Breaking 256-bit Elliptic Curve Encryption with a Quantum Computer

Researchers have calculated the quantum computer size necessary to break 256-bit elliptic curve public-key cryptography:

Finally, we calculate the number of physical qubits required to break the 256-bit elliptic curve encryption of keys in the Bitcoin network within the small available time frame in which it would actually pose a threat to do so. It would require 317 × 10^6 physical qubits to break the encryption within one hour using the surface code, a code cycle time of 1 μs, a reaction time of 10 μs, and a physical gate error of 10^-3. To instead break the encryption within one day, it would require 13 × 10^6 physical qubits.

In other words: no time soon. Not even remotely soon. IBM’s largest ever superconducting quantum computer is 127 physical qubits.

Posted on February 9, 2022 at 6:25 AM • 51 Comments

Comments

JL Sardinas February 9, 2022 6:30 AM

They may want to use hybrids in the meantime… and algorithms may continue evolving, so the time frame is still uncertain. Maybe not too close, but uncertain definitely 🙂

Alan February 9, 2022 7:00 AM

So breaking ECC key in five years would only require 7000 qubits? There are currently ECC keys in use that are intended to be used for that length of time… I think the limiting issue tho might be the number of quantum logic gates required, not the number of qubits…

NoSpamPlease February 9, 2022 7:18 AM

So why is there so much buzz around Post-Quantum Crypto? Can it really be that cryptographers ran out of things to do?

null clam February 9, 2022 7:38 AM

This is all very well, but I’m waiting for the black hole computer.

Recipe:

  1. Warm up a left-over black hole (must not be more than 13.787±0.020 billion years old) in the cosmic microwave.
  2. Uh … need some help here

xyzzy://arxiv.org/pdf/quant-ph/9908043

Ted February 9, 2022 9:13 AM

127 qubits is a ways off from 13,000,000 physical qubits, but IBM is on a roll.

“IBM has said that it hopes to demonstrate a 400-qubit processor next year and to break the 1000-qubit barrier the following year with a chip called Condor.”

It looks like the US government is putting more money into QIS R&D. Its budget authority has almost doubled in the last 4 years. For FY 2022, it’s estimated to be $877 million.

What does the NSA think about this? “A: NSA does not know when or even if a quantum computer of sufficient size and power to exploit public key cryptography (a CRQC) will exist.”

That is from the NSA’s 2021 FAQ on Quantum Computing and Post-Quantum Cryptography. At least we know it’s on their radar.

https://media.defense.gov/2021/Aug/04/2002821837/-1/-1/1/Quantum_FAQs_20210804.PDF

https://www.quantum.gov/wp-content/uploads/2021/12/NQI-Annual-Report-FY2022.pdf

Clive Robinson February 9, 2022 9:43 AM

@ Bruce, ALL,

In other words: no time soon. Not even remotely soon.

One of the major failings in security is underestimating the human ingenuity and the ability to repurpose ideas or technology.

Whilst I agree it is unlikely for QC to become of practical use in security for breaking crypto within the next five generations, and with rapidly increasing uncertainty thereafter…

It could actually be in as little as a year if someone found a way to repurpose an existing technology.

And that is the real problem, not if and when QC ever happens, but how fast it can be implemented when it does.

Because as humans we tend to put off doing what we should do today unless we see some emergency in doing so.

In the past I’ve provided reasonable estimates for the effective lifetime of devices that use crypto algorithms such as “smart-meters”. Due to “resource issues” these have tended to use “Work-Lite Crypto”.

The problem is that once a system is in place the cost of upgrading usually deters any systematic upgrading, only repair for random hardware failures gets done. I know that software I wrote forty years ago is still in use in a production environment.

But what about Crypto life times? Well DES is scarily still used in SIMs for mobile phones. DES was available in 1975 and in products in 1977. So forty five years and counting…

Chips in smart cards and car door locks are still using even weaker crypto some of which originated in the early 1980’s.

From a practical view point though, consider the question

“Why attack strong crypto such as ECC when you could get to a user interface with much less effort”

Will QC enable such attacks, now that is an interesting question 😉

Z.Lozinski February 9, 2022 9:45 AM

@NoSpamPlease:

So why is there so much buzz around Post-Quantum Crypto?

We know that a quantum computer can efficiently factor integers (this is Shor’s Algorithm), which means that most current public key systems deployed today (e.g. RSA) are vulnerable once you have a quantum computer with enough qubits.

IBM’s quantum computer roadmap is public and a little thought tells you that scaling quantum computers (at least ones using superconducting transmon qubits) is now about microelectronics. See Moore’s Law and Dennard scaling for how that works out over say 50+ years.

The NSA is quite proud of the fact it spent 40 years on VENONA – the breaking of WW2 Soviet one-time pads. This was worth it because it enabled them to understand much of Soviet penetration of the Manhattan Project and other agents still in place in the US. Kim Philby recalls how he would regularly visit Meredith Gardner (the ASA/NSA cryptologist) to check on progress, knowing full well that the signals about HOMER referred to him.

So, if you have information today that needs to be secure for 30+ years, you need to be thinking about cryptographic agility now. The ability to replace your current cryptosystems with new cryptosystems and to securely re-encrypt the data.

Post-Quantum cryptography is about both cryptosystem agility and new cryptographic algorithms that cannot be broken by a quantum computer. The US NIST is running a competition for these with the results due in 2022/23.

So, we’re thinking about post-quantum crypto now, because if we wait until quantum computers with 1 million qubits are in production, it will be too late.

Z.Lozinski February 9, 2022 10:10 AM

@Clive,

Consider that in 1965 we had three active elements (transistors or diodes) on an SLT module. And that in 2022 we have 57 billion transistors in an Apple M1 Max. That’s 20 billion-fold improvement in 57 years. And for extra fun we then put 100,000 of them in a data center and call it a cloud. So now we have 1E15 transistors in a single unit.

From a security view-point, you cannot afford to bet against even a fraction of the same level of improvement in quantum computing technology. I have no idea if this will happen, but I can understand why it is a risk that must be managed.

But as ever your final conclusion is right. Never mind the technology, what about the person using it?

tim February 9, 2022 11:24 AM

From a security view-point, you cannot afford to bet against even a fraction of the same level of improvement in quantum computing technology. I have no idea if this will happen, but I can understand why it is a risk that must be managed.

In other words we will cross that bridge when we come to it so let’s stop the “panic” post that fills these forums. Most organizations can’t even get asset inventories right.

Seriously – this is a non issue for everyone for the foreseeable future.

Clive Robinson February 9, 2022 12:55 PM

@ tim, Z.Lozinski, ALL,

In other words we will cross that bridge when we come to it so let’s stop the “panic”…
…Seriously – this is a non issue for everyone for the foreseeable future.

The only proven way to reliably stop panic is by solving a problem you are aware of in a sensibly timely manner.

But as I said above,

“Because as humans we tend to put off doing what we should do today unless we see some emergency in doing so.”

So I guess you are just amplifying the point.

Jp February 9, 2022 1:44 PM

And then even if ECC is cracked you would need first to crack sha256 for not reused Bitcoin address (Bitcoin address is a hash of the ECC public key. You first need to know the public key to be able to crack it)

pup vas February 9, 2022 2:13 PM

Record-high seizure of $5bn in stolen Bitcoin
https://www.bbc.com/news/world-us-canada-60310783

=Stolen Bitcoin worth more than $5bn (£3.7bn) has been seized by the US Department of Justice – the largest ever confiscation of its kind.

Officials also arrested and charged two people on Tuesday with attempting to launder the money, which amounts to nearly 120,000 Bitcoin.

The funds, stolen by a hacker who breached a cryptocurrency exchange in 2016, were valued at about $71m.

But, with the rise in Bitcoin’s value, it is now valued at more than $5bn.

A criminal complaint alleges Lichtenstein and his wife, Heather Morgan, 31, laundered about 25,000 of the stolen Bitcoin through various accounts over the past five years and used various methods to cover their tracks, from fake identities to converting their Bitcoin into other digital currencies.

The asset seizure comes four months after the launch of a National Cryptocurrency Enforcement Team at the Justice Department.=

Z.Lozinski February 9, 2022 3:45 PM

Further to the question “why now” about the interest in quantum safe cryptography.

Have a look at the recent National Security Memorandum (NSM-8, Jan 19, 2022) “Memorandum on Improving the Cybersecurity of National Security, Department of Defense, and Intelligence Community Systems” issued by the White House. NSM-8 mandates US Government agencies develop plans to migrate to quantum secure encryption and submit them for approval.

https://www.whitehouse.gov/briefing-room/presidential-actions/2022/01/19/memorandum-on-improving-the-cybersecurity-of-national-security-department-of-defense-and-intelligence-community-systems/

Firms outside the US Government who are interested in the long term security of data-at-rest are looking seriously at what they need to do after the publication of NSM-8.

Jp February 9, 2022 4:43 PM

@spaceLifeForm my point was that this is not enough because public key of bitcoin address are not public if no spend on it. This was to reply of people speaking about crypto/Bitcoin.
And for what I know, sha256 is not easier to crack with quantum computing…

SpaceLifeForm February 9, 2022 5:47 PM

@ Jp

I agree that quantum will not likely help in reversing a sha256 hash.

My point is that it would not be needed if you have the private key.

In this instant case, the cryptocurrency money launderers did not follow sound security practices.

They did not use a cold wallet.

The FBI got a warrant, and got the private key.

https://twitter.com/RachelTobac/status/1491458747797209088

Yes, you heard that right, they stored the private keys to billions of dollars worth of stolen cryptocurrency in online accounts…which the DOJ simply got a warrant for, saw quickly, and transferred back to themselves using those private keys lol.

SpaceLifeForm February 9, 2022 7:27 PM

@ Winter, ALL

Can someone prove the status of CryptoCurrency?

Can one prove it was stolen versus it was always a money laundering operation?

Money Launderer: My Apes were stolen!

Plausible deniability.

Money Launderer: I waz hacked!

You lose your private key, you lose.

lurker February 9, 2022 8:06 PM

@SpaceLifeForm, All

There’s locally $0.5M reward “for information leading to the recovery” of a USB stick containing private keys to a large amount of BTC. It was in a very large heavy safe that got lifted by night…

Now assuming the lifters decide not to chase the reward, and wipe the stick and use it for their manga collection, is that BTC effectively a NFT?

The reward seems to indicate nobody can remember the private key out of their head; nor did they follow @Clive’s advice and print it on paper, tucked into p.nnn of Bleak House.

MarkH February 9, 2022 11:14 PM

@Alan:

So breaking ECC key in five years would only require 7000 qubits?

If I understand correctly, some QC algorithms (such as Shor’s) cannot be divided: the whole must proceed as an integral process, which would prevent such capacity vs. time tradeoffs.

MarkH February 9, 2022 11:24 PM

@Z.Lozinski:

scaling quantum computers … is now about microelectronics

This should be true about fabricating increasing numbers of qubit structures on a substrate.

However, I suppose the greater challenge to be establishing coherent entanglement among the entire set of qubits, and maintaining this condition stably for hundreds (or even thousands) of seconds.

Fulfilling this requirement goes far beyond the scope of microelectronics.

Winter February 10, 2022 2:05 AM

@SLF
“Can one prove it was stolen versus it was always a money laundering operation?”

The same way you can prove that your car or credit card was stolen. It is no different. Evidence, plausibility, motive, opportunity, are all there. It helps if more unrelated people were affected at the same time.

timeframe February 10, 2022 6:24 AM

The timeframe depends on your goals.
If you want to double-spend the newest transaction, you’ll need about 10 minutes or better. This is of limited value anyway.

If you want to re-write an hour’s history, you’ll need to sustain a rate of better than 10 minutes (say, 9?) for over an hour.

If you want to crack into a person’s wallet – then days or weeks would be good.

If you want to destroy Bitcoin, your target should be Satoshi’s coins. Maybe the first few reward blocks. Crack those, then simply move them. The following panic might be good enough to destabilize the economy of crypto.
For that, a year or three timeframe might do the trick. For a government afraid of crypto, that’s a possible scenario.

Clive Robinson February 10, 2022 8:28 AM

@ Winter, SpaceLifeForm, ALL,

It helps if more unrelated people were affected at the same time.

Not as often as murder mystery etc writers would have you believe.

As an over generalised statement the authorities do things in a certain order to establish a list of suspects,

1, Those at or adjacent to crime scene.

2, Those close to the victim.

In most cases they have a likely suspect or organisation by then in over nine out of ten cases. The issue then is “burden of proof”[1]

This is because contrary to what is said in fiction serial killers are a tiny tiny fraction of the cause of unexplained deaths.

Often most who might become or later became serial killers[2] are caught with their first attempt/kill, because they have not yet worked out how to reduce their chances of getting caught by planning.

The problem for a person who wants to hide a murder by committing several murders is that they are directly linked to the intended victim(2 above), but still indirectly linked to their random victims (1 above).

That is they need to decouple themselves from all the murders, and that is hard. Also serial killers tend to be “hands on” because it is a “power over life or death” craving and so they want to prolong the act to increase the visceral pleasure. It also gets “ritualistic” but in a manner to the person whilst they are still alive, that is it’s akin to torture. Most people no matter how motivated can not do it convincingly, likewise the victim display rituals.

People have tried poisoning consumable supply (food, medicines, etc). Mostly as far as we are aware it does not work out because they are too far down the supply chain so leave traces. With even small local fresh produce suppliers having CCTV with 30day storage to hard drive, it makes the “swap in” process difficult. Also other issues such as “batch numbers” give significant traceability.

There are quite a number of other things, but I’m not going to go into them, as the above should tell you the more obvious problems it is very difficult to get past sufficiently convincingly.

But in nearly all cases of multiple killing like this, the killer leaves it way way too long, therefore a motive for the killing is there for the intended victim and probably not for the random victims. Worse the motive is often effectively in plain sight. So after even cursory investigation there is a strong indicator (though this can go wrong for investigators in genuine serial killings, divorce and the like are rather common so random…).

[1] Sometimes a killer is careful or just lucky and even though the police etc have them on the suspect list, there is insufficient evidence to fully identify or convict. However when new forensic techniques come along, things change and identification becomes possible. We know this more from “wrongful convictions” than actual new convictions. But what is most frequently seen is the actual guilty party was known to the authorities at the time and were to some extent investigated.

[2] We don’t know how many proto serial killers there are in society it could be quite high. What we do know is some violent offenders / murderers having been caught on release having got paroled or full served offend again. We also know that there are people that kill, only for reward or other motive, even though under analysis they are very similar to serial killers.

Winter February 10, 2022 8:37 AM

@Clive
“Not as often as murder mystery etc writers would have you believe.”

Interesting, but not really what I meant. If your house is burglarized, it matters whether yours was one of many in the neighborhood that summer, or just that single one in 10 years.

SpaceLifeForm February 10, 2022 2:27 PM

@ Winter, ALL

re: Can one prove it was stolen versus it was always a money laundering operation?

The same way you can prove that your car or credit card was stolen. It is no different.

Except that it is different.

It is physics.

There are records, and documentation associated with a physical object such as a credit card or a car.

You can contact your bank, and tell them your credit card was lost or stolen. They can kill the credit card number.

You can report a stolen car because there is a VIN, and a title tied to the VIN and the owner.

But a Bag-of-Bits on a blockchain is not physical, and there is no documentation proving ownership.

SpaceLifeForm February 10, 2022 3:04 PM

@ Winter, ALL

re: Can one prove it was stolen versus it was always a money laundering operation?

Which leads to the recent rule changes requiring AML/KYC regarding crypto-currency exchanges.

The intent is to require documentation of the customers to prevent money laundering.

hxtps://getid.com/aml-kyc-crypto-exchanges-wallets/

Which definitely would help, if they all did this, but…

SpaceLifeForm February 10, 2022 3:42 PM

@ Winter, ALL

re: Can one prove it was stolen versus it was always a money laundering operation?

but… my apes were stolen!

I waz hacked!

hxtps://www.aljazeera.com/economy/2022/2/10/who-gets-the-3-6bn-in-bitcoin-us-seized-in-bitfinex-hack

Another difficulty may lie even in verifying customer identities. Even today, anyone with an email address can simply open an account on Bitfinex, without any further verification for most basic functions.

Who hacked the Bitfinex is still unclear as well, and could be pertinent to any distribution, Silver said. The married couple who were arrested on Feb. 8 were accused of money laundering, not stealing the coins.

[alleged hack]

SpaceLifeForm February 10, 2022 4:45 PM

@ Winter, ALL

re: Can one prove it was stolen versus it was always a money laundering operation?

So, going full circle here, my question remains. It was always a rhetorical/legal question if you have not figured that out.

Here is how it could work, and likely did.

X launders fiat money into the blockchain via the Y crypto-exchange that asks no questions for a percentage.

X passes on the private key to Z that does the laundry.

Y can argue that they were hacked.

X can argue that their apes were stolen.

X will not show up in court.

There are many other dots. British Virgin Islands is a good starting point.

hxtps://decrypt.co/92529/bitfinex-billion-bitcoin-who-keeps-it

At the time of the hack, governments had already grown concerned over Bitfinex’s lack of oversight—unlike exchanges such as Coinbase or Gemini, it failed to impose so-called know-your-customer (KYC) requirements that are intended to curtail criminal activity.

[you lose the private key, you lose]

Clive Robinson February 13, 2022 10:38 PM

@ SpaceLifeForm,

Worth a read to grasp how difficult doing secure encryption really is.

Yet neither the author nor those he spoke to appear to really grasp the depth of “Protocol Ossification”.

The longest time they mentioned was for the chips in a car…

The reality that will really bite people hard is “Smart Meters” these will have a minimum of a three year design/certification time, then be current for installation for a couple of decades with a minimum usage life time of a quarter century and as much as half a century…

So what is starting the design process now, will still be in use in up to seventy five years…

Now we already know that Smart Electricity Meters that sample at 600 times a second, can be used to tell what TV program you are watching on your big-screen TV. They can also tell what appliances are being used…

The race is on to force Smart Meters in people’s homes, long before the NIST QC-Proof Competition has been finished. The reality is it’s unlikely they will use QC-Proof Crypto in production Smart meters for a decade or so after that.

So any Smart Meter will be insecure for another fifty years or more after that so say until 2100…

Then of course there is “Implanted Medical Electronics” to consider as well…

fred February 14, 2022 6:51 AM

What number of QuBits is required for a root-certificate in six months or a year?
What protection does an encrypted document stored by Maloy today have?

Itan Barmes February 14, 2022 7:46 AM

The authors of this article neglect the fact that 25% of all Bitcoins are stored in quantum-vulnerable addresses. Attacking these coins is not bound in time. Therefore, the resource estimation for an attack within 1 hour is not relevant.

For a proper analysis of the threat look at
Bitcoin: https://www2.deloitte.com/nl/nl/pages/innovatie/artikelen/quantum-computers-and-the-bitcoin-blockchain.html
Ethereum: https://www2.deloitte.com/nl/nl/pages/risk/articles/quantum-risk-to-the-ethereum-blockchain.html

It’s a shame that the researchers did a very interesting analysis but are drawing the wrong conclusion
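
The distinction Jp and Itan Barmes describe in the comments above, sketched as an added example (not part of any commenter's post): outputs whose script carries the public key itself versus outputs that carry only a hash of it until first spent. The script byte layouts are the standard Bitcoin templates (P2PKH hashes the key with SHA-256 and then RIPEMD-160); the function names, the `spent_scripts` reuse set and all sample values are assumptions made for illustration.

```python
# Added example: classify Bitcoin output scripts by public-key exposure.
# Every key, hash and amount below is a constructed placeholder, not chain data.

OP_0, OP_1 = 0x00, 0x51
OP_DUP, OP_HASH160 = 0x76, 0xA9
OP_EQUAL, OP_EQUALVERIFY, OP_CHECKSIG = 0x87, 0x88, 0xAC


def classify_script(script_hex):
    """Return (template, key_in_output) for a scriptPubKey given as hex.

    key_in_output is True when the output itself contains a public key,
    False when it contains only a hash, and None when the template is unknown.
    """
    s = bytes.fromhex(script_hex)
    n = len(s)
    # P2PK: <push 33|65> <pubkey> OP_CHECKSIG. The key sits in the output.
    if n in (35, 67) and s[0] == n - 2 and s[-1] == OP_CHECKSIG:
        compressed = n == 35 and s[1] in (0x02, 0x03)
        uncompressed = n == 67 and s[1] == 0x04
        if compressed or uncompressed:
            return "p2pk", True
    # P2PKH: OP_DUP OP_HASH160 <20-byte hash> OP_EQUALVERIFY OP_CHECKSIG.
    if (n == 25 and s[0] == OP_DUP and s[1] == OP_HASH160 and s[2] == 20
            and s[23] == OP_EQUALVERIFY and s[24] == OP_CHECKSIG):
        return "p2pkh", False
    # P2SH: OP_HASH160 <20-byte script hash> OP_EQUAL.
    if n == 23 and s[0] == OP_HASH160 and s[1] == 20 and s[22] == OP_EQUAL:
        return "p2sh", False
    # Witness v0: 20-byte key hash (P2WPKH) or 32-byte script hash (P2WSH).
    if n == 22 and s[0] == OP_0 and s[1] == 20:
        return "p2wpkh", False
    if n == 34 and s[0] == OP_0 and s[1] == 32:
        return "p2wsh", False
    # Witness v1 (Taproot): the 32 bytes are an x-only public key, not a hash.
    if n == 34 and s[0] == OP_1 and s[1] == 32:
        return "p2tr", True
    return "other", None


def exposure_report(utxos, spent_scripts):
    """Total unspent value by whether the signing key is already on chain.

    utxos: iterable of (script_hex, amount) pairs.
    spent_scripts: set of lowercase script hex that were spent from before.
    Assumption: an earlier spend from the same script revealed its keys,
    which is the address-reuse case.
    """
    totals = {"exposed": 0, "hashed": 0, "unknown": 0}
    for script_hex, amount in utxos:
        template, key_in_output = classify_script(script_hex)
        if key_in_output is None:
            bucket = "unknown"
        elif key_in_output or script_hex.lower() in spent_scripts:
            bucket = "exposed"
        else:
            bucket = "hashed"
        totals[bucket] += amount
    total = sum(totals.values())
    totals["exposed_fraction"] = totals["exposed"] / total if total else 0.0
    return totals


# Constructed sample scripts: repeated filler bytes stand in for keys and hashes.
P2PK_U = "41" + "04" + "22" * 64 + "ac"
P2PKH_FRESH = "76a914" + "33" * 20 + "88ac"
P2PKH_REUSED = "76a914" + "44" * 20 + "88ac"
P2WPKH = "0014" + "55" * 20
P2TR = "5120" + "66" * 32

SAMPLE_UTXOS = [
    (P2PK_U, 250),        # key visible in the output itself
    (P2PKH_FRESH, 300),   # only the hash is visible
    (P2PKH_REUSED, 100),  # hash only, but key revealed by an earlier spend
    (P2WPKH, 200),        # only the hash is visible
    (P2TR, 150),          # output key visible
]
SAMPLE_SPENT = {P2PKH_REUSED}

if __name__ == "__main__":
    for script, _ in SAMPLE_UTXOS:
        print(classify_script(script))
    print(exposure_report(SAMPLE_UTXOS, SAMPLE_SPENT))
```
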

Clive Robinson February 14, 2022 9:24 AM

@ fred, ALL,

What protection does an encrypted document stored by Maloy today have?

That depends on what encryption is used.

It surprises some that one of the oldest secure pencil and paper ciphers is Quantum Computing proof.

That is the “One Time Pad”(OTP)[1], the reason is there is no “determinism” for any algorithm to use for “prediction”. It’s also why “Quantum Key Distribution”(QKD) systems are secure against “Quantum Computing”[2].

In reality AES is not at all secure in practical implementations, this has been known since before the NIST AES competition. But what surprises many is just how little enciphered material you need to check if you have the right AES key or not from the “key-leak side channels”.

If you are encrypting real plaintext such as say this posting then as little as “two blocks” is required.

Which is why,

1, Selecting the right mode to use AES in.
2, Flattening the plaintext statistics prior to encryption.

Are so very important.

But realistically the lattice based encryption systems and similar may not actually be needed and the NIST competition like that of the last HASH one become moot.

The reason is “Quantum Computing”(QC) is realistically going to be some time away, and just increasing the number of bits in existing algorithms will hold things off for a while. Look at it this way some of those QC resistant systems have key sizes up in the 1Mbit range to a base communications system the use for the bits is irrelevant, just that they have to be shipped from point A to point B. If you have to have a 1Mbit key do you actually care what algorithm it’s for as long as it’s secure for your needs?

But whereas QC sounds exciting and captures the speculative imagination, the reality is any QC system for cryptographic attacks is a long way over the horizon and thus may never become a reality. Especially as the issues with QKD systems are moving forward at a comparatively faster pace.

[1] The One Time Pad has a poor reputation for various reasons, firstly it is seen as “brittle” in that even very minor human error can “reveal all”. But also until this century the generation of “true random bit streams” was a slow and tedious process and shipping likewise fraught with issues. This century though both the generation and storage of keystream is not actually that difficult, and the OpSec issues of a “Point2Point” link automated beyond human failings, to almost “Plug and Play”. There are Quantum effect devices that generate random bit streams faster than we can practically capture them to storage. As for storage, the density of ultra small microSD memory cards easily exceeds 32GBytes (2TByte is the limit, with 512GByte fairly readily available). Assuming a 2000hour working year, that 32Gbyte will give 16Mbyte of key stream an hour which is probably more than most “home workers” will need to be connected full time to the Company Organisational Hub.

[2] It’s also why “Quantum Key Distribution”(QKD) systems are secure against “Quantum Computing”. Whilst QKD systems currently have some significant distance or speed limitations, QKD works and is improving all the time. So much so that the Chinese have put a QKD Satellite into space and have been testing it for a few years now. But they are moving forwards,

https://phys.org/news/2021-01-long-distance-quantum-key-qkd-free-space.html

SpaceLifeForm February 14, 2022 6:12 PM

@ Clive

Re: Protocol Ossification

That is an existing problem today, especially with old non-maintained routers that still function.

I purposely did not want to bring that up as it would distract from the overview presented.

I just wanted to point out a good overview article for readers, that do not pay attention to security issues everyday, may find informative and useful.

Clive Robinson February 14, 2022 10:29 PM

@ SpaceLifeForm,

I purposely did not want to bring that up as it would distract from the overview presented.

True, but “Protocol Ossification” is the “alligator” in “the swamp that ICTsec is” and sooner rather than later it is going to bite you bad or take you down for a “death roll”, long before anyone tries to dig a drainage ditch.

I see it happening all the time, and it happens for two reasons,

1, Full state never spec’d.
2, Just get something up, mentality.

Back in the 1970’s Europe decided from experience that doing things that way was a bad idea. So the ITU-T / OSI model was born from serious Telco work into digital networks from the late 50’s and through 60’s with what was called “System X”. Importantly X.25 and other OSI protocols were specified without reference to resources, just global scalability.

The US however went the other way and we’ve ended up with the ARPAnet IP system that is now so badly broken. With RFC’s that go through countless revisions every few years in a “Red Queen’s Race” of “patch and make do”.

Worse there are a lot of semi-dead protocols that have never really got to the point of being used, in part because “commercial interests” killed things that they saw as conflicting with their very short term business models, that are now long since gone.

You asked the other day about X.25 well it’s still around doing its thing quietly and effectively, it’s why it appears to be invisible. I won’t go into it but AX.25 works quite happily across RF links[1], and builds a point to point network over which IP and many other protocols can be reliably carried, with few actually realising they are using it (it was built into the Linux kernel).

One of X.25’s best features is effectively “it does not block” unlike most LAN and a number of poorly thought out WAN protocols, also it has effective and transparent error correction (one of the reasons why UDP can look so good when in reality it’s not).

[1] Direwolf is a software implementation for a PC that uses a sound card to interface to a radio. This has a number of advantages not least of which is the radio equipment can be mounted at the masthead thus saving significant amounts of money,

https://github.com/wb2osz/direwolf

Who? February 15, 2022 9:08 AM

Let us suppose we have this huge quantum computer on production right now. Can we imagine the amount of energy required to break those keys? How can we supply this formidable amount of energy in just one hour?

Having a quantum computer with physical qubits in the order of 10^6 is not enough; it does not run for free.

SpaceLifeForm February 15, 2022 8:32 PM

@ Who?

Yes, it is way more energy efficient if everyone told no lies.

The problem is that Homo Sapiens is not an intelligent species like squid.

There will always be those that want to steal.

Who? February 16, 2022 5:55 AM

@ SpaceLifeForm

The problem with quantum computing is that, even if it is time efficient (think, for example, on Shor’s algorithm), each iteration requires energy to be completed.

Think on it this way… you can complete a computation that would require a million years on a classical computer in just a few hours, I agree with the general thinking on this thread, but you will need to provide the energy required to get this computer running for the entire million years. It is possible running a massive set of parallel computations, but each one will need the energy to be completed.

I doubt any intelligence service will be willing to use something between 1% and 5% of the world energy for an hour to break a single key.

Quantum computing will be a great advance, but will not solve “impossible” problems like this one. With that energy requirement, they will need to carefully choose what keys they want to break, if any.

Breaking a bitcoin network key will not be a clever choice, even if it means stealing one thousand bitcoins.

I doubt there are many secrets worth spending the energy required to get a computer running a million years; and they will need to provide this formidable amount of energy in just a few hours, days or weeks.

No, I think quantum computing will never work as most people believe it will do. We can build huge quantum computers with large arrays of qubits, and get them cooled enough to make noise under control even on the most sensitive calculations, but the energy required to complete a task will not be lowered just because we can run millions of iterations concurrently.

I see quantum computing in the same way we saw optoelectronic computers two decades ago. Most people think optoelectronics just become nothing. They are wrong! We have optoelectronic devices anywhere, from the CD-ROM drives to the fiber optic links. Quantum computing will make computation really fast, we will have cooled boxes full of quantum processors, and we will use them in the same way first Cray supercomputers were used four decades ago. It is just that these devices will not be able to solve unimaginable problems without expending unimaginable amounts of energy.

I may be wrong, of course, but cannot imagine how a computer will end a computation that would require thousands of years in just a few minutes without expending the amount of energy required to complete that computation on a classical way. Quantum computing will be faster, but will not iterate without expending energy.

JonKnowsNothing February 16, 2022 10:31 AM

@Who?, @SpaceLifeForm, @All

re: I think quantum computing will never work as most people believe it will ….

As noted, the energy requirements are too great for large scale, large deployments of such systems. Perhaps a few can be tied to Private Nuclear Generation Plants(1) for sustained power.

The important parts mentioned is the re-purposing and re-design of existing technologies based on new concepts and mechanics needed for the Quantum Computers.

Not every technology leads in a straight path of improvement, and some improvements are dismal failures for public commerce, yet a good number manage to make their way into the consumer market place.

  • Improved Mouse Traps using qubit driven technologies to Determine the Probable Location of the Mouse and the Potential Likelihood the mouse will encounter the device and the Expected Outcome Ratios for the mouse tripping the trap.(2)

===

1) France plans on building a dozen or so Nuclear Generation Plants

2) Folks that deal with mouse visitations all have various methods of deterring the visits. These make fun Saturday Morning Cartoons.

Serious invasions of mice, such as seen in Australia, could be captured and groups set to spin cage wheels driving electrical generation.

Billions Upon Billions of mice driving generators. New generations every month.

Jon November 8, 2022 3:55 PM

Taking IBM’s historic and planned qubits and assuming similar future rates of improvement, this appears to be a 10-20 year horizon.

Clive Robinson November 8, 2022 4:55 PM

@ Jon,

Re : Qbit development.

“assuming similar future rates of improvement”

That’s the question… Or in other words will the slope hold or not, and if not in which direction will it change.

If I were to put money on it I would say that the slope will change, and such that it will take at least twice as long as if the slope had not changed.

Whilst I might be alive at a hundred, I probably won’t be so (next month might be problematical bearing in mind what is currently in progress). Therefore I think it doubtful I will be here to see the result one way or the other…

But if it’s possible we will probably get there, unless a different better way comes up in the mean time.

SpaceLifeForm November 8, 2022 6:10 PM

@ Jon, Clive

Re : Qbit development.

I would not worry about the Quantum Ghost. NSA has lots of data, and a lot of good math folk. BumbleHive.

Make sure your Random is really Random.

rare June 20, 2023 4:32 PM

I wish this was more public info, people freaking out cause they think everyone’s crypto wallet is gonna be drained and everyone’s bank account gone cause cause they quantum computing is all one level and once you achieve it we all die from ai or something lol
