How Quantum Computers Break The Internet... Starting Now

00:00

- Right now some nation states

00:02

and individual actors are intercepting and storing lots

00:06

of encrypted data like passwords, bank details,

00:09

and social security numbers.

00:11

But they can't open these files.

00:13

So why are they doing it?

00:15

Well, because they believe that within

00:16

the next 10 to 20 years,

00:18

they will have access to a quantum computer

00:20

that can break the encryption in minutes.

00:23

This procedure is known

00:25

as Store Now, Decrypt Later or SNDL.

00:29

And it works because there is information around today

00:32

that will still be valuable in a decade.

00:34

Things like industrial and pharmaceutical research

00:37

and top secret government intelligence,

00:39

and everyone is aware of this threat.

00:42

The National Security Administration

00:44

says that a sufficiently large quantum computer,

00:46

if built would be capable of undermining

00:49

all widely deployed public key algorithms.

00:52

- You know in a five to 10 year timeframe,

00:54

quantum computing will break encryption as we know it today.

00:58

- Even though sufficiently powerful quantum computers

01:00

are still years away,

01:02

they're already a threat because of Store Now Decrypt Later,

01:05

which is why the US Congress just passed legislation

01:08

mandating all agencies start transitioning

01:11

right now to new methods of cryptography

01:13

that can't be broken by quantum computers.

01:17

You know, our current encryption schemes

01:19

have been remarkably successful

01:20

working effectively for over 40 years.

01:23

Up until the 1970s, if you wanted to exchange

01:27

private information with someone,

01:28

you would first have to meet up in person

01:31

and share a secret key.

01:33

This same key would be used to encrypt and decrypt messages.

01:37

So it's known as a symmetric key algorithm.

01:41

As long as no one else gets their hands on the key,

01:43

your messages are safe.

01:46

But now what if you wanna send information

01:48

to someone you've never met,

01:49

and it's too hard to arrange an in-person meeting.

01:53

You can't share a key over an unsecured channel

01:56

like a phone line or the mail,

01:58

because it could be intercepted.

02:00

And this is what in 1977, led three scientists,

02:04

Riverst, Shamir, and Adelman

02:06

to come up with an encryption breakthrough.

02:09

Today it's known by their initials RSA,

02:12

and it works something like this.

02:14

Every person has two really big prime numbers,

02:17

all their own which they keep secret.

02:20

They multiply these numbers together

02:22

to get an even bigger number,

02:24

which they make public for everyone to see.

02:27

Now, if I wanna send someone a private message,

02:30

I use their big public number to garble my message.

02:34

And I garble it in such a way that it is impossible

02:37

to ungarble without knowing the two prime factors

02:41

that made that number.

02:42

This is an asymmetric key system,

02:44

since different keys are used to encrypt

02:47

and decrypt the message.

02:49

So it's easy for my intended recipient to decode,

02:53

but impossible for everyone else,

02:55

unless they can factor that large public number.

02:59

Now, someone could try to factor it, using a supercomputer,

03:02

in the best known factoring algorithm

03:04

the General Number Field Sieve, but modern cryptography

03:07

uses prime numbers that are around 313 digits long.

03:11

Factoring a product of two primes this big,

03:13

even with a supercomputer,

03:15

would take around 16 million years,

03:17

but not on a quantum computer.

03:21

See, in normal computers, a bit can only

03:23

be in one state at a time, either a zero or a one.

03:27

So if you had two bits, they could be

03:29

in one of four possible states, 00, 01, 10 or 11.

03:36

Let's say each of these states represents a number,

03:38

0, 1, 2, or 3.

03:41

If we want to do a calculation, for example, raising seven

03:44

to the power of one of these numbers,

03:45

we can only do it for one state at a time,

03:48

in this case seven squared

03:50

and so we get the answer 49.

03:53

Quantum computers consist of qubits

03:55

which also have two states, zero or one.

03:58

But unlike a classical bit, a qubit,

04:01

doesn't have to be in just one state at a time.

04:04

It can be in an arbitrary combination of those states,

04:07

a superposition if you will, of zero and one.

04:10

So if you have two qubits, they can exist simultaneously

04:14

in a superposition of 0, 1, 2, and 3.

04:20

Now, when we repeat the same calculation,

04:22

it will actually perform the calculation

04:24

for all of those numbers at the same time.

04:27

And what we're left

04:28

with is a super position of the different answers.

04:31

1, 7, 49 and 343.

04:35

If we add another qubit,

04:37

we double the number of possible states.

04:39

So with three qubits, we can represent eight states,

04:42

and thus perform eight calculations all at once.

04:46

Increase that number to just 20 qubits,

04:48

and you can already represent

04:50

over a million different states,

04:52

meaning you can simultaneously compute

04:54

over a million different answers.

04:57

With 300 qubits, you can represent more states

05:00

than there are particles in the observable universe.

05:04

This sounds incredibly powerful and it is,

05:07

but there is one very big catch.

05:11

All of the answers to the computation are embedded

05:13

in a superposition of states,

05:15

but you can't simply read out this superposition.

05:19

When you make a measurement, you only get a single value

05:21

from the superposition basically at random,

05:24

and all the other information is lost.

05:27

So in order to harness the power of a quantum computer,

05:30

you need a smart way to convert a superposition of states

05:33

into one that contains only the information you want.

05:37

This is an incredibly difficult task,

05:40

which is why for most applications,

05:41

quantum computers are useless.

05:43

So far, we've only identified a few problems,

05:46

where we can actually do this, but as luck would have it,

05:49

these are precisely the problems that form the foundation

05:52

of nearly all the public key cryptography we use today.

05:56

In 1994, Peter Shor and Don Coppersmith figured out

06:00

how to take a quantum Fourier transform.

06:03

It works just like a normal Fourier transform,

06:05

apply it to some periodic signal,

06:07

and it returns the frequencies that are in that signal.

06:10

Now this may not seem particularly interesting

06:12

but consider this.

06:14

If we have a superposition of states that is periodic,

06:17

that is the terms in the superposition are separated,

06:20

by some regular amount,

06:22

well we can apply the quantum Fourier transform

06:24

and will be left with states

06:25

that contain the frequency of the signal.

06:28

So this we can measure.

06:30

The quantum Fourier transform,

06:32

allows us to extract frequency information

06:34

from a periodic superposition,

06:37

and that is gonna come in handy.

06:41

So how does a quantum computer factor the product

06:43

of two primes much faster than a conventional computer?

06:47

I want to explain this by first walking

06:48

through a simple example with no quantum computer required,

06:52

and then I'll show how a quantum computer

06:54

could execute this method

06:56

even for a very large number in a short period of time.

07:00

So let's say we have a number N,

07:02

which is the product of two primes, p and q.

07:06

For the sake of this example, let's set N equal to 77.

07:10

Now I bet you can guess the prime factors,

07:12

but let's pretend for the moment that we don't know them,

07:15

because with a product of really big primes, we wouldn't.

07:19

Now I want to use a fact about numbers

07:21

that feels like magic.

07:23

Pick a number g that doesn't share any factors with N.

07:27

If you multiply g by itself over and over and over,

07:32

you will always eventually, reach a multiple of N plus one.

07:38

In other words, you can always find some exponent r,

07:41

such that g to the power of r, is a multiple of N plus one.

07:46

Let's see how this works.

07:48

Pick any number that is smaller than 77.

07:50

I'll pick the number eight.

07:51

This number doesn't share factors with 77.

07:54

And if you were doing this with big primes,

07:56

it would also be extremely unlikely

07:58

that you just happen to pick a number

07:59

that shares factors with N.

08:02

Now multiply eight by itself once, twice, three times

08:06

four times, and so on, raising eight to ever higher powers

08:10

and then divide each of these numbers by 77.

08:14

We're not really interested in how many times

08:16

77 goes into the number, just the remainder,

08:19

what's left over, because at some point,

08:22

77 should divide one of these numbers

08:24

with a remainder of exactly one.

08:27

So eight divided by 77 is zero with a remainder of 8,

08:30

64 divided by 77 is zero remainder 64.

08:34

512 divided by 77 is six remainder 50.

08:38

And as we keep going, we get remainders

08:40

of 15, 43, 36, 57, 71, 29, and finally one.

08:49

So there we have it, eight to the power of 10

08:53

is one more than a multiple of 77.

08:56

So we've found the exponent R that satisfies this equation.

09:00

But how does this help find the factors of N?

09:03

Well, we rearrange the equation

09:05

to bring one over to the left hand side,

09:08

and then we can split it into two terms like so.

09:11

And now as long as r is even, we have one integer

09:15

times another integer is equal to a multiple of N.

09:20

This looks remarkably similar to p times q equals N.

09:25

I mean since we know that p and q

09:27

are on the right hand side of this equation,

09:28

they must also be on the left hand side

09:31

just multiplied by some additional factors.

09:35

So one way to think

09:36

about what we've done is

09:37

we've taken a bad guess for one of the factors G,

09:40

and by finding the exponent r,

09:43

we've turned it into two much better guesses

09:46

that probably do share factors with N.

09:50

Since r was 10, the two terms

09:52

on the left hand side are eight

09:54

to the power of five plus one, 32,769

09:58

and eight to the power of five minus one, 32,767.

10:04

These two numbers probably share factors with N.

10:07

So how do we find them?

10:09

We use Euclid's algorithm.

10:13

If you wanna find the greatest common divisor

10:15

of two numbers, say 32,769 and 77,

10:20

divide the bigger number by the smaller one

10:22

and record the remainder.

10:24

In this case, 32,769 divided by 77 gives a remainder of 44.

10:30

Then shift the numbers one position left and repeat.

10:34

So now we divide 77 by 44 and we get a remainder of 33.

10:40

Repeat the process again.

10:41

44 divided by 33 gives a remainder of 11

10:45

and again 33 divided by 11 equals three remainder zero.

10:49

When the remainder is zero,

10:51

the divisor is the greatest common factor

10:54

between the two numbers you started with.

10:56

In this case, it's 11,

10:58

which is indeed a factor of 77 and 32,769.

11:03

You could do the same procedure

11:05

with the other number or just divide 77 by 11 to get seven,

11:09

its other prime factor.

11:11

So to recap, if you wanna find the prime factors p and q

11:15

of a number N, first, make a bad guess, g,

11:19

second, find out how many times r you have to multiply g

11:23

by itself to reach one more than a multiple of N.

11:26

Third, use that exponent to calculate

11:28

two new numbers that probably do share factors with N.

11:32

And finally use Euclid's algorithm

11:34

to find the shared factors between those numbers and N,

11:38

which should give you p and q.

11:41

Now, you don't need a quantum computer

11:42

to run any of these steps, but on a classical computer,

11:46

this method wouldn't be any faster than other methods.

11:49

The key process that a quantum computer speeds up

11:51

is step two, finding the exponent you raise G2

11:55

to equal one more than a multiple of N.

11:58

To see why, let's go back to our example,

12:01

where eight to the power of 10 is

12:03

one more than a multiple of 77.

12:05

Watch what happens to the remainders

12:08

if we keep going past eight to the power of 10,

12:10

to 8 to the 11, eight to the 12, and so on.

12:14

Well, we get remainders of 8, 64, 50, 15, 43, 36,

12:21

57, 71, 29, and again one.

12:27

The remainders cycle and they will just keep cycling.

12:32

Notice how the exponent that yields a remainder

12:35

of one is 20, which is 10 more than the first exponent

12:38

that yielded a remainder of one.

12:40

So we know that eight to the 30

12:42

and eight to the 40, 8 raised to any power divisible

12:45

by 10 will also be one more than a multiple of 77.

12:49

It's also worth noting that if you pick any remainder

12:53

say 15, the next time you find that same remainder,

12:56

the exponent will have increased by 10.

13:00

So you can find the exponent R that gets us

13:02

to one more than a multiple of n,

13:04

by looking at the spacing of any remainder, not just one.

13:09

Remember that.

13:11

Here I'm plotting out the remainders on a log scale

13:14

so you can see they are periodic with a period of 10.

13:17

If I had made a different guess,

13:19

say I had picked G equals 15 instead of eight,

13:22

well then the period would be different

13:23

and the remainders would be different

13:26

but there would always be a remainder of one.

13:30

Why is this?

13:31

Well, now that you can see this is a repeating pattern,

13:35

we can go back to the beginning

13:36

and any number raised to the power of zero is one.

13:42

So that is actually the first remainder.

13:44

So it must also appear when the cycle starts again.

13:49

Now we are ready to use a quantum computer

13:51

to factor any large product of two primes.

13:54

First we split up the qubits into two sets.

13:57

The first set we prepare in a superposition of zero

14:00

and one and two and three

14:03

and four and five and six and seven and eight and nine,

14:05

all the way up to 10 to the power of 1,234.

14:10

Yeah, this is a huge superposition,

14:14

but if we had perfect qubits,

14:16

it would require only around 4,100.

14:19

The other set contains a similar number of qubits

14:22

all left in the zero state for now.

14:25

Now we make our guess G,

14:28

which most likely doesn't share factors with N.

14:31

We raise G to the power of the first set of qubits

14:35

and then we divide by N

14:36

and store the remainder in the second set of qubits

14:40

leaving the first set of qubits as it was.

14:43

Now we have a superposition of all the numbers

14:46

we started with and the remainder of raising G

14:49

to the power of those numbers divided by N.

14:52

And through this operation,

14:54

we have entangled our two sets of qubits,

14:58

but we can't just measure this superposition.

15:01

If we did, we would get a random value and learn nothing.

15:04

But there is a trick we can use.

15:06

If we don't measure the entire superposition,

15:09

but only the remainder part,

15:11

we will obtain some random remainder.

15:14

But this remainder won't occur just once.

15:17

It will occur multiple times

15:19

every time it comes up in the cycle.

15:22

Imagine we were doing this with the example

15:24

from before with N equals 77 and G equals eight.

15:27

If the remainder we measured was say 15,

15:31

then there would be multiple terms in our superposition.

15:34

Because there are multiple exponents

15:36

you can raise G2 that give this same remainder,

15:39

exponents 4, 14, 24, 34, and so on.

15:44

They are each separated by 10,

15:46

and that value is the exponent that satisfies our equation.

15:52

So more generally after measuring the remainder,

15:55

we will be left with a superposition of states

15:57

that all share the same remainder

15:59

and the exponents will all be separated

16:01

by the same amount r.

16:03

This is the number we are looking for.

16:06

Since the remainder is now the same for all states,

16:09

we can put it to the side

16:11

and we now have a superposition that is periodic.

16:14

Each term is separated from its neighbors by an amount R.

16:18

If we now apply the quantum Fourier transform

16:20

to this superposition of states

16:22

and I'm simplifying a little here,

16:24

we will be left with states containing one over R.

16:28

So all that's left to do now

16:29

is perform a measurement and find R by inverting it,

16:33

and that's it for the quantum part.

16:36

Now, as long as r turns out to be even

16:38

we can use r to turn our bad guess g

16:40

into two numbers that likely share factors with N.

16:44

And as long as these terms themselves

16:45

are not a multiple of N,

16:47

we can use Euclid's algorithm to find the factors of N

16:49

and break the encryption.

16:51

This would only take several thousand perfect qubits,

16:55

but the qubits we have today are imperfect,

16:58

so we need additional qubits

16:59

to act as redundant information.

17:02

In 2012, it was estimated

17:04

that it would take a billion physical qubits

17:06

to break RSA encryption,

17:08

but by five years later that number

17:10

had dropped to 230 million.

17:12

And in 2019, after more technological breakthroughs,

17:15

that estimate plummeted to just 20 million physical qubits.

17:20

So how many qubits do we have today?

17:23

Well, if we look at the state of IBM's quantum computers,

17:26

we are nowhere near that number of qubits,

17:29

but progress looks to be exponential.

17:32

So now it's just a question

17:34

of when these two curves will collide

17:36

before all our existing public key encryption can be broken.

17:42

Because we've long known this threat is coming,

17:45

scientists have been looking for new ways to encrypt data,

17:47

which can withstand attacks

17:49

from both normal and quantum computers.

17:51

In 2016, the National Institute of Standards and Technology

17:54

or NIST, launched a competition

17:56

to find new encryption algorithms

17:58

that aren't vulnerable to quantum computers.

18:00

Cryptographers from all over the world

18:02

submitted 82 different proposals,

18:04

which were rigorously tested, some were broken.

18:07

And then on July 5th, 2022,

18:09

NIST selected four of the algorithms to be part

18:12

of their post-quantum cryptographic standard.

18:15

So how do they work?

18:17

Well, three of the algorithms are based

18:19

on the mathematics of latices.

18:21

So let's do a simple example in the 2D plane.

18:24

Take two vectors, r1 and r2, by adding together

18:29

different integer combinations

18:30

of these vectors, say three times r1 and one times r2,

18:34

you can get two different points

18:36

and all the points you can get

18:38

to by combining these two vectors

18:39

in different ways is what is called a lattice.

18:42

Now I will also give you the point C,

18:45

and your task is to tell me which combination of r1 and r2

18:49

will bring me to the lattice point closest to c.

18:53

It's pretty easy to see that we can get there

18:55

by going in the direction of r2 twice

18:57

and in the negative direction of r1 twice.

19:00

Simple enough.

19:01

But those vectors, r1 and r2 are not

19:04

the only vectors that can give you this lattice.

19:07

Take b1 and b2 for example.

19:10

These vectors also build up the same lattice.

19:13

And now if I ask you the same question again,

19:15

can you tell me the combination of b1 and b2

19:18

that gets you to the lattice point closest to c?

19:21

This has become a lot harder, but why is that?

19:25

Each time we're taking a step, we're trying to get closer

19:28

in either the X or Y direction, but with the b vectors,

19:32

each time we take a step in the right direction

19:34

with one vector, it puts us off in the other direction.

19:38

And that's why these vectors are a lot harder to work with.

19:41

In the end, it takes us a combination

19:43

of eight times b1 and negative six times b2

19:47

to get to the closest lattice point.

19:49

That is a lot harder than before,

19:52

but it's still a relatively easy problem to solve.

19:55

But if we extend it to three dimensions,

19:57

this already becomes a lot harder,

19:59

especially because you're not given the collection

20:02

of all lattice points.

20:03

You're only given the vectors that make it up.

20:05

So when you find a lattice point close to the target,

20:08

you must still find all the other lattice points near it

20:10

to make sure yours is indeed the closest.

20:14

Let's take a circle of radius r in two dimensions.

20:16

The number of lattice points inside the circle

20:19

is proportional to r squared.

20:21

Add a third dimension and the number of points

20:23

in the sphere is proportional to r cubed.

20:26

So just watch how the number of lattice points grows

20:29

as we increase the number of dimensions.

20:34

Solving the closest vector problem

20:35

is a piece of cake for your computer in three dimensions.

20:38

Even a hundred dimensions should be manageable.

20:41

But in proposed future encryption schemes,

20:44

we'll use around a thousand dimensions.

20:47

Take one step in the right direction

20:48

on one of those dimensions, and you could potentially

20:51

be taking a wrong step in the other 999 dimensions.

20:56

You win some, you lose everything else.

21:00

With that many dimensions,

21:01

it becomes extremely hard to find the closest point

21:04

even for the most powerful computers,

21:06

that is unless you know a good set of vectors.

21:10

So how do we use that to encrypt data?

21:13

Well, let's go back to our two-dimensional example.

21:16

Each person has a good set of vectors

21:18

that describes a lattice,

21:19

but they keep these vectors secret,

21:22

and they only share their lattice publicly

21:24

using a set of vectors that is hard to work with.

21:27

Now, if I want to send someone a message,

21:29

I pick a point on their lattice, for example,

21:32

say this point corresponds to the number seven.

21:35

So if I wanna send the number seven, I can take that point

21:39

but then add some random noise to it.

21:42

So the message I send is not precisely

21:44

at that point but close to it.

21:47

Now, to decode the message, my recipient must figure out

21:50

which lattice point is closest to the message point.

21:53

In a thousand dimensions,

21:55

this will be extremely hard to do

21:57

unless you have the nice set of vectors,

22:00

which my recipient does.

22:02

So it's easy for the recipient,

22:04

who has the good vectors, but hard for everyone else.

22:07

And as far as we know, this problem is extremely

22:11

difficult to solve for both normal and quantum computers.

22:15

Behind the scenes, there's an army of researchers,

22:18

mathematicians, and cryptographers,

22:20

we're gonna make sure your secret data stays secret.

22:23

These are some of the unsung heroes

22:25

that will keep us safe moving forward,

22:27

avoiding mass surveillance by governments

22:29

keeping critical infrastructure protected

22:31

and allowing you to live as if quantum computers

22:34

were never invented in the first place.

22:37

(digital buzzing)

22:43

Something that fascinates me is being able

22:45

to see where the world is headed.

22:47

And right now it's clear that quantum computers

22:49

and AI chatbots are going to play bigger and bigger roles

22:53

in our lives in the coming decades.

22:54

Even if we don't know exactly how they'll be implemented,

22:58

I think it's important to learn how they work right now

23:01

and you can do that with this video's sponsor, Brilliant.

23:04

Brilliant has an incredible course

23:06

on quantum algorithms.

23:08

This one was co-developed with Microsoft and Alphabet X.

23:11

I love that you can simulate quantum gates and write

23:14

and execute real quantum algorithms right in the lesson.

23:17

No need to set up your own development environment.

23:20

And if you want to dive deeper into cryptography,

23:22

making and breaking codes is really a matter of statistics.

23:26

Strong statistical reasoning skills

23:28

help us find patterns in data

23:29

and make sense of them,

23:30

which is crucial to mastering

23:32

just about any topic in math

23:34

and computer Science.

23:35

Brilliant's course on data analysis

23:37

will help you ramp up fast.

23:39

It uses everyday situations,

23:40

like business models to illustrate key concepts

23:43

in statistics and it's interactive,

23:45

so you can get hands on with data visualizations

23:48

and develop a real intuition for interpreting them.

23:52

You know the thing that sets Brilliant apart

23:54

is they know how to break fundamentals down

23:56

into their core building blocks,

23:57

whether you're learning math, computer science

23:59

or data analysis, Brilliant's

24:01

thousands of bite-sized interactive lessons

24:03

help you master key concepts

24:05

and build to more advanced topics.

24:07

You can try everything Brilliant has to offer

24:09

for free for a full 30 days.

24:11

Just go to brilliant.org/veritasium.

24:14

I will put that link down in the description.

24:16

And for viewers of this video, Brilliant is offering

24:19

20% off their annual premium subscription

24:21

to the first 200 people to sign up.

24:23

So I wanna thank Brilliant for sponsoring this video,

24:26

and I want to thank you for watching.