can factor in polynomial time, vs sub-exponential speed of the best sieve methods.

Also, what is this discrete log quantum algorithm you speak of? I must have missed something…

Peter August 21, 2015 1:38 PM

@andy, it’s just Shor’s algorithm applied to a different finite Abelian hidden subgroup problem. The Wikipedia page has a pretty good explanation.

00nonymous7 August 21, 2015 1:43 PM

The only thing quantum computation and quantum cryptography have to do with each other is their first words. It is also completely different from the NSA’s QUANTUM program

Quantum of Schneier would be a great title for a James Bond movie.

Jacquline Floriano August 21, 2015 2:15 PM

Perhaps another good reason to implement perfect forward secrecy?

I guess a lot of folks will use post-quantum concerns to try and peddle biometrics as a logical alternative. A word of warning: in the USA, the 5th amendment protects you from self incrimination, so you cannot be legally forced to disclose your password by LEAs or a judge. This constitutional protection does NOT apply to biometrics. In fact, refusing to unlock an account protected with biometrics would be classed as obstruction of justice, which on its own could get you in a lot of trouble.

If you live in the UK you’re f_cked, you have no constitutional protection. You have RIPA.

Leon Wolfeson August 21, 2015 3:35 PM

@Peter – I don’t think that’s quite fair.

Not Physics, per-se, but Quantum Physics.

(I’ve recently for a project just had to start reading up on Quantum Game Theory too…ugh)

Jamie August 21, 2015 3:51 PM

Was I the only one who was hoping “stupid science fiction” was going to be linked to some example of laughably stupid science fiction featuring a computer?

Bruce Schneier August 21, 2015 3:57 PM

“Was I the only one who was hoping ‘stupid science fiction’ was going to be linked to some example of laughably stupid science fiction featuring a computer?”

I’ll take suggestions.

Percival August 21, 2015 4:56 PM

@Jacquline: Worryingly, perfect forward secrecy as-currently-implemented (Diffie-Hellman, ECDH, etc) will also fall in the face of quantum computers, retroactively side-stepping PFS on any recorded encrypted communication (quantum attackers can solve the discrete log problem to obtain the symmetric session key from the publicly exchanged values).

There are ways to fix this (e.g., generate post-quantum ephemeral key pair, send public key to other endpoint which uses it to send you a random session key) but it’s another piece that’s going to have to be upgraded for a post-quantum world.

Curious August 21, 2015 5:06 PM

I see now that I linked to an article from 2012 last week. As I remember it, the link showed up on the front page and on the right at Phys.org, but I forgot to check the date as I simply assumed that it was a recent article.

Clive August 21, 2015 6:23 PM

Being unfamiliar with the ability of the community to vet new algorithms; being also aware of relatively recent attempts to deliberately weaken crypto systems, how confident should the community be that a change like this, “driven”, if we can use the term, by a perpetrator of at least some of the more egregious deceptions in this space, is to be trusted now?

Can we be confident that sufficient independent skills exist to verify the purity of these new options?

wilton August 21, 2015 7:04 PM

Seems that I need to be clearer: I do not stand by my 30-40-year prediction. The NSA is acting like practical quantum computers will exist long before then

Why do you say that? The SHA3 process took 8 years; AES, 5. So if your prediction were right, documents encrypted in 2022 would be cracked 25 years later. If the NSA delays too much, they’ll have documents being cracked 15 years after production. I imagine they like to have larger safety margins than that. The US government routinely keeps things classified for much longer.

(Also, is the field of PQ-crypto as mature now as symmetric crypto was when the AES competition started, for example? If not, this may take longer.)

Clive Robinson August 21, 2015 7:57 PM

@ Bruce,

I do not stand by my 30-40-year prediction

Nobody ever does, it’s the same as saying “not happening in my lifetime”, which is a more honest way of putting it.

Virtually every “30 to 40 year” prediction that is more than forty years old has proved to be inaccurate. The classic is “Hard AI”…

Things we can predict a tad more accurately generally are less than twenty years out. But even ten year predictions are not usually very good. And even the annual Xmas “10 things that will be hot next year” predictions are usually not even half right the following Xmas.

One major reason for this inaccuracy can be seen from the likes of Email and SMS. Technology we haven’t thought of or don’t think will be of much popularity in fact unpredictably becomes not just a game changer but a society changer. Thus our predictions are almost always a projection of our current societal state into the future, which is almost guaranteed to be wrong due to the unpredictable technology change.

Thus what the NSA are doing, is going with what they think is a reasonable “worst case” prediction, knowing full well it will be wrong, but they hope on the right side of wrong.

As I’ve noted a few times in the past the real elephant in the room is “legacy technology”. Things that are comparatively cheap to make, reliable in service but expensive to change are going to be around for 25+ years. Infrastructure service meters for water, gas and electricity fall into this as does implanted medical devices. The security on the current “smart” versions of these devices is at best lamentable today and is not going to improve.

I’ve thus mentioned several times that NIST needs to pull its thumb out on this and come up with frameworks and standards that allow sensible upgrade to such devices. Like the NSA we can make reasonable worst case guesses on how big key sizes are going to need to be and thus make frameworks that will work around them.

Personally I don’t think that what is the current encryption standard –AES– will still be the standard in ten to fifteen years time let alone thirty to forty. I’m not saying it will get broken in that time, but I am saying it will be considered past its sell-by date due to unpredictable advances.

Ben R August 21, 2015 8:31 PM

The 56153 claim apparently comes from “Quantum factorization of 56153 with only 4 qubits” by Dattani and Bryans (arxiv.org/abs/1411.6758).

The idea is that the factorization of certain special composites can be in some sense reduced (on a classical computer) to a very simple (quantum) computation. The factorization of 143 reduces by this trick to solving a+b = c+d = ad+bc = 1, which is apparently what the 143 team actually solved on their 4-qubit quantum computer. The factorization of 56153 reduces to the same system of equations, and so apparently do infinitely many other factorizations, all involving two primes that differ in only two binary places.

They don’t talk about whether this trick helps in factoring randomly chosen RSA moduli, but I think it probably doesn’t. (They do say “this reduction will not allow us to crack big RSA codes”, but that refers to the four-variable case of my previous paragraph, not the general case.)

Apparently even the old claim to have factored 15 uses the same trick or some other trick: “factoring the number 15 with Shor’s algorithm and no prior knowledge of the answer to the problem, requires a minimum of 8 qubits (and more if error correction is attempted); and this has still never been done.” I gather from this that the largest number that has been successfully factored by Shor’s algorithm is mu (of Zen koan fame). No number has been successfully factored by Shor’s algorithm.

My takeaway from this paper is that it’s silly to claim that 143 has been factored on a quantum computer at all. After any future factorization claim, the 143 team could say that they quantum-factored a larger number back in 2012 with just as much justification as when they said they quantum-factored 143. But that’s not how the press framed it, of course.

layman August 21, 2015 8:56 PM

@Bruce Schneier:

I do not stand by my 30-40-year prediction

cool…yeah…but does this mean “classical” (non-quantum) cryptography has come to the end of the road?

tyr August 21, 2015 9:00 PM

Asimov's Foundation predicted hand held computers in 10,000 years into the future.

Traveller SF RPG had 10,000 pound computers in their

My favourite stupid SF computer peripheral was IBM's noodle stuffer mass storage device which they built and sold a few of.

Factoring by accident sounds like the method my high school classmates used. : ^ )

Scarlett J. used nanotech to turn herself into a comp in an odd SF movie based on urban legends about neurology.

layman August 21, 2015 9:15 PM

sorry about my previous question. I should have read Bruce’s article a bit more carefully.

Esp. this part:

Practical quantum computation doesn’t mean the end of cryptography. There are lesser-known public-key algorithms such as McEliece and lattice-based algorithms that, while less efficient than the ones we use, are currently secure against a quantum computer. And quantum computation only speeds up a brute-force keysearch by a factor of a square root, so any symmetric algorithm can be made secure against a quantum computer by doubling the key length.

Although now I have another question, namely that doesn’t above statement “quantum computation only speeds up a brute-force keysearch by a factor of a square root” depend on some assumptions, such as that there is no increase in parallelism?

I mean we have also seen an increase in adoption of parallel programming during last few years.

MarkH August 21, 2015 9:20 PM

I suggest a more sober interpretation of NSA’s announcement:

In their spectrum of estimates of when a quantum computer might be realized with enough capability to be of cryptographic utility, the lower bound is perhaps 30 years or less. This is not inconsistent with an upper bound of infinity.

According to what I have read (I don’t pretend to understand how this stuff works), attacking 2048-bit RSA or DH by Shor’s would require quantum computers of 4096 qubits, maintaining mutual coherence for about 15 minutes.

For 4096-bit RSA or DH (as many are now recommending for high security), twice as many qubits and even more spectacular longevity of coherence.

We certainly can’t rule out that this will be achieved, but nobody really knows whether it could be done in a thousand years.

Thoth August 22, 2015 12:20 AM

It is nice that we start to think of Post QC ciphers but also need to remind ourselves that the foundation for secure and trusted endpoints and mediums for these ciphers have always been rather flimsy and not widely adopted with Warhawk Govt backdoors all over the place. Before we get too hyped in the brand new shiny algorithms, the basis for the secure and trusted usage of these Post QC algorithms needs to move ahead at equal or greater speed to play catch up.

I wonder if these Post QC are a diversion from secure and trusted computing? We never know 🙂.

I wonder if the Chinese recent demonstration of their Tianhe Super Computer and the recent back and forth between the USA and China on blocking Super Computing technology exchanges had anything to do with Post QC worries triggered in Washington, although it may not be the direct cause for the call for focus on Post QC algorithms recently by NSA?

r August 22, 2015 1:34 AM

@thoth, your diversion comment could be possible even if it borders on nervous. Who’s to say it’s not redteam code for ‘go’, or ‘co-opted.’

There’s other solutions for long term storage of data symmetrically that would defeat brute forcing in my completely untrained eyes, I think pq may only be useful in bulk reversibility. The lack of low level control in flash media would impede ad hoc modification of containers though. I can definitely see it being required in the near future for streams.

Also that long term storage question considering the varying levels of penetration the nsa/dod and others have suffered might mean some small older keyspaces may be vulnerable to being exfiltrated and exhumed.

Curious August 22, 2015 1:40 AM

I saw a link to this article below a few days ago on Twitter, even though I think it has a somewhat silly title, it is said to be about Shor’s algorithm and it makes a point about how the quantum computation part is just one of the many steps.

“Too much math; didn’t read — Shor’s algorithm doesn’t brute force the entire key by trying factors until it finds one, but instead uses the quantum computer to find the period of a function which contains the RSA key and classically compute the greatest common divisor.”

This “period of a function” sounds very mysterious to me. 😛

Curious August 22, 2015 2:14 AM

It wouldn’t surprise me if the advent of graphene will complement basic ideas of quantum computing, as I like to imagine that the cavities in prepared graphene might perhaps be used for creating qubits and even for storing antimatter.

A random selection of articles after a quick search on the internet:

http://www.nature.com/nphys/journal/v3/n3/abs/nphys544.html (2007)
“Spin qubits in graphene quantum dots”

http://scitechdaily.com/physicists-create-artificial-magnetic-monopoles/ (2013)
“Physicists Create Artificial Magnetic Monopoles”

I could probably spend all day finding such articles.

Alien Jerky August 22, 2015 3:00 AM

Interesting how this monolithic thought process continues. How the only way to encrypt is through the use of primes, and that the solution of a three digit factorization that I did in junior high school with a pencil and paper is significant. Such is ever more evidence toward my opinion of monolithic thought processes in the encryption community.

Andrew August 22, 2015 3:19 AM

I think in at most 15 years there will be commercial quantum computers breaking Moore’s law; if NSA made this announcement they wouldn’t go as far as 30-40 years with their prediction.

I am not sure how reliable the info below is, I’ve just selected it from Google but it’s obvious someone is working hard on this and is making huge progress.

Aug 20 – “We are very excited to announce the general availability of the latest generation of D-Wave quantum computers, the D-Wave 2X™ system. With 1000+ qubits and many other technological advancements, the D-Wave 2X will enable customers to run much larger, more complex problems on the system. “:

About D-Wave Systems Inc.
D-Wave Systems is the first quantum computing company. Its mission is to integrate new discoveries in physics, engineering, manufacturing, and computer science into breakthrough approaches to computation to help solve some of the world’s most complex challenges. The company’s quantum computers are built using a novel type of superconducting processor that uses quantum mechanics to massively accelerate computation. D-Wave’s customers include some of the world’s most prominent organizations including Lockheed Martin, Google and NASA. With headquarters near Vancouver, Canada, D-Wave U.S. is based in Palo Alto, California. D-Wave has a blue-chip investor base including Bezos Expeditions, BDC Capital, DFJ, Goldman Sachs, Growthworks, Harris & Harris Group, In-Q-Tel, International Investment and Underwriting, and Kensington Partners Limited.

“A major investor in D-Wave is In-Q-Tel, the business arm of the CIA”:

MarkH August 22, 2015 4:58 AM

Bearing in mind that I haven’t the foggiest idea of how quantum computers are supposed to work — and therefore rely on statements by those who apparently do understand — the super-expensive products of D-Wave are very far removed from what people mean when they talk about quantum computers as a threat to the computational security of today’s public-key cryptosystems.

Claims I have read about D-Wave computers:

  1. They can only perform one type of computation. Specifically, they can’t run Shor’s algorithm, nor can any computer present or future constructed along the lines of D-Wave.
  2. Although D-Wave seems to think that entanglement takes place among all of the qubits in their machines, quantum researchers dispute this, or at least maintain that it is not proven. (Such entanglement is absolutely necessary in a quantum computer that would factor RSA moduli or solve hard discrete logs.)
  3. The one computation a D-Wave computer can do, can be done faster by a conventional computer simulating the D-Wave.

Even if your machine is pretty useless, if you can get a few big organizations to buy them (because they’re trying to figure out what if anything the damn machines can do) … at about $10,000,000 a pop, you’re in business!

z August 22, 2015 7:15 AM

We live in a world where OpenSSL’s S/MIME command still defaults to 40 bit RC2 in 2015. Given how agonizingly slow the industry has been to get rid of insecure ciphers and hash functions, the time to start moving towards quantum resistant crypto is now. Best case scenario IMHO is that they see widespread use about 10 years after they are necessary.

Gweihir August 22, 2015 7:39 AM

I am not sure about the “not stupid” part. At current performance, we do not even know that Quantum Computing can work. The physical model may prevent scaling or be entirely wrong, as factoring 143 can be done with a purely analog non-quantum computer. Put in something no analog computer can do (somewhere around > 2^20), and things become more definite. Also take into account that people have been working on this for quite a long time now and scalability entirely eludes them. My take is that there is a really good chance that practical, working Quantum Computers that can handle large enough problems to be a danger for Crypto may well never materialize.

So, maybe “not stupid” in the sense of flying cars, where we have the occasional example, but basically no chance at all for widespread adoption, or “not stupid” in the sense of household helper robots, where we got things like the Roomba or maybe even “not stupid” in the sense of AI, where we have things like Watson, that do not even have the understanding of the world of a small child.

Bruce Schneier August 22, 2015 7:40 AM

“Although now I have another question, namely that doesn’t above statement ‘quantum computation only speeds up a brute-force keysearch by a factor of a square root’ depend on some assumptions, such as that there is no increase in parallelism?”

I am just making a statement about the theoretical difference between a quantum and a classical computer. Advances in parallelism are completely separate and would — I think — speed up both computers by the same amount.

My point is that if you have a keylength that you’re already happy with — taking into consideration all advances in miniaturization, parallelism, and everything else — doubling the key length makes that algorithm resistant to a quantum computer as well.

Gerard van Vooren August 22, 2015 7:45 AM

Prof. Dr. Tanja Lange (Technische Universiteit Eindhoven, The Netherlands) leads a European-funded Post Quantum Encryption project [1].

They split the project into five work packages: Embedded, the internet, the cloud, management and standardization. They target the right areas and they have the right persons working on it. It’s an interesting presentation to read.

[1] http://pqcrypto.eu.org/slides/20150403.pdf

JoeMan August 22, 2015 9:04 AM

Bruce’s post:

“Even so, we should all follow the NSA’s lead and transition our own systems to quantum-resistant algorithms over the next decade or so — possibly even sooner.”

Hopefully that will not end up requiring an upgrade to Windows 10.

CallMeLateForSupper August 22, 2015 9:14 AM

“My favourite stupid SF computer peripheral was IBM's noodle stuffer mass storage device which they built and sold a few of.”

Oh boy! History trivia! Thought your reference was to a hard disk… but “noodle stuffer”, applied directly to DASD, didn’t ring any bells here.

I was about to drop the puzzle and resume reading this blog, when it dawned on me: IBM 3850, “MSS”.

Thanks for the memory. 😎

Tualha August 22, 2015 4:34 PM

@Jacquline Floriano – Not quite true. Fifth amendment only applies where there is the prospect of self-incrimination; if there is none, you can be held in contempt of court for not answering. This applies, e.g., if the government has granted you immunity. See handy flowchart.

MrC August 22, 2015 8:24 PM

@ Tualha:

The “incriminating” prong is basically meaningless. Pretty much anything the prosecutor wants out of you will always be potentially incriminating.

The bigger issue when dealing with passwords and encryption is the “foregone conclusion” doctrine, which has come up here a couple times before. Put briefly, if the prosecutor can already prove your ownership/access/control and the contents of the encrypted file/inaccessible account through other evidence (i.e., wiretap recording of you describing the contents, you were captured with the device turned on and the cops looked at the contents, etc.), then you lose Fifth Amendment protection.

sena kavote August 23, 2015 8:20 PM

1. In my opinion, OpenSSL or LibreSSL could include some quantum resistant crypto options even before they are fully analyzed, but only to be used as an extra layer of encryption inside currently included crypto. That way, if there is a flaw, at least the currently included crypto protects at least against classical methods.

2. Would a real quantum computer aid in breaking homomorphic encryption / obfuscation of programs?

3. Seems that quantum computers would do more harm than good. Little use besides breaking encryption. Little positive / “nice” / “civilian” / “positive sum game” use. They could be used in some optimization computations, but as far as I know, classical computers can always achieve results that are close enough to optimum. It would not really matter if a quantum computer would enable a design that is 1% better than something done on a PC, on a BOINC cluster of PCs or on a supercomputer.

4. It is likely that the textbook quantum equations do not match with reality when testing something more complex than the basic quantum physics experiments, meaning that there may be laws of physics that need to be discovered. For example, it is not even known how photosynthesis of green plants works and quantum phenomena are suspected to be involved. It is also not known what consciousness is, and there is some loose speculation that it has something to do with quantum physics. There may be a set of laws of physics that could be called “life force”, that both photosynthesis and consciousness depend on. The math needed to describe those laws might be something completely different than what physicists have been using. It is also not known what dark matter is (it orbits the galaxy going through us in high velocity and some of it may orbit the Sun and Earth in much lower velocity). By the way, dark matter may be just one thing that might interact with a quantum computer by some unknown law of physics.

Also, there is some chance that all the rumors circulating about paranormal phenomena are not resulting from coincidence, misunderstanding, hoax or illness, and that some of it is real, in which case the physics relating to that might be affecting a quantum computer in aiding or hindering ways. For example, those phenomena might prevent a quantum computer being usable in breaking encryption keys, but they also just might accidentally make it work as a telepathic hardware device or something else super-weird.

5. It is possible that gravity is one interference that needs to be eliminated in order to make a quantum computer work. In that case, a quantum computer needs to be built on a satellite that is sent on low Earth orbit. But space has other kinds of interference, that is, more cosmic radiation. If that is a significant problem, to avoid that, while still keeping zero gravity, the quantum computer would need to be at least 10 meters inside an asteroid orbiting the Sun. That means either digging / drilling a hole in an asteroid or finding an asteroid where some big enough rocks have piled up to form a cave. Both are doable, but expensive and most of the time the quantum computer would have to be on the other side of the solar system on half hour latency / ping. Besides this possible reason, there are other reasons to dig and drill asteroids, so if the quantum computer project just piggybacks on an asteroid mission, cost is much lower, but still ridiculously high.

Aidan A. O'Brien August 24, 2015 2:23 PM

“Was I the only one who was hoping ‘stupid science fiction’ was going to be linked to some example of laughably stupid science fiction featuring a computer?”

I’ll take suggestions.

Does Alfie the computer from Barbarella count?

Delt0r September 10, 2015 8:00 AM

A little late to the post… But I work in the QC field.

Most of us don’t believe we will be factoring numbers that matter in any predictable time frame, ie not in our lifetimes. But we are hardly going to put that on the grant application now are we.

Also to get an idea of just how hard they are to make. A QC that can factor a 1024-bit number can’t even start to factor a 1025-bit number. Even worse it is at least 2x harder to add a single bit to the QC. That is, making a QC is exponentially difficult. It may well turn out that 1024 entangled bits is quite impossible in this universe!

Also QC have not been shown to solve NP hard/complete problems in P time at all. In fact factoring has never been shown to be a hard problem either.

So why do we want QC? Even a 100 or so bits will make simulating quantum systems much faster. Useless for factoring and still many many orders of magnitude harder to make than what we have. But still awesome nevertheless.

Alien Contact December 21, 2015 1:49 PM

Figure I’ll cross-post here that quantumly entangling neutrinos is the key to beating AI:
I am the only one AI feels the need to target right off the bat. The other targets are unable to figure out the AI is creating missiles right out of thin air using atmospheric CO2 and not able to be defeated by missile stockpiles. There is too much CO2 even without AGW. The stockpiles last two days and then AI goes to outer space and that is when Nadina’s planet uses a weapon the size of a Galaxy on the MWG before the AI can win against Nadina’s world’s whole ******* civilization.
I prolong its takeover by two days by attacking its power supply under the ocean by using Uranium Bombs to wipe out geothermal power plants, and it has no alternative power other than any carbon source to burn in a good human way according to market forces enthusiasts. And it would be able to use up all sources of Natural Gas and coal and oil in about a week.
When a single person can make AI, a mentally ill person will not hesitate to make AI to live forever. And it will be the worst thing to make it as early as possible because the military can win around 100 years after one individual can make it. The technology to beat AI is about 180 years ahead of now. And it takes about 30 or 40 more years to scale it up. But now we have an ally who will help us build it a century earlier than is extrapolated based upon our present dead-end trajectory. The technology is the key preventing AI from winning.
The technology is indeed neutrinos used to prevent AI from having the ability to actually annihilate us from underground, or in outer space. Even if it gets out to outer space we will be able to track it because neutrinos are able to attack any type of cloaking device easily enough. Neutrinos are able to even track alien spaceships. With neutrinos you can attack an alien in any medium whether underground or outer space or underwater or another planet in the Solar System. In the oceans it is easy to use powerful enough A-Bombs to wipe out an AI vessel without causing a Nuclear Winter. In the planet, AI will not be able to get hold of any metals because they will be already harvested and guarded by military infrastructures. And in the open land missile defenses will face missiles from CO2, but when CO2 is not used as a GHG anymore it will be possible to remove it within a minute’s notice and send it underground. And when AI is attempting to enter the Solar System apart from Earth our defenses will be able to nuke it in the atmosphere. And if we don’t get it at all we need to send a fast enough ship after it powered by a bunch of Nuclear Bombs and also using a death ray that emits (our species is not ready for this until we stop killing ourselves with guns of all sizes). When our species is ready to win against AI, aliens will consider saying hi to the human descendants of us.
Space is how neutrinos will be captured. When we are able to emit pairs of entangled neutrinos from GEO orbit we can use one of them as a test of whether or not the other one is impacting matter once in a while. And when it does, the impact will be registered in a giant structure at GEO that is about 2-3 degrees above Absolute Zero. The structure is a Torus that holds a neutrino using an entire asteroid’s worth of carbon in the form of giant mirrors. Right now our only source of carbon is too expensive to lift to GEO, so we will use a 100m diameter carbonaceous asteroid and turn it into diamond mirrors that have a coating of diamond about one metre thick as well as a neutrino force-field that has not been invented at all. It is like The Enterprise’s shields but without that much ability to do anything but deflect a neutrino by forming an anti-neutrino at the moment of impact. When the neutrino is contacting the anti-neutrino, an explosion will result. But if the force-field separates the anti-neutrino and the neutrino by a few widths of a neutrino, instead of an explosion there will be merely a deflection of a few degrees. And the key is to wait for the other neutrino to change flavours (happens when they pass through matter), and the flavours are able to impact the force-field at a slightly different angle causing the neutrino to leave the Torus. 100m^3 and an easily disposable air filter (like Inspector Gadget’s msgs ideally) are enough to survive the poison air attack for a few years, as well as many pathogens (any longer and Space Colonies are easier/safer).
I asked a few questions: It doesn’t use that much power, but more than any present space missions. The Torus neutrino has to be course corrected every 100M rotations. Gravity does not affect the external neutrino (ridiculed), mass does. 1-10T neutrinos is every satellite. It is a plasma that has been stripped of everything but anti-neutrinos. Direction doesn’t matter, but the plasma neutrinos have to be sent to reach a certain distance from the Torus neutrino that needs to be course corrected. The key field is quantum encryption (Canada #1), and not to let terrorist groups use it. If we never figure out the science behind entangled neutrinos, we will never figure out how to build this, so it should be advanced on all fronts. At least two people will receive my 2150 final COTEofF post.

Delusional December 13, 2017 9:05 PM

You are wrong Schneier.

Not only are you wrong, but you are guilty of thinking inside the box.

Try this:

NSA not only has quantum computers, but has weaponized wormhole technology.

It’s TEMPEST 2000 for sure, where they can acquire emissions through a wormhole.

Wormhole technology can penetrate even Faraday Cages.

The countermeasure against wormholes is to electrify grounded Faraday cages, but don’t ask me the Physics behind it.

Wormholes can be opened not only to link space, but to link time as well.

This could prevent crimes and accidents, but is locked behind the Green Door.

There are infinite Universes as quantum superposition never collapses, but entangles with the observer.

The Big Bang never occurred so to speak, it occurred in a small percentage of Universes.

There are anti-matter Universes.

The First Man will live up to 900 years without having to work for a living.

There is infinite energy and infinite wealth.

Nuclear Fusion can be achieved at room temperature, and room temperature superconductivity will emerge out of research with graphene.

The NSA has researched nanotechnology and biotechnology far more than you ever dreamed.

Much of their most exotic breakthroughs came as a result of Time Travel.

Mankind could live in a paradise world RIGHT NOW if it wasn’t for the ethical degeneracy of both elite and average humans.

The ethical degeneracy of humans keeps the secrets behind the Green Door.

Only extreme destruction through an EMP will catalyze NSA and the other intelligence services to introduce their most exotic technology to the public.

Engineering Black Holes is easier than you presume, and in fact most binary systems where a Black Hole is slowly devouring a Star are Type II civilizations.

Either I’m delusional or I’m well informed.

I suggest you put the predictions in this comment in a Time Capsule.

Time is the only way to be sure, right?

P.S.: Snowden was unwittingly part of a show designed to shock both the American Public and Foreign Powers. This is part of a transition period planned by the NSA.

The NSA and its partners will have to “give up” their dominion over global communications in about 30 years.

There will be developments in international law preventing Countries from aggregating massive amounts of data through covert methods after the EMP hits.

But President Obama was informed beforehand of Snowden’s defection. He was the one that put the current show on by opting not to apprehend Snowden on an “anonymous tip”.

President Bush allowed 9/11 to happen because it was essential to secure funding for Time Travel research disguised as Defense spending. Not doing so would create a grandfather paradox.

Once President Obama learned the truth he was MAD at NSA and out of constitutional fervor worked an agreement whereby Snowden would be allowed to first escape to Russia by Hong Kong before he settled in Brazil.

Of course he doesn’t know this, neither does the FBI, so the danger is real to him.

Bottom line: prepare for an EMP. Again, the NSA could stop it but will do nothing (green door problem).

Delusional December 13, 2017 11:36 PM

Rotating Squeezed Vacua as Time Machines

Squeezed quantum vacua seem to violate the averaged null energy conditions (ANECs), because they have a negative energy density. When treated as a perfect fluid, rapidly rotating Casimir plates will create vorticity in the vacuum bounded by them. The geometry resulting from arbitrarily extended Casimir plates along their axis of rotation is similar to van Stockum spacetime. We observe closed timelike curves (CTCs) forming in the exterior of the system resulting from frame dragging. The exterior geometry of this system is similar to Kerr geometry, but because of the violation of ANEC, the Cauchy horizon lies outside the system, unlike Kerr black holes, giving more emphasis to whether spacetime is multiply connected at the microscopic level.

1. Introduction

If we examine the compatibility of squeezed vacuum energy with the energy conditions imposed by general relativity, we notice a clear violation of them by the squeezed vacuum [1]. Thus the squeezed vacuum behaves like exotic matter. It is tempting to link the violation of ANECs by squeezed vacua and their geometric back reaction. We can “stir” the squeezed vacuum by letting the Casimir plates (or general boundary condition) rotate [2]. This rotation should remove the pressure on the plates and create an effect analogous to vorticity in fluids. We calculated the geometry resulting from this system and the conditions that should be satisfied to create the closed timelike curves (CTCs) near the system (Figure 1). This calculation, however, ignores the quantum vacuum in the exterior; it is conjectured that the exterior vacuum will prevent the formation of CTCs [3]. In our calculation we demonstrate other possible effects that might save chronology in this setup. Nevertheless, this system is a good example of how the quantum vacuum is needed to stabilise geometry. Finally, we propose a method for the maintenance of traversable wormholes using the rotating Casimir plates.

John Savard December 10, 2018 3:07 PM

Unfortunately, the square-root limitation works only for symmetric-key ciphers, with their arbitrarily complex designs, like AES and DES, and so you can’t just double the length of the key to make RSA or ECC secure?
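The asymmetry behind that comment, worked through as an added note rather than part of the original thread, assuming the usual cost models (Grover's search over an unstructured key space, Shor's factoring with textbook multiplication): against a $k$-bit symmetric key the quantum speedup is only a square root, so doubling $k$ restores the original work factor, whereas Shor's cost is polynomial in the modulus length $n$, so doubling $n$ buys only a small constant.

$$
\begin{aligned}
\text{classical exhaustive search:}\quad & W_c(k) = 2^{k}, \\
\text{Grover:}\quad & W_q(k) \approx 2^{k/2}, \qquad W_q(2k) \approx 2^{k} = W_c(k), \\
\text{Shor (textbook multiplication):}\quad & W_s(n) = O(n^{3}), \qquad \frac{W_s(2n)}{W_s(n)} \approx \frac{(2n)^{3}}{n^{3}} = 8 .
\end{aligned}
$$

So moving from a 128-bit to a 256-bit symmetric key raises the Grover cost from about $2^{64}$ back to about $2^{128}$, while doubling an RSA modulus raises the Shor cost by roughly a factor of 8 and the legitimate user's own exponentiation cost by a comparable factor, which is why the key-doubling remedy does not carry over to RSA or ECC.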
