[ar:Jean-Philippe Aumasson]
[al:DEF CON 23 Hacking Conference]
[ti:Quantum Computers vs Computers Security]
[au:Jean-Philippe Aumasson]
[length:32:16]
[by:DEF CON Communications (https://www.defcon.org/]
[00:00:00.73]
I'm happy to
be here. They asked me if it was
[00:00:08.23]
my first time speaking I said
yes and no from sky talks was a
[00:00:17.77]
smaller room so happy to see so
many people. So talking about
[00:00:25.93]
quantum computer.
How do youknow how
[00:00:27.93]
quantum works or quantum
-- so this is very basic
[00:00:37.47]
that you have to know.
Complex number -- obviously
[00:00:43.60]
so if you
don't know these please leave
[00:00:49.03]
the room. I'm kidding. The nice
thing I will say that you don't
[00:00:57.87]
need to get this stuff to
understanding quantum computing
[00:01:04.07]
-- lost audio -- I will try to
convince you that. Outline, I
[00:01:12.90]
will be talking very broad but I
will not go into technical
[00:01:21.07]
details so how things work and I
will give you the ideas and
[00:01:29.90]
applications. Very brief crash
course of quantum computing. So
[00:01:36.03]
based on quantum mechanisms
about you see the operating
[00:01:42.17]
system of nature on nature like
the framework on top which the
[00:01:50.33]
gravity -- nuclear forces are
running so you get series in --
[00:01:58.50]
and you try to adapt them to do
quantum mechanics. There is my
[00:02:07.40]
only side about quantum
mechanics. What it says that the
[00:02:14.20]
particles in the universe like
electrons and protons they
[00:02:20.33]
behave randomly but not not
inception they are not
[00:02:26.47]
predictable. But you have no way
to predict what is going to
[00:02:34.63]
happen but what is different
compared to what the randomness
[00:02:41.43]
can be negative this is problem
but negative and complex
[00:02:48.23]
numbers. So that seems to be
counter intuitive and you have
[00:02:55.73]
to trust me that it does make
sense mathematically. So --
[00:03:03.30]
(lost audio) -- so when you have
not looked as the Q bit it is in
[00:03:14.20]
the state that if you observe
the Q bit and ask what is value
[00:03:23.73]
it is zero with property and
some other property.
[00:03:29.87]
Coefficients and -- of the
straight line and the bracket is
[00:03:37.37]
called the bracket notation you
don't need to remember this but
[00:03:44.87]
what you need to know that is
alpha and beta used called -- so
[00:03:54.40]
they can be a negative or
complex and the property so you
[00:04:02.63]
take this value and square it
and that property that is what
[00:04:10.80]
you get so a number between zero
and one. You have different
[00:04:18.97]
properties for each byte.
Sequence of eight quantum bytes
[00:04:25.10]
maybe it will be 0X or 00 and so
on. And using these objects like
[00:04:35.30]
quantum computer you have
registered which can we --
[00:04:41.43]
anything you want and you will
transform the state so that is
[00:04:49.60]
how you will compute. You will
have kind of quantum assembly
[00:04:57.10]
but you have will different
restrictions. The importance to
[00:05:03.30]
remember that will be reversible
but can go back in the past so
[00:05:12.13]
for your information you don't
have classical assembly you have
[00:05:18.93]
end operation register one or
two and then you register one
[00:05:26.43]
and you can't go back in the
past not the previous value and
[00:05:35.27]
here you have what you modify so
quantum objects about you just
[00:05:43.43]
chain the properties what you
learned in high school in
[00:05:50.23]
algebra so just do
multiplication and transfer the
[00:05:55.67]
property and when you properties
go to one you want -- sum to one
[00:06:05.27]
as well. I will not go more
technical but that is idea
[00:06:13.43]
remember that quantum computing
is multiple together some
[00:06:18.87]
properties of complex. And that
is it. So you have this set of
[00:06:27.70]
register that can be bot on the
same time and at the end you
[00:06:37.23]
observe one bit or more and that
your result. And the importance
[00:06:45.40]
thing is that you cannot
simulate this using quantum
[00:06:51.53]
computer say you have a quantum
byte it is encoded 256 different
[00:06:59.70]
properties so you might be able
to start this on the normal
[00:07:07.93]
computer but now say you have a
quantum motor of two bits. How
[00:07:16.77]
do you start this classically
might be doable but if you have
[00:07:24.93]
64 bits cannot start this on the
classic computer. So can try
[00:07:33.10]
this online there are some
simulators you cannot go too
[00:07:39.90]
far. Multiple vision for all of
this was to simulate quantum
[00:07:47.40]
physics and for some reason that
you cannot simulate the quantum
[00:07:54.90]
computer -- so a friend of said
okay to simulate this we need to
[00:08:04.50]
simulate a quantum computer and
to understand how physics or
[00:08:11.30]
nature works by submitting all
the quantum phenomenon. I will
[00:08:18.10]
just go through to common
misunderstanding about this and
[00:08:24.23]
people say quantum computer that
is super faster and way faster
[00:08:31.73]
and solves problems but bad news
doesn't solve all the problems.
[00:08:39.23]
I don't know if it is familiar
to you -- where you list of
[00:08:48.77]
cities and you have to find the
best route. All have problems
[00:08:56.93]
have some structure that makes
them difficult and practically
[00:09:03.13]
impossible to solve on a normal
computer. You will not solve
[00:09:10.63]
these hard problems on the
computer. The good news is you
[00:09:18.13]
do have quantum speed up for
some specifications making the
[00:09:24.93]
impossible possible on the
quantum computer and going from
[00:09:31.07]
N to P times Q is difficult on
the normal computer but easy on
[00:09:40.60]
the quantum computer so the
application is -- I will talk
[00:09:48.10]
about this later. So the last
caveat is some people say you
[00:09:56.27]
have the super notion trying
everything the person for free
[00:10:03.07]
-- that is not the idea, the
idea is in some sense several
[00:10:11.90]
values of the same time but you
can only look at one result but
[00:10:21.43]
like all of this is useless and
you cannot say I want to look at
[00:10:31.63]
result that gives this value.
You look at the random results
[00:10:39.13]
so no magic here. So that was it
for the tear. Let's move to
[00:10:48.67]
practical part. Like I said --
we know how to factor 15. Three
[00:10:57.50]
times five. We also know how to
factor 153 and 56,123. But that
[00:11:06.40]
is caveat here for these numbers
they use special -- about in
[00:11:14.57]
some sense they have to know in
advance what was the solution
[00:11:22.73]
before searching for the
solution. I want to say that we
[00:11:30.23]
have very far from the use
application of quantum computer
[00:11:37.03]
and the reason is it is
difficult to build. First of all
[00:11:45.20]
you is have to find a object to
simulate your Q bit so you will
[00:11:55.40]
take some physical particle and
sometimes foreign molecules --
[00:12:01.60]
the main problems they are
facing in quantum computer is
[00:12:08.40]
that what is -- interact with
the rest of the system and this
[00:12:17.23]
will complicate the system --
you can correct all your -- in
[00:12:25.40]
time but in practice much more
difficult. You have to computer
[00:12:32.90]
temperature plus absolute zero.
And we don't know how to scale
[00:12:40.40]
to several hundreds or thousands
of Q bits so we have to result
[00:12:49.23]
four or 5Q bits but if you want
to break all the crypts in the
[00:12:59.43]
world you need a thousand and we
are far from this. 9Q bits this
[00:13:09.03]
year not a actual quantum
computer just a set of 9Q bit
[00:13:17.20]
that's can live together for a
few seconds while correcting --
[00:13:24.70]
in the environment. Lost audio
-- I don't think they do. They
[00:13:32.87]
probably don't but -- so like I
said -- RSA -- explain why RSA
[00:13:42.40]
this is based on factoring
numbers. If you can factor
[00:13:49.20]
numbers then you can break RSA
and then factor numbers so it is
[00:13:58.03]
hard with computer we don't have
a math proof of this but we
[00:14:06.93]
convinced that is our problem.
Factoring is not complete but
[00:14:13.73]
easy on the quantum computer.
Doing a quantum for transform
[00:14:20.53]
and gives you the result. And
what is nice within is not
[00:14:28.70]
specific for factoring, it is
for a whole class of problems
[00:14:36.20]
that we call the -- fighting a
subgroup ribosome bigger group
[00:14:43.70]
and turns out that the disc
algorithm is another time of
[00:14:51.20]
this problem. So the problem
behind the -- problem is you
[00:14:58.70]
have number G and you know a G
to power of Y and you don't know
[00:15:09.67]
why so you look for Y. You can
try it. It's not easy if you do
[00:15:20.57]
it only big numbers. And again,
it easy on the quantum computer.
[00:15:28.73]
So what about -- or has
functions. A little bit faster
[00:15:36.23]
than is quantum computer but not
that faster just that is search
[00:15:44.40]
for the key would be much
faster. So you get half of 64
[00:15:53.23]
bits of security. If you do some
advance math if I want 120 bit
[00:16:02.83]
security I need a key off to 56
and we have version of 256 and
[00:16:13.03]
we not have -- of 12 bits and
the reason behind this -- we can
[00:16:23.23]
search in a table of elements in
time square with N instead of M.
[00:16:32.77]
So if you have two to the N --
so there is a field called post
[00:16:43.67]
quantum crypting to fee and goal
is the find alternatives. Lost
[00:16:51.17]
audio -- means equations with
many variables and the variables
[00:16:57.97]
are come fined in such a way
with multiplication and once you
[00:17:06.20]
have that much much harder to
solve. You do multiplication it
[00:17:13.70]
is harder so impossible. But if
you want the use it, most of
[00:17:22.53]
time you need the have a shorter
system. You need to have some
[00:17:31.37]
trace structure and that reason
why some -- working I don't --
[00:17:39.53]
now something important to
understand, someone has quantum
[00:17:44.97]
computer that created it might
break -- you can still
[00:17:51.77]
signatures but issuing knew ones
with a quantum system. But if
[00:17:59.27]
you encrypt something with a
nonquantum safe cipher it is too
[00:18:06.83]
late and going to be encrypted
and no use to encrypt again. So
[00:18:15.67]
the bottom line here is more
important the have quantum
[00:18:22.47]
encryption you can still wait
until the quantum computer is
[00:18:29.27]
created. So two types of
encryption techniques so nothing
[00:18:35.40]
new. Ideas from 70s or 80s. We
have very large keys kilo bytes
[00:18:44.23]
but today we have tera byte but
maybe kilo bytes not big data.
[00:18:53.07]
And the other one is -- very
simple to understand you have
[00:19:01.30]
function and you don't know the
function you know what it looks
[00:19:09.47]
like and you want to learn the
function. So you cannot guess
[00:19:17.63]
how it works. So fifth part is
quantum distribution. Here the
[00:19:25.13]
problem is like a quantum --
instead of using -- you use
[00:19:33.30]
physical phenomenon. Not really
quantum computing but using
[00:19:38.73]
quantum mechanics. The argument
is that if you are in the middle
[00:19:46.90]
you can't do the middle because
it will be detected by the law
[00:19:55.73]
of physics. It will be modified
so you will see the modification
[00:20:03.90]
you cannot copy quantum bits.
And are random. So this one is
[00:20:12.07]
the -- BB8 h invited by the guys
in 1984. This is simple. They
[00:20:21.60]
want -- so likes a few bits and
she has to select encoding. Here
[00:20:31.13]
it means just position of the --
you can see just simple
[00:20:39.30]
encoding. So she says blue-green
green and she will send this to
[00:20:47.47]
bob and he doesn't know the
encoding and thing is if you
[00:20:55.63]
have the same encoding you will
observe the right value and if
[00:21:03.87]
you don't have the -- it will be
too late to correct because once
[00:21:13.40]
you observe it, it is not a
quantum bit. So bob he observes
[00:21:22.23]
the bits that he receives and
then he publishing encoding and
[00:21:29.73]
Alice says you have the right or
wrong one and it just pick the
[00:21:39.27]
bits why you have same -- so the
scheme is more complicated but
[00:21:48.10]
that is general idea. But it is
not as secure as it pretends to
[00:21:57.63]
be. The first one is it is
quantum when you use the keys
[00:22:06.53]
when you store it in your system
you use classical -- so the
[00:22:15.37]
people say classical -- yes, but
then what do you do, you have to
[00:22:24.90]
use classical crypt. In practice
you to -- quantum hacking and
[00:22:32.40]
broke some of the first systems.
You can do this over the
[00:22:40.57]
internet and dedicated optical
fiber links so point to point
[00:22:47.37]
and limited in distance less
than a hundred km. You can put
[00:22:55.53]
repeaters or make -- now it is a
bit annoying. So that
[00:23:03.77]
application is quantum computer
if you wonder why I put this
[00:23:11.27]
here. I don't know if you
recognize this guy. Leverage the
[00:23:18.77]
no claim principle. The idea is
simple. The idea is when you
[00:23:26.93]
have quantum bits you can know
like momentum but you know bot
[00:23:35.10]
at the same time. You cannot
know everything about the
[00:23:41.90]
quantum object so if you don't
know everything you cannot copy
[00:23:49.40]
it. You cannot copy what you
don't know. In physics you have
[00:23:57.57]
this -- that cannot clone a
physical object to exact copy.
[00:24:05.13]
So you see the relation with
quantum cash. You will put some
[00:24:13.30]
Q bits on your bank note and so
only the bank can create the
[00:24:22.83]
ones. So that is suggest a
experiment and not practical
[00:24:29.63]
because it is difficult to put Q
bits on the note and to deal
[00:24:39.17]
currency problem. So you will
never see this for real but you
[00:24:47.33]
can imagine. You can imagine
software -- so using this idea
[00:24:54.83]
of quantum non-cloning, so you
have function here in green the
[00:25:02.40]
-- let's say you find you get
the code of function and maybe
[00:25:11.23]
sophisticated but you can
reverse the code. You check the
[00:25:18.03]
hash, if a strong hash you not
find the password easily. And if
[00:25:26.87]
you have binary you can copy the
bytes. So here is idea of
[00:25:35.70]
prediction that you cannot copy
the program. You have the
[00:25:42.50]
problem which is a list of Q
bits and you have no idea about
[00:25:52.03]
what the program is doing. So
like quantum cash it is not
[00:26:00.27]
something that will happen for
real. So my last one is about
[00:26:08.43]
learning. Seems to be hot these
days. I have seen some very good
[00:26:17.27]
talks and not so nice talks. So
one slide difficult to summarize
[00:26:25.43]
but see the science of getting
computer -- it is either
[00:26:32.93]
learning patterns or -- notion
of supervised -- un-supervised
[00:26:39.07]
like discovering patterns and it
is quite a success and feels
[00:26:46.57]
like for detection -- usually
better at finding similarities
[00:26:52.70]
that no monies and intern
detection for example we went to
[00:27:00.27]
find monies for specific notion
of no money. But security --
[00:27:07.77]
lots of false positive the
mission learning. Recommend
[00:27:13.20]
something that you don't want
the see it is not a big deal but
[00:27:22.73]
if you -- system or detects too
much you have a problem. Some
[00:27:31.57]
companies claim the use it but
sometimes just say we will use
[00:27:39.73]
mission learning just to say
they use mission learning. I
[00:27:46.53]
have not seen detail about this
so I don't think it works as
[00:27:55.37]
claim. Some people have been
trying to -- mission learning.
[00:28:02.23]
But a bit boring because not a
brand new algorithm, just take
[00:28:10.40]
the algorithm and run them on
your quantum computer. Things
[00:28:17.20]
like clustering. There are two
advantages and one sometimes you
[00:28:24.00]
have search in the big list of
data, so you can use what was
[00:28:33.53]
seen before to speed up the
search and you have the square
[00:28:41.70]
root improvement. You do get a
exponential speed up which means
[00:28:49.20]
it is something you could not do
on classical computer but you
[00:28:57.37]
need a quantum ram. So the idea
is out there. You give a address
[00:29:06.97]
and get the value add this
address so in quantum memory --
[00:29:15.13]
and you receive the values at
these addresses in
[00:29:21.27]
superposition. I have no idea
how the implement this and
[00:29:28.07]
physicist have no ideas. And the
idea of quantum learning -- so
[00:29:36.23]
if you have a quantitative you
don't have quantum -- so will be
[00:29:45.07]
useless. So time to conclude?
Maybe you were not happy about
[00:29:52.57]
this and you will be leaving the
room. It sucks. Doesn't even
[00:30:00.73]
solve problems. So -- this is an
article but if you are more opt
[00:30:10.27]
mystic person you will see it
differently. Stuff collecting
[00:30:16.40]
all the -- if you are math --
transforming a physical state.
[00:30:24.57]
You can take this microphone a
bunch of atoms you can see the
[00:30:33.40]
wall is big quantum computer
allowing da. What is universe
[00:30:40.20]
computing. So what some
physicist say we don't know if
[00:30:47.00]
it is possible to have a quantum
mechanics but if we have proof
[00:30:55.83]
that is poses then it will tell
us about physics. So even if we
[00:31:05.43]
fail we win something. So I hope
you liked this. If you have
[00:31:14.27]
questions, I will put the slides
at line. I have just been
[00:31:22.43]
interested in this stuff for
years and years. So if you want
[00:31:30.60]
to build a quantum computer
don't talk to me. Yeah. I have a
[00:31:39.43]
few minutes left. When I did
this talk people ask me why
[00:31:47.60]
don't you talk about the company
that is selling a computer. This
[00:31:55.77]
is recorded. So the company
selling the quantum computer, it
[00:32:02.63]
is a different type and it
cannot factor big numbers. So
[00:32:10.13]
that's it. Thank you for you
attention and I am happy the
[00:32:18.30]
take questions.