I'm very happy to be here. They asked me if it was my first time speaking at DevCon. I said yes and no. Last year it was a much smaller room. So I'm happy to see so many people. I've been talking about quantum computing and its relation with security. How many of you know how quantum computer works? How many of you know quantum physics? Oh, good. Because you need to know about Schrödinger equation. The basic entanglement, Bell states, EPR pairs. So this is the very basics that you need to know to get the talk. Hermitian matrices, complex numbers, real analysis and Hilbert spaces obviously. If you don't have those please leave the room. Okay. I'm kidding. The nice thing is you don't need to get all the stuff to understand quantum computing. If you're a physicist you want to understand quantum mechanics then obviously you need these notions but not for quantum computing. So I'll try to convince you that's true. So the outline, I will be, it will be a talk very broad, not very deep. There might be some deep ideas but one of them says that I won't go into the technical details or how things work in details. I'll give you the ideas and the applications. Very brief crash course about quantum computing. So for the quantum mechanics, it's based on quantum mechanics and you can see this as the operating system of nature. It's like the framework on top of which the theories like gravity, electromagnetism and nuclear forces are running. So you get these theories in blue, the expansion of nature and you try to adapt them to the quantum mechanics operating system. And this is already on some mathematical notions. So that's where we stand. The very basic, this is my only slide about quantum mechanics. So that's the most important thing for us. What it says is that the particles in the universe like photons, electrons and so on, they behave randomly. So not randomly in the sense unpredictable because we don't know all the parameters but it's really randomly.
Like you have no way to predict what's going to happen. But what's different compared to what the randomness you know is that the probabilities can be negative. Not only negative, negative and complex numbers, so you see the numbers with the i letter. So that seems a bit counterintuitive. But you have to trust me and to trust the physicists that it does make sense mathematically to have negative probabilities like negative amount of money. All right. So you know what is a classical bit? It's either one or zero. A quantum bit can be one and zero at the same time. We call this a superposition. So when you have not looked at the qubit, it's in this state where you know that if you observe the qubit, if you ask him what's his value, it will be zero with some probability and one with some other probability. The notation space is zero. You have this, for example, alpha and beta as coefficients and the strange notation of the straight line and the bracket. It's called the bra-ket notation. You don't need to remember this. But what you need to know is that the alpha and beta values, they are called amplitudes. They can be negative. They can be complex. And the actual probability, so you take this value, you square it and that's the actual probability that you get. So number between zero and one. And when you observe the qubit, it stays zero or one forever. So it's no longer a quantum object. It's like a classical object. It's zero or one. That's it. So you can generalize it to, you know, quantum bytes. Instead of having just one bit, you have eight bits. And you have different probabilities for each byte. So you have this sequence of eight quantum bytes. And if you look at it, maybe it will be 0xFF with some probability. Maybe it will be 0x01 with some other. Maybe it will never be 0x00. And so on. So that's it. You can generalize to quantum words, 32 bits, 64 bits, whatever number. And using these objects, you build a quantum computer.
So it's like a normal computer. You have registers. It's going to be bits or bytes or words or anything you want. And you will transform the state. So that's how you will compute. You have kind of quantum assembly. But you will have just different instructions than the classical instructions that you know. The important thing to remember is that the operation will all be reversible. You go from one state to the next state. But you can also go back in the past. So you don't have this information. You don't really have the classical assembly. You have the AND operation. You AND register one and register two. And you write it in register one. You can't go back in the past. You can't know the previous value. And here you have what you will modify. So it's these quantum objects. And actually you will just change the probabilities doing very simple operations, what you learn in high school, linear algebra. So like matrix multiplications. You will just do matrix multiplications to transform the probabilities. And obviously what you want is that when all your probabilities sum to one, because you want something to happen, obviously, you want the new vector probabilities to sum to one as well. All right. I wouldn't go much more technical, but that's the idea. You just remember that quantum computing is just multiplying together some probabilities that can be negative or complex. And that's it. So in the end, you have this set of registers that can be both one and zero at the same time. And then you observe one bit or one byte or more. And that's your result. And the important thing is that you cannot simulate this using classical computer. Why? Because let's say you have quantum bytes. So this single quantum byte encodes 256 different probabilities. All right. So you might be able to store this on your normal computer, but now let's say you have a quantum word of 32 bits. How do you store this classically? It's a few gigabytes of information.
Might be doable, but now if you have a 64-bit word, obviously you cannot store this on your classical computer. Well, on the quantum one, it's just 64 qubits. Okay. So you can try this online. There's a few simulators, Quantum Computing Playground. You cannot go too far, because like I just said, you would need gigabytes, terabytes, petabytes of memory, but this one goes up to 22 qubits. Okay. Actually, the initial motivation for all this was to simulate quantum physics. And for the same reason that you cannot simulate a quantum computer using a classical one, you cannot simulate quantum physics using classical computer. So Richard Feynman said, okay, so to simulate this, we need to invent a quantum computer. And that's what the initial motivation to understand how physics works, how nature works, by simulating all the quantum phenomenon. Okay. I will just go through two common misunderstandings about all this. So people sometimes say, yeah, quantum computer, it's a super, super quantum computer that's way faster than solve all the problems. So sorry, it doesn't solve all the hardest problems, especially the NP-complete problems. So I don't know if it's familiar to you, like the traveling salesman problem where you have a list of cities and you must find the optimal route, scheduling problems, Candy Crush, Mario Bros. All those hard problems have some structure that makes them difficult and practically impossible to solve on normal computer. It's the same for quantum computer. You won't solve these hard problems with a quantum computer. So that was the first bad news. A good news is that you do have some, what's called quantum speedup for some specific cases. In other words, making the impossible, possible on a quantum computer. So the postage is the factoring problem, you have a number N, which is equal to P times Q. And going from N to P times Q is difficult on a normal computer, but it's easy to solve on a quantum one.
So obviously the application that, the interesting application is breaking RSA. I'll talk about this later. Okay, so the last caveat is quantum parallelism. Some people say, eh, you have the superposition notion, so it's like trying everything in parallel, so parallelism for free. That's not actually the reality. The idea is that in some sense, you compute several values at the same time, but you can only look at one result. You cannot look at all the results. So it's like all this parallelism is useless. You can only look at one of the results and you cannot condition. You cannot say, okay, I want to look at the result that gives this value. You look at the random result. So there's no magic here. Okay, so that was it for the theory. Let's move to the practical, the practical part. So like I said, the most common application is factoring numbers. So I'm happy to tell you that we know how to factor 15. It's three times five. We also know how to factor 153 and 56,153. But there's a caveat here. They don't, for those numbers, they actually use a special number. And in some sense, they had to know in advance what was the solution before searching for the solution. The actual quantum factorization, it was only done for 15, three times five. So I just want to say that we are very far from a useful application of quantum computer. And the reason is that it's amazingly difficult to build. First of all, you have to find an object to simulate your qubit. So typically you will take some physical particles, sometimes take photons, molecules, and the superconducting phenomenon. I won't explain the details of this as you can look this up. But the main problems they're facing in quantum computers is what we call decoherence. That qubit gets mixed up with the environment. They will interact with the rest of the world, with the rest of the system. And this will complicate the system. It's going to cause some noise.
So we know that in theory there's this whole field of quantum error correction where in theory you can correct all the errors in real time, but in practice it's much more difficult. You also have to have the computer at very low temperature, close to the absolute zero. It's a technical detail. And we don't know how to scale to several hundreds or thousands of qubits. So we have this result with four or five qubits as I showed before. But if you want to break RSA to break all the crypto in the world you need thousands of qubits. And we're far from this. Breakthrough, nine qubits this year. It's better than four. It's not even an actual quantum computer. It's just a set of nine qubits that could live together for a few seconds while correcting the errors induced by the environment. And they use quantum non-demolition parity measurements. I have no idea what it is, but it's probably interesting. Okay. Breaking cryptography. No, the NSA doesn't have a quantum computer. I don't think they do. Probably don't. Okay, so like I said, we're doomed. If tomorrow a quantum computer comes up, RSA broken. Even the elliptic curve version of Diffie-Hellman. Very briefly explain why. So RSA, like I said, is based on the hardness of factoring numbers. If you can factor numbers then you can break RSA. If you can break RSA you can probably factor numbers. So it's hard on a classical computer. We don't have an actual mathematical proof of this, but we, cryptographers, mathematicians, pretty much convinced that it's a hard problem. It's not an NP-complete problem. Factoring is not NP-complete. But it's easy on a quantum computer. It's because of an algorithm by a guy called Peter Shor. It's called Shor's algorithm. And it's doing a quantum Fourier transform and finding a period in some function. And it gives you the result. What's nice with this algorithm is it's not specific for factoring. It's actually for a whole class of problem that we call the hidden subgroup problems.
Finding a subgroup in some bigger group. And it turns out that the discrete logarithm is another type of this problem. So the problem behind Diffie-Hellman and elliptic curves is essentially you have a number G. And you know G to the power of Y. And you don't know Y. So you look for Y. It sounds pretty easy like this. But you can try it. It's not easy if you do it on big numbers. And again it's easy on a quantum computer. So what about symmetric ciphers? Things like AES or even hash functions. It's a little bit faster if you had a quantum computer but not that faster. It's just that the search for the key would be much faster. So instead of having a security of 128 bits with a key of 128 bits, you would get half of that, 64 bits of security. Now if you do some advanced mathematics, you say, okay, if I want 128 bit security, I just need a key of 256. And we have an AES version of 256. And we can have even ciphers with a key of 512 bits. The reason behind this is that with Grover's algorithm you can search in a table of n elements in time square root of n instead of n. So if you have 2 to the n values, it's complexity of 2 to the n values. So there's a field called post quantum cryptography or quantum safe. Whose goal is to find alternatives to RSA and Diffie-Hellman and ECC. Alternatives that would be resistant to quantum computing. So it's not a joke. It's a thing. People have been working on it for years. Even NIST is caring about this. There was a workshop this year. I don't see the date here but it was in spring 2015. And there's a workshop next year in Japan. So I'll show you four of those, not the other schemes, but the family of schemes. The first one is based on hash functions. So things like SHA-1, SHA-2, SHA-3, BLAKE. And it's based on the problem of inverting hash functions. It's a problem that we don't know how to solve easily even on a quantum computer. And you're pretty confident that it will remain difficult.
Maybe the state of the art, if you're interested in this, you can look up what is called SPHINCS designed by Dan Bernstein, Zooko, and other guys. It's pretty secure. They have some proofs. Very nice paper. But the only limitation is that you have pretty large signatures. So instead of being, I don't know, like 256 bits, it's 40 kilobytes. It's better than 40 megabytes, but still not as small. And the keys instead of being short, well, they are one kilobyte, same for the private key, it's pretty slow. Instead of doing thousands or hundreds of thousands per second, it's more like 100. But it works. Another field is multivariate signatures. So don't be scared. Multivariate just means equations with many variables. And just means that you, the variables are combined in such a way that you do not only additions, but also multiplications. And once you have multiplications, it becomes much, much, much harder to solve. If it's just additions, it's what we call linear, so we can solve it efficiently using Gaussian elimination. If you do multiplications, and if you take a random system of equations, it's NP-hard. So it's impossible. But if you want to use it, in reasonable time, you need to have a much shorter system. You need to use some tricks, some structure. And that's the reason why some schemes of this family were broken. I don't put much hope on this. Now, something important to understand is that if tomorrow a quantum computer is created, it might break your signatures, but you can still, you know, salvage signatures by issuing new ones with a quantum-safe system. So you can still sign your document and get this notion of authenticity. But if you encrypt something with a non-quantum-safe cipher, then it's too late. It's going to be decrypted. It's of no use to re-encrypt again. So the bottom line here is that it's more important to have post-quantum encryption deployed as soon as possible than post-quantum signatures.
You can still wait until the quantum computer is created. So very briefly, what's about two types of post-quantum encryption techniques. One based on codes. So it's not, it's nothing new. It's ideas from the 70s, 80s, McEliece, Niederreiter. Again, you have very large keys, kilobytes, but you know, today we have a terabyte hard drive. So what, maybe a few kilobytes is not such a big deal. It's not very fast, but it's not like it takes hours, more like milliseconds. And the other one is the lattice-based crypto, which uses lattices. It's very deep mathematically, but very simple to understand. It's like, you have a function and you don't know the function. You know roughly how it looks like, and you want to learn the function. But the adversary is putting some noise on the function. So you cannot, you cannot guess how it works. Okay. So the fifth part is quantum key distribution. It's what we also hear as quantum cryptography. And here the problem is like, it's key agreement. It's like a quantum Diffie-Hellman. Instead of using normal Diffie-Hellman, you would just use physical phenomena. It's not really quantum computing, it's just using quantum mechanics. And the USP for this, the argument is that it's as strong as the law of physics. The argument is that if you're in the middle, you can't do a man in the middle because it will be detected by the adversary. By the laws of physics, if you observe a photon, it will be modified. So when you receive it, you will see the modification. You cannot copy quantum bits. And also the keys are truly random. So this one is the standard, the simplest scheme, BB84 by two Canadian guys in 1984. I'll explain it very quickly. It's pretty simple. Just Alice and Bob, they want a shared key. So Alice, she selects a few bits, random bits, here 01, 01, 01, 01, 01. And she has to select an encoding. Here it means just a polarization of the photon. But you can see just simply coding.
So either the blue one, orthogonal, vertical, or the green one, the diagonals. So she selects blue, blue, green, blue, green, green, green, blue. And she will send this to Bob. And Bob, he doesn't know the encoding. So he'll pick a random encoding as well. And the thing is, if you have the same encoding, you will observe the right value. If you don't have the right encoding, you will see a random value. And it will be too late to correct because once you observe it, it's no longer a quantum bit. So Bob, he observes the bits that he received, and then he publishes his encoding. And Alice says, okay, here you get the right one, you get the wrong one. And they just pick the bits where they have the same encoding. And so the actual scheme is a bit more complicated, but that's the general idea. Okay, but of course it's not as secure as it pretends to be. You always have unexpected vulnerabilities in this kind of system. The first one is, you know, it's a quantum, but it's not a quantum because when you encrypt the stuff, when you use your keys, you use things like AES. When you store it in your system, you also use classical crypto. So you just use the quantum part for the key agreement. So the people who tell you, yeah, but the sick classical crypto might be broken, you should use QKD, say, well, yes, but then what do you do? You have to eventually use classical crypto. And even if you ignore this thing, some implementations have been broken because in practice, you have to send some metadata to make some error correction and so on. So there's people, a group in Norway that was into what I call quantum hacking and actually broke some of the first QKD systems. Now there's a practical limitation, too. You can't do this over internet. You need dedicated optical fiber links and it's point to point. So there's one party to another party and it's limited in distance, less than 100 kilometers, I don't know, 80 miles.
So what do you do if you have to connect with someone, you know, a thousand kilometers away? You can put repeaters or make man in the middle, but no, it's a bit annoying. Okay. So application is quantum copy protection. If you wonder why I put this banknote here and if you recognize this guy, Schrödinger, right? Okay. Here the idea is to leverage the no cloning principle. The idea is extremely simple. The details are extremely not simple. But the idea is that when you have a quantum bit, you can know like its momentum or its position, but you cannot know both at the same time. Modern day, you cannot know everything about a quantum object. So if you don't know everything, obviously you cannot copy it. Because you can't copy what you don't know. See, in physics you have this theorem that is called non-cloning theorem that you cannot clone a physical object to an exact copy. Okay. So you see the relation with quantum cash. You leverage this to, you know, make bits that cannot be counterfeited. You will put some qubits on your banknote and they will have some encoding that only the bank knows. Only the bank can authenticate the bill and create real ones. And there's also a variant that is decentralized where everyone got verified with this. So obviously that's just, you know, a theory. So experiment is not practical because it could be way too difficult to just, you know, put qubits on a banknote to have them live for years instead of seconds and to deal with the decoherence problem. So you will never see this for real, but you can imagine that it exists. You can also imagine quantum software protection. So it's a generalization of this. So using this idea of quantum non-cloning, you obfuscate, say you have a function here in green, the verification of a password. What you can do, let's say you find, you get the code of this function, you reverse-engineer it, maybe it might be obfuscated, but you can always reverse engineer the code.
Maybe there's a hash function. Maybe you don't check the equality of the password, but you check the hash. If it's a strong hash, you cannot find a password easily, but you can still verify if it works. And if you have a binary, you can copy the bytes. So here's the idea of quantum protection. First of all, you cannot copy the program. You have the program which is a list of qubits, and you cannot copy the qubits. And you have no idea about what the program is doing. Except if you give the right password and you get one, but that's it. So again, like quantum cash, it's not something that will happen for real, but that's something that, in theory, might be possible if we have the right tools and the right technology. Okay. So my last part is about machine learning. I've seen a few talks about machine learning. It seems to be pretty, well, hot these days. I've seen very good talks and not so nice talks. Anyway, so machine learning on one slide is pretty difficult to summarize, but you can see it as the science of getting computers to act without being programmed. It's either learning patterns or finding patterns, not sort of supervised machine learning or unsupervised, which is more like discovering patterns. So it's been quite a success in fields like filtering spam, fraud detection, you know, from PayPal, for example, is using some things similar to machine learning, OCR, and recommendation systems. It's usually better at finding similarities than anomalies. And in intrusion detection, for example, we want to find anomalies for a specific notion of anomaly. But the problem in security with machine learning is that, well, there tend to be lots of false positives with machine learning. So I don't know if Netflix or Amazon recommends you something that, well, you don't want to say it's not a big deal, but if your intrusion detection system doesn't detect something or detects too much non-attacks, then you might have a problem.
And some companies, some vendors claim to use it, but yeah, sometimes they just say, okay, we'll use machine learning just to say that they use machine learning, but maybe they don't. I've never seen any detail about the performance of this. So I conjecture that it doesn't work as claimed. Anyways, some people have been trying to quantumize machine learning, but it's a bit boring, actually, because it's not a brand new algorithm that is completely different. It's just, you know, take the classical machine learning algorithms and run them on your quantum computer. Things like clustering or neural networks or SVMs and other. There are two advantages, well, mainly one. Sometimes you have to search in a big list of data. So you can use Grover, what we've seen before, to speed up the search. So you have this square root improvement. And there are some cases from very specific functions where you do get an exponential speed up, which means that you can do something that you could not do on a classical computer. But there's a quite big caveat here, is that you need a quantum RAM. The idea is awesome here. So you know, a normal memory, you give an address and you get the value at this address. In a quantum memory, a quantum RAM, so you give an address in superposition. So several addresses simultaneously. And you receive the values at this address simultaneously in superposition. I have no idea how to implement this. And apparently the physicists have no idea how to realize this. And the thing is that a few of the quantum machine learning algorithms that give the speed ups, they use quantum RAM. So even if you have a quantum computer, you probably won't have quantum RAM, so it would be useless. All right. So it's time to conclude. So yeah, I'm sorry maybe you were enthusiastic about quantum computing and now you will be leaving the room not saying, yeah, it sucks. It's not the super fast quantum computer I expected.
It doesn't even solve NP-complete problems and yeah, they may never be built anyway. So this is a real article. But if you're a more, you know, optimistic person, you will see differently. And break everything. Yeah, chaos. You should start collecting, you know, all the RSA cipher that you see and maybe have a quantum computer later, you can break them. And if you're a mathematician or physicist, it gives a completely new meaning for computing, so instead of seeing it as a list of instructions of mathematical operations, it's transforming a physical state. You know, you can take this microphone, it's a bunch of atoms. You can imagine operations to transform it. And if you generalize it, you can see that, okay, the world is a big quantum computer that is evolving to another state from another state. And what is the universe computing? Yeah. So what some physicists say, you know, we don't even know if it's physically possible to build the quantum computer. But if we have a proof, a physical proof that it's impossible, then it will tell us a lot about how nature works and about physics. So even if we fail, we will win something. So I hope you like this if you have questions. So I will put the slides online. I'm not a pure physicist, I've just been interested in this stuff for years and years about quantum computing. So if you want to build the quantum computer, don't talk to me. I don't know if it's a good idea. But yeah, I have humans left. When I practice this talk, some people ask me, yeah, why don't you talk about the company that is selling a quantum computer? I won't say the company because this is recorded and I don't know. But this company that is selling big quantum computers, it's not actual quantum computers. It's a different type. It's what we call adiabatic and it cannot factorize big numbers. It may do certain things but not the interesting ones. Okay. So that's it. Thank you for your attention and happy to take questions.