11

I wonder how the world will come to know that scalable, fully fault-tolerant quantum computers capable of running Shor's algorithm have arrived. The day when this happens has been referred to as "Q-Day".

If this information gets out, especially if Q-Day arrives well before the world converts to post-quantum crypto, then the implications for security and commerce will likely be enormous. Maybe honest actors will work to schedule the announcements by slowly releasing RSA challenge factors, over the course of a year or so, to give the world a heads-up that RSA's writing is on the wall. Or, there could be dishonest actors acting maliciously to attack and siphon off dormant bitcoin wallets, for example.

How will the world learn that scalable, fully fault-tolerant quantum computers capable of running Shor's algorithm on cryptographically relevant keys have arrived?

Will it be with a bang or with a whimper? Has this been gamed out in any literature?

Mark S
  • 288
  • 2
  • 10

4 Answers

20

How will the world learn that scalable, fully fault-tolerant quantum computers capable of running Shor's algorithm have arrived?

Well, one thing to note is that cryptanalysis is not the only thing a Real Quantum Computer would be good for. Another thing would be analyzing chemical reactions; a chemical reaction between molecules is an inherently quantum process, and so a Quantum Computer would be expected to model it far better than a conventional computer.

And, I expect that:

  • Modeling a chemical reaction should be easier than Shor's; I believe that fewer qubits are involved, and the circuit depth is far smaller.

  • Insights into what happens during a chemical reaction may translate into being able to better optimize an industrial chemical engineering process, and even a modest optimization can translate to billions of dollars/euros savings.

  • Chemical manufacturing companies would have little reason to keep their use of Quantum Computers secret (and would not be allowed to hide their increased profits and/or reduced costs). I would assume that they would loudly proclaim the message "We are now greener when making fertilizer".

Hence, until we see significant advancements in the chemical engineering space, I don't believe that Q-day has arrived yet.

(All this IMHO)

poncho
  • 154,064
  • 12
  • 239
  • 382
11

Frame challenge: "Q-Day" is a mental shortcut for what is not actually a sudden event.

Quantum computing, nuclear fusion, AI, flying cars - there are a number of technologies that have been "just around the corner" for decades.

It is highly likely that "Q-Day" will actually be "Q-Year" or something like that. That over the course of several years we inch closer and closer, make small steps here and there, solve this issue and that, and slowly, slowly, we get there.

It is highly improbable that someone comes out of the woods one day and announces a full-blown quantum computer. Instead, there will be many announcements, by many research institutes, over the course of the next decade or two. Heck, there was one today.

That means that the transition to post-quantum encryption - which has already started - can progress equally slowly, and as we get closer, those who haven't already moved will feel more and more that they should.

By the time the RSA-Quantum-Breaker(tm) arrives, there will be only a few left who are really lagging very much behind.

Tom
  • 402
  • 2
  • 12
6

I'm a professional cryptographer for a major financial company, and I've been doing crypto professionally for 37 years. If anyone can develop a QC capable of factoring big key-moduli, it'll be a well-funded national cyberwarfare group, like the NSA or China's APT groups. There's no way that any cyberwar group will announce its QC capabilities, period. We won't know until it's too late.

That said, I very much doubt that such large QCs will ever get built, because of the quantum noise problem, and because of other problems. We'll still have to prepare to move to post-quantum ciphers, because the financial industry's regulators will require PQC as a sober precaution.

Don Davis
  • 61
  • 2
3

How do we know it hasn't already? Perhaps I have a working quantum computer in my basement that is currently breaking a thousand RSA keys a second? Can you prove that I have not?

Well, the public will know when:

  • Someone says they built a quantum computer that can break RSA and demonstrates it.
  • There is credible evidence that some organization can break RSA.
  • A technological breakthrough is publicized that makes the construction of an RSA-breaking quantum computer a trivial endeavor.

Philipp
  • 621
  • 4
  • 11