How many people know about, uh, quantum physics? Yeah? Yeah? So I was looking at this, uh, I was looking at this, this, this, uh, this talk synopsis and I'm like, maybe this is gonna be a good talk? Maybe not. Maybe it won't. I guess I won't really know until I take a look at the talk. Yeah? Learned that from a baby book. Yeah. Awesome. Alright. So, let's give Andreas a big round of applause for coming all the way to Vegas from Sydney, Australia to talk to us about quantum cryptography. Have a good time, man.
Thank you very much. Alright. Welcome everybody. Um, yeah, after that introduction, uh, hopefully you walk away and learn something in this talk. So, um, quantum computing, if you read whatever is in the press, you either think we are completely doomed and you know the internet's gonna end or nothing's gonna happen because they will never exist. So I thought I wanna explore this topic a little bit more from an algorithmic point of view and really see where we are, not so much on the hype but more really what are the algorithms that we talk about right now. So, um, I started various companies in the security space, you know, starting in 2002, which, um, makes me feel slightly old right now. Um, but first time speaking at DEF CON, very happy about this, you know, long-term attendee but never spoke here, so let's get right into this. So when you talk about cryptography, we mainly, you know, look into two different types of cryptography. One is a symmetric cryptosystem, which is a symmetric shared key, uh, you know, kind of like AES for example, both sides encrypt and talk to each other with the same key. And we have asymmetric, uh, cryptosystems which use public key infrastructure where basically I use a public key to encrypt a message and a private key to, uh, decrypt it. Um, there's various forms of this, uh, obviously for digital signatures as well.
And, um, in, in this realm, um, virtually every cryptosystem right now that is deployed anywhere is what we call computationally secure. That is secure in the sense that there are known algorithms that can break them, but all of the algorithms that can break them are not easy to do in the sense that, you know, uh, if I want to break an, uh, you know, 2048 RSA key with a normal computer takes me a couple trillion years, which means I'm secure even though there are known algorithms, uh, that can break them. Uh, there are information theoretic algorithms out there, most notably an algorithm called, um, a one-time pad or random ciphers, but they're really tricky and not really practically usable. For example, with a one-time pad, you do need to use the same amount of keys as you want to transmit. So if you want to transmit a one-megabyte file, you need to have a one-megabyte key. Basically for every byte, you need a different, um, uh, for every byte of data, you need a one-byte key. So you would have to manage a massive amount of key material, which is not really, uh, practical, but I mean, they do exist. But outside of this, virtually every, uh, cryptosystem is just computationally secure. And, um, uh, when you look at this, uh, quantum realm, and I'm going into quite some detail about this, uh, for those two different types of algorithms, it is much more interesting to look at the asymmetric part of the, uh, of the cryptosystems. Because in the symmetric part, there is a quantum algorithm as well called Grover, which basically looks into, um, a, or provides a quadratic speed-up to the classical, um, version. Basically in the classical world, if I want to look for the shared key, I need to basically brute force every different combination, which obviously takes forever. Uh, I get a squared root up, um, a squared speed-up in the quantum version, which is a fantastic speed-up.
You know, if I can speed up 150 trillion years, it's, you know, a lot of years, but it's still obviously 150 trillion years, uh, to break it. So, that's not really too interesting. So, we want to focus here on the asymmetric part, where, um, the, uh, speed-ups that quantum computers can provide are massive. And, uh, we want to go into quite some detail, uh, why, uh, their speed-up is so big as it is, and, uh, how they work. So, let's revisit just a little bit of how RSA encryption works, and it's really just a basic, uh, introduction so we can use them, uh, to understand how the, uh, quantum versions of these algorithms work. Basically, I choose two prime numbers, P and Q, and, um, uh, with those, I, I just multiply them, get the number N. Now with the number N, I can calculate this lambda N function, which is a Carmichael function, which is just the function, I can easily calculate this. And once I have this, I just choose another parameter E, which is smaller than the lambda N, uh, value, and then this N together with the number E is my public key. I can give this to everybody out there, who I want to choose to do, um, uh, the asymmetric encryption. And I basically retain my private key, which is this, uh, uh, number D here, which is just the modular inverse of the number E, which is the, the public key. Obviously mod, mod lambda N, always mod lambda N kind of, uh, in, in this, uh, scenario, which is the private key that I retain. And with this private key now, with this scenario, I can now look into how, I can now encrypt something and send something, um, from Alice to Bob. And as everybody knows, with asymmetric encryption, I can only encrypt something that is smaller than my key. So if I have a 24, uh, 2048 bit key, I can only encrypt something that is smaller than, uh, 2048. Um, so I need to pad my plain text into, um, uh, a number N. So I turn this big M into a small number M.
Um, uh, there's various ways for this, ways for this, I don't go into too much detail, but this is where the padding scheme comes in. And then I basically end up with this number, uh, uh, small M. And my ciphertext, my encrypted version's really, I just take, uh, this number M to the power of E, mod N, and that's basically my ciphertext. And this is what I encrypt with the public key. And I can now send this, uh, number C to, uh, um, to Bob, uh, or receive this. And if you have the private key, you can easily decrypt this as well on the other side. And you can easily see how this works. It's, it's really very straightforward. If someone has the C and the ciphertext and the D, the private key, by definition C is M to the power of E. So you see, um, uh, but the definition of D was, that is actually the inverse of E. So this E to the power of D just, uh, equals out. So I end up with M mod N. So, uh, if I have the private key, I can easily recover, um, uh, the, uh, the small M. And obviously by just reversing the padding scheme, I have now my, uh, my message again. So this is basically how RSA encryption works into some detail. So, my task is now, I do have a public key because that's public. Everybody knows what the public key is. How do I turn this into a private key? Now, from the, uh, from the definitions, it's really pretty straightforward and simple. Um, I need to find those prime numbers that make up this number N. The number N is known. It's part of the public key. And if I can do this, I can easily calculate lambda N, which is really just the, uh, least common, uh, multiplier of, uh, lambda p and lambda q. And from that, I can easily derive the private key D. Um, uh, and I'm done. So all I need to do to basically go from a public key to private key is to find those two prime factors p and q, um, that I chose in the very beginning when I set up my key. Um, and then I have everything I need to do to basically derive a private key from a public key. 
Um, while that sounds pretty easy and straightforward, actually to do this and to factor this number N into the two prime parts p and q is, um, uh, is really, really hard. And all of the classically known algorithms are all of exponential complexity, which means they're really, really hard to solve. Even, you know, the, uh, GNFS, uh, algorithm is, uh, slightly sub-exponential but still massive in scale. So that gives you this assurance that if you have, if you use any of the asymmetric algorithms, uh, people would need trillions of years to decrypt them so they're fairly secure for generations to come. But in 1984, a guy called Peter Shor, he was a, um, theoretical physicist, came up with this algorithm. If we were to use quantum computers, obviously in 1984 that was all just a theory, quantum computers didn't exist, and they hardly exist today, but, um, but the theory says he came up with an algorithm of how to factor those numbers in just polynomial time. And in just polynomial time really is a difference that is, that is almost incomprehensible. Because it really means instead of taking a trillion years on a classical computer with a trillion operations per second, let's suppose I have a quantum computer which just does a million operations per second, I can actually do the same thing in just 10 seconds. So the difference between exponential complexity and polynomial complexity is just out of this world. And that obviously, if we could run this algorithm, would pose a big threat to basically the whole, um, crypto systems as it is deployed. Because the base of this, whether it is, um, you know, for RSA or elliptic curves or for digital signatures, ECDSA which is used in Bitcoin or for key exchange like Diffie-Hellman which is mainly used in everywhere you go on SSL, TLS exchanges. So the base foundation of this is used virtually everywhere in today's internet. So that would be a big threat.
So let's explore a little bit, um, how Peter Shor could come up with his algorithms, what is actually needed and how they work in, uh, in reality. So now we need to do a little bit of an introduction into quantum computing and, uh, it gets only as deep as I thought we need to go to understand how Shor's algorithm works and, uh, what we need to understand. Um, uh, so hopefully it, it's not, it's not too bad. So basically there are two big types of quantum computers that we look at right now. One is called gate-based quantum computers. That's a big chunk what everybody's working on. All the big guys, IBM, Intel, Microsoft, Alibaba, they're all working on gate-based quantum computing which is called universal quantum computing because I can solve virtually any problem similar to a classical computing, uh, on this computer. There's a different computer, um, uh, called quantum annealers or adiabatic quantum computing which is, what's the first quantum computer that was available was from D-Wave. And D-Wave's computer, this adiabatic quantum computer is not a general quantum computer. You cannot solve every problem on this quantum computer. It is very specialized to only solve a particular optimization problem. So it's very much, um, you can look at this basically as a physical system. And physical systems tend to always end up in the lowest energy state which we call the ground state of this physical system. So if I can now define a function that I want to solve and I basically define those functions in a way that the lowest energy state is basically the same as the solution to this optimization problem. I can use this physical system to solve the problem that I have because I know the physical system will end up in the lowest, uh, energy state in the ground state. And I know then this also tend, this also represents in the state where my optimization problem reached the lowest point.
And there's a really cool theorem, um, which actually guarantees to me that I end up in the lowest state that there is. You can really think of this as kind of like mountains and valleys. And you can end up in a valley that is just halfway through and you're not really in the lowest state. But there's a theorem, um, we are gonna explore this a little bit which guarantees, which gives me a way how I can really be at the lowest state so I can solve or I can find the optimal solution to this optimization problem. But it's really just solving optimization problems. The gate-based quantum computing, uh, is really a general quantum, is a general computing, um, uh, architecture where you start with an input, you apply all sorts of different calculations to it. Technically those are all gate-based calculations. You do an AND gate, you take two qubits, do something to it, you get a result. But essentially you have an input, you calculate something and you have an output and you basically, uh, you can calculate every, uh, everything you wanna calculate with these, uh, universal quantum computers, uh, while quantum computers like D-Wave can really only solve, um, optimization problems. But actually as it turns out, both approaches can be used to solve the factorization problem. And, uh, we have Shor's algorithm from 1994, which, uh, um, uses gates to, um, solve this problem. And in quantum annealing, we have various approaches since 2002 and we're gonna explore those a little bit in the, uh, next couple of slides as well, how they work to actually, um, solve the factoring problem as an optimization problem. So, let's dive a little bit into quantum computing and what I need to understand to, to explore a little bit Shor's algorithm and really with the idea of giving you an understanding of how can someone derive an algorithm that gives me now such a dramatic improvement over a classical algorithm which takes, uh, exponential time, uh, to solve.
So the basic building blocks for, uh, quantum computers are what we call qubits. Qubits is the equivalent of a classical bit. A classical bit is either zero or one. A qubit is now a, you can almost think of it as a quantum mechanical system which can be in any state you want it to be and you don't actually really know what state it is. But once you measure this quantum mechanical system, it is either gonna be zero or one. And this is an, uh, this is something that we're gonna exploit later on. That why, before we measure the system, we don't know which state it is. But it can be actually in a superposition, it can be in a state where all of these, um, qubits can, um, interact with each other and only at the very end of my processing set, I will measure the system and all of those superposition states will, uh, basically terminate and I know it's either zero or one. But it's really a quantum mechanical system. You don't really know what it is. It's neither zero, it's neither one. It is something in between. Uh, quite often we then assign, um, uh, variables to it. And here you can see a representation of one of those qubits. We have this, uh, two bases, zero and one, which basically represent this, uh, zero means if I measure this particular qubit in 100% of the cases, I will get the, the measurement outcome of zero. The one means in 100% of the case of measurement, it will give me the measurement outcome of one. And now qubit is in the superposition of those two with alpha and beta. Those are two complex numbers. I can represent those and, uh, that can now define, uh, the state of this particular qubit. Now we call alpha and beta probability amplitudes because if I measure this particular, uh, my qubit, I will now get the probability of the measurement outcome for, uh, to get the measurement outcome zero, the probability is going to be alpha squared. And the probability of getting the measurement outcome of one, it's going to be beta squared. 
Remember when I measure this particular thing, even though I have two complex numbers associated with it, when I measure it, it's going to be either zero or one with a certain probability associated with it. And the probabilities are really defined by those two numbers, uh, and basically to the squared, um, uh, for alpha and beta. Uh, we know I know it's going to end up in zero. And with those two numbers, I can represent those qubits. It's basically a mathematical representation of the quantum mechanical system, uh, that the quantum computers operate in. But remember, all of these measurements and everything we do in the quantum world is probabilistic. Everything is just a probability. I can put a quantum in a state where I can tell you in exactly half of my measurement, it's going to be zero. In half of my measurement, it's going to be one. Which is perfect for random numbers for example, because I can tell you, hey, you don't really know whether it's zero or one. It's exactly equal probability of getting zero and one. So I just take one qubit, measure it five trillion times and I get five trillion, uh, random bits. But obviously, I don't really know whether I get zero or one. It's all defined by probabilities. Which has a big implication on the algorithms. Because the algorithms will also only give me probabilities. There's no algorithm that can give me, I run through this algorithm once and it will give me the answer, yes it is this answer. It will always only give me, yeah, I think with 83% probability it's going to be this answer for example. So quite often you run these algorithms multiple times to really see, uh, uh, where you end up with. The second, um, uh, principle that we need for Shor's algorithm is the concept of entanglement. And, uh, that gets slightly philosophical. Um, I want to focus a little bit more on the mathematical part of this.
Entanglement is basically a property where I can have two qubits and I know that there's some correlation between those two qubits. In the classical world, I have two bits and the two bits are completely independent of each other. Neither of those, those bits will interact with the other. And if I, if this qubit, if this bit is one, it doesn't matter what this is. In the quantum world I can have a, a relationship, a correlation between those two qubits. And a simple example is the Bell state of two qubits. So this state is here a state where you can set, where you have two qubits. And now it's funny notation, the first zero is the value of the first qubit, the second zero is the value of the second qubit. But if I would measure this qubit here, and let's suppose I measure the first qubit as being zero. It cannot be the second one because, you know, the first zero, the first qubit was zero. So the second qubit has to be zero as well. I know that the second qubit is gonna be zero, simply because I measure the first qubit. And there's no way, because I don't have zero ones or one zero in there, that the second qubit could be something different than zero. So I take basically two qubits, give them into this quantum mechanical system, prepare this Bell state. And now if two qubits, they're separate from each other, but in this quantum mechanical system, those qubits are now correlated, or what we call entangled. And now I could give one qubit to Alice, and send her to the moon, and one qubit to Bob, and send him to Mars. And I know that if Alice looks at her qubit, and Alice says, oh, I got zero. I know Bob has a zero as well. Even though there's no communication between those, simply because there's this correlation in those properties now, I need obviously those two qubits. I need to prepare them together, and then I can send them anywhere I want. And they are correlated without any communication in between those two.
There's lots of philosophical implications because I could give, I could put those two qubits light years away from each other, and did I really find a way of communicating faster than light? No, I didn't, because if Alice measures, it's going to be zero. If she wants to tell Bob, hey, I measured zero, she needs to communicate this information to Bob, which obviously she needs a few light years to do so. But it's an important principle that we're going to use in Shor's algorithm as well. And the main thing for you to understand is the exponentially large size I can look into when dealing with those quantum systems. Let's suppose I take two classical bits, I can represent four possible states with two classical bits. But only one of them at a time. So, you know, if, I mean, you see the four states there, my system with those two bits is in one of those states at any point, at any point in time. In a quantum world, I can take two qubits, and basically at the end when I measure this system, it's also going to be in one of those four states. But before I measure this system, the, because of superposition, those qubits can be in all four states at the same time. And only when I measure the system, the system will collapse to one of those four states. And this is exactly now a situation we're going to exploit. The way if I have n qubits, I can represent two to the power of n states. While I do calculations, I still at the end of the day need to know what the result is of my calculation. So I need to measure at some stage. And then it will collapse obviously to those n states. But during calculation, I have two to the power of n states, which is a massive amount of states that I can represent with just a few amount of qubits. So now I, now I have everything kind of to look into Shor's algorithm and how it works. And we're going to look into this.
So the main idea for that Shor had was actually, if I want to look into how to factor n into p and q into those prime, two prime numbers, I don't actually need to solve that problem. That problem is equivalent to a different problem. And basically he looked into number sequences. And he realized from number theory that you have a number sequence. For example, uh, you look at the number sequence here, um, you multiply the previous number by two. One, two, four, eight, sixteen, thirty-two. If you now do, if you now use this number sequence and do this mod fifteen, for example, in, in this example, you end up with a number sequence one, two, four, eight. One, two, four, eight. One, two, four, eight. This is what we call a periodic, um, sequence. So it's always going to be the same, uh, kind of, uh, sequence of one, two, four, eight. And we can now define a, um, uh, a number which is called the period, which is four, which is basically the, the number of, the, the amount of numbers before it repeats itself. And, um, uh, the underlying algorithm of Shor is that if I want to find out the factors for this number N, if I want to find out this P and Q, I can actually transform this into a problem of finding the period R. And that turns out for that problem, I can run it very easily on a quantum computer. So basically, um, if I look into this and the cool thing is, and I want to show you this on the next slide, the mathematics behind it is actually fairly trivial, a basic level of linear algebra gives you everything to understand how this works. So the only thing you need to accept is that out of number theory, there's a theory which basically says this number, this function, uh, F, F I, X to the power of I mod N is a periodic function. Um, if X has, uh, particular properties, and now I only need to find, uh, the number, uh, the period R.
And with this, I have Shor's algorithm, which we run through in quite some detail actually, but essentially it's comprised of three phases. First is, I turn this factoring problem into a period finding problem, and that's actually trivial. Then I use a quantum computer to actually give me this period R, to solve this period R on a classic computer is again really, really hard. Actually on a classic computer it's still of exponential, um, complexity, which means that this algorithm on a classic computer does not give me any advantages whatsoever, but I can use a quantum Fourier transform and that gives me the speed-up. And then basically once I have the period R, I can really very trivially, um, use this to find the factor. So stage one and, or step one and step three are really trivial. Step two is where all the magic happens and that's where the, um, uh, that's where the main speed-up comes. Now I don't want to go into too much detail, but it's actually really simple. So I think you can, uh, download the slides and you can look through this. I know that F A is periodic. I know that X to the power of zero is one. I mean everything to the power of zero is one. And if R is now my period, I know because the function is periodic that X to the power of R mod N equals one, too, equals the same as what it was before because it is periodic. And really with basically linear algebra I can now use the X to the power of R equals X to the power of R half to the power of two. And I can, uh, um, just write it in a different form which gives me this, um, uh, multiplication of two numbers that will give zero mod N. So if I can use this, if I have this R, I, I have these two numbers. So, but if those two numbers, um, mod N is an, those are an integer multiple of N because their product is zero mod N. So that means they're an integer multiple of N.
So either those are directly factors or if they're not directly factors, each one of those has a factor in common with a number I want to look at. So the greatest common divisor which is actually, um, not too hard to compute, uh, classically it's just an N squared complexity. So by computing the greatest common divisor for each of those numbers with N, I have my factors, uh, for, uh, for N. And, uh, that is really simple, but to get to this R is really, really hard. But I can put this together in a really, uh, quick example. Let's suppose I have N equals 15. Now everybody can calculate in the head that the prime numbers are three and five. Basically I choose any integer between one and fifteen and let's really use for the sake of simplicity. Let's use X equals two. So you can see my period here mod 15 is one two four eight. Uh, so I have the period four. I can see this. That's a really hard part to, uh, calculate. But with the period four, the greatest common divisor of X to the power of, uh, uh, R half is R is four. So R half is two. Uh, X is two. So that's two to the power of two, which is four. So the greatest common divisor of three and fifteen and five and fifteen. So, so, uh, four minus one and four plus one is obviously three and five. And when you calculate this through, actually in every case you come up with three and five. So that's exactly what Shor's algorithm is all about. But the really hard part is, uh, figuring out, uh, what is this period R? And this is kind of where the quantum computer, uh, quantum algorithm comes in. And those quantum computers or those quantum algorithms always work in the same principle. You basically, you, you initialize basically the result that you want to see and say, let's think of, we want to get a 256 bit number or 2048 bit number. And you basically every bit, every bit of this bit representation is going to be either zero or one. So you basically put this in an equal superposition. 
So every bit you basically put at 50 percent zero and 50 percent one because you don't really know what it is. So it's really kind of like, uh, at 50 percent. Then you run through this, um, quantum Fourier transform which will use amplitude amplification. So with every iteration of this algorithm those amplitudes will now go towards one or to zero which is going to be the final result. And you run this through, um, a number of times and then you measure it at the end and you will see what you end up with. I'm going to have an example of this, uh, um, when we run this through on a, on a real quantum computer. But just to, um, summarize, Shor's algorithm all together is, uh, fairly simple. You choose any random number A which is smaller than N. You compute the greatest common divisor. If this is not one, actually you found a, you found a factor and you're done. Uh, but that's, uh, obviously not the, most likely not the case. I use my quantum computer to find this period R. And once I have R I just need to find the greatest common divisor of those, uh, two, um, uh, two terms and I'm done. So, um, uh, another example, I choose randomly, uh, number seven. Calculate period R, R equals 4. If this greatest common divisor 48 and 15 and 15 and 15 gives me, uh, 3 and 5. So it all works fine. I can now use this and use a, um, a library, a toolkit called Qiskit, which is an open source toolkit. There's now at least five or six different open source platforms. How you can use quantum computers and how you can program quantum computers, um, either on quantum simulators or on real quantum hardware. And I gave you some references here. You can look up those. It's actually kind of fairly easy, um, uh, to go through. But they all start the same. And here you see an example of this amplitude amplification. Basically in the end you see all of the possibilities what the, my prime numbers could be. They're all in the same probability what they could be. That's my starting point.
And once I run through this algorithm and I ran through this, uh, Shor's algorithm on, from these references, the amplitude of the correct results have now been amplified and the amplitude of the wrong results have now been kind of like gone down to zero. And I actually see that there's two results. R equals 0 and I equals 4. I equals 0 is obviously trivial, um, um, probability. So I discard this. And I end up with R equals 4. So this was now executed on a quantum simulator. Quantum simulator, I can simulate a quantum state on my normal computer. But remember, in quantum computing we're exploiting this fact that I have this massive large space of two to the power of n. So I'm gonna really have trouble simulating more than whatever a hundred qubits or so on a normal computer. And, um, uh, but for smaller ones, uh, for illustration it's actually quite cool. So the cool thing is IBM has a quantum computer that you can publicly access. You can write a, uh, a quantum computer program, execute it towards their cloud. It's very simple. You just change, hey, my back end is the simulator. You change your back end to, uh, IBM's quantum computer. Um, and if you execute this against a real quantum computer, it's just a five qubit quantum computer right now, I still get R equals 4 with the highest probability. But you see there's lots of other probabilities. And those probabilities are representative of all the errors you have in the system. Simply because those quantum computers that we have right now are really pretty bad. They are what we call noisy. They don't produce the correct results because they're noisy. They produce lots of wrong results. Now by repeating my algorithm lots of times, I can still get around this fact. And obviously in this case, I still have R equals 4 with the highest probability. But obviously that has big implication on performance because I need to now repeat these, uh, my algorithms much more.
And obviously I will end up in that case because, uh, obviously the noise will basically, um, reduce the speed-up in the quantum effects to zero. And it basically collapses to, um, a, um, a classical computation that I have. But the cool thing is actually with Qiskit as well, there is, uh, libraries for every quantum algorithm that, uh, you know, that people know and they kind of, uh, provide easy libraries. If you want to run Shor's algorithm to factor prime, uh, to factor any numbers, you just import Shor's algorithm from Qiskit Aqua, which is, uh, which is a library. You just say, all right, I want to factor this number n equals 15. I use a simulator. I do this, uh, 1000 times. And off I run this instance and I get a result. How cool is that you can run this against, uh, against a quantum computer. And the only thing you need to do in this example is if you run this against a real quantum computer, is to change its back end from the simulator to a different back end. And now there's a call out to IBM's, uh, quantum computer to run this, uh, on the back end. It's actually really, really cool. And this feeling when you run a quantum computing, uh, software for the first time is actually, is actually quite cool. So I encourage everybody to look at Qiskit or various quantum computing, uh, libraries and, uh, to play around with this. So the problem, obviously, is, um, and you guessed it, that in order to do anything meaningful, I need lots of qubits. So in order to use Shor's algorithm to, um, break RSA 2048, I need 4,000 qubits. And I need 4,000 proper qubits, meaning, without any noise, I need for the time of the computation, there can't be any noise on the computation as well. And it's not really a surprise because when Shor came up with this in 1984, there were no quantum computers. He didn't have to worry about, hey, cannot really implement my algorithm or not. He really just came up with a system and method.
So, um, it was never really meant to run on a quantum computer. And, uh, right now lots of people look at Shor's algorithm and then see, alright, kind of right now we have 70 qubit. So it's every, the qubit count doubles every year, whatever. So it's going to be another 10 years before we have, uh, Shor's algorithm. Nobody's going to run Shor's algorithm because it was just a theory. So let's look at some of the, the, uh, research where people took, people took Shor's algorithm and modified them and optimized them to run on real quantum, uh, quantum hardware. So the first one was Fowler in, uh, 2012. Basically, the, the first approach was really kind of, I need to tweak this algorithm so it can be, so it can sustain errors. Because Shor's algorithm really was an assumption, there's no errors or the qubits are fantastic, uh, no errors. So basically they used what's called surface codes to allow for errors to occur and the error rate is 0.1 percent of the, uh, of the gate error rate. And, um, uh, Fowler came up, I can run Shor's algorithm and I can factor 2048 bit number but I need 1 billion qubits, uh, to do so. Which is obviously a massive amount, uh, in terms of overhead, um, uh, to run this. So that was in 2012, not, not too long, not too long ago. And then in 2017, with first optimization from O'Gorman, we suddenly kind of like, uh, had an, uh, had an algorithm where we reduced 1 billion qubits to just 230 million qubits, uh, in 2017. And that was really an optimization of the physical connectivity of those qubits. And, uh, then Gheorghiu, who kind of reduces further to 170 million qubits. So you can see there's algorithmic improvements without any hardware improvements, obviously that's happening at the same time as well. But obviously I get down from 1 billion qubits to right now 170 million qubits.
And the biggest, um, uh, contribution was from Gidney and Ekerå from, um, uh, Google and, uh, University in Stockholm where they, uh, provided a paper just not long ago earlier this year where they, uh, looked into how they could do the same thing what everybody else is doing with just 20 million qubits. Now we went in 2012 from 1 billion qubits to 2019 to 20 million qubits. And we are far from the end of the research there in terms of optimization, uh, to this problem. Now I won't go into too much detail of this, uh, uh, of what they do, but basically they also look into lots of optimization of how things work. And they basically, uh, also choose, similar to Shor, not really to look into factoring the numbers directly. So they basically convert this factoring problem into a short discrete logarithm problem. And, um, uh, they have a part that is computed, computed classically and a part that is computed, um, uh, quantumly on a quantum computer. And they can show that in order to find P and Q, they can, uh, come up with, obviously they know what N is, which is the, uh, the multiplication of those two. They can come up with a number where they know the addition of those numbers are D, so D is known. So if they have two, um, two equations for two variables, which they can fairly easily solve, fairly easily solve with an overstatement because they still need, uh, 20 million, uh, qubits, uh, to do so. Um, uh, but obviously the, um, the reduction from 1 billion qubits to 20 million qubits is massive. And, uh, I expect in the next couple of years, there's gonna be lots of optimization to Shor's algorithm. And especially to the Gidney and Ekerå, um, uh, algorithm, uh, where this is gonna be, uh, reduced further on. Obviously 20 million qubits is still a long way away from, uh, quantum computers that are accessible today. Um, uh, where we are in a realm of, you know, slowly below 100 qubits, um, uh, at this point in time.
So I wanna spend the next, you know, or the last 10 minutes of my presentation on approaching quantum annealing. Those are the second type of quantum computer. And, uh, that is actually what's quite surprising to me, even though everybody's talking about Shor and the implication of crypt, cryptography. Actually quantum annealing right now is much, much further ahead in terms of solving this factorization problem. And we're gonna look into a little bit how, uh, these algorithms work. So as mentioned before, quantum annealing, those computers are really, computers where I can solve an optimization problem. I need to, I need to define my problem as an optimization problem. And then basically quantum annealing computer can take this problem and find the minimum of this, uh, problem because it represents a physical state. And I know the physical state will always end up in the ground state. And, uh, I can read then this ground state and I have this solution to my problem. And there's really a cool, a cool theorem, um, uh, where you wanna find, you wanna go into the lowest point, you wanna find this lowest point on the right hand side. So how do we end up in this lowest point and not get caught up in those, uh, minima, uh, in between. And there's lots of ways how you can do this from the, uh, from the physical system. And there's a really cool case on this quantum annealing case where there is a theorem that says, if I start in a really, in a very easy quantum mechanical system, in this really easy quantum mechanical system, I know the ground state. So this is my problem I wanna solve is here. I am starting here and I really know where I am. I can now slowly evolve. And adiabatic means slowly evolving the state from this here to the state where I really wanna be. And now this theorem gives me a guarantee or physical proof that I will end up in the, in the maximum or in the optimal minima of the problem I wanna solve. And it's really cool.
So I have Hamiltonians are functions that define a physical system. But basically if you look at the first function, if you put in S equals zero, you end up in this H zero, which is my easy to understand system where I know the local minima. And in my calculation, I slowly move S from zero to one. And if I'm at one, I'm in a stage H one, which is the problem that I really wanna solve. But this adiabatic theorem guarantees to me that I will end up in the maximum minima, uh, for the problem that I really wanna solve. Which is really, really cool because it gives me, I'm, I know I'm not gonna be caught into some local minima. But still essentially I wanna solve an optimization problem. How do I do this? And the first research came from Burges in 2002 from Microsoft where, you know, he provided a foundation of, hey, I wanna solve, basically if I wanna look into the problem N equals P times Q, I'm looking for P and Q, um, so that this equation is true. So I just need to solve this, I need to write this as an optimization problem. And basically we, we rewrote this as N minus P Q squared. And this is a positive function, this is always greater than zero. And this is obviously only zero if N equals P Q. And if you write it this way, you have what's called a QUBO, a quadratic unconstrained binary optimization problem, which you can happily run on any quantum annealer that is out there. And you basically use binary representation as really just a fancy way up here of writing, p_i and q_i are just the i-th, you know, bit, it's either zero or one. And you basically now, uh, write this down and it's a very simple example. My example 15 is five times three. Now, um, in binary notation P equals X1, one, the last bit always has to be one because the prime number can't be an even number. And I just, you know, N minus P Q squared, I just write this through and kind of by hand and see, oh, this is the function I need to minimize now. And I can run this against D-Wave's quantum computer.
And if I find the minimum, I know N equals P Q because that's by definition a positive function. So I can use quantum, uh, um, D-Wave's quantum computer that provide a library as well. And, um, you see the link here, you can download it. It's basically the same thing, I just call factor P. P is my, um, uh, product. And I can run this on this, uh, D-Wave's quantum computer. The problem is if I just use this without any optimization, I need N squared qubits for this. So I mean, my number of qubits that I need really kind of like grow quite heavily. And for larger numbers, this is not sustainable, um, uh, to do. But I wanted to show you, it's all probabilistic. So if I run this one time, I end up with, um, my, for 15, uh, for the P and Q for my two prime numbers is one and seven, which is obviously wrong. So I ran this once and I didn't really end up in the, uh, in the right spot. But I ran this five times. Now I already have five and three. It's already 60 percent, um, uh, you know, probabilities. And if I ran this 50 times, you know, I know my prime numbers are, uh, three and five. So I know, I need to run those quantum algorithms more and more often to make sure I end up in the same results. Um, I'm gonna skip over some of those things because virtually all optimizations of now, this base, you know, of, of Burges' work where he basically looked into, hey, my multiplication matrix that you write out as a function to be minimized. There can be lots of optimizations. Virtually all of the, uh, work that I will present here now is based on optimizations of how you do the multiplications down below here. If you've ever done, uh, multiplications by hand, you know, you start on the right and you kind of multiply the lowest numbers and you have carryovers to the left. And virtually all of those optimizations, um, uh, go through this, uh, how I can do this multiplications much easier.
Dridi and Alghassi did some work in 2016 where they used some of these optimizations to remove some of the, all of the degrees. So they were already able to factor a number, greater than 200,000 with almost 900 qubits. Now D-Wave's qubits on quantum annealing are not as, don't have to be as good as universal quantum computer qubits. So D-Wave announced a system with, uh, I think around 5000 qubits for next year. So 900 qubits was, was what was available then, then, uh, back then. On universal quantum computers, the biggest prime number is less than 100. And they, these guys in 2016 could already now factor a number that was over 200,000. The big breakthrough was from Jiang and, uh, in, uh, Indiana, uh, in April 2018 and it's really kind of mind blowing, uh, you see the next one which was really just two months after. Really around optimization of this, uh, multiplication map. And they've now raised, they could factor a number which is greater than 350,000 with just 94 qubits. Remember D-Wave comes up with 5000 qubits, uh, quantum computer, uh, uh, next week, uh, next year. Um, uh, and it's all based on this optimization, uh, problem that we solve for factoring and with optimization to the multiplication table. And then Peng in 2000, uh, in earlier this year, really, um, uh, and you can see this, uh, submission was received in July while the previous submission was, I think, uh, submitted in April or something, it's just months after. Optimized this even further and they've been able to factor a number that is right at one million with just 90 qubits. So that's already 20 bit number. So right now when we look into the problem of hey, can I use a quantum computer to, uh, factor prime numbers? Universal quantum computers and Shor's algorithm are nowhere compared to quantum annealers. And with quantum annealers, I can already, um, um, do this with, uh, 20 bit, uh, 20 bit numbers. So, um, there's three things really interesting.
So they, they could run this on already existing hardware today. And all of those algorithms, that's a really big takeaway, um, that you have to do this. I don't have just one quantum problem that I want to solve. It's always a hybrid model of some classical computation and some quantum computation. I really use a classic computer for what it's good at and a quantum computer, what a quantum computer is, uh, um, uh, is good at. So, um, my point is quantum annealers are a thousand fold better right now than Shor's algorithm on universal quantum computers. But because they are too noisy right now, we are far away from breaking anything that is, uh, in, used in practical terms. Right now the biggest number is a 20 bit number. But obviously we, we know, uh, those two, uh, kind of like converging curves here. The algorithms are getting better and better. At the same time the quantum hardware gives me more and more qubits as well. So both of them will actually have a big impact. I can't just rely on my prediction saying, hey, the number of qubits grow by 50 percent every year so I'm gonna be fine for the next 50 years. You're neglecting the improvements that the algorithms will make over the next, uh, over the next couple of years or two. So, a couple of, uh, myths and reality. Sure, nobody's gonna implement Shor on any quantum computer whatsoever. Um, uh, Shor was a theoretical work. There are practical work, um, uh, you know, derivations of this work that will be implemented. Um, at some point obviously, on the, on the base of Shor's algorithm, people will break, um, uh, the RSA encryption. It is a matter of time. Now we can argue whether it's 10 years, 20 years, 50 years, but we are only arguing about the time. We are not arguing about, arguing about that it will happen. And obviously there's lots of cases where this already has an impact right now.
If I have bitcoins right now and if my public key is known, I don't care whether it takes me 20 years to, uh, get the private key to those, uh, to those bitcoins for getting 20 years. There's, you know, one and a half million bitcoins from Satoshi flying around, which is around 12 billion dollars right now. Hey, if someone comes to me and say, hey Andreas, you know, can you, can you build me quantum computer? It's really hard. It takes me 12 billion dollars, you know? Hey, here's 12 billion dollars right there. So, um, um, so anyway, uh, it takes, it will be quite a while, but I want to provide an overview of the algorithms. I started this talk, talking about how just the asymmetric world of the RSA world, but there's plenty of work, and this is, uh, kind of, you know, from this Chinese paper in the very, very end. That's the, that's the, uh, the end statement. There's plenty of work on the way right now to use quantum annealers also to look into symmetric, uh, encryption. So if you say, hey, I just use symmetric encryption, I'm fine, that might not be holding up for too long. And I thank you very much. I'm out of time. Thank you very much for your time. We have time for questions. We don't have time for questions. You can find me anywhere if you have some questions. Happy to engage with you. Thanks so much.
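The cost function from the quantum annealing part of the talk, N minus P Q squared with the lowest bit of each factor fixed to one, as an added example that is not from the talk or from D-Wave's library. It evaluates the whole energy landscape on a normal computer instead of sampling an annealer, and it goes beyond the talk's N equals 15 by accepting any N; the function names and the choice of bit widths are assumptions of the example.

```python
from itertools import product


def odd_from_bits(bits):
    """Odd integer with its lowest bit fixed to 1; `bits` are the free
    higher bits, least significant first (a factor of an odd N is odd)."""
    return 1 + sum(b << (i + 1) for i, b in enumerate(bits))


def cost(n, p_bits, q_bits):
    """Energy to minimise: (N - p*q)^2. Never negative, zero only if p*q == N.
    Expanded in the bits it contains terms of degree up to 4, so a real
    annealer needs extra variables to reduce it to a quadratic (QUBO) form."""
    return (n - odd_from_bits(p_bits) * odd_from_bits(q_bits)) ** 2


def energy_landscape(n, p_free, q_free):
    """Cost of every assignment of the free bits, as (cost, p, q) sorted by
    cost. An annealer samples from this landscape; here it is enumerated."""
    rows = []
    for bits in product((0, 1), repeat=p_free + q_free):
        p_bits, q_bits = bits[:p_free], bits[p_free:]
        rows.append((cost(n, p_bits, q_bits),
                     odd_from_bits(p_bits), odd_from_bits(q_bits)))
    return sorted(rows)


def factor(n, p_free, q_free):
    """Read the factors off the ground state. Returns None when the minimum
    cost is not zero, i.e. the chosen bit widths cannot represent a
    factorisation of n."""
    lowest_cost, p, q = energy_landscape(n, p_free, q_free)[0]
    return (p, q) if lowest_cost == 0 else None


if __name__ == "__main__":
    # N = 15 with p = (x2 x1 1) and q = (x3 1): three free bits, eight states.
    for c, p, q in energy_landscape(15, 2, 1):
        print(f"p={p} q={q} cost={c}")
    print("ground state:", factor(15, 2, 1))
```

In this landscape the pair one and seven from the single run described in the talk has cost 64, a low-lying state above the ground state five and three, which is why repeated runs are needed before the correct factors dominate.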