A fully-fledged quantum computer that can be used to solve real-world problems. For many computer scientists, the arrival of such a device would be their version of the Moon landings: the final achievement after many decades of research -- and the start of a new era.
For companies, the development could unlock huge amounts of wealth, as business problems previously intractable for classical computers are resolved in minutes. For scientists in the lab, it could expedite research into the design of life-saving drugs.
But for cryptographers, that same day will be a deadline -- and a rather scary one. With the compute power that they will be capable of, large-scale quantum devices effectively pose an existential threat to the security protocols that currently protect most of our data, from private voice notes all the way to government secrets.
The encryption methods that are used today to transform data into an unreadable mush for anyone but the intended recipients are essentially a huge maths problem. Classical computers aren't capable of solving the equation in any useful time frame; add some quantum compute power, though, and all of this carefully encoded data could turn into crystal-clear, readable information.
The heart of the problem is public key encryption -- the protocol that's used to encode a piece of data when it is sent from one person to another, in a way that only the person on the receiving end of the message can decode. In this system, each person has a private cryptography key as well as a public one, both of which are generated by the same algorithm and inextricably tied to each other.
The publicly-available key can be used by any sender to encrypt the data they would like to transmit. Once the message has arrived, the owner of the key can then use their private key to decrypt the encoded information. The security of the system is based on the difficulty of figuring out a person's private key based on their public one, because solving that problem involves factoring huge amounts of numbers.
Inconveniently, if there's one thing that quantum computers will be good at, it's crunching numbers. Leveraging the quasi-supernatural behaviour of particles in their smallest state, quantum devices are expected to one day breeze through problems that would take current supercomputers years to resolve.
That's bad news for the security systems that rely on hitherto difficult mathematics. "The underlying security assumptions in classical public-key cryptography systems are not, in general, quantum-secure," says Niraj Kumar, a researcher in secure communications from the school of informatics at the University of Edinburgh.
"It has been shown, based on attacks to these keys, that if there is quantum access to these devices, then these systems no longer remain secure and they are broken."
But as worrying as it sounds, explains Kumar, the idea that all of our data might be at risk from quantum attacks is still very much theoretical. Researchers have developed quantum algorithms, such as Shor's algorithm, that can, in theory, break public-key cryptography systems. But they are subject to no small condition: that the algorithms operate in a quantum computer with a sufficient number of qubits, without falling to noise or decoherence.
In other words, a quantum attack on public-key cryptography systems requires a powerful quantum computer, and such a device is not on any researcher's near-term horizon. Companies involved in the field are currently sitting on computers of the order of less than 100 qubits; in comparison, recent studies have shown that it would take about 20 million qubits to break the algorithms behind public-key cryptography.
Kumar, like most researchers in the field, doesn't expect a quantum device to reach a meaningful number of qubits within the next ten or 20 years. "The general consensus is that it is still very much a thing of the future," he says. "We're talking about it probably being decades away. So any classical public-key cryptography scheme used for secure message transmission is not under imminent threat."
NIST, the US National Institute of Standards and Technology, for its part estimates that the first quantum computer that could pose a threat to the algorithms that are currently used to produce encryption keys could be built by 2030.
Don't let the timeline fool you, however: this is not a problem that can be relegated to future generations. A lot of today's data will still need to be safe many years hence -- the most obvious example being ultra-secret government communications, which will need to remain confidential for decades.
The quest for quantum-safe
This type of data needs to be protected now with protocols that will withstand quantum attacks when they become a reality. Governments around the world are already acting on the quantum imperative: in the UK, for example, the National Cyber Security Centre (NCSC) has accepted for several years now that it is necessary to end reliance on current cryptography protocols, and to begin the transition to what's known as 'quantum-safe cryptography'.
Similarly, the US National Security Agency (NSA), which currently uses a set of algorithms called Suite B to protect top-secret information, noted in 2015 that it was time to start planning the transition towards quantum-resistant algorithms.
As a direct result of the NSA's announcement five years ago, a global research effort into new quantum-safe cryptography protocols started in 2016, largely led by NIST in the US. The goal? To make classical public-key cryptography too difficult a problem to solve, even for a quantum computer -- an active research field now called 'post-quantum cryptography'.
NIST launched a call for help to the public, asking researchers to submit ideas for new algorithms that would be less susceptible to a quantum computer's attack. Of the 69 submissions that the organization received at the time, a group of 15 was recently selected by NIST as showing the most promise.
There are various mathematical approaches to post-quantum cryptography, which essentially consist of making the problem harder to crack at different points in the encryption and decryption processes. Some post-quantum algorithms are designed to safeguard the key agreement process, for example, while others ensure quantum-safe authentication thanks to digital signatures.
The technologies comprise an exotic mix of methods -- lattices, polynomials, hashes, isogenies, elliptic curves -- but they share a similar goal: to build algorithms robust enough to be quantum-proof.
The 15 algorithms selected by NIST this year are set to go through another round of review, after which the organisation hopes to standardise some of the proposals. Before 2024, NIST plans to have set up the core of the first post-quantum cryptography standards.
NCSC in the UK and NSA in the US have both made it clear that they will start transitioning to post-quantum cryptography protocols as soon as such standards are in place. But government agencies are not the only organisations showing interest in the field. Vadim Lyubashevsky, from IBM Research's security group, explains that many players in different industries are also patiently waiting for post-quantum cryptography standards to emerge.
"This is becoming a big thing, and I would say certainly that everyone in the relevant industries is aware of it," says Lyubashevsky. "If you're a car manufacturer, for example, you're making plans now for a product that will be built in five years and will be on the road for the next ten years. You have to think 15 years ahead of time, so now you're a bit concerned about what goes in your car."
Any product that might still be in the market in the next couple of decades is likely to require protection against quantum attacks -- think aeroplanes, autonomous vehicles and trains, but also nuclear plants, IoT devices, banking systems or critical telecommunications infrastructure.
Businesses, in general, have remained quiet about their own efforts to develop post-quantum cryptography processes, but Lyubashevsky is positive that concern is mounting among those most likely to be affected. JP Morgan Chase, for example, recently joined research hub the Chicago Quantum Exchange, mentioning in the process that the bank's research team is "actively working" in the area of post-quantum cryptography.
That is not to say that quantum-safe algorithms should be top-of-mind for every company that deals with potentially sensitive data. "What people are saying right now is that threat could be 20 years away," says Lyubashevsky. "Some information, like my credit card data for example -- I don't really care if it becomes public in 20 years. There isn't a burning rush to switch to post-quantum cryptography, which is why some people aren't pressed to do so right now."
Of course, things might change quickly. Tech giants like IBM are publishing ambitious roadmaps to scale up their quantum-computing capabilities, and the quantum ecosystem is growing at pace. If milestones are achieved, predicts Lyubashevsky, the next few years might act as a wake-up call for decision makers.
Consultancies like security company ISARA are already popping up to provide businesses with advice on the best course of action when it comes to post-quantum cryptography. In a more pessimistic perspective, however, Lyubashevsky points out that it might, in some cases, already be too late.
"It's a very negative point of view," says the IBM researcher, "but in a way, you could argue we've already been hacked. Attackers could be intercepting all of our data and storing it all, waiting for a quantum computer to come along. We could've already been broken -- the attacker just hasn't used the data yet."
Lyubashevsky is far from the only expert to discuss this possibility, and the method even has a name: 'harvest and decrypt'. The practice is essentially an espionage technique, and as such mostly concerns government secrets. Lyubashevsky, for one, is convinced that state-sponsored attackers are already harvesting confidential encrypted information about other nations, and sitting on it in anticipation of a future quantum computer that would crack the data open.
For the researcher, there is no doubt that governments around the world are already preparing against harvest-and-decrypt attacks -- and as reassuring as it would be to think so, there'll be no way to find out for at least the next ten years. One thing is for certain, however: the quantum revolution might deliver some nasty security surprises for unprepared businesses and organisations.