Q&A

Quantum computing pioneer warns of complacency over Internet security

When physicists first thought up quantum computers in the 1980s, it sounded like a nice theoretical idea, but one probably destined to remain on paper. Then, in 1995, applied mathematician Peter Shor published a study that changed that perception (P. W. Shor Phys. Rev. A 52, R2493(R); 1995). He showed how quantum computers could overcome a crucial problem. The machines would process information as qubits — quantum versions of ordinary bits that can simultaneously be ‘0’ and ‘1’. But quantum states are notoriously vulnerable to noise. Shor’s error-correction technique showed how to make more robust.

He also found the first potentially useful — but ominous — way to use a hypothetical quantum computer: an algorithm that would allow it to factor integer numbers into prime factors at lightning speed. Most Internet traffic today uses encryption techniques based on large prime numbers. Cracking those codes is hard because classical computers are slow at factoring large products. But quantum computers are now a reality, and although they are still too rudimentary to factor numbers of more than two digits, they could one day threaten Internet encryption. Nature spoke to Shor, now at the Massachusetts Institute of Technology in Cambridge, about the impact of his work.

Applied mathematician Peter Shor. Credit: BBVA Foundation.

Before your factoring algorithm, were quantum computers mostly a theoretical curiosity?

My paper certainly gave people an idea that these machines could do something useful. Computer scientist Daniel Simon, in a precursor of my result, solved a problem that he came up with that shows that quantum computers are exponentially faster [than ordinary computers]. But even after Simon’s algorithm, it wasn’t clear that they could do something useful.

What was the reaction to your announcement of the factoring algorithm?

At first, I had only an intermediate result. I gave a talk about it at [in New Providence, New Jersey, where I was working at the time] on a Tuesday in April 1994. The news spread amazingly fast. At that point, I had not actually solved the factoring problem, but somehow in five days my result had turned into factoring as people were telling each other about it.

Many experts still thought that quantum computers would lose information before you can actually finish your computation. One of the objections was that in quantum mechanics, if you measure a system, you inevitably disturb it. I showed how to measure the error without measuring the computation — and then you can correct the error and not destroy the computation. After my 1995 paper on error correction, some of the sceptics were convinced that maybe might be doable.

Error correction relies on ‘physical’ and ‘logical’ qubits. What is the difference?

When you write down an algorithm for a quantum computer, you assume that the qubits are noiseless; these noiseless qubits that are described by the algorithm are the logical qubits. We actually don’t have noiseless qubits in our quantum computers. In fact, if we try to run our algorithm without any kind of noise reduction, an error will almost inevitably occur.

A physical qubit is one of the noisy qubits in our quantum computer. To run our algorithm without making any errors, we need to use the physical qubits to encode logical qubits, using a quantum error-correcting code. The best way we know how to do this has a fairly large overhead, requiring many physical qubits for each logical qubit.

In 2019, Google showed that its 54-qubit quantum computer could solve a problem that would take impossibly long on a classical computer. What was your reaction?

It’s definitely a milestone. It shows that quantum computers can do things better than classical computers — at least, for a very contrived problem. Certainly some publicity was involved on Google’s part. But it has a very impressive quantum computer. It still needs to be a lot better before it can do anything interesting.

When quantum computers can factor large prime numbers, will that enable them to break ‘RSA’ — the ubiquitous Internet encryption system?

Yes, but the first people who break RSA either are going to be the NSA [the US National Security Agency] or some other big organization. At first, these computers will be slow. If you have a computer that can only break, say, one RSA key per hour, anything that’s not high priority or a national-security risk is not going to be broken. The NSA has more important things to use its quantum computer on than reading your e-mail.

Are there cryptography systems that can replace RSA and that will be secure even in the age of quantum computers?

I think we have post-quantum cryptosystems that you could replace RSA with. A bigger problem is that there are other ways to break Internet security, such as badly programmed software, viruses, sending information to some not entirely honest player. I think the only obstruction to replacing RSA with a secure post-quantum cryptosystem will be will-power and programming time.

Is there a risk we’ll be caught unprepared?

Yes. There was an enormous amount of effort put into fixing the Year 2000 bug. You’ll need an enormous amount of effort to switch to post-quantum. If we wait around too long, it will be too late.

Interview by Davide Castelvecchi

This interview has been edited for length and clarity.

Nature | Vol 587 | 12 November 2020 | 189 ©2020 Springer Nature Limited. All rights reserved.