https://community.isc2.org/t5/Tech-Talk/When-will-a-quantum-computer-break-RSA/m-p/73406#M4538 <P>Hi All</P><P>&nbsp;</P><P><SPAN class=""><SPAN>My most trusted source for this is the <A class="" href="https://www.linkedin.com/company/global-risk-institute/" target="_self">Global Risk Institute</A>'s yearly "Quantum Threat Report" (<A class="" href="https://lnkd.in/dWi5DaVj" target="_self">https://lnkd.in/dWi5DaVj</A>) by <A class="" href="https://www.linkedin.com/in/dr-mosca/" target="_blank" rel="noopener">Michele Mosca</A></SPAN> and <A class="" href="https://www.linkedin.com/in/marco-piani-26260b/" target="_blank" rel="noopener">Marco Piani</A></SPAN>, which gives a risk based approach to the estimation based on experts' opinions. The TL;DR conclusion is that around mid-30s it will be more likely than unlikely that a cryptographically relevant quantum computer will exist.<SPAN><BR /></SPAN><SPAN><BR /></SPAN>Today I knew about the paper "Estimation of Shor’s Circuit for 2048-bit Integers based on Quantum Simulator" by <A class="" href="https://www.linkedin.com/company/fujitsu/" target="_self"><SPAN>Fujitsu</SPAN></A> researchers (<A class="" href="https://lnkd.in/dEqWA8eX" target="_self">https://lnkd.in/dEqWA8eX</A>). They evaluate the computational resources necessary for factoring general composite large integers by Shor algorithm using an ideal quantum computer. That is:<SPAN><BR /></SPAN>- They don't take advantage of beneficial properties in the numbers they select,<SPAN><BR /></SPAN>- They assume a fault tolerant quantum computer. A real quantum computer will need some level of overhead for error correction.<SPAN><BR /></SPAN><SPAN><BR /></SPAN>Also, they do not take advantage of the latest improvements to Shor's algorithm by Regev, Ragavan and Vaikuntanathan (on different papers, reach them through <A class="" href="https://lnkd.in/dMCsUSNv" target="_self">https://lnkd.in/dMCsUSNv</A>). So, the circuit depth and gate number estimations might be improved. I can't guess if the error correction overhead and these algorithmic improvements cancel out, but let's assume for a moment that they do. We just want to get ball-park figures.<SPAN><BR /></SPAN><SPAN><BR /></SPAN>Their estimation is that RSA-2048 will need 2.23 × 10^12 gates with depth 1.80 × 10^12. As a reference, <A class="" href="https://www.linkedin.com/company/ibm/" target="_self"><SPAN>IBM</SPAN></A>'s Quantum roadmap (<A class="" href="https://lnkd.in/dFu52wJR" target="_self">https://lnkd.in/dFu52wJR</A>) expects to support 10^9-gate circuits in 2033+. So, the target is still unreachable by a factor of 1000 gates.<SPAN><BR /></SPAN><SPAN><BR /></SPAN>Conclusion: Unless the hardware development accelerates beyond the current predictions or algorithmic improvements significantly reduce circuit requirements, the target of 2033 or beyond seems to be a good estimation.<SPAN><BR /></SPAN></P><P>&nbsp;</P><P><SPAN>However it could come sooner than you expect:</SPAN></P><P>&nbsp;</P><P><SPAN><SPAN class="">The integration of classical supercomputing, ASIC-enhanced AI and memcomputing, quantum interconnects, AI-driven optimizations, and quantum black box oracles forms a threat to RSA encryption today. These researchers only take into account commercially available quantum computing capability and not the interconnect of a hybridized network with classical supercomputing, AI, quantum oracles and other techniques and capabilities to derive prime factors.<BR /><BR />In this approach you need far lesser Qubits, an approach that was also pointed out by the Chinese back in 2023, claiming they could break 2048-bit RSA, using a 372-qubit quantum computer. Yet here the assumption is made that there is still time until 2033 ... That really is not the right message ...</SPAN></SPAN></P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P><SPAN>Regards</SPAN></P><P>&nbsp;</P><P><SPAN>Caute_Cautim</SPAN></P> Tue, 27 Aug 2024 01:01:27 GMT Caute_cautim 2024-08-27T01:01:27Z https://community.isc2.org/t5/Tech-Talk/When-will-a-quantum-computer-break-RSA/m-p/73406#M4538 <P>Hi All</P><P>&nbsp;</P><P><SPAN class=""><SPAN>My most trusted source for this is the <A class="" href="https://www.linkedin.com/company/global-risk-institute/" target="_self">Global Risk Institute</A>'s yearly "Quantum Threat Report" (<A class="" href="https://lnkd.in/dWi5DaVj" target="_self">https://lnkd.in/dWi5DaVj</A>) by <A class="" href="https://www.linkedin.com/in/dr-mosca/" target="_blank" rel="noopener">Michele Mosca</A></SPAN> and <A class="" href="https://www.linkedin.com/in/marco-piani-26260b/" target="_blank" rel="noopener">Marco Piani</A></SPAN>, which gives a risk based approach to the estimation based on experts' opinions. The TL;DR conclusion is that around mid-30s it will be more likely than unlikely that a cryptographically relevant quantum computer will exist.<SPAN><BR /></SPAN><SPAN><BR /></SPAN>Today I knew about the paper "Estimation of Shor’s Circuit for 2048-bit Integers based on Quantum Simulator" by <A class="" href="https://www.linkedin.com/company/fujitsu/" target="_self"><SPAN>Fujitsu</SPAN></A> researchers (<A class="" href="https://lnkd.in/dEqWA8eX" target="_self">https://lnkd.in/dEqWA8eX</A>). They evaluate the computational resources necessary for factoring general composite large integers by Shor algorithm using an ideal quantum computer. That is:<SPAN><BR /></SPAN>- They don't take advantage of beneficial properties in the numbers they select,<SPAN><BR /></SPAN>- They assume a fault tolerant quantum computer. A real quantum computer will need some level of overhead for error correction.<SPAN><BR /></SPAN><SPAN><BR /></SPAN>Also, they do not take advantage of the latest improvements to Shor's algorithm by Regev, Ragavan and Vaikuntanathan (on different papers, reach them through <A class="" href="https://lnkd.in/dMCsUSNv" target="_self">https://lnkd.in/dMCsUSNv</A>). So, the circuit depth and gate number estimations might be improved. I can't guess if the error correction overhead and these algorithmic improvements cancel out, but let's assume for a moment that they do. We just want to get ball-park figures.<SPAN><BR /></SPAN><SPAN><BR /></SPAN>Their estimation is that RSA-2048 will need 2.23 × 10^12 gates with depth 1.80 × 10^12. As a reference, <A class="" href="https://www.linkedin.com/company/ibm/" target="_self"><SPAN>IBM</SPAN></A>'s Quantum roadmap (<A class="" href="https://lnkd.in/dFu52wJR" target="_self">https://lnkd.in/dFu52wJR</A>) expects to support 10^9-gate circuits in 2033+. So, the target is still unreachable by a factor of 1000 gates.<SPAN><BR /></SPAN><SPAN><BR /></SPAN>Conclusion: Unless the hardware development accelerates beyond the current predictions or algorithmic improvements significantly reduce circuit requirements, the target of 2033 or beyond seems to be a good estimation.<SPAN><BR /></SPAN></P><P>&nbsp;</P><P><SPAN>However it could come sooner than you expect:</SPAN></P><P>&nbsp;</P><P><SPAN><SPAN class="">The integration of classical supercomputing, ASIC-enhanced AI and memcomputing, quantum interconnects, AI-driven optimizations, and quantum black box oracles forms a threat to RSA encryption today. These researchers only take into account commercially available quantum computing capability and not the interconnect of a hybridized network with classical supercomputing, AI, quantum oracles and other techniques and capabilities to derive prime factors.<BR /><BR />In this approach you need far lesser Qubits, an approach that was also pointed out by the Chinese back in 2023, claiming they could break 2048-bit RSA, using a 372-qubit quantum computer. Yet here the assumption is made that there is still time until 2033 ... That really is not the right message ...</SPAN></SPAN></P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P><SPAN>Regards</SPAN></P><P>&nbsp;</P><P><SPAN>Caute_Cautim</SPAN></P> Tue, 27 Aug 2024 01:01:27 GMT https://community.isc2.org/t5/Tech-Talk/When-will-a-quantum-computer-break-RSA/m-p/73406#M4538 Caute_cautim 2024-08-27T01:01:27Z