Is 1P taking the threat from quantum computing seriously these days?
Last I've seen about QC was a response in January that referenced this 2019 post https://1password.community/discussion/comment/533187/#Comment_533187
I study QC and am very familiar with the work of one QC company in particular, ionQ, which uses trapped ions and is literally years ahead of the closest competition. I won't go into the details here, but they currently have a 32 qubit system available for use on its private ionQ cloud for early investors. The company is very likely to have a 1,000 qubit system within 2-3 years. Source: https://www.fastcompany.com/90682375/ionq-quantum-computing-going-public-spac
It's very conceivable, I'd even argue likely, that in less than 5 years, standard encryption will be hackable with these machines. So my question is, is 1P doing any work in the area of post-quantum cryptography? The most recent responses I've seen to this in this forum have not been very comforting.
Comments
-
Hi @1PWguy,
Over the past decades I have seen many claims about breakthroughs in quantum computing that attempt to draw investors (or even paying customers). Sometimes there is a grain of truth to the claims, but those grains are so tiny or irrelevant that they do not lead to any reassessment of the state of the field with respect to cryptography. I have not investigated the claims of the company you refer to nor the company itself, so I cannot say that it fits the pattern of the ones that have come before; but there is such a pattern.
There are real advances in quantum computing technologies. Google's Sycamore project proved (or came close enough to proving) that it is possible to construct a quantum computer that in practice is capable of solving a problem that classical computers cannot solve in practice. That project doesn't suggest that things will happen any more quickly than the pace we have been seeing, but it does tell a particular category of skeptics that their specific skepticism was misplaced.
This is not to say that we are ignoring or dismissing the potential for quantum computing becoming a real threat to the systems that we use. And we have used "pessimistic" (from the defender's point of view) assessments of the timeline. But we also have to follow the science and engineering instead of business press releases with unverifiable and implausible claims when forming even a "pessimistic" view of when these might be a threat.
I should say that the world is on course to beat such pessimistic claims. There are systems out there today which can be used. We don't use them because they are much more computationally expensive even for the defender (with keys that are in the kilobyte range) and are cumbersome in other ways. But as classical computers continue to improve and as those post-quantum cryptographic systems also improve, their drawbacks will diminish. The race between post-quantum cryptography and cryptographically relevant quantum computing may feel slow, but it is increasingly in our (defenders') favor.
0 -
Your long-winded comment can be summed up as "I'll believe it when I see it." ionQ is led by Christopher Monroe and Jungsang Kim, 2 of the most respected quantum researchers in the world over the last 25+ years. I work in academia and it's unbelievable that you would dismiss their claims without obviously knowing anything about the developments of their ion trapping system, which is easily verifiable.
It would have been comforting to hear that 1P has a small team of researchers working on post-quantum cryptography, but frankly I didn't expect it. But I also did not expect such a lazy response. You obviously have no idea how much of the quantum puzzle they have already cracked. Google uses ionQ. Their so-called quantum supremacy does not even stack up to ionQ.
0 -
If I am wrong, then we will have to swap out some algorithms much sooner than I otherwise anticipate. It won't be fun doing so under heavy time pressure, but we will be able to manage in the unlikely event that that is necessary. We have internally documented how we would go about doing an algorithm upgrade.
0 -
I have been doing a bit more reading, @1PWguy.
It appears to me that what IonQ is looking to produce in the next few years is a Noisy Intermediate-Scale Quantum (NISQ) computer. This is an exciting and plausible goal. But it is a type of quantum computer that even if scaled up way beyond the hundred or so qubits they are shooting for would not be cryptographically relevant. Shor's algorithm requires Quantum Error Correction. Noisy quantum computing is "there are some interesting and useful things we can do without quantum error correction".
So they may be making real and substantial progress in quantum computing, but even if scaled up dramatically, it is not something that signals a threat to the kinds of cryptographic systems that are subject to Shor's or Grover's algorithms.
1 -
Google uses ionQ. Their so-called quantum supremacy does not even stack up to ionQ.
Maybe "worrisome" is China's seemingly impressive foray into QC.
https://www.energyandcapital.com/articles/china-s-war-for-quantum-supremacy/1005250 -
Some musings on trapped ions
Disclaimer: I haven't taken a physics course in more than 35 years, and I barely know the difference between a bra and a ket.
Classical computers need to physically instantiate bits. Vacuum tubes were used in the early days of electronic computers (Colossus, ENIAC), mercury tubes, cathode ray tubes, magnetic core, transistors, and eventually transistors in integrated circuits (with different ways to do it with transistors).
QCs need to physically instantiate qubits, and there are a number of approaches. Many of them more or less trap electrons with the spin state of the electron instantiating the state of the qubit. Others use optical systems that rely on the polarization of light. Trapped ions use the energy state of an electron in the ion. All QCs (as far as I can tell) actually use a mix of things because they need stable qubits, but they also need ways for the qubits to interact with each other in circuits. The sort of "wires" between the qubits need to be able to transmit quantum states.
Remaining coherent
The challenge to all of these is decoherence. When a quantum state interacts too much with the outside world, it decoheres. A cat is very much too much of the outside world, but so is most of a particle detector. The cat's fate is sealed well once the detector detected.[1] Trapped ions are a really nice approach because the technologies to isolate them so that they don't decohere too early are more advanced than with other things. (This was surprising to me before I started to read up on them because I thought that as they are bigger it would be harder to keep them isolated. But it turns out that they can be nicely trapped in two dimensions with electromagnetic fields and can be very finely tuned lasers. Laser technology has been improving very nicely over the decades.) Some trapped ion qubits can stay coherent for minutes, which is really remarkable. I now get a sense of why there is so much enthusiasm for this technique.
Again, we do want the qubits to be entangled with each other. Otherwise we have a bunch of qubits that can't compute anything other than their own state. So we need the whole computer to stay coherent during the course of its computation. This is broadly the challenge facing all QC technologies. The more qubits you add, the more likely it is for the whole system to decohere at any point in time. At the moment the analogue of "clock speed" for trapped ion quantum logic gates is slower than the alternatives, and so while there is a better chance of a trapped ion QC running for a long time (a few seconds), it needs more time to run a quantum algorithm.
When to take the (post) quantum leap
All of those things will improve in the years and decades to come. But if some computation that would take trillions of years on the best classical computer would take only ten years to run on some quantum computer, that quantum computer needs to stay coherent for that entire time. So once real quantum computers look like they could begin to come near the same ball park as is needed, we can buy time simply by increasing key sizes. That strategy won't work forever (well, it will for things subject to Grover's algorithm), but it will still buy us time in the practical sense.
Also, many of the technologies that will have to be developed to make QCs work will make classical computers faster. This will have two effects. The first is that it will enable us to increase key sizes for the systems that are vulnerable to QCs to buy us more time at little cost, but more importantly it will bring the post quantum cryptographic systems that currently exist within practical use on classical computers. Unless there is some urgency, we should hold off on switching to post-quantum algorithms until those systems and our classical computers are up to the task.
What IonQ is doing is really cool and exciting, but it doesn't change my view that we (1Password and the world) are easily on course to switch to post-quantum algorithms well before there is any urgency. But I should add that my role in deciding when 1Password switches to post-quantum algorithms is just one voice among many.
-
[1] Schrödinger created his thought experiment about the cat to critique the Copenhagen Interpretation (Bohr, etc.), which speculated that "observation" was what triggered decoherence. This is why he put a cat between the detector and the human observer in a long chain of events. He very much disliked that the public ended up associating him with illustrating the "spookiness" of quantum physics, when he was actually arguing against it.
0 -