# Quantum Encryption

## 6:57PM Jul 25, 2020

### Speakers:

### Keywords:

### quantum

### key

### qubits

### quantum computing

### problem

### algorithm

### encryption

### cubits

### bit

### grover

### computer

### talk

### brute force attack

### quantum computers

### symmetric algorithm

### states

### observe

### pretty

### rsa

### photons

#### Good afternoon. Welcome to next talk at hope, we have a good talk for you up now. We got Robin Wilson with us who is an Oxford man with a degree in philosophy in modern language, and has spent the last 35 plus years working in identity and privacy, with folks including IBM and sun micro and Gartner so lot to teach us about some of the privacy aspects of this I hope, but what he's looking to talk to us today as the director for internet trust at the Internet Society is talking about quantum encryption and quantum computing that we've been hearing a lot about in the press for a while now, and, and I gather, we may even see an unhackable internet Robin over here.

#### Thank you so much, and welcome everyone. I think we've, we've all found in the last six months that we've

#### had to move a lot more of our

#### lives with shopping online do banking online, taking our work online like this, using online tools to stay in touch with our families. So, I think we've all become a lot more conscious about the security and privacy implications of doing that. And perhaps how much of our lives depend on secure robust online communication. So, given that it's fairly frequent that we see in, at least in a tactical press announcement saying, a breakthrough in quantum computing. I wanted to try and put some kind of a talk together to give people a view of what that risk is, whether it's real or not. But the more I tried the more it dawned on me that actually to put a talk together like that and give people that kind of idea, you've got to understand something about quantum physics, you've got to understand, two or three dimensions of the encryption part. You have to understand about quantum computing and complexity theory.

#### And it all got quite heavy.

#### So, because I'm as Doug said I'm not a theoretical physicist. I've worked in it for a long time and worked on encrypted encryption products since the late 80s, but I didn't do quantum physics and I wouldn't pretend to understand it. So I've had to try and understand this in terms that made sense to me. And that's the basis for my talk today. So, what I will do is switch to some slides here because I felt it was going to be really tough to explain this without some pictures.

#### So hopefully you can see the presentation now.

#### And like all good presentations, I'm going to start with a disclaimer, but at least it's a good one. It's from Professor Richard Fineman Nobel physicist who worked on this stuff, and was a fantastic explainer of complex concepts, and even he said if you think you understand quantum mechanics you don't understand quantum mechanics. So, let me promise you by the end of this presentation, you won't understand quantum mechanics, but I hope you'll have some metaphors that you can use to get some kind of a handle on what it does and what the relationship is to encryption, and therefore to our online life. So really the goal of this is to give you some kind of feel for whether quantum computing is a genuine threat to the encryption that we all depend on today. And to indicate what, if anything we can do about that. In order to do that, I'm going to touch on a few topics as I said, I'm going to have to try and explain some of the physics here.

#### And then we'll look at

#### the, and then how the two fit together, what is Quantum cryptanalysis and what implications does it have, and I'll run off with some general thoughts about security in this area, and

#### quantum computing in general.

#### So to look briefly at the physics of this. There are some things that we can see in the world that classical physics. Can't explain. So you probably will have heard about the famous dual split the double slit experiment where physicists will set up a screen with two slots in it, and then shine beams of light through that. I say beams because it's a fairly well established thing in physics that light is a, a beam of photons,

#### small, light bearing God.

#### Well, okay,

#### if you fire a beam of something through a slot in a card you expect to see a pattern on the other side, like the top diagram on the right hand side there, a little bit of scattering, but basically it's as if you were shooting a gun through that hole. Most of the bullets would fall into fall into a particular pattern. Well, that works if light is a beam. But what actually happens, if you shine light through a card with two slots in it,

#### is what you would see if

#### there's a wave of that so if you imagine all the light, I mentioned this is a harbor wall with two breaks in it, and waves are coming in as they go through the slots and reach the inside of our bubble, they'll produce, they'll produce patterns of interference constructive and destructive interference. And by the time they reach the back wall of the harbor. In other words, the screen here. There'll be hitting it in a series of different places. And that's what the bottom diagram illustrates. That's the pattern that you would expect to see if light was wave. And that's actually what the experiment reveals. So, classical physics, can't really explain how it is that light behaves like a wave, even though we know it's a stream of photons. You have to go down to the subatomic level to the quantum physics level to understand how those two things can be true at the same time. And the way they're true is that quantum physics says photons superposed two different states. One is a stick article, and the other is a state of being like a wave. And because they can superimpose those two things, you get a, a particle. That seems to be behaving like a wave.

#### If light were actually a wave,

#### rather than apart and you look to

#### the back screen, what you'd expect to see is an oscillating point like that. But you don't just see one point. So, there are good reasons to think that it's not a wave. But as I say, unique quantum physics to explain how that can be the case.

#### If you want to look, I've

#### introduced this by saying, classical physics can explain some of the things we observe in the universe and then gave an example it's really hard to observe. For some examples that are really easy and entertaining to serve. Professor jemelle colleague is amazing program and quantum biology and I've put a link in it to the to the YouTube clip for that. It gives fantastic examples like for example, how is it that a tadpole can metamorphose into a frog. Can the molecular bonds that hold the tadpole together and reforming them a frog takes more energy than the frog has. And there's a phantom, a fascinating explanation at the quantum level for them. So, that you're specifically designed to show that photons can superposed those two states they can act like a wave and like a particle. It also shows that quantum physics is really probabilistic in nature.

#### And this gives rise to some of the

#### with the dual split slit experiment, and quantum measurement. Because if you think of the back screen and that experiment it's showing you the interference pattern, created by light as a wave. After the event after something has happened after it has chosen to go through the slots in the screen.

#### But if you look at

#### the photon at any stage before that. Something really strange happens. If you observe the photon before it gets to the screen, or just come forward to the back screen. The pattern on the back screen changes. It becomes as if light is only a particle, not superposing to states anymore. And that's really strange because it seems at that point, as if the photon is predicting what you're going to do, and that's a spooky thing to think about. So, one simple explanation for this is that before you observe them, the photons superposed two states, the wave and the particle state. But as soon as you observe them. Those two states collapse. And you're just left with the photon as particle. And that's why you see just the beam pattern on the back screen of the experiment.

#### So, that's no

#### principles.

#### Is that where you have multiple states superposed, they're in a kind of a fragile state. And just observing that state, getting information out about what state the particle is in causes those states to collapse. And that's going to be an interesting point when we come on to the computing applications of this. So, let's have a quick look at classical computing which I hope is more familiar to most of the audience then quantum physics. And, as we all pretty much know classical digital computing is based on ones and zeros. It's based on bits that can store a value of one or zero. If you hook those bits together you can do arithmetic, and you can wait but you can also conduct construct logic circuits, and with logic circuits. You can start to do

#### computation,

#### those who haven't dived into binary logic Boolean logic, don't worry. If you have a light in your house that has dual switching pumps one downstairs and one upstairs. Then, essentially what you've got there is an OR gate. In other words, if the light is on, flicking the switch will turn it off. And if the lights off flicking either switch will turn it on.

#### There's a diagram that that the bottom of this page.

#### You can also create AND gates, and a simple example of a NAND gate is the nuclear launch button. If it takes two keys to be in the slot and turned at the same time, before you can launch the missile. That's an AND gate. So both of those circuits have to be closed. In order for the button to work. So we're pretty used to that in the binary world, but quantum computing comes along and changes it. So essentially quantum computing applies those principles of quantum physics to computer processing, where before in a classical model, a bit can only be a one or a zero quantum computing allows a single bit to superposed those two states. In which case, it's called the qubit quantum bit. So, this is a bit like flipping a coin. You know that it has to land in one of three states. It's kind of superposing all three. Or at least, you can think of that as a set of probabilities that it will come down in one of three states. If you're wondering why is it three and not two, there is always that tiny possibility that it will land on its edge. So, there are three three possible states there, one of which is much less likely than the others. But it's still a possibility. Now, we've probably also heard about Schrodinger as cat in a box.

#### A pretty weird thought experiment, and one that is superficially simple, but is actually describing something quite complex. And it's really what Schrodinger was saying was about the state of the cat. After a quantum event has happened, but before that quantum events effects that are observed. So this is if you like the coin in midair. While it's in midair you can assign probabilities to the likelihood of its end state being a one, zero or an edge. And when Schrodinger described this about the cat. He used this really graphic expression which I've put in here because I think it will help lodge it in our minds. And he said that the living and the dead cat are mixed or smeared out in equal parts.

#### I mean

#### physically that's from what he meant was that the probable end states of the cat are indistinguishable. They are kind of smeared they're merged together, and they don't become clear until the outcome, the quantum event is observed. So it's like going back to because I think we'll read it the first time and form some impression of what it means. And then it's a pretty good idea to go back and revisit it. So, how does this apply to your computer computing examples. Let's imagine we've got a really simple computer, a really basic computer. It's got 12 bits of storage, and it's got an add function, and a compare function and we just want to do a simple binary sum. We want to know if you start with a number 001. Sorry, 0001. And you want to end up with a number, 1000. What number do you have to add in order to get that result. So, with binary bits, you'd have to run through the possible eight values,

#### rip the four bits,

#### adding them to the first one and comparing with the last one. Until you found the correct value. If we had four cubits in the computer instead. Each of those qubits could represent both a one and a zero at the same time, all eight possible values, the outcome simultaneously. So, in theory, a quantum computer by representing all the possible values of each bit. At the same time, can calculate things much faster than a classical computer, having to go through them one at a time, step, step by step. So, there's a snag, obviously, which is that the qubit can only superposed the states have one hand zero at the same time until you observe them, at which point they suddenly collapse into either a one or a zero. And the trick there is, how do you know when they collapse into the correct value. There's, again, a really good video for the spinning coins metaphor on YouTube.

#### iPhone. It's a great

#### video up until the point where we encounter the problem I've just described, how do you get the correct answer from the collapsed states of all the observed qubits. The, the, too long, didn't read answer is, it's hard to understand. And it's hard to do and it's hard to explain. The answer is based on hybrid systems where quantum computer manages these multiple states produces probabilities of a range of answers, and a classical computer runs an algorithm that sort through them. To get to the result with the highest probability of being correct. So, here for an external reference I recommend the Wikipedia article on Grover's algorithm, which is the algorithm for sorting through multiple values to identify the one with the highest probability of being correct. But if you haven't done pretty advanced mathematics. That's pretty challenging article. And the bottom line for Grover's algorithm is that if your classical computer has to try n possible values to be sure of finding the correct one. With Grover's algorithm, you only have to try the square root of n. So in the encryption domain, that's a significant reduction in the work it would take you to crack a symmetric symmetric algorithm. So, the next section of this talk looks at why that's the case.

#### In symmetric encryption. Data is combined with a secret key, and scrambled, so that the original data can then be recovered by reversing the scrambling operation with the same key. So if you've ever used a petty cash tin. You open it up with a key put mine then someone with a copy of the key can open it, take money out, and so on. Obviously you've got the problem of how you share the key securely. If you're using the cash tend to send someone a message.

#### But we'll come on to the key distribution.

#### A good symmetric algorithm is designed so that if you don't have the secret key there's no more efficient way of recovering the clear text than by trying all the possible keys, until you hit the right one. And that's referred to as an exhaustive attack or a brute force attack. Now, in most cases, you won't have to try all the keys. This is like looking through a whole field. In order to find the needle. Unless you're unlucky enough to start at one corner of the field and the needle happens to be in the opposite corner. You're never going to have to search the whole field you'll find it somewhere along the way. But the work factor is assumed to be. Usually, the point at which is more probable that you would have found the key than not. So, usually roughly halfway through the key space. If that key space is big enough, the chances of finding the correct one just by picking at random, are basically as close to zero as makes no difference. And if it's big enough, the chop the task of finding the correct key systematically by checking each one in succession one after another, is what's termed computationally infeasible. If you've ever tried to unlock your bike with a three or four ring combination lock that you forgot a number two, you'll have some idea of how frustrating and time consuming that process can be. That's a brute force attack in. In, crypto in cryptanalytic terms with the bike, a real physical brute force attack would be to take an angle grinder or a pair of bolt cuts with a chain.

#### So that's a different different form, that's not very computational

#### for an external reference here I'd recommend.

#### Bruce Schneier his book, applied cryptography, where he sets out the actual thermodynamic terms what it would take to exhaustively attack, a 256 bit symmetric key. 256 bits is probably what your browser uses, if you have an HTTPS session. And the thermodynamic limits on there are quite extreme, and I'll give some indication of that shortly. So, when I mentioned work factor. I talked about key spaces and key spaces, as I said, the number of possible keys that there are, one of which will unlock

#### Oculus.

#### Wait, find out how big that key spaces for binary keys, is you take two to the power of the length of the key. So, if we had four bits like a really simple computer earlier. The key space for that would have been two to the power four, two multiplied by itself three times which gives us 16. So, each time you add a bit to the length of the key you double the key space, two to the power of 416 to the power five is 32 to the power of six to 64. And so, if you. So if you had one bit. The key length. You've doubled the key space. If you double the key length. The key space is squared

#### goes up with the power of two. So

#### that's how you calculate the work factor for a symmetric key. And you can also quantify it in terms of CPU cycles time and money.

#### But ultimately, as I

#### mentioned, different specialized work in terms of matter and thermodynamics. And part of the thinking behind that you can see from the table on the right here. The interesting number I think on this one is two to the power of 92, which is some way short about 256 bit as key or even 128 bit ASCII, but two to the 92 is the mass of the Earth in grams. And let's not forget that all of the silicon, out of which we make the chips that do these calculations comes from the bowl that we're standing on. So, there are real physical limits to our ability to build quantum analytic computers. It might simply not be enough silicon to make the chips, there might not be enough energy to power the computers to do the sun's and schneiders example and gives some really good calculations as to the energy requirements for that. But let's not forget this is for brute force attacks. And that's why so much emphasis is put on to finding potential flaws either in the algorithm itself, or in this implementation or its deployment and use. Now, symmetric algorithms. As I mentioned in the, in the, lockbox analogy suffer from this problem of how do we distribute the keys securely. If I, if I send you a message in a locked box. How have I got you the key to unlock the box with, did I put that one in a lockbox and send you that and if so you've got this recursive problem. So fortunately in the 70s, some clever people came up with a mathematical solution to this called asymmetrical public key encryption. And the reason it's called public key encryption is that each user has two keys, one of which is made public, and the other one is kept private. So, I've given an example here, if Alice wants to send Bob a message she first looks up Bob's public key, and then encrypts her message with it. She can then send that message to Bob in the knowledge that only Bob can decrypt it, and to do so he has to use his corresponding private key sounds counterintuitive if we thought about the cashbox example. And the reason it sounds counterintuitive is that if I intercept Alice's message on its way to Bob. And I know Bob's public key because it's public. I can't get the clear text back by reversing the encryption function using the public key. I don't get the clear text back. So, this function. This encryption function is not reversible in the same way as symmetric encryption is, it's only reversible in the sense that Bob can get the clear text back, but to do so he has to use a different key. So, if Alice's message, actually contains the secret key for a symmetric algorithm, then we've pretty much solved the problem of how to distribute keys securely for symmetric encryption. To do that, we needed a hybrid system. So we've got the public key aspects of this, for the key distribution. And then we use symmetric algorithms for the encryption itself because they are much faster and much more efficient. And that kind of hybrid system is actually the basis of TLS, which is the, the encryption technology used under HTTPS by your browsers. And it's pretty much the most widely deployed encryption technology around, but it does depend on Alice really getting Bob's key. And in order to ensure that Bob's key really is his. We have to rely on a chain of digital signatures

#### that associate a key with an identity.

#### And those signatures, because they're so key to the reliability of this, make a very interesting target for cryptanalysis. I put a diagram in there for reference for later. I changed the names to protect the innocent but the principle is still the same. And this is about Gerald wanting to send later a message using a public key. But I also wanted to put that diagram in because it leads on to this one. If I managed to get my flag in between, Gerald and Lila's flag, so that he thinks that he's seeing lightless public key but

#### he's sick and hijack the whole session.

#### So this mechanism for making sure that the public key you get really belongs to the person you're trying to talk to, is very important.

#### Okay, so we've talked a little bit about the physics, we've looked at some of the encryption aspects for symmetric and asymmetric algorithms. Now let's have a look at what quantum computing has in terms of implications for those two types of encryption. Well, with symmetric encryption. I mentioned Grover's algorithm, which has the effect of, essentially,

#### having the key length.

#### It's as if instead of encrypting with 128 bit key, you're only using 64 bits. Now, unfortunately, that doesn't only have the key space, it reduces the key space to, square root, because remember going the other direction. Every bit we added to the key length doubled the key space.

#### If we doubled the key length. The old key were.

#### So what Grover's algorithm does is it reverses that if you're using 128 bit keys and someone applies Grover's algorithm with a hybrid

#### quantum and and classical computer.

#### They will reduce a 64. And that's a lot easier to crack. So, the simple answer there is. Okay, let's double our symmetric key links. And we'll re square. The key space back up to what it was when we were using 128 bits before Grover turned up. And that's in fact the recommended mitigation for this risk double the key length snag is that, if you've already deployed encryption of mass scale, based on a particular key length, and someone comes along and says you need to replace it all with one using twice the length keys that kind of deployment can take a long time, especially given that you really want all your communicating partners to do the same thing, and their devices too. So while it's simple, in principle, it can take a while for that kind of change to propagate through systems like this. So let's have a quick look at the implications for asymmetrical public encryption. Here are the two most common algorithms in use RSA, which is based on factoring large prime numbers and elliptic curve cryptography which is based on the difficulty of solving discrete log problems. I'm going to freely admit, I know nothing about discrete logarithm problems. I can give you a nice example of the difficulty of factoring large prime numbers, which is this. If I give you two numbers, 1303 and 1307. And I tell you to multiply them. I'll bet you can do it with a pencil and a piece of paper. If I gave you the number 1,703,021. And I asked you to tell me which two other numbers when multiplied together. Make that result. You'd probably find it a lot harder to do. So, with this factorization problem, we have something which is really easy to do in one direction, multiplying two numbers, and really hard to do in the other direction. What makes it hard in this particular case, is that the only two, four digit numbers, you can multiply. In fact, the only two numbers, other than 1,703,021, and one that you can multiply to make that are the two I gave you first 1303 in 1307. And those don't have any factors either they are prime numbers. So that's a, a small simple illustration of the fact that this can be really difficult in one direction and really easy in the other direction. Here, rather than Grover, we've got a guy called Shaw who turned up with an algorithm. And he said, I've got a way of fixing that so that it's much easier to solve those problems both both the factorization and the discrete log problems. It's harder to quantify, I can't tell you this reduces the key space to two square root. But what what I can say is the use of problem to one of what's called polynomial time. Most of the maths that your computer does for you when it's calculating stuff is done in polynomial time it might be difficult, from a mathematical point of view, as far as we humans are concerned, but they are solvable problems. So it's taken it from a class of problems, formally categorized by mathematicians as this is really hard, even for a computer, down to one that is classified as computers couldn't fix this. I've put a couple of references in there because going into complexity theory and P and NP style problems, is way outside the scope of this talk.

#### So, let me round up with

#### first about feasibility and then some other things about quantum computing. So on feasibility. The chart on the top right here shows the number of qubits that manufacturers have managed to assemble and get them to work. Over the last 20 years or so. And it's a pretty standard looking computer style graph, it shoots up in what apparently is an exponential rate, and by next Tuesday we should have 200 cubits no problem.

#### But actually,

#### it's quite tricky to get qubits to hang around, they tend to decay over time, especially at room temperature, and they're very easily disturbed by other stuff including other qubits that you're trying to get them to work with. So in the bottom left, there's a table illustrating some of the problem there. You can have one qubit for 39 minutes at room temperature in 2013. But one qubit is not going to crack a, an algorithm for you. You can have 50 cubits at once. Three years ago, but only for 90 microseconds. So this is still a tough engineering problem is a tough, tough problem in computer manufacturing. And there's another factor here, which is that the number of qubits that you need to mount an exhaustive attack. Problem varies depending on what kind of algorithm, it is with a symmetric algorithm, it's enough to have an array of cubits the length of your key. And then, as we discussed, you can riffle through all of the potential values of that key at once. But when you look at the prime numbers and the discrete logs problems for RSA, you have to allow a couple of qubits per bit of key, and for elliptic curve, it's as many as nine qubits per bit of key length. Now, again, there are other factors their keys for RSA can be two or 3000 bits at length keys for elliptic curve tend to be around three to 500 bits in length. So, the numbers that you end up with may not strictly be smaller for RSA than for the curve, but they are substantial, you need thousands of qubits all to be collaborating in order for those attacks to be viable. So, quantum computing technology has been moving on. There have been breakthroughs now and again. And that has meant people have taken far more seriously the mathematical research into algorithms that would be safe against quantum computing. For more details on that I recommend the NIST paper. So, sorry US National Institute of Standards and Technology, which ran a competition to identify candidate algorithms that were probably going to be quantum quantum resistant. Just earlier this week they announced the set of candidates from that set of algorithms that get through to the next round of the standardization process. and they've got a homepage and a number of papers. If you follow the links in the presentation. Now, as Bruce Schneier said the other day. This is the way round that we like to see this. We like to see this happening where the, where the encryption technology is advancing faster than the deep, the cracking technology. But in order for that to be any use to you you have to be on the latest algorithm that's quantum secure. So

#### a quick look just in passing at the fact that quantum computing is not only used to crypt analysis, there are other applicants can solve it. I think that a lot of commercial companies looking at quantum computing will probably go for one of those other applications on the basis that they're more likely to be able to sell the resulting product. That might be in sensor technology navigation to replace GPS extremely accurate portable time sources. Better than atomic clocks by orders of magnitude. And these quantum computers specifically for cryptanalysis will remain a very niche

#### market,

#### probably, large criminal organizations and national governments only. So, whether that's important to you will depend on what your risk and threat analysis are for the data that you have under your control. So, as individual users there's probably not a lot we can do to defend ourselves and our encryption products against

#### the advancing threat of quantum computing.

#### But governments, and other organizations should keep an eye on this because things can change quickly. They should track the progress towards post quantum computing, and they should factor that into their risk analysis. If they suddenly had to re encrypt the national security archives for the last 40 years that be a substantial task. So that's something that needs to be factored in. And organizations in general and product vendors should do what they can to maximize the agility with which you can.

#### Which, if the first one is compromised or superseded.

#### And for example, there are some hybrid signature systems now where you actually sign using a current algorithm for compatibility, and a post quantum algorithm

#### for future assurance.

#### So, that's pretty much all I had prepared to say on this, I know we've covered a huge amount of ground so happy to take any questions, unless there are theoretical physics, students in the room, in which case you're probably on your own.

#### And I have a feeling that with us all being remote it's going to be hard to filter out those 90 theoretical physicists, thank you very much for that for such a helpful informative talk Robin and of course, thank you for protecting Alice's and Bob's privacy. The questions so far, we have a bunch of folks that were asking about your slides and I imagine you're planning on publishing those slides is that right.

#### Yeah, absolutely. So I'll email a copy of those to you.

#### Super so we'll figure that out afterwards. And I think the. The other thing that has come up is does quantum computing have interesting potential applications in artificial intelligence, which are different from the applications in binary computing for artificial intelligence so how does quantum really improve the ability to work on AI.

#### Yeah, that's interesting. I'm gonna be honest and say, I haven't heard of that application yet. I in January this year, shortly before the shutters came down, I managed to get to a, the United Kingdom's quantum research program in general. And I have to say I don't recall AI having been on the list. Like I say, the, the applications that they did talk about were things like quantum metrology, which was the basis for things like quantum sensors.

#### Gravity sensors.

#### Secure timekeeping and so on.

#### Does it have applications in AI. Well, I guess, if you're thinking of machine

#### learning,

#### that's currently thought of these days usually as

#### a serial process

#### of stepping through a mesh of decision points. Maybe if you arrange those as quantum gate. Different AI outputs we get it much quicker. But I'm, I'm speculating that

#### there are no, sorry, go ahead. Go ahead.

#### Sorry, I was just gonna say I see one one question in the, in the chat is a qubit like a rainbow table. Yes, it kind of is with the difference that the rainbow table is like

#### the output of the result.

#### The rainbow table is the collapsed result of the qubit. The qubit is the rainbow table while all of the all of the bits, all of the colors are the same time. So yes, it's not it's not a bad analogy. The trick of course with the qubit is, as I said, to identify the result, out of all of the potential ones. That is the one that you want.

#### Absolutely and and that speaks of course, much more closely to the, the quantum description examples that you were speaking to. What is your sense from the investigation that you've done, and the folks you've talked to around. When quantum decryption becomes viable for the average, you know hostile intelligence service and does anything in what you've looked at change our view of how we achieve forward secrecy.

#### But to take the last one, first for me to change my view of how we how we achieve forward secrecy. No, because the principle there remains the same, even if the key lengths change that you want you want maximum key separation between each message that you sent. So that intercepting one message and its key does not give any information doesn't leak any data about other messages and other keys. So I don't think that does change in principle,

#### works the first bit again,

#### just as to when quantum decryption becomes more viable and what I see as being the roadmap and the timeline here.

#### Okay, well the roadmap is pretty hard to foresee because those hockey stick graphs can be unpredictable, but they seem to be going up at pretty much the same rate so you know the number of number of qubits you need to decrypt a current algorithm is going up as a hockey stick. But at the same time as the number of viable qubits is going up. So I think there's a, there's an arms race going on there.

#### Of course,

#### if someone in a locked basement somewhere has made a terrific breakthrough on this in some research institute, they're not going to tell us.

#### And that plays nicely I think into one of the next questions we received, which was asking you to a pine on, on which particular algorithms are quantum resistant. So, you know, of course I, I think you've already explained that the. It may make it simpler to break things but are you seeing that there is going to be a different class of ways in which these algorithms can be attacked and what does that mean towards you know what algorithms are going to be more or less resistant to quantum decryption.

#### Yeah, that's interesting. So, RSA and ECC are reckoned to be, you know, theoretically, they know that if you can line up enough cubits those, those are vulnerable, so that that's really just. That's not a theoretical issue anymore that's just a practical and engineering issue. The kinds, it's quite interesting that the kinds of algorithms that are resistant. If you looked at this two years ago, you would have found mention of maybe two or three. And then as I say there was this request for competition entries, essentially, the number of possible types of algorithms suddenly shot up to about six kind of six types to that I could mention there's, there's one that's called a lattice problem, which is where you have a lattice of points. And you secure it a little bit, and then you jump from one point to another point to another point to another point. But you don't tell anyone the intermediate points, you only tell them the first and last point. And that gives you the basis for agreeing a public and private key pair with someone else.

#### Because an attackers

#### ought to hear.

#### They don't know how you got there, and because there are infinitely many piles from here to here, through the lattice. Not infinitely but a large number and then conveniently large number. That makes it really hard to get to, to attack. So lattice was one gather and we'll come back to me in a second.

#### Well, while you're thinking of that, if there are folks listening who are excited by by those comments you're just making their, where do they want to go investigate that aspect further.

#### I would start, start with either the NIST site, because they are working directly with the researchers working on this stuff. Or actually, there are any number of Wikipedia pages which are pretty much interlinked if you look up things like lattice and McAleese was the other one,

#### oil and vinegar.

#### There are some strange concepts, but then the people who think these things up, think in strange ways. So, yeah, if you look up lattice based encryption on on Wikipedia you'll find a great starting point.

#### So, I'm going to read out a couple of the other questions we've had come in. We have one that says if you lower the room temperature to zero Kelvin or close to that temperature can we increase the time that cubits can exist longer so now we're getting into implementational details, I don't know if that's something you're able to address.

#### It's not really but if you have a look at the. If you have a look at the websites for, say, Amazon and IBM. I know both of them have been quite loud about the number of qubits they've been able to to ramp up. And you can probably get some idea, just by looking at the, the PR hardware photos with all the tubes going in and out of the blue backlighting and all that kind of stuff.

#### I think low temperature does help

#### Yes, but it doesn't help with things like interference from from other things around the cubits.

#### Thank you. Well, one of the other questions we had come in that actually talking of the large tech vendors that are working on this problem was referring to the work that Google did where they claimed that they had solved a problem in 200 seconds that would normally take traditional computers, 100,000 years, or 10,000 years. Either way, a large number. And how can we verify that and so I guess you know without understanding what that particular problem was they were trying to solve. That's a hard question for you to answer but but I think maybe a question coming off of that is what kind of problems are going to be the best ways of demonstrating the capability of quantum computers. Yeah.

#### Yes, the Google story rings a bell. Now, you mentioned it, and if I remember correctly, they didn't. they didn't say much solve the problem as proved that it was soluble. So I think it was kind of, it was more of a meta problem than actually, that actually cracking something, but the other point was, they did it with a quantum system

#### that was designed

#### to solve that problem. It was designed to say, I think I think it was randomness if I remember correctly, is this stream of data random or not. And the answer it came back with was to say, I can deterministically tell whether this stream of data is random or not. So, the point there is that the more specific function you design these quantum computers for the less useful they are for anything else. So you can optimize it for that you can't then take that machine, and apply it to lattice cryptography or quantum annealing, which is another area of substantial research and breakthrough.

#### All right, super well thank you again Robin, and we'll be touching base right afterwards to talk about the, the slide deck and getting that published and for those folks who are watching the stream and debating going and making coffee or tea or whatever your favorite beverage is, we have Cory Doctorow up in 10 minutes so you probably want to stay and listen to the keynote. All right. Thanks everyone.

#### Fantastic. Thanks very much.