> -----Original Message----- > From: IPsec <[email protected]> On Behalf Of [email protected] > Sent: Wednesday, July 18, 2018 11:03 AM > To: [email protected] > Cc: [email protected]; [email protected] > Subject: Re: [IPsec] Modp-12288 and Modp-16384 > > > > > On Jul 18, 2018, at 10:55 AM, Scott Fluhrer (sfluhrer) > <[email protected]> wrote: > > > > Answering to give some info about what we know about the likely > capabilities of Quantum Computers. > > > >> -----Original Message----- > >> From: Tero Kivinen <[email protected]> > >> Sent: Tuesday, July 17, 2018 5:17 PM > >> To: Scott Fluhrer (sfluhrer) <[email protected]> > >> Cc: [email protected] > >> Subject: RE: [IPsec] Modp-12288 and Modp-16384 > >> > >> Scott Fluhrer (sfluhrer) writes: > >>> If the requirement for AES-256 is to handle the scenario "someone > >>> gets a quantum computer", then in that scenario, there is no > >>> realistic DH group size that is secure. > >> > >> That we do not know until we know what those quantum computers can > >> really do... I have not seen anybody saying how many qbits you need > >> to break MODP-2048. > > > > It's about twice as many as you need to factor a 2048 bit composite; so > about 4k (logical) qubits. > > > >> Most of the things I have seen talks about factoring RSA, and even > >> then they do not provide numbers. > > > > How about https://arxiv.org/abs/quant-ph/0205095 - to factor an n bit > number, you can do it with circa 2n qubits. > > That, times a factor for error correction. I've seen various opionions on how > large that factor is; one estimate was 100 if not higher.
Well, yes, this is logical qubits. As for how many physical qubits you need to implement a logical one, well, that depends on the error correction logic you use (and that selection depends a great deal on the error rate you get on the physical qubit operations, and various proposed implementations of quantum computing differ quite a bit on their likely error rate). > An interesting > question is whether coherence across half a million qubits is achievable. Actually, that's the point of quantum error correction; you don't need to achieve consistent coherence across all those physical qubits; it suffices if you get coherence across enough of them.. _______________________________________________ IPsec mailing list [email protected] https://www.ietf.org/mailman/listinfo/ipsec
