When a Quantum Computer Is Able to Break Our Encryption, It Won’t Be a Secret

On Oct. 23, 2019, Google published a groundbreaking scientific research article announcing one of the “holy grails” of quantum computing research: For the first time ever, a quantum computer had solved a mathematical problem faster than the world’s fastest supercomputer. In order to maximize impact, the Google team had kept the article tightly under wraps in the lead-up to publication—unusually, they had not posted a preprint to the arXiv preprint server.

The article sank with barely a ripple in the expert academic community.

That wasn’t because anyone disputed the significance of the Google team’s milestone. Many experts still consider Google’s demonstration to be the most important milestone in the history of quantum computing, comparable to the Wright brothers’ first flight in 1903. But most experts in the field had already read the article. A month earlier, a NASA employee who was involved with the research had accidentally posted a draft of the article on NASA’s public web site. It was online for only a few hours before being taken back down, but that was long enough. Schrödinger’s cat was out of the bag. 

This anecdote illustrates a fact with important policy implications: It is very difficult to keep groundbreaking progress in quantum computing secret.

One of the most important quantum computing algorithms, known as Shor’s algorithm, would allow a large-scale quantum computer to quickly break essentially all of the encryption systems that are currently used to secure internet traffic against interception. Today’s quantum computers are nowhere near large enough to execute Shor’s algorithm in a practical setting, and the expert consensus is that these cryptanalytically relevant quantum computers (CRQCs) will not be developed until at least the 2030s.

Although the threat is not yet imminent, the consequences of a hostile actor’s execution of Shor’s algorithm could be incredibly dire. Encryption is at the very bedrock of most cybersecurity measures. A hostile actor who could read encrypted information transmitted over the internet would gain access to an immeasurable amount of critically sensitive information—from personal information such as medical or criminal records, to financial information such as bank account and credit card numbers, to cutting-edge commercial research and development, to classified national security information. The U.S. National Security Agency has said that “the impact of adversarial use of a quantum computer could be devastating to [National Security Systems] and our nation.”

Fortunately, preemptive countermeasures are already being put into place. The U.S. National Institute of Standards and Technology (NIST) is standardizing new post-quantum cryptography (PQC) protocols that are expected to resist attacks from both standard and quantum computers. Upgrading communications systems to use post-quantum cryptography will be a long, complicated, and expensive process that will extend over many years. The U.S. government has already begun the process: In May 2022, President Biden issued National Security Memorandum 10, which gives directives to all U.S. government agencies regarding the U.S. government’s transition to post-quantum cryptography. Recognizing the long timelines that this transition will require, the memorandum sets “the goal of mitigating as much of the quantum risk as is feasible by 2035.”

Several experts have stated that one of the most important factors that will determine the severity of the threat posed by a CRQC is whether or not the public knows of the CRQC’s existence. As soon as the existence of the CRQC becomes public knowledge—or is even considered plausible—and the threat becomes concrete, most vulnerable organizations will immediately move to upgrade all their communications systems to post-quantum cryptography. This forced transition may well be very expensive, chaotic, and disruptive, but it will fairly quickly neutralize most attack vectors (with one important exception mentioned below). The true nightmare scenario would be if a hostile actor (such as a criminal or terrorist organization or a hostile foreign government) covertly operated a CRQC over a long time period before PQC becomes universal, allowing the actor to collect a huge amount of sensitive information undetected.

Fortunately, it is extremely unlikely that any organization will develop a CRQC in secret, for at least four interrelated reasons.

First, anyone trying to develop a high-performance quantum computer will face stiff competition from commercial industry. Quantum computers have the potential to enable many commercial applications that have nothing to do with decryption, such as drug design, materials science, and numerical optimization. While there is huge uncertainty in the pace of technology development and the timelines for useful applications, some people have predicted that quantum computers could deliver over a trillion dollars in economic value over the next decade. Many private companies are racing to produce state-of-the-art quantum computers in order to profit from these applications, and there is currently no clear technical industry leader. Moreover, these companies are collectively extremely well funded: U.S. quantum computing startups alone have raised over $1.2 billion in venture capital, and that total does not include other major players such as national laboratories, large self-funding companies, or non-U.S. companies.

In the near term, these companies face some incentives to publicize their technical capabilities and other incentives to keep them proprietary. But in the long run, companies need to advertise their capabilities at a reasonable level of technical detail in order to attract customers. The closer the state of the art in commercial industry comes to the technical performance required to execute Shor’s algorithm, the clearer the threat will become to potential targets, and the more urgently they will prioritize upgrading to PQC. 

Any organization attempting to secretly develop a CRQC would therefore need enormous financial resources in order to compete with the well-funded and competitive commercial industry, and it would need to stay far ahead of that industry in order to keep the element of surprise.

The second reason that a CRQC is unlikely to be developed in secret is that a relatively small number of people are at the cutting edge of quantum computing development in industry or academia, and they are well known within the expert community. Any organization attempting to secretly develop a CRQC would need to acquire world-class talent—and if many of the greatest technical experts suddenly left their organizations or stopped publishing in the technical literature, then that fact would immediately be fairly evident, just as it was during the Manhattan Project. (However, this point may become less relevant in the future as the commercial industry matures. As the pool of expert talent grows and more information becomes business proprietary, public information about the top technical talent may decrease.)

Third, a CRQC might be physically difficult to hide. It’s extremely difficult to estimate the physical resources that will be required to operate a CRQC, but my recent research suggests that a CRQC might plausibly draw 125 megawatts of electrical power, which is a significant fraction of the total power produced by a typical coal-fired power plant. A device that requires its own dedicated power plant would leave considerable evidence of its existence. Certain very capable organizations (such as national governments) might be able to conceal such a project, but doing so would not be easy and could well be impossible for smaller organizations.

The fourth reason has to do with the relative resources required for various quantum computing applications. As with most technical questions regarding the future of quantum computers, there is a huge amount of uncertainty here. But there is fairly strong theoretical evidence that many commercial applications of quantum computers will be significantly technically easier to implement than Shor’s algorithm. There is already very active research into the question of whether even today’s crude quantum computers, known as noisy intermediate-scale quantum computers, might be able to deliver practical applications in the near future, although we don’t yet know for sure.

In a more conservative technical scenario, all useful quantum applications might require a technically challenging hardware stabilization process known as quantum error correction, which has very high hardware requirements. But even in this scenario, there is evidence that some commercial applications of quantum computers (like the scientific modeling of chemical catalysis) will require lower hardware resources than Shor’s algorithm does. For example, one recent analysis estimated that computationally modeling a chemical catalyst used for direct air carbon capture would require only 20 percent as many qubits as executing Shor’s algorithm would. (A qubit is the basic building block of a quantum computer and one of the simplest ways to quantify its hardware performance.)

These analyses imply that commercial applications of quantum computing will very likely become technically feasible before decryption does. Unless an organization attempting to develop a CRQC is far more technically advanced than the commercial sector—which is unlikely, given the potentially huge economic value mentioned above—commercial companies will probably beat the organization to applications, and they will announce their success. Even in the unlikely event that an organization does manage to develop a CRQC before the commercial industry develops a commercially useful quantum computer, that organization will face an enormously high opportunity cost of not using its CRQC for commercial applications that could deliver billions of dollars of value. Even if the organization were government sponsored, its government sponsor would face an enormous economic incentive to use its quantum computer for commercial applications rather than for intelligence collection.

What this means for policymakers is that the ultimate worst-case scenario, in which a hostile actor secretly deploys a CRQC for many years against totally unsuspecting victims, is highly unlikely. This does not in any way lessen the importance of quickly upgrading all critical communications systems to post-quantum cryptography, however, since doing so defends against harvest-now-decrypt-later attacks, in which a CRQC is deployed retroactively against saved encrypted data that was intercepted previously.

Operators of communications systems that transmit highly sensitive information should already be preparing to upgrade those systems’ cryptography to PQC, and they should perhaps develop contingency plans for even further accelerating that adoption if signs arise that CRQCs are approaching unexpectedly quickly. But policymakers should also understand that the commercial applications of quantum computers will probably emerge well before intelligence-collection applications do. This conclusion may carry implications regarding appropriate national-security-related policies such as export controls and outbound investment restrictions, as well as the broader balance of risks and benefits around quantum computers. 

Finally, policymakers and cybersecurity analysts should avoid messaging that emphasizes the risk that CRQCs developed in secret could be imminent or already operational (unless, of course, they have additional information that runs counter to the points raised above). There is already more than enough reason to upgrade our communications systems to resist attacks from quantum computers as soon as possible. Even if completely unexpected attacks from a black-swan quantum computer are unlikely, attacks from known or suspected quantum computers would already be plenty bad enough.