< Return to Video

https://www.youtube.com/watch?v=PDjAuSAcbY4 The impact of quantum computers in cybersecurity

  • 0:00 - 0:02
    [Transcribed by Pekka P]
  • 0:02 - 0:03
    (KYBS2004 course assignment at JYU.FI)
  • 0:03 - 0:14
    ♪ (37C3 intro music) ♪
  • 0:14 - 0:18
    And with that, I would love it for you to welcome Alessandro and his great talk.
  • 0:27 - 0:28
    Can everybody hear me okay?
  • 0:29 - 0:29
    Yes.
  • 0:30 - 0:30
    Okay.
  • 0:30 - 0:31
    Okay.
  • 0:31 - 0:33
    So, quantum computers.
  • 0:33 - 0:43
    Dear community, dear hackers, it was December of 14 years ago that I attended my first CCC
  • 0:43 - 0:44
    in Berlin.
  • 0:44 - 0:49
    And it's also because of that experience and that community that I made a series of
  • 0:49 - 0:56
    choice that led me here as a researcher studying quantum algorithms and quantum computation.
  • 0:56 - 1:02
    And there are certain similarities that we can draw between hacking and writing quantum
  • 1:02 - 1:03
    algorithms.
  • 1:03 - 1:09
    The idea is that writing quantum algorithms is like hacking nature.
  • 1:09 - 1:10
    Why?
  • 1:10 - 1:18
    Well, because we can think of nature as a quantum mechanical system and programming it is like
  • 1:18 - 1:24
    a way to make nature behave in a way that is not meant to be used.
  • 1:24 - 1:27
    So, writing quantum algorithms is a lot of fun.
  • 1:27 - 1:32
    It is a lot of fun in games, but how do I feel today?
  • 1:32 - 1:37
    Well, today I feel a little bit meh.
  • 1:37 - 1:38
    Why?
  • 1:38 - 1:47
    Well, because the impact of quantum computers is not communicated very well in the press today.
  • 1:47 - 1:50
    There is a lot of hype.
  • 1:50 - 1:55
    So, we are here today to understand better what's the impact of quantum computers, especially
  • 1:55 - 1:58
    in cyber security.
  • 1:58 - 2:01
    So how do we measure impact?
  • 2:01 - 2:11
    Well, we can say that a new paradigm for doing computation has impact if it's faster than
  • 2:11 - 2:17
    the classical computers that we have or if it can give us better results, right?
  • 2:17 - 2:24
    Like imagine we are approximating some solution of a problem like the price of a derivative,
  • 2:24 - 2:29
    for example, and our quantum computers can give us a better estimate of a price in the
  • 2:29 - 2:32
    same amount of time of a classical computer.
  • 2:32 - 2:38
    Or maybe it's just cheaper to compute the same result in the same amount of time.
  • 2:38 - 2:47
    Another way that we can expect quantum computers to impact our society is if they can
  • 2:47 - 2:51
    allow us to do something that before we couldn't do, right?
  • 2:51 - 2:57
    And an example is exponential speedups or big polynomial speedups.
  • 2:57 - 3:03
    And I know you have in mind Shor's algorithm for factoring.
  • 3:03 - 3:06
    But it's not that easy, right?
  • 3:06 - 3:13
    Because we know from high school that asymptotically an exponential function will dominate a polynomial
  • 3:13 - 3:14
    or linear function.
  • 3:14 - 3:20
    Imagine that this is the cost of your computation and you can imagine to measure the cost in
  • 3:20 - 3:23
    hours, okay?
  • 3:23 - 3:29
    So asymptotically if we have a quantum algorithm that is exponentially or polynomially faster
  • 3:29 - 3:34
    than a classical algorithm, then we know that it will be faster.
  • 3:34 - 3:41
    But maybe we have to look at regimes that are relevant for us.
  • 3:41 - 3:47
    And as you can see from this picture, there are cases where, you know, a linear time algorithm
  • 3:47 - 3:55
    is slower than an exponential time algorithm, okay?
  • 3:55 - 3:59
    So how do we measure the cost of quantum computation?
  • 3:59 - 4:07
    Well, in theoretical computer science, what we do, even for classical computation, we measure
  • 4:07 - 4:08
    the size of a circuit, right?
  • 4:08 - 4:14
    And the size of a circuit is basically the number of logical gates that we execute.
  • 4:14 - 4:20
    Or maybe we can measure the depth of a circuit, that is also known as parallel time.
  • 4:20 - 4:22
    Or we can measure the space, right?
  • 4:22 - 4:27
    The number of bits, the size of a memory that we use in our computation.
  • 4:27 - 4:33
    Or we measure the number of queries that we perform to an oracle.
  • 4:33 - 4:37
    But we also care about more practical things.
  • 4:37 - 4:41
    And these practical things are maybe the money that it costs to run some computation, the energy
  • 4:41 - 4:45
    that I use to run this computation.
  • 4:45 - 4:51
    And more specifically in quantum circuits, we care about the number of Toffoli gates, which
  • 4:51 - 4:55
    are a particular kind of three qubit gates.
  • 4:55 - 5:01
    And we also care, obviously, about the work clock time of our computation and the number
  • 5:01 - 5:03
    of physical qubit.
  • 5:03 - 5:06
    So there is a difference between physical and logical qubit.
  • 5:06 - 5:10
    I won't get into the details of this because it's related to error correction, a very difficult
  • 5:10 - 5:11
    topic.
  • 5:11 - 5:16
    But you just have to know that in order to obtain something that we call physical qubit,
  • 5:16 - 5:21
    we need to, something that we call a logical qubit, we need to use a certain amount of physical
  • 5:21 - 5:22
    qubit.
  • 5:22 - 5:26
    And now the ratio is 1 to 1000.
  • 5:26 - 5:31
    So how do we estimate these more practical and interesting measures?
  • 5:31 - 5:33
    We do what's called the resource estimation.
  • 5:33 - 5:40
    And the resource estimation is basically a procedure where we take the theoretical complexity
  • 5:40 - 5:45
    of an algorithm, we look at the real problem that we have to solve, perhaps we use some
  • 5:45 - 5:52
    tricks to optimize the circuit, and then we can count the number of resources that we
  • 5:52 - 5:57
    really need to solve the problem that we care about.
  • 5:57 - 6:03
    Okay, so what are we going to see today is three topics.
  • 6:03 - 6:09
    The first, the impact of quantum computing in the cryptography that we use today.
  • 6:09 - 6:13
    So RSA and LiptevCurveCrypto.
  • 6:13 - 6:19
    And there the too-long-didn't-read is that there is a long way to go, but we will eventually
  • 6:19 - 6:22
    get there.
  • 6:22 - 6:27
    We will see if there is any impact in post-quantum cryptography.
  • 6:27 - 6:35
    So we will show some research estimation of post-quantum attack on post-quantum cryptography.
  • 6:35 - 6:41
    And there the result is that lattice-based crypto is safe even when considering practical
  • 6:41 - 6:45
    implementations of the attacks.
  • 6:45 - 6:48
    And then we will see the impact of quantum machine learning.
  • 6:48 - 6:49
    Why?
  • 6:49 - 6:56
    Because machine learning is used in cybersecurity and we will just try to explore a little bit
  • 6:56 - 7:00
    this area with methodology.
  • 7:00 - 7:05
    And the conclusion there, and this is not just in cybersecurity, but is that we will see a
  • 7:05 - 7:08
    speed-up only for massive datasets.
  • 7:08 - 7:13
    But we have a lot of good ideas and a lot of hopes.
  • 7:13 - 7:21
    So in this part, I'm going to present some results of the internship that Adi did in Invariant
  • 7:21 - 7:31
    with me and Varun and also Antonio joined later this project.
  • 7:31 - 7:35
    So factoring, right.
  • 7:35 - 7:40
    The state-of-the-art on factoring is this paper by Craig Gidney.
  • 7:40 - 7:47
    And basically in this work, he is showing how to break RSA 2048 using 20 million physical
  • 7:47 - 7:53
    qubits and approximately eight hours of quantum computation.
  • 7:53 - 8:00
    So he is assuming to work with a particular kind of hardware made of superconducting qubits, with
  • 8:00 - 8:04
    a gate error of 10 to the minus three.
  • 8:04 - 8:11
    And he is using concatenated surface code to achieve these estimates, right?
  • 8:11 - 8:14
    So in order to perform a resource estimation, you have to do some assumption on the hardware
  • 8:14 - 8:21
    that you expect to have in the future.
  • 8:21 - 8:30
    What he is using in his circuit is this idea of windowed arithmetic.
  • 8:30 - 8:35
    So in his circuit, he needs to perform, let me be very technical for five seconds, phase
  • 8:35 - 8:40
    estimation on an oracle that is performing modular exponentiation.
  • 8:40 - 8:44
    So basically he needs to perform arithmetic in his circuit.
  • 8:44 - 8:48
    To perform arithmetic, he is using this idea called windowed arithmetic.
  • 8:48 - 8:52
    And windowed arithmetic is basically a way to have space-time trade-offs.
  • 8:52 - 8:58
    So instead of running a circuit that is computing the function that you want to compute, you
  • 8:58 - 9:02
    pre-compute this function classically and you store some results in memory and you just
  • 9:02 - 9:07
    query the memory when you run the quantum computation.
  • 9:07 - 9:14
    And in order to look up the memory at some point, since the computation is quantum and it needs
  • 9:14 - 9:19
    to be reversible, at some point you need to uncompute some garbage.
  • 9:19 - 9:30
    And for that, he is also using a trick that allows him to save some gates in these settings.
  • 9:30 - 9:40
    So our contribution is that we can do some improvements in the way this unlookup is done, especially when
  • 9:40 - 9:45
    we have nested loops in the circuit.
  • 9:45 - 9:51
    And in modular exponentiation, you do windowed arithmetic using nested loops.
  • 9:51 - 9:57
    And therefore, you can have a little bit of saving in the number of gates.
  • 9:57 - 10:07
    So the performance improvements that we were able to get is around 1% for cryptographic relevant
  • 10:07 - 10:09
    numbers.
  • 10:09 - 10:20
    So RSA keys of 2048, basically, 0.7%, is a modest improvement, but it's still non-negligible,
  • 10:20 - 10:22
    and we hope to do more in the near future.
  • 10:22 - 10:31
    And it's basically saving 15 minutes over 8 hours.
  • 10:31 - 10:38
    There is another problem that you face when you're trying to do Shor's algorithm, which
  • 10:38 - 10:42
    is implementing Boolean functions in general.
  • 10:42 - 10:46
    So imagine you have a Boolean function.
  • 10:46 - 10:51
    You can write your classical circuit for implementing this Boolean function.
  • 10:51 - 10:57
    Using some tricks from classical computer science, you can make this circuit reversible, and then
  • 10:57 - 11:00
    you can obtain a quantum circuit for this Boolean function.
  • 11:00 - 11:05
    But again, you will see that you have a problem of performing a computation.
  • 11:05 - 11:09
    But in literature, we have this thing called measurement based on computation, which allows
  • 11:09 - 11:16
    you to have savings in expectation when you run the on-computation of the circuit.
  • 11:16 - 11:21
    And applying this trick to something that we thought was very well analyzed and optimized,
  • 11:21 - 11:31
    that we realized that you can have savings in the circuit that is performing modular addition.
  • 11:31 - 11:34
    And where is the circuit for modular addition used?
  • 11:34 - 11:42
    Well, it's used also in the circuits that are used for breaking elliptic core cryptography.
  • 11:42 - 11:51
    And here, the state-of-the-art for resource estimation of ACC is this paper by Littinsky.
  • 11:51 - 11:56
    It's again another corollary of the Shor algorithms.
  • 11:56 - 12:04
    It's using some particular kind of architecture called active volume, which is assuming basically
  • 12:04 - 12:07
    to work with photonic qubits with a similar gate error.
  • 12:07 - 12:15
    And the number of logical qubits that is using is 6,000 logical qubits.
  • 12:15 - 12:22
    So after our trick, we were able to save, again, a little bit less than 1%, but we have
  • 12:22 - 12:29
    other tricks under our sleeves to improve this result further.
  • 12:29 - 12:34
    And the message here is that there is a lot, really, really a lot to do in the whole stack
  • 12:34 - 12:43
    of quantum computing to improve these attacks and algorithms.
  • 12:43 - 12:54
    So in the second part, I'm going to present briefly some results of our team at CQTeam, where
  • 12:54 - 13:01
    me and Joao are super lucky to have Georgios and Aditya helping us studying the resource
  • 13:01 - 13:04
    estimation of post-quantum cryptography.
  • 13:04 - 13:13
    So we are focusing on lattice attack, and this is the only math part of this talk, I promise.
  • 13:13 - 13:20
    So a lattice is basically the set of all integral linear combination of a set of n linearly independent
  • 13:20 - 13:22
    vectors.
  • 13:22 - 13:27
    And the problem that you have to solve here is I give you the basis, and you have to find
  • 13:27 - 13:30
    the shortest vector of this basis.
  • 13:30 - 13:35
    Shortest vector in, let's say, Euclidean norms.
  • 13:35 - 13:37
    Why this is important?
  • 13:37 - 13:43
    Because if you know how to find the shortest vector, then you are able to break post-quantum
  • 13:43 - 13:45
    cryptography.
  • 13:45 - 13:51
    Fortunately, we don't have polynomial time algorithms.
  • 13:51 - 13:57
    We don't have polynomial time quantum algorithms and classical algorithms for solving this problem.
  • 13:57 - 14:03
    So theoretically, we know that at some point for big lattice dimension, we are safe.
  • 14:03 - 14:10
    But the question is, are we safe even when we look at the constant factor of the attack
  • 14:10 - 14:13
    when we implement it?
  • 14:13 - 14:16
    And there are already works in this direction.
  • 14:16 - 14:23
    Namely, the first one is studying some version of an algorithm called gauss-siv.
  • 14:23 - 14:29
    And the second one is implementing and studying enumeration attacks.
  • 14:29 - 14:33
    So what we did, well, we implemented the gauss-siv.
  • 14:33 - 14:39
    And here you can find the code online of the attack.
  • 14:39 - 14:41
    That's great.
  • 14:41 - 14:43
    But let's look at the results.
  • 14:43 - 14:47
    So what's the real complexity of the circuit?
  • 14:47 - 14:51
    Well, from this plot, you see the following thing.
  • 14:51 - 14:57
    Well, the dotted green line is the cost of the classical algorithm.
  • 14:57 - 15:05
    And the dotted red line is the cost, the asymptotic cost, the theoretical cost of the quantum algorithm.
  • 15:05 - 15:11
    The two non-dotted lines are the number of Toffoli gates, a particular kind of gates
  • 15:11 - 15:19
    in the circuit, and the blue line is the duration in hours.
  • 15:19 - 15:30
    So you can see that the slope of the two non-dotted lines is compatible with the red dotted lines.
  • 15:30 - 15:37
    And yes, so it means that we are safe from quantum attacks.
  • 15:37 - 15:42
    Unless someone finds a new quantum algorithm that is more efficient asymptotically.
  • 15:42 - 15:46
    And then we have to repeat this study again.
  • 15:46 - 15:48
    Okay.
  • 15:48 - 15:56
    In the last part, we study quantum machine learning and applications in cybersecurity.
  • 15:56 - 15:59
    As I said before, why are we doing this?
  • 15:59 - 16:04
    Well, because machine learning is ubiquitous in cybersecurity.
  • 16:04 - 16:10
    And we want to see if quantum has something to say.
  • 16:10 - 16:15
    So the idea of quantum machine learning is that you want to use a quantum machine for training
  • 16:15 - 16:26
    a model, so the training part, and or the predict phase of a machine learning algorithm.
  • 16:26 - 16:30
    Let me say that there are two ways of doing quantum machine learning.
  • 16:30 - 16:34
    One stems from the theoretical computer science community.
  • 16:34 - 16:42
    And there you have a theorem stating, I can do this computation with certain probability
  • 16:42 - 16:45
    and certain approximation error.
  • 16:45 - 16:50
    And the other community is saying, okay, we have very small devices.
  • 16:50 - 16:54
    Let's see what we can build on top of those.
  • 16:54 - 17:01
    And this is very similar to what people are doing in deep learning and with neural networks.
  • 17:01 - 17:03
    I belong to the first community.
  • 17:03 - 17:08
    So what I do is I take a classical machine learning algorithm and I try to come up with
  • 17:08 - 17:12
    a quantum version for it.
  • 17:12 - 17:18
    And in our work, what we do is we study the query complexity of an algorithm.
  • 17:18 - 17:19
    Why?
  • 17:19 - 17:24
    Well, because if we know the number of queries that we do to the input, then we just need
  • 17:24 - 17:27
    to understand what's the cost of performing a query.
  • 17:27 - 17:34
    And we know the final cost of performing the whole algorithm.
  • 17:34 - 17:43
    So this problem is basically reducing to understanding when the left-hand side of this equation is smaller
  • 17:43 - 17:45
    than the right-hand side.
  • 17:45 - 17:51
    Let's not delve into the details of the meaning of all these symbols.
  • 17:51 - 17:57
    But the only important thing here is that on the left-hand side, we don't have n.
  • 17:57 - 18:04
    And n is the number of samples in our data set.
  • 18:04 - 18:13
    So there is hope that a quantum algorithm should scale much better than a classical algorithm
  • 18:13 - 18:16
    in terms of number of samples, right?
  • 18:16 - 18:19
    But what about the other parameters?
  • 18:19 - 18:26
    So in order to understand that, we developed this methodology to try to see for data sets
  • 18:26 - 18:31
    that we care about, what are the parameters in the runtime of a quantum algorithm so we
  • 18:31 - 18:35
    can compare the runtime with a classical runtime.
  • 18:35 - 19:00
    So we tested this on a few data sets that are standard in cybersecurity, and the result is that we need 10 to the 7 elements in our data set in order to start to feel a little bit of quantum advantage in terms of query complexity.
  • 19:00 - 19:05
    So without taking into account the cost of query to the Q-RAM.
  • 19:05 - 19:06
    Okay.
  • 19:06 - 19:20
    So maybe there are other data sets and problem that we can look at to get advantage.
  • 19:20 - 19:26
    And so, well, the answer is there is some hope.
  • 19:26 - 19:30
    And there is this particular problem that I found many years ago.
  • 19:30 - 19:33
    And the problem is related to malware detection.
  • 19:33 - 19:41
    So DGA, domain generation algorithm, is an algorithm that malware is using in order to contact the command and control server.
  • 19:41 - 19:45
    They are basically generating random domains.
  • 19:45 - 19:52
    And they are trying to connect to a web server that is answering behind one of these randomly generated domains.
  • 19:52 - 19:59
    And the randomly generated domains are very different from the domain that we humans generate.
  • 19:59 - 20:04
    Take, for example, google.com versus randomletters.com.
  • 20:04 - 20:09
    So I took as a training set the top one million domains.
  • 20:09 - 20:11
    And I did some pre-computation.
  • 20:11 - 20:17
    And I obtained an n-gram matrix where the number of rows is one million.
  • 20:17 - 20:23
    And in the columns you have the n-grams that you built out of the training set.
  • 20:23 - 20:33
    And in any row you have one if the n-gram in the column you are considering is appearing in the domain in that row.
  • 20:33 - 20:34
    Okay.
  • 20:34 - 20:38
    So what's interesting here is that this matrix is very sparse.
  • 20:38 - 20:42
    And I tell you later why it's interesting.
  • 20:42 - 20:52
    But then when you build this n-gram matrix with a classical computer, you can only afford to pay linear time to process it.
  • 20:52 - 20:59
    So you cannot do linear algebra on this matrix on a classical computer.
  • 20:59 - 21:06
    And my idea was, hey, let's use a quantum algorithm to extract something out of this matrix.
  • 21:06 - 21:07
    Great.
  • 21:07 - 21:14
    So I wrote, my first paper was a quantum algorithm for something called slow feature analysis,
  • 21:14 - 21:18
    which is exactly equivalent to something called fissure linear discriminant.
  • 21:18 - 21:20
    You might know this.
  • 21:20 - 21:30
    And so I wrote a classical simulation of a quantum algorithm to extract this feature out of this
  • 21:30 - 21:33
    very big and very sparse matrix.
  • 21:33 - 21:40
    And then I used this feature in a classification step.
  • 21:40 - 21:42
    So the game is the following.
  • 21:42 - 21:43
    You give me a domain.
  • 21:43 - 21:46
    I have a classifier, a machine learning classifier.
  • 21:46 - 21:55
    I use the feature I just extracted from the matrix to add a new input to this classifier.
  • 21:55 - 21:57
    And I looked at the results.
  • 21:57 - 22:02
    And I compared the classical results with the quantum results.
  • 22:02 - 22:10
    And you can see that this feature is improving a little bit the results of a classification.
  • 22:10 - 22:15
    So the moral of the story is that if you think hard enough, maybe there is some hope to get
  • 22:15 - 22:21
    quantum advantage in the future.
  • 22:21 - 22:23
    So conclusions.
  • 22:23 - 22:35
    Well, the results and the paper that we see nowadays are kind of the following script.
  • 22:35 - 22:37
    We know how to perform linear algebra.
  • 22:37 - 22:41
    We find a problem where linear algebra is needed or is a bottleneck.
  • 22:41 - 22:44
    And we write a quantum algorithm for it.
  • 22:44 - 22:49
    It's interesting, but maybe we want to understand and we want to get a new algorithmic paradigm
  • 22:49 - 22:51
    for writing new quantum algorithms.
  • 22:51 - 22:53
    Different kind of speedups.
  • 22:53 - 23:03
    A common trend that is limiting the quantum advantage in practice is something called QRAM.
  • 23:03 - 23:07
    So the quantum version of random access memory.
  • 23:07 - 23:11
    And there is a lot of research to do there.
  • 23:11 - 23:17
    And if you're asking me when this will happen, I really do not have the answer.
  • 23:17 - 23:20
    You have to ask a physicist.
  • 23:20 - 23:31
    There are many other topics in quantum computing that might impact cybersecurity, namely the delegation
  • 23:31 - 23:32
    of quantum computation.
  • 23:32 - 23:40
    So the idea that not only you can do encrypted computation over the cloud, but you can also
  • 23:40 - 23:44
    delegate and encrypt the computation that you are delegating.
  • 23:44 - 23:46
    Quantum key distribution.
  • 23:46 - 23:52
    There were other talks at CCC previous years about QKD.
  • 23:52 - 23:55
    Something called position-based cryptography.
  • 23:55 - 24:02
    And if you want to learn more about the computational aspects, so the algorithmic aspect of what we
  • 24:02 - 24:04
    do is quantum computing.
  • 24:04 - 24:11
    You can find an open source project set of lecture notes on quantumalgorithms.org.
  • 24:11 - 24:19
    And the last thing, I'm hiring at CQT, postdoc internship for PhDs and research assistant positions.
  • 24:19 - 24:23
    So thank you so much.
  • 24:23 - 24:33
    So we actually have a lot of time for questions.
  • 24:33 - 24:38
    Please, people who are leaving, leave very, very quietly.
  • 24:38 - 24:39
    And please take your trash.
  • 24:39 - 24:41
    But questions.
  • 24:41 - 24:42
    Do we have any questions?
  • 24:42 - 24:44
    We have four microphones on the floor.
  • 24:44 - 24:49
    And we have the signal angels on the internet.
  • 24:49 - 24:55
    You have to go to the microphone, sorry.
  • 24:55 - 24:58
    So if you have a question, step up to the microphones.
  • 24:58 - 25:01
    All right.
  • 25:01 - 25:02
    Microphone one.
  • 25:02 - 25:04
    Hi.
  • 25:04 - 25:10
    You mentioned that you were speeding up the Tifoli gates with some enhancements.
  • 25:10 - 25:15
    Were these enhancements for lattice general, or was it specific to learning with errors,
  • 25:15 - 25:17
    or short integer solutions, or was it...?
  • 25:17 - 25:20
    Can you repeat the beginning of the question?
  • 25:20 - 25:21
    Yeah.
  • 25:21 - 25:26
    The enhancements on the Tifoli gates that you showed earlier, was it on all lattice algorithms,
  • 25:26 - 25:29
    or was it specific to learning with errors or short integer solutions?
  • 25:29 - 25:31
    It was for general lattices.
  • 25:31 - 25:32
    All of them.
  • 25:32 - 25:35
    Yeah, but the algorithm is not done by us.
  • 25:35 - 25:37
    We just implemented it.
  • 25:37 - 25:38
    Thank you.
  • 25:38 - 25:41
    So, microphone number three.
  • 25:41 - 25:42
    Hi.
  • 25:42 - 25:43
    Hi, Alessandro.
  • 25:43 - 25:45
    Thank you for your time.
  • 25:45 - 25:49
    I have somewhat of a more different question.
  • 25:49 - 25:54
    So, you've shown a lot of resource estimation where we look into how much does it cost to compute
  • 25:54 - 25:55
    this.
  • 25:55 - 26:00
    Do you also have work where you look into the adversarial cost, as in how much does it cost
  • 26:00 - 26:05
    to do this in an attack, as in compared to a classical attack path, where you do, for
  • 26:05 - 26:08
    example, in the short algorithm, you usually decrypt things.
  • 26:08 - 26:14
    So, you look into an attack on crypto, and usually it's, you know, at the end of the
  • 26:14 - 26:18
    attack chain, after exfiltration, to decrypt certain things.
  • 26:18 - 26:23
    Can you more elaborate, maybe, how the attack path looks like in comparison, the adversary
  • 26:23 - 26:27
    cost to use a quantum computer versus a classical thing, and what the timeline would be?
  • 26:27 - 26:33
    That's a great question, and I'm afraid I don't have an answer for that.
  • 26:33 - 26:37
    There's probably more research to do to understand that.
  • 26:37 - 26:38
    Yeah.
  • 26:38 - 26:40
    So, we have a question from the internet.
  • 26:40 - 26:41
    Yes.
  • 26:41 - 26:42
    Thank you.
  • 26:42 - 26:47
    The internet is wondering if you could go into more details about the differences and
  • 26:47 - 26:53
    the synergies between a classical neural network and a quantum neural network.
  • 26:53 - 27:01
    To answer properly this question, it takes more than one PhD, for sure.
  • 27:01 - 27:02
    What can I say?
  • 27:02 - 27:13
    Well, I mean, the similarities is that you have a quantum circuit, and a quantum circuit
  • 27:13 - 27:19
    is composed of gates, and the quantum gates are somehow more general than classical gates,
  • 27:19 - 27:23
    so you have angle of rotations.
  • 27:23 - 27:30
    And the idea is that you can do gradient descent or other optimization algorithms on these parameters,
  • 27:30 - 27:34
    and this is similar to the weights of a neural network.
  • 27:34 - 27:37
    So, that's a similarity.
  • 27:37 - 27:42
    And the difference, well, the difference is that one is quantum, the other is classical.
  • 27:42 - 27:50
    So, we still don't know if one is more powerful than the other, if one is trainable,
  • 27:50 - 27:52
    if it's trainable, maybe it's classically simulable.
  • 27:52 - 27:58
    So, it's a very open area of research.
  • 27:58 - 28:00
    Microphone number three.
  • 28:00 - 28:01
    Sorry, one.
  • 28:01 - 28:02
    Hi.
  • 28:02 - 28:04
    Thank you for the talk.
  • 28:04 - 28:11
    I was wondering if you could quickly explain the similarities and differences between time
  • 28:11 - 28:16
    complexity classes for classical versus quantum algorithms.
  • 28:16 - 28:17
    Exactly.
  • 28:17 - 28:19
    Another great question.
  • 28:19 - 28:24
    It requires more than a PhD.
  • 28:24 - 28:38
    But, I mean, complexity theorists try to take complexity classes and add quantum somehow.
  • 28:38 - 28:44
    And then they try to compare these classes between quantum and classical.
  • 28:44 - 28:47
    So, there are a lot of open questions.
  • 28:47 - 28:56
    If you have any more precise thing, maybe we can discuss it later.
  • 28:56 - 29:01
    But, yeah, it's a big, big topic of research.
  • 29:01 - 29:02
    Thank you.
  • 29:02 - 29:03
    Thank you.
  • 29:03 - 29:04
    Thank you.
  • 29:04 - 29:06
    Microphone number three.
  • 29:06 - 29:07
    Hi.
  • 29:07 - 29:08
    Thanks for the great talk.
  • 29:08 - 29:16
    First of all, I wonder if you heard about the first theoretical, practical approach, research
  • 29:16 - 29:37
    of Harvard University, and logic-based coprocessor they found with natural atoms, where they found a methodology to build up a processor for quantum computers with less physical qubits than it's foreseen.
  • 29:37 - 29:42
    Because it's helpful for the next threat, let's say.
  • 29:42 - 29:44
    So, I wonder if you know about it.
  • 29:44 - 29:54
    And I wonder if you could use this approach for this open research themes as a thing of the memory-based problems and challenges.
  • 29:54 - 29:55
    Thanks.
  • 29:55 - 29:56
    Thank you.
  • 29:56 - 29:57
    Great question.
  • 29:57 - 30:01
    Are you referring to this recent result of a few weeks ago?
  • 30:01 - 30:02
    Yeah.
  • 30:02 - 30:06
    I think, I mean, it seems to be solid research.
  • 30:06 - 30:08
    So, I'm very happy.
  • 30:08 - 30:10
    But, again, I'm not a physicist.
  • 30:10 - 30:19
    So, like, between me and them, there's a whole stack of people that needs to connect our results, basically.
  • 30:19 - 30:21
    But, yeah, I'm hopeful.
  • 30:21 - 30:22
    That's great.
  • 30:22 - 30:23
    That's great.
  • 30:23 - 30:28
    So, we have a question from the internet.
  • 30:28 - 30:29
    Thank you.
  • 30:29 - 30:36
    The internet is wondering if what you showed is also applicable to special quantum computers, especially quantum annealers.
  • 30:36 - 30:44
    And they're referring to an announcement made by Lockheed Martin a couple of years back here that they were able to do something like Shaw's algorithm here.
  • 30:44 - 30:46
    Great question.
  • 30:46 - 30:51
    I usually do gate-based quantum computing.
  • 30:51 - 31:04
    So, the thing is that you can put whatever you want in an annealer because the thing that the annealer is solving is very general.
  • 31:04 - 31:07
    It's very simple to see that you can reduce factoring to an optimization problem.
  • 31:07 - 31:08
    Right?
  • 31:08 - 31:19
    You have N, the number you want to factor, equal P times Q. And you do N minus P times Q. And you are trying to minimize the difference between these two things.
  • 31:19 - 31:32
    So, the difference is zero for the right P and Q. But if you try to do this on an annealer, you don't have a proof that the runtime is polynomial.
  • 31:32 - 31:37
    For the annealing thing, it's like quadratic or cubic in something called spectral gap.
  • 31:37 - 31:42
    And for factoring on annealer, we don't have any bound on this thing.
  • 31:42 - 31:44
    So, microphone two.
  • 31:44 - 31:45
    Right.
  • 31:45 - 31:46
    Joran?
  • 31:46 - 31:49
    Thanks for your talk.
  • 31:49 - 31:53
    What I want to know is what the...
  • 31:53 - 31:57
    Well, I know quantum computers are still experimental.
  • 31:57 - 32:10
    And how well do your algorithms break or scale or break up to the currently available systems, physical systems, or...?
  • 32:10 - 32:12
    Well, it's a great question.
  • 32:12 - 32:18
    And unfortunately, the answer is they don't run very well because they really require a lot of qubits, a lot of gates.
  • 32:18 - 32:25
    So, I need error correction to run anything meaningful.
  • 32:25 - 32:28
    Question from microphone three.
  • 32:28 - 32:29
    Yeah, hello.
  • 32:29 - 32:31
    My question also relates to this.
  • 32:31 - 32:33
    And I want to be a bit more specific.
  • 32:33 - 32:44
    So, it's really hard, as you mentioned, to judge how well things are going and how well are things progressing, apart from all the hype that's been going on.
  • 32:44 - 32:51
    So, one thing that I was asking myself, so how far are we actually with factoring numbers?
  • 32:51 - 33:07
    And despite the progress that we've been seeing in quantum processes in the past years, I believe that except for certain publications that maybe happen once or twice a year where they factored a really long number, but like they've pre-chosen that number to optimize for it.
  • 33:07 - 33:08
    Exactly.
  • 33:08 - 33:09
    Yeah.
  • 33:09 - 33:17
    And I believe the current record still is more or less factoring 15, and that has been since 2012.
  • 33:17 - 33:20
    Why hasn't anything happened since then?
  • 33:20 - 33:24
    I think they may have gotten up to 21 by now.
  • 33:24 - 33:28
    Great question.
  • 33:28 - 33:29
    I don't know.
  • 33:29 - 33:30
    I don't know.
  • 33:30 - 33:33
    I don't know.
  • 33:33 - 33:38
    Well, maybe because also the attention shifted to other topics.
  • 33:38 - 33:39
    Maybe.
  • 33:39 - 33:40
    Yeah.
  • 33:40 - 33:41
    Thank you.
  • 33:41 - 33:44
    I think we have another question from the internet.
  • 33:44 - 33:47
    Yes, thank you.
  • 33:47 - 33:55
    And the question is if you have ever had the chance to look into the cybersecurity application for quantum certified deletion.
  • 33:55 - 33:59
    So quite special, maybe, but maybe you have some experience.
  • 33:59 - 34:02
    Quantum certified deletion.
  • 34:02 - 34:03
    Yes.
  • 34:03 - 34:05
    Never heard of that.
  • 34:05 - 34:07
    Yeah, I just Googled it.
  • 34:07 - 34:09
    It's a paper may.
  • 34:09 - 34:10
    Okay, cool.
  • 34:10 - 34:12
    Microphone three.
  • 34:12 - 34:19
    Hey, so when you talked about quantum machine learning, you made a distinction between predictive model and variational model.
  • 34:19 - 34:28
    I was wondering how do they differ in terms of what happens when you need to measure in intermediate steps or the wave function collapse in general?
  • 34:28 - 34:30
    What is the difference between those?
  • 34:30 - 34:32
    And if there is more than that?
  • 34:32 - 34:35
    Because you named two, but maybe there is more.
  • 34:35 - 34:38
    Yeah, good question.
  • 34:38 - 34:56
    So, as far as I know, you don't measure much during the computation in variational algorithms, but you can measure intermediate things in provable algorithms.
  • 34:56 - 35:01
    There are other models.
  • 35:01 - 35:05
    For example, annealing is one of those.
  • 35:05 - 35:14
    Also, there are two, three papers where they try to do something in between variational and provable.
  • 35:14 - 35:19
    It works by Kerenidis and Prakash, some recent results from them.
  • 35:19 - 35:24
    But no, this is what I know.
  • 35:24 - 35:28
    So, just these two, three things.
  • 35:28 - 35:33
    So, we still have a little bit of time and we have a question yet again from the internet.
  • 35:33 - 35:35
    Yes, internet is on fire today.
  • 35:35 - 35:36
    Okay.
  • 35:36 - 35:44
    So, the question is, is there an equivalent for, in quotes, gigahertz or speed measure for quantum computers?
  • 35:44 - 35:45
    Absolutely.
  • 35:45 - 35:46
    Yeah, yeah, yeah.
  • 35:46 - 35:47
    Absolutely.
  • 35:47 - 35:53
    I think, depending on the hardware, you have different clock speeds.
  • 35:53 - 36:00
    I didn't mention that, but it's really platform dependent.
  • 36:00 - 36:13
    Some architecture are faster than others, but in general, for superconducting, I think the clock speed is in megahertz.
  • 36:13 - 36:25
    So, this is also why we are very slow to get practical quantum advantage, because the clock for quantum computers is much slower than the clock of classical computers.
  • 36:25 - 36:27
    Question from microphone three.
  • 36:27 - 36:37
    I come from a math background, so maybe the question is stupid, but the matrices where you said you need linear time with classical algorithms to process it.
  • 36:37 - 36:44
    How do you get the matrix in sub-linear time into your quantum computer to process it?
  • 36:44 - 36:45
    No, no.
  • 36:45 - 36:46
    So, imagine you...
  • 36:46 - 36:47
    No, no.
  • 36:47 - 36:49
    It's a very good question.
  • 36:49 - 36:52
    You give the matrix classically.
  • 36:52 - 36:57
    And then, in linear time, you can build quantum access to this matrix.
  • 36:57 - 37:03
    And then, the quantum algorithm is polytime or whatever time it is.
  • 37:03 - 37:04
    Okay.
  • 37:04 - 37:05
    Yeah.
  • 37:05 - 37:07
    So, one...
  • 37:07 - 37:09
    I get maybe final question from microphone one.
  • 37:09 - 37:13
    So, this is more of a general question.
  • 37:13 - 37:15
    You said that there's a lot of hype.
  • 37:15 - 37:20
    I mean, there is a lot of hype around quantum computing in general.
  • 37:20 - 37:23
    And I'm curious, what are your opinions on...
  • 37:23 - 37:30
    Not the hype, but what is the most promising application that quantum computing can bring?
  • 37:30 - 37:34
    And if any, or are there some things currently being overhyped?
  • 37:34 - 37:35
    Or what do you think?
  • 37:35 - 37:36
    What's your general opinion?
  • 37:36 - 37:37
    Great question.
  • 37:37 - 37:38
    Okay.
  • 37:38 - 37:51
    So, I mean, for the crypto that we're using nowadays, I'm sure it will eventually work.
  • 37:51 - 37:57
    Maybe quantum finance is slightly overhyped.
  • 37:57 - 38:02
    So, quantum algorithm for pricing derivatives and these kinds of things.
  • 38:02 - 38:05
    Estimating the risks of something.
  • 38:05 - 38:16
    But maybe quantum chemistry is something where we can have advantage in the next years.
  • 38:16 - 38:23
    So, new molecules, new material, estimating ground state of things.
  • 38:23 - 38:24
    Yeah.
  • 38:24 - 38:26
    Maybe that.
  • 38:26 - 38:27
    Okay.
  • 38:27 - 38:28
    Thanks.
  • 38:28 - 38:29
    Thank you.
  • 38:29 - 38:34
    I don't see any further questions, so let us thank Alessandro for this fantastic quantum talk.
  • 38:34 - 38:35
    Thank you.
  • 38:35 - 38:36
    [Transcribed by Pekka P]
  • 38:36 - 38:42
    (KYBS2004 course assignment at JYU.FI)
Title:
https://www.youtube.com/watch?v=PDjAuSAcbY4 The impact of quantum computers in cybersecurity
Description:

The impact of quantum computers in cybersecurity
In in this talk we explore the potential ramifications of quantum computing in the field of cybersecurity We'll delve into two critical aspects: the application of quantum machine learning algorithms for defence and the impact of quantum attacks on cryptography and post-quantum cryptography for offence. We'll present insights on the theoretical advantages of quantum algorithms, improvements in factoring large numbers, and the impacts of post-quantum crypto attacks. While the hype around quantum technologies is growing, the estimates in the resources needed to run a quantum algorithm and the current number of qubits pose caution in the enthusiasm. The limitations in terms of available qubits, error rates, and scalability are critical factors that need to be considered when assessing the real-world applicability of quantum computing.

We will start with a fundamental introduction to quantum computing to ensure that the audience has a solid grasp of this model of computation, but without discussing the technicalities of quantum physics. Taking a "software development" perspective, we introduce the problem of estimating the resources needed to perform a quantum computation. Then, we will shift our focus to the two facets of our investigation: applications for offence and defence.
more » « less
Video Language:
English
Duration:
38:58

English subtitles

Revisions Compare revisions

Our website uses cookies for analysis purposes.