6 comments
Contribution received to the FET Flagships consultation:
I have no issue with any lobby group proposing any area/topic as a new flagship, but I understood the selection process would somehow be public and competitive. Now I see announcements that Quantum Technologies has been selected as the next flagship and a process to implement this set in motion - this before the effectiveness of the flagship model via the current two flagships has been evaluated.
In my view, there should be a detailed evaluation of the human brain and graphene flagships to clarify what works, and what does not work, refine the flagship model appropriately (should it be €1 billion in scale, or 4x€250 million, or 2x€500 million???) before any additional flagships are initiated. Simultaneously, so the process is not excessively long, select several strong contenders for new flagships in ranked order, and fund a second phase of flagships.
As the coordinator of the PQCRYPTO project (Post-quantum cryptography for long-term security ICT-645622), I am enthusiastic about the European efforts to build quantum computers and to investigate quantum computing. I had hoped to endorse the Quantum Manifesto, but after a more careful read I cannot endorse it in its current form.
Post-quantum cryptography is a branch of cryptography that searches for cryptographic systems that remain secure even when the attacker is equipped with a quantum computer. It is known that RSA and ECC, the most commonly used public-key cryptosystems, are fatally broken by quantum computers. There are some other, less studied systems for which no efficient quantum attacks are known and that are likely (with correctly chosen parameters) to resist quantum attacks, but the complexity of these attack algorithms is largely unknown. Post-quantum cryptography basically deals with the fallout of progress in building quantum computers.
Society needs to be prepared for these advances. Most urgently, we need to change the way we do encryption because cryptosystems remain on the market for 20-30 years once they are fielded and I do expect quite some progress on building large quantum computers in that time frame. Even worse, if an eavesdropper stores a message that he is unable to decrypt now he will be easily decrypting it once he has a quantum computer -- and for many kinds of people (the health-care sector, journalists, lawyers, diplomats, ...) the secrecy of their messages matters for the years to come. If people have to fear that their communication will (eventually) be read by outside parties it has a chilling effect on their expression and leads to self-censorship, see e.g.,
https://www.washingtonpost.com/news/wonk/wp/2016/04/27/new-study-snowden...
Right now this is also visible in the uptake of cryptography and anonymization services following the Snowden revelations -- but all used public-key cryptography does not resist quantum computers.
Given the urgency of the matter, as PQCRYPTO we have published initial recommendations for post-quantum cryptographic algorithms
https://pqcrypto.eu.org/docs/initial-recommendations.pdf
These recommendations are highly conservative but also highly inefficient, to the extent that they place a high burden on users' computation and bandwidth. More research is urgently needed to assess the security of more efficient proposals under quantum attacks -- to find more efficient attack algorithms, to optimize them, and to compute their complexity. The analysis is closely related to quantum algorithms but these cryptosystems typically run on current conventional computers (PCs, laptops, mobiles, RFID chips, smart cards, etc.), requiring research in secure and efficient implementations. The PQCRYPTO webpage
https://pqcrypto.eu.org/index.html
contains more information on the project and the topic. Standardization bodies such as NIST, CRYPTREC, ISO, ETSI, and the IETF have recognized the importance of finding alternative cryptosystems and are scrambling to issue recommendations while recognizing that more research effort is needed. Companies in IT security are alarmed because they realize that progress in building quantum computers means that they cannot keep their security promises. There is a great potential in Europe's research and industry leading the path towards long-term security but other countries, most notably Canada, Japan, Taiwan, and the US are investing strongly in this area. Research in quantum computing, quantum algorithms, and post-quantum cryptography is of extreme importance and high urgency.
Unfortunately, looking at the draft manifesto I noticed that cryptography appears only in the context of quantum cryptography, which is not solving the problems. Quantum cryptography does not run on the existing networks, does not help in protecting today's sensitive communication, and most importantly, it does not protect the last mile: the connection between the quantum node and the end-user device, such as a mobile or other wireless device. Quantum cryptography fundamentally cannot solve authenticity problems such as electronic signatures or establish communication between partners that do not share any common secret. This means, it is impossible to use it to secure operating-system updates or to establish authenticity of an Internet banking site. It has only the limited functionality of generating a random sequence of bits which then can be used the same way that a stream cipher is used. However, stream ciphers are not significantly affected by quantum attacks. Endorsing the manifesto would mean endorsing this technology which is leading away from a solution, rather than towards one.
I strongly encourage the authors of the manifesto to include post-quantum cryptography in place of quantum cryptography. Post-quantum cryptography is of high urgency and relevance for society and democracy as a whole and offers a significant potential to European business.
It is inspiring to see progress towards, and continued investment in, building large universal quantum computers. It is clear that if these computers are built then they will be much faster than conventional supercomputers for many important computations, notably the "combinatorial searches" that arise in many areas of science and that consume huge amounts of computation today.
However, it is important to recognize the critical roles of computer science and software engineering inside quantum computation. Quantum hardware is useless without quantum software! The speedups from quantum computers will not come from simply running existing software: the speedups come from developing new algorithms that take advantage of quantum computation. The manifesto does mention both (1) building quantum computers and (2) designing quantum algorithms; but the manifesto should be modified to make clear that both of these topics are essential.
It is even more important to defend society against the dark side of quantum computing. Larger and larger fractions of today's Internet communication are being recorded; if this communication is encrypted today with RSA or ECC then it will be broken by future quantum computers. The draft manifesto correctly emphasizes the importance of security, but it only briefly mentions this security disaster, and it says nothing about the most plausible path towards preventing this disaster: namely, post-quantum cryptography (https://pqcrypto.org). This research area includes (3) quantum cryptanalysis, i.e., analyzing which other cryptographic systems will be broken by quantum computers; and (4) post-quantum cryptographic engineering, i.e., preparing the remaining algorithms for deployment as soon as possible. The manifesto should be modified to include these urgent research directions.
Proponents of "quantum key distribution" and "quantum cryptography" and "quantum communication" and a "quantum Internet" have for many years been claiming that quantum technology provides the solution to its own dark side. However, these security claims for quantum technology have been shredded by security researchers. CESG, the UK government's National Technical Authority for Information Assurance, has a new white paper https://www.cesg.gov.uk/white-papers/quantum-key-distribution concluding that these quantum technologies have "fundamental practical limitations" and that they fail to "address large parts of the security problem", while "post-quantum public key cryptography appears to offer much more effective mitigations for real-world communications systems from the threat of future quantum computers".
Even under extremely optimistic predictions of how technology will improve, quantum technologies 20 years from now will still be unable to solve the core security problems created by quantum computers. The draft manifesto radically overstates the current and future security benefits of quantum technology, and as a result overpromotes a "quantum Internet" while ignoring much more important research into solutions that can be deployed on today's Internet. The manifesto should be modified to avoid claims that are not scientifically justified.
As a result of the draft manifesto's mishandling of security, I am unable to endorse the manifesto at this time, despite my general support for research into quantum computing. I am confident that, if you check with a broad spectrum of security experts, you will find that my views on this topic are widely shared. Please feel free to contact me if you have any questions.
I would like to underline that an important aspect of quantum technologies is their ability to boost technological advance in different but closely related technological fields.
A strong and relevant example where cross-fertilization with quantum technologies will provide a fundamental advance is provided by hybrid opto-electro-mechanical devices at the nano-scale, which have been already considered as a disruptive information technology by the EC.
Hybrid nano-opto-electro-mechanical devices will be essential for the realization of a large scale quantum information network, a "quantum internet", because they represent the most promising technological platform for the realization of interfaces and interconnections able to work with high efficiency at the quantum regime.
For example, microwave-to-optical transducers operating in the quantum regime will allow transmission of quantum information over long distances and make possible secure channels protected by quantum cryptography or even enable “quantum repeaters” – minimalistic processing/relaying nodes that perform error correction algorithms on optical quantum signals within a superconducting (or any other solid-state) platform operating at microwave frequencies.
A specific advantage of hybrid nano-opto-electro-mechanical devices is that they act as "bridging" technologies that operate well in both classical and quantum regimes. They will allow devices operating in the classical realm to interoperate with quantum-enabled sensors and devices. For instance, cryogenic microwave non-reciprocal devices are a sought-after technology for both classical and quantum information processing with solid-state devices (e.g., superconducting circuits). Simultaneously, classical chip-scale non-reciprocal devices are in high demand for analogue processing of radio-frequency signals to mitigate in-band interference signals before they reach electronic receivers. This would allow radio and radar operation in more congested RF environments.
While I agree that Quantum Technologies offer interesting opportunities, I do not believe that these large flagships are the best instruments, for the following reasons:
a) Large funding naturally focusses on few institutions who have to demonstrate "critical mass". Inevitably, this means that mediocre researchers will be drawn in for the sole reason that they were in the right place at the right time.
b) I do not believe that the potential outcomes of large flagships justify the opportunity cost. The funding pot is finite, so the more money flows into flagships, the less there will be for other programmes. The success rate of FET Open of around 1% means that thousands of hours of valuable researcher time are wasted. I suggest more funding into FET Open would be a much better use of the available resource.
Dear Thomas,
I share your opinion: FET Open should not be starved of funding. However, this does not lessen the necessity of a Quantum Technologies (QT) flagship. The nature of FET Open makes it difficult for researchers around Europe to pursue a concerted effort around a theme as broad as QT. Small-scale research programmes that are funded through FET Open must demonstrate short-term results as well as promising long-term impact. This makes it very difficult to fund projects that are fundamental in nature, of which there are many in QT, with the result that fundamental research is often tacked onto goal-oriented research proposals.
A Flagship carries with it responsibilities in managing the funding allocated to it, such that:
a) Member regions that do not have a "critical mass" are given access to funding. This is explicitly listed on p. 3 of the Quantum Manifesto.
b) Valuable researcher time is used properly. More funding in FET Open would leave unsolved the problem I mentioned above; i.e., much fundamental research is being passed over because of a perceived lack of short-term results, industrial involvement, etc. Creating a structure within which this research has a place, as the QT Flagship presumably will, will actually alleviate some of the pressure from the FET Open programme as well as creating opportunities for funding research across the entire spectrum of applicability.