Google's quantum supremacy is real. Now we urgently need quantum-safe encryption, says UKNQT's Sir Peter Knight

'There's a lot at stake in rewiring the world in terms of encryption and we all depend on getting it right'

Google's recent claim to have achieved 'quantum supremacy' is valid and cryptographers must hurry to develop 'quantum-safe' techniques, says physicist Sir Peter Knight.

In September, Google publicly announced it had achieved the long-sought goal of quantum supremacy, meaning that its quantum computer succeeded in performing a task that a classical computer could not conceivably do. It solved a particular algorithmic challenge in 200 seconds, compared with the estimated 10,000 years it would take a powerful supercomputer. However, IBM disputed that claim, saying its engineers could perform the same calculation on a supercomputer in three days; but, Knight pointed out, that's still a thousand times longer than Google's achievement.

Like IBM, Knight, who is a board member of the UK National Quantum Technologies (UKNQT) Programme at UK Research and Innovation (UKRI), was privy to the findings six weeks before they were officially announced on 23 September, thanks to an inadvertent leak of the paper online. So he's had the opportunity to investigate the Google experiment and is convinced that it really does represent a major advance.

Google engineers achieved coherence between 53 qubits (quantum bits) and were able to monitor and manipulate their performance, even managing to isolate one bit that wasn't performing as it should (the company's Sycamore processor is actually made up of 54 qubits).

This was an engineering triumph rather than a theoretical one, which is important, Knight said.

"It's the first proof-of-concept that we can get on with on the engineering side and get it out of physics labs. It shows that quantum computing may be hard, but it's not impossible."

Google's engineers assembled 54 high-quality qubits in a refrigerated unit held at a fraction above absolute zero (0K or -273 C) in such a way that they were able to monitor and control the resulting quantum processor from the lab without causing excessive noise and interference. The algorithm used in the experiment was designed to demonstrate that all the qubits would continue to talk to each other coherently, acting as a single unit. It has no other practical use. Indeed, general-purpose quantum computing is still some way off.

For those seeking to advance the science through collaboration like UKNQT, the term 'quantum supremacy' is unhelpful as it could lead to a form of protectionism, Knight said. "It's really important not to blow this up into a spat between IBM and Google. It's important for all of us involved in the field that we can poke at these assumptions to make sure that we are confident that it's doing what it says on the tin."

Quantum computers can perform multiple calculations in parallel, making them very well suited to probabilistic search-type problems, such as pharmaceutical drug discovery, and optimisations - a quantum computer can try all possible routes simultaneously, thus arriving at the best solution far more quickly than a classical computer, which must try one after the other in sequence. As they are uniquely sensitive to difference, quantum computers are also a good fit for anomaly detection and advanced security systems.

But, of course, for security the technology is a double-edged sword. A viable quantum computer would spell doom for many of the cryptographic techniques that protect data and communications today. Most of these rely on 'trapdoor' functions that are easy to perform in one direction, such as multiplying two very large prime numbers to obtain a product, but very hard to do the other way - factorising that product to obtain the original primes. Hard for a classical computer which must try every alternative sequentially, that is, but child's play for a quantum computer which can make multiple guesses simultaneously.

While Google's advance is significant, many hurdles remain before a production-ready quantum computer can be realised: devices need to be made much more fault-tolerant; the software required will be completely different from that used today; and error-handling must be worked through. Even then, the need for a supercooled environment (room temperature lab experiments are still at a very early stage, Knight says) means they will remain the preserve of government departments and tech giants, with quantum computing most likely offered as a cloud service (Jeff Bezos has been actively interested in this prospect for years). Given these constraints, Knight estimates the first reliable, fault-tolerant machine is probably a decade away.

Quantum computing vs quantum-safe encryption, the race is on

Intriguingly, the development of quantum-safe encryption is projected to arrive around the same time.

"We got to get on with it now," Knight said. "The timescale to build and test new primitives for encryption is also about a decade."

So, the race is very much on.

Like the engineers refining quantum computers, cryptographers have a lot of ground to cover. Professor Michele Mosca, co-founder of the Institute for Quantum Computing at the University of Waterloo in Ontario, Canada, says one of the biggest issues is a lack of urgency on the part of businesses and governments. Perhaps because quantum computers always seem to be a few years away, the task of preparing for the new world has not yet been given the priority it deserves, even in organisations like banks that would be hugely affected should their encryption become worthless overnight.

But until the first attack happens (by which time it will be too late) or regulations arrive with penalties for inaction, there's a real danger that quantum safety will remain low on the priorities list.

For businesses, by far the biggest element in preparing is planning, said Mosca, reeling off a to-do list including "quantum risk assessments, quantum migration, road-mapping, standards development, testing and prototyping, and discussions with vendors in the supply chain".

Meanwhile, cryptographers are looking at a variety of methods to stave off the quantum threat. One of these is the 'hybrid key agreement', effectively chaining together different algorithmic approaches, meaning that an attacker would need to break all of them to obtain the key, Mosca explained.

"For example, use today's ECC [elliptic curve cryptography] since it is our best-known defence against classical attacks, combined with one or two quantum-safe algorithms, including possibly quantum key distribution, or QKD."

However, a problem for cryptographers is the absence of a large-scale quantum computer against which to test their prototypes: in the field of cryptography, theory and practice do not always match. This requires cryptographers to develop 'cryptographic agility', the ability to swiftly develop and deploy new algorithms as threats and capabilities evolve, in order to stay ahead of the curve. "We don't get to call 'time-out' if an algorithm is broken," Mosca commented.
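To make the hybrid key agreement and the agility point concrete, here is an added sketch (not code from the article or from anyone quoted in it) of a concatenate-then-KDF combiner: the session key is derived from every component secret, so one broken algorithm does not expose it, and components are swappable by label. The labels `ecdh-p256` and `pq-kem`, the salt string and the sample secrets are constructed assumptions standing in for real key-exchange outputs.

```python
import hashlib
import hmac
import struct

HASH = hashlib.sha256

def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """HKDF-Extract (RFC 5869): condense input keying material into a PRK."""
    return hmac.new(salt, ikm, HASH).digest()

def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Expand (RFC 5869): stretch the PRK into `length` output bytes."""
    if length > 255 * HASH().digest_size:
        raise ValueError("requested output too long for HKDF")
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm += block
        counter += 1
    return okm[:length]

def lp(data: bytes) -> bytes:
    """Length-prefix a field so bytes cannot slide between adjacent fields."""
    return struct.pack(">I", len(data)) + data

def hybrid_session_key(components, transcript: bytes, length: int = 32) -> bytes:
    """Derive one key from a list of (algorithm_label, shared_secret) pairs.

    Every secret feeds the KDF input; the labels and the handshake transcript
    are bound in as context, so replacing an algorithm changes the derived key.
    """
    if len(components) < 2:
        raise ValueError("a hybrid needs at least two independent key exchanges")
    ikm = b"".join(lp(secret) for _, secret in components)
    info = b"".join(lp(label.encode()) for label, _ in components) + lp(transcript)
    prk = hkdf_extract(b"hybrid-kex-example", ikm)  # hypothetical salt label
    return hkdf_expand(prk, info, length)

# Constructed stand-ins for the outputs of real key exchanges.
ECDH_SECRET = bytes.fromhex("11" * 32)      # would come from an ECC exchange
PQ_KEM_SECRET = bytes.fromhex("22" * 32)    # would come from a quantum-safe KEM
TRANSCRIPT = b"constructed handshake transcript"

def demo() -> bytes:
    parts = [("ecdh-p256", ECDH_SECRET), ("pq-kem", PQ_KEM_SECRET)]
    return hybrid_session_key(parts, TRANSCRIPT)

if __name__ == "__main__":
    print(demo().hex())
```
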

Such forethought is vital given the unpredictable nature of advances in this field, Knight agreed.

"How do we know that quantum-safe encryption is safe? There's no mathematical proof of security. When we came up with RSA it looked fantastic because it's so hard to factor numbers, but there's no proof that it's hard to factor numbers. And then Peter Shor comes along with his algorithm. How do we know that of these bright young sparks coming out of college now aren't going to be the new Peter Shor? So caution is everything. There's a lot at stake in rewiring the world in terms of encryption and we all depend on getting it right."