Factoring will be okay for tracking progress later; it's just a bad benchmark now. Factoring benchmarks have little visibility into fault tolerance spinning up, which is the important progress right now. Factoring becoming a reasonable benchmark is strongly related to quantum computing becoming useful.

Perhaps? The sort of quantum computers that people are talking about now are not general purpose. So you might be able to make a useful quantum computer that is not Shor's algorithm.

Basically qc are so far from ever doing a useful computation we need other benchmarks to measure progress. We need to be thinking in timelines of our lifetime not 5 years

I always find this argument a little silly.

Like if you were building one of the first normal computers, how big numbers you can multiply would be a terrible benchmark since once you have figured out how to multiply small numbers its fairly trivial to multiply big numbers. The challenge is making the computer multiply numbers at all.

This isn't a perfect metaphor as scaling is harder in a quantum setting, but we are mostly at the stage where we are trying to get the things to work at all. Once we reach the stage where we can factor small numbers reliably, the amount of time to go from smaller numbers to bigger numbers will be probably be relatively short.

Fun fact: the Planck mass is about 22 micrograms, about the amount of Vitamin D in a typical multivitamin supplement, and the corresponding derived Planck momentum is 6.5 kg m/s, which is around how hard a child kicks a soccer ball. Nothing inherently special or limiting about these.

In some ways i think that is the most exciting possibility. If attempts at making quantum computers let us find exactly where the current theories break down and probe how that happens, it will probably be one of the most important physics discoveries of the century.

The amplitudes aren't small in the 512-dimensional subspace where 256-qubit calculations take place.

2^256 states are comfortably distinct in that many dimensions with amplitude ~1. Their distinctness is entirely direction.

The obvious parallels to vector embeddings and high-dimensional tensor properties have some groups working out how to combine them in "quantum AI", and because that doesn't require the same precision (like trained neurel nets still work usefully after heavy quantization and noise), quantum AI might arrive before regular quantum computation, and might be feasible even if the latter is not.

The magnitude of an "amplitude" is basis dependent. A basis is a human invention, an arbitrary choice made by the human to describe nature. The choice of basis is not fundamental. So just choose a basis in which there are no vanishingly small amplitudes and your worry is addressed.

Are you also uncomfortable with the idea of flipping 256 unbiased coins independently?

First? Try only. I'd be willing to wager a sizeable amount of money that no one save for a few niche research institutions trying to improve quantum computing will ever be using fully quantum setups.

QC is not a panacea. There are a handful of algorithms that are in BQP-P, and most of those aren't really used in tasks I would imagine the average person frequently engaging in. Simultaneously, quantum computers necessarily have complications that classical computers lack. Combined, I doubt people will be using purely quantum computers ever.

Yes, in fact they might be useful for chemistry simulation long before they are useful for cryptography. Simulations of quantum systems inherently scale better on quantum hardware.

https://en.wikipedia.org/wiki/Quantum_computational_chemistr...

One theoretical use case is “Harvest Now, Decrypt Later” (HNDL) attacks, or “Store Now, Decrypt Later” (SNDL). If an oppressive regime saves encrypted messages now, they can decrypt later when QCs can break RSA and ECC.

It's a good reason to implement post-quantum cryptography.

Wasn't sure if you meant crypto (btc) or cryptography :)

From TFA: ‘One more time for those in the back: the main known applications of quantum computers remain (1) the simulation of quantum physics and chemistry themselves, (2) breaking a lot of currently deployed cryptography, and (3) eventually, achieving some modest benefits for optimization, machine learning, and other areas (but it will probably be a while before those modest benefits win out in practice). To be sure, the detailed list of quantum speedups expands over time (as new quantum algorithms get discovered) and also contracts over time (as some of the quantum algorithms get dequantized). But the list of known applications “from 30,000 feet” remains fairly close to what it was a quarter century ago, after you hack away the dense thickets of obfuscation and hype.’

I believe the primary most practical use would be compression. Devices could have quantum decoder chips that give us massive compression gains which could also massively expand storage capacity. Even modest chips far before the realization of the scale necessary for cryptography breaking could give compression gains on the order of 100 to 1000x. IMO that's the real game changer. The theoretical modeling and cryptography breaking that you see papers being published on is much further out. The real work that isn't being publicized because of the importance of trade secrets is on storage / compression.

I really doubt we are anywhere close to this when there has been no published legit prime factorization beyond 21: https://eprint.iacr.org/2025/1237.pdf

Surely if someone managed to factorize a 3 or 4 digits number, they would have published it as it's far enough of weaponization to be worth publishing. To be used to break cryptosystems, you need to be able to factor at least 2048-digits numbers. Even assuming the progress is linear with respect to the number of bits in the public key (this is the theoretical lower bound but assume hardware scaling is itself linear, which doesn't seem to be the case), there's a pretty big gap between 5 and 2048 and the fact that no-one has ever published any significant result (that is, not a magic trick by choosing the number in a way that makes the calculation trivial, see my link above) showing any process in that direction suggest we're not in any kind of immediate threat.

The reality is that quantum computing is still very very hard, and very very far from being able what is theoretically possible with them.

In a world where spying on civilian communication of adversaries (and preventing spying on your own civilians) is becoming more critical for national security interests, i suspect that national governments would be lighting more of a fire if they believe their opponents had one.

So you have one of the scientists at the forefront of quantum computing theory telling you that he has no idea if quantum computing is already in a much more advanced state that he himself knows about?

If results in quantum computing would start to "go dark", unpublished in scientific literature and only communicated to the government/ military, shouldn't he be one of the first to know or at least notice?

From analytical arguments considering a rather generic error type, we already know that for the Shor algorithm to produce a useful result, the error rate with the number of logical qubits needs to decrease as ~n^(-1/3), where `n` is the number of bits in the number [1].

This estimate, however, assumes that interaction can be turned on between arbitrary two qubits. In practice, we can only do nearest-neighbour interactions on a square lattice, and we need to simulate the interaction between two arbitrary qubits by repeated application of SWAP gates, mangling the interaction through as in the 15th puzzle. This two-qubit simulation would add about `n` SWAP gates, which would then multiply the noise factor by the same factor, hence now we need an error rate for logical qubits on a square lattice to be around ~n^(-4/3)

Now comes the error correction. The estimates are somewhat hard to make here, as they depend on the sensitivity of the readout mechanism, but for example let’s say a 10-bit number can be factored with a logical qubit error rate of 10^{-5}. Then we apply a surface code that scales exponentially, reducing the error rate by 10 times with 10 physical qubits, which we could express as ~1/10^{m/10}, where m is the number of physical qubits (which is rather optimistic). Putting in the numbers, it would follow that we need 40 physical qubits for a logical qubit, hence in total 400k physical qubits.

That may sound reasonable, but then we made the assumption that while manipulating the individual physical qubits, decoherence for each individual qubit does not happen while they are waiting for their turn. This, in fact, scales poorly with the number of qubits on the chip because physical constraints limit the number of coaxial cables that can be attached, hence multiplexing of control signals and hence the waiting of the qubits is imminent. This waiting is even more pronounced in the quantum computer cluster proposals that tend to surface sometimes.

[1]: https://link.springer.com/article/10.1007/s11432-023-3961-3

Wouldn't the comparison be more like the 1920s for computing. We had useful working computers in the 1940s working on real problems doing what was not possible before hand. By the 1950s we had computers doing Nuclear bomb simulations and the 1960s we had computers in banks doing accounting and inventory. So we had computers by then, not in homes, but we had them. In the 1920s we had mechanical calculators and theories on computation emerging but not a general purpose computer. Until we have a quantum computer doing work at least at the level of a digital computer I can't really believe it being the 1960s.

Not to be snarky, but how is it comparable to 60's computing? There was a commercial market for computers and private and public sector adoption and use in the 60s.

In the 60's we actually had extremely capable, fully-developed computers. Advanced systems like the IBM System360 and CDC 6600.

Quantum computing is currently stuck somewhere in the 1800's, when a lot of the theory was still being worked out and few functional devices had even been constructed.

What makes it more akin to 60’s general computing development than 60’s fusion power development (that is still ongoing!)? The former is incremental, the latter requires major technological breakthroughs before reaching any sort of usefulness. Quantum computing feels more like there are roadblocks that can’t be ironed out without several technological revolutions.

> it will happen.

If you were to guess what reasons there might be that it WON’T happen, what would some of those reasons be?

Eh, quantum computing could very well be the next nuclear fusion where every couple of years forever each solved problem brings us to "We're 5 years away!"

Yet, for sure we should keep funding both quantum computing and nuclear fusion research.

What makes you confident that it will happen?

The people who are inside the machine are usually the least qualified to predict the machine's future

Could you elaborate as you why you think it is a grotesque strawman? It doesn’t strike me as such, even on rereading.

The guy who spends most of his time posting either in favor of genocide or about how he got cancelled for being a misogynist? He's an excellent scientist but not a calm person.

the funny thing is that nobody will ever do that. The moment someone uses quantum computing or any other technology to crack bitcoin in a visible way, the coins they just gave to themselves become worthless because confidence collapses.

That vastly depends on if we choose to go in the right direction.

You assume no civilizational collapse is in our future.

It is more, many companies can't do what they claim to do, or they have done it once at best and had no more consistency. I sense most companies in the quantum computing space right now are of this ilk. As someone that works in academic and private quantum computing research, repeatability and methodology are severely lacking, which always rings alarm bells. Some companies are funded off the back of one very poor quality research paper, reviewed by people who are not experts, that then leads to a company that looks professional but behind the scenes I would imagine are saying Oh shit, now we actually have to do this thing we said we could do.

He's making it sound that way, although he might plausibly deny that by claiming he just doesn't want to speculate publicly.

Either way he must have known people would read it like you did when he wrote that; so we can safely assume it's boasting at the very least.

I don't think he is saying that. As I said in my other comment here I think he is just drawing a potential parallel to other historic work that was done in a private(secret) domain. The larger point is we simply don't know so it's best to act in a way that even if it hasn't been done already it certainly seems like it will be broken. Hence the move to Post-Quantum Cryptography is probably a good idea!

Just you

I ran it through ROT13, base64, reversed the bits, and then observed it....The act of decoding collapsed it into ...not imminent...