Factoring will be okay for tracking progress later; it's just a bad benchmark now. Factoring benchmarks have little visibility into fault tolerance spinning up, which is the important progress right now. Factoring becoming a reasonable benchmark is strongly related to quantum computing becoming useful.

Perhaps? The sort of quantum computers that people are talking about now are not general purpose. So you might be able to make a useful quantum computer that is not Shor's algorithm.

I always find this argument a little silly.

Like if you were building one of the first normal computers, how big numbers you can multiply would be a terrible benchmark since once you have figured out how to multiply small numbers its fairly trivial to multiply big numbers. The challenge is making the computer multiply numbers at all.

This isn't a perfect metaphor as scaling is harder in a quantum setting, but we are mostly at the stage where we are trying to get the things to work at all. Once we reach the stage where we can factor small numbers reliably, the amount of time to go from smaller numbers to bigger numbers will be probably be relatively short.

Yes, in fact they might be useful for chemistry simulation long before they are useful for cryptography. Simulations of quantum systems inherently scale better on quantum hardware.

https://en.wikipedia.org/wiki/Quantum_computational_chemistr...

I believe the primary most practical use would be compression. Devices could have quantum decoder chips that give us massive compression gains which could also massively expand storage capacity. Even modest chips far before the realization of the scale necessary for cryptography breaking could give compression gains on the order of 100 to 1000x. IMO that's the real game changer. The theoretical modeling and cryptography breaking that you see papers being published on is much further out. The real work that isn't being publicized because of the importance of trade secrets is on storage / compression.

One theoretical use case is “Harvest Now, Decrypt Later” (HNDL) attacks, or “Store Now, Decrypt Later” (SNDL). If an oppressive regime saves encrypted messages now, they can decrypt later when QCs can break RSA and ECC.

It's a good reason to implement post-quantum cryptography.

Wasn't sure if you meant crypto (btc) or cryptography :)

From TFA: ‘One more time for those in the back: the main known applications of quantum computers remain (1) the simulation of quantum physics and chemistry themselves, (2) breaking a lot of currently deployed cryptography, and (3) eventually, achieving some modest benefits for optimization, machine learning, and other areas (but it will probably be a while before those modest benefits win out in practice). To be sure, the detailed list of quantum speedups expands over time (as new quantum algorithms get discovered) and also contracts over time (as some of the quantum algorithms get dequantized). But the list of known applications “from 30,000 feet” remains fairly close to what it was a quarter century ago, after you hack away the dense thickets of obfuscation and hype.’

Fun fact: the Planck mass is about 22 micrograms, about the amount of Vitamin D in a typical multivitamin supplement, and the corresponding derived Planck momentum is 6.5 kg m/s, which is around how hard a child kicks a soccer ball. Nothing inherently special or limiting about these.

In a world where spying on civilian communication of adversaries (and preventing spying on your own civilians) is becoming more critical for national security interests, i suspect that national governments would be lighting more of a fire if they believe their opponents had one.

I really doubt we are anywhere close to this when there has been no published legit prime factorization beyond 21: https://eprint.iacr.org/2025/1237.pdf

Surely if someone managed to factorize a 3 or 4 digits number, they would have published it as it's far enough of weaponization to be worth publishing. To be used to break cryptosystems, you need to be able to factor at least 2048-digits numbers. Even assuming the progress is linear with respect to the number of bits in the public key (this is the theoretical lower bound but assume hardware scaling is itself linear, which doesn't seem to be the case), there's a pretty big gap between 5 and 2048 and the fact that no-one has ever published any significant result (that is, not a magic trick by choosing the number in a way that makes the calculation trivial, see my link above) showing any process in that direction suggest we're not in any kind of immediate threat.

The reality is that quantum computing is still very very hard, and very very far from being able what is theoretically possible with them.

He's making it sound that way, although he might plausibly deny that by claiming he just doesn't want to speculate publicly.

Either way he must have known people would read it like you did when he wrote that; so we can safely assume it's boasting at the very least.

I don't think he is saying that. As I said in my other comment here I think he is just drawing a potential parallel to other historic work that was done in a private(secret) domain. The larger point is we simply don't know so it's best to act in a way that even if it hasn't been done already it certainly seems like it will be broken. Hence the move to Post-Quantum Cryptography is probably a good idea!

It is more, many companies can't do what they claim to do, or they have done it once at best and had no more consistency. I sense most companies in the quantum computing space right now are of this ilk. As someone that works in academic and private quantum computing research, repeatability and methodology are severely lacking, which always rings alarm bells. Some companies are funded off the back of one very poor quality research paper, reviewed by people who are not experts, that then leads to a company that looks professional but behind the scenes I would imagine are saying Oh shit, now we actually have to do this thing we said we could do.

Just you

I ran it through ROT13, base64, reversed the bits, and then observed it....The act of decoding collapsed it into ...not imminent...

Wouldn't the comparison be more like the 1920s for computing. We had useful working computers in the 1940s working on real problems doing what was not possible before hand. By the 1950s we had computers doing Nuclear bomb simulations and the 1960s we had computers in banks doing accounting and inventory. So we had computers by then, not in homes, but we had them. In the 1920s we had mechanical calculators and theories on computation emerging but not a general purpose computer. Until we have a quantum computer doing work at least at the level of a digital computer I can't really believe it being the 1960s.

Not to be snarky, but how is it comparable to 60's computing? There was a commercial market for computers and private and public sector adoption and use in the 60s.

Eh, quantum computing could very well be the next nuclear fusion where every couple of years forever each solved problem brings us to "We're 5 years away!"

Yet, for sure we should keep funding both quantum computing and nuclear fusion research.

In the 60's we actually had extremely capable, fully-developed computers. Advanced systems like the IBM System360 and CDC 6600.

Quantum computing is currently stuck somewhere in the 1800's, when a lot of the theory was still being worked out and few functional devices had even been constructed.

> it will happen.

If you were to guess what reasons there might be that it WON’T happen, what would some of those reasons be?

What makes you confident that it will happen?

The people who are inside the machine are usually the least qualified to predict the machine's future

the funny thing is that nobody will ever do that. The moment someone uses quantum computing or any other technology to crack bitcoin in a visible way, the coins they just gave to themselves become worthless because confidence collapses.