
>The likely outcome of quantum computing is the worst of all worlds: all known practically useful cryptography will be broken, and practically nothing will really benefit.

I agree with you on the technical points, but I think this is a tad pessimistic.

Firstly, by the time we have quantum computing we will probably also have quantum cryptography. Quantum cryptography is secure against quantum computers and is also vastly simpler than existing crypto (no complicated algorithms to mess up). So I expect cryptography to improve.

Secondly, while quantum computers won't be useful for everything, they will have amazing applications. The "simulating quantum systems" thing will be hugely useful for studying chemistry. And Grover's algorithm will provide a significant speedup for a whole host of interesting problems, especially in machine learning.



> Firstly, by the time we have quantum computing we will probably also have quantum cryptography.

I disagree for two reasons.

First, because there is a huge difference between having a single quantum computer and quantum computers in every household.

Second, because we don't need quantum cryptography, we need post-quantum cryptography. Quantum computers break only asymmetric cryptosystems, but despite common belief, quantum cryptography doesn't solve this! Post-quantum cryptography does, and there is already good promise in this field.


>but despite common belief, quantum cryptography doesn't solve this!

? You might not think that quantum cryptography is likely to be practical soon. But it is definitely resistant to quantum computers.


My point was that quantum cryptography doesn't solve anything that classic cryptography doesn't. (And yes there is classic cryptography that isn't broken by quantum computers.) I'll defer to two of the world's leading cryptographers to back me up:

- https://www.schneier.com/essays/archives/2008/10/quantum_cry...

- https://cryptome.org/2012/09/bernstein-qke.htm


> Quantum cryptography is secure against quantum computers and is also vastly more simple than existing crypto (no complicated algorithms to mess up).

Can you explain this statement? I understand that algorithms such as RSA might require particular padding or what have you to be secure in practice, but is quantum-resistant crypto much different?


The phrase "quantum-resistant crypto" usually means classical algorithms (e.g. those involving elliptic curves) that are resistant to quantum computers.

What I'm talking about is "quantum cryptography", in which qubits are actually used in the protocol. Quantum cryptography is also known to be secure against quantum computers (indeed it's secure against arbitrary amounts of computing resources, unless our theories of physics are wrong).

It's also simpler than RSA or elliptic curves, so I hope that (after the kinks are worked out) it will also be less susceptible to bad implementations and side-channel attacks.


Apologies as I misread "quantum" as "quantum-resistant" above. However, I would still contest that quantum key exchange is "simpler". I mean, you need a quantum channel and to accurately exchange qubits without disturbance. Not to mention a small initial secret. It doesn't really work too well with our current infrastructure.


Agree with most of your points. But I suspect building a quantum infrastructure will be easier (and therefore occur earlier) than building quantum computers.

>Not to mention a small initial secret

This is interesting, what are you referring to here?


Doesn't quantum transmission infrastructure require direct connections from A to B? I.e. you could use it for a single uninterrupted fiber cable, or for the channel between your antenna and a satellite, but not with our common fiber infrastructure that relies on repeaters / re-transmitters.

As soon as there's any device between you and the recipient that breaks the entanglement, all the guarantees of quantum encryption go out of the window, and it's possible to attack the comms at that retransmission point.


>Doesn't quantum transmission infrastructure require direct connections from A to B?

No, the retransmitters can preserve the entanglement (and A and B can verify that this has been done).

In fact (providing qubits can be stored) the transmission can be done indirectly and in advance.

The telecom company produces lots of entangled qubits and gives a bunch to each customer, keeping half of each pair for itself. Then when Alice wants to communicate securely with Bob they ask the telecom company to take the corresponding qubits and perform a joint measurement. This entangles Alice's qubits with Bob's (like making a connection at a telephone exchange). Then Alice and Bob can measure their qubits (in various bases) to create a one-time pad.

The clever thing is that Alice and Bob can (by checking that on a portion of the qubits their results always matched when they used the same basis) verify that they did indeed have maximally entangled qubits and therefore no one was listening-in.
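
The check described in the comment above, as an added example that is not part of the thread: a pure-Python toy simulation of entanglement-based key agreement with the "compare a sample of same-basis results" eavesdropping test. It assumes the Bell pair has already been delivered to Alice and Bob (the telecom company's joint measurement / entanglement swapping step is not modelled) and that the only attacker is an intercept-resend eavesdropper on Alice's qubit. The names (bell_pair, measure, run_protocol) and the 0.11 error threshold are choices made for this example, not anything from the thread.

```python
import math
import random

# Added example (not from the HN thread): toy simulation of the
# entanglement-based key agreement described in the comment above.
# A two-qubit state is a list of 4 real amplitudes, index = 2*a + b,
# where a is Alice's qubit and b is Bob's.

ALICE, BOB = 0, 1
_S = 1 / math.sqrt(2)


def bell_pair():
    """Maximally entangled pair (|00> + |11>)/sqrt(2)."""
    return [_S, 0.0, 0.0, _S]


def _bit(idx, qubit):
    """Value of `qubit` in the computational-basis index `idx`."""
    return (idx >> (1 - qubit)) & 1


def _hadamard(state, qubit):
    """Apply H to one qubit; rotates the X basis onto the Z basis and back."""
    out = [0.0] * 4
    for idx, amp in enumerate(state):
        if amp == 0.0:
            continue
        bit = _bit(idx, qubit)
        for new_bit in (0, 1):
            sign = -1.0 if (bit == 1 and new_bit == 1) else 1.0
            new_idx = idx ^ ((bit ^ new_bit) << (1 - qubit))
            out[new_idx] += sign * _S * amp
    return out


def measure(state, qubit, basis, rng):
    """Projective measurement of `qubit` in basis 'Z' or 'X'.
    Returns (outcome, post-measurement state). The collapse of the
    state is exactly what lets Alice and Bob notice an interception."""
    if basis == "X":
        state = _hadamard(state, qubit)
    p1 = sum(amp * amp for idx, amp in enumerate(state) if _bit(idx, qubit))
    outcome = 1 if rng.random() < p1 else 0
    norm = math.sqrt(p1 if outcome else 1.0 - p1)
    state = [amp / norm if _bit(idx, qubit) == outcome else 0.0
             for idx, amp in enumerate(state)]
    if basis == "X":
        state = _hadamard(state, qubit)
    return outcome, state


def run_protocol(n_pairs, eavesdrop, seed=0, max_error_rate=0.11):
    """Distribute n_pairs Bell pairs, optionally with an intercept-resend
    eavesdropper on Alice's qubit, then sift, sample and compare.
    max_error_rate=0.11 is an assumed abort threshold for this example."""
    rng = random.Random(seed)
    alice_bits, bob_bits = [], []
    for _ in range(n_pairs):
        state = bell_pair()
        if eavesdrop:
            # Eve measures Alice's qubit in a random basis; the collapsed
            # qubit is what she forwards on to Alice.
            _, state = measure(state, ALICE, rng.choice("ZX"), rng)
        a_basis, b_basis = rng.choice("ZX"), rng.choice("ZX")
        a_bit, state = measure(state, ALICE, a_basis, rng)
        b_bit, state = measure(state, BOB, b_basis, rng)
        if a_basis == b_basis:  # bases are announced publicly; keep matching rounds
            alice_bits.append(a_bit)
            bob_bits.append(b_bit)
    # Sacrifice every other sifted bit: compare them publicly to estimate errors.
    sample = [(a, b) for i, (a, b) in enumerate(zip(alice_bits, bob_bits)) if i % 2 == 0]
    mismatches = sum(1 for a, b in sample if a != b)
    error_rate = mismatches / len(sample) if sample else 1.0
    key = None
    if error_rate <= max_error_rate:
        # The unrevealed half becomes the shared one-time pad.
        key = [a for i, a in enumerate(alice_bits) if i % 2 == 1]
    return {"sifted": len(alice_bits), "error_rate": error_rate, "key": key}


if __name__ == "__main__":
    for eve in (False, True):
        r = run_protocol(2000, eavesdrop=eve, seed=1)
        print("eavesdrop=%s sifted=%d error_rate=%.3f key=%s"
              % (eve, r["sifted"], r["error_rate"],
                 "none (abort)" if r["key"] is None else "%d bits" % len(r["key"])))
```

With no eavesdropper the sampled error rate is exactly zero, because same-basis measurements on a maximally entangled pair always agree. An intercept-resend Eve guesses the basis wrong half the time, which randomises Bob's result in half of the sifted rounds, so the sample shows roughly a 25% error rate and the key is discarded. Real QKD systems see a small nonzero rate from channel noise and rely on error correction and privacy amplification rather than demanding exactly zero, and the public basis announcements and sample comparison have to be authenticated classically, which is where the "small initial secret" mentioned earlier in the thread comes in.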


Encryption has become pervasive in modern communication, yet it is clear that we still need more to properly protect the things we are doing. Does the quantum infrastructure that you are proposing not imply an almost complete replacement of the current global communications network with quantum channels, or at least to shadow it with a co-extensive one for key distribution? Is that close to being feasible for mobile and other radio-connected devices?


It's completely different. The underlying mechanism is the fact that observing the state on one member of an entangled pair changes the state of the other member.


More specifically, the important fact is that it's impossible for three particles to be (maximally) entangled simultaneously. So you can verify that no one eavesdropped when you agreed your one-time pad.


Have you seen this recent result http://news.mit.edu/2018/physicists-create-new-form-light-02....

Does it change your thoughts on the utility of quantum cryptography?


They get three photons to be entangled, but not "maximally entangled" in the (impossible) way that would be needed for someone to listen to a communication without being detected.

