The Quantum Security Precipice: Why Michele Mosca is Building Cryptographic Resilience Before It's Too Late

May 20, 2025

Episode Description:  

When quantum computing pioneer Michele Mosca met Peter Shor in the 1990s, he thought quantum computing was "science fiction." Now, he's warning that we're just "a few quarters" away from quantum computers capable of shattering the encryption protecting our global financial system, government communications, and critical infrastructure.

In this must-listen episode, the Oxford-educated mathematician and co-founder of Evolution Q breaks down why symmetric key infrastructure (SKI) and "cryptographic resilience" are essential as quantum computing advances faster than our security preparations. With remarkable clarity, Mosca explains how the nine-year NIST standardization process signals both progress and concerning delays in our quantum readiness.

The interview explores why most organizations are unprepared, how quantum networks could provide a novel security solution, and what businesses should be doing now to protect their long-term data security. Mosca also details the latest breakthroughs in quantum error correction across ion traps, neutral atoms, and superconducting qubits that are bringing us closer to fault-tolerant quantum computing.

Key Topics Covered:

  • The evolution of quantum computing from theoretical concept to imminent reality
  • How close we are to breaking modern encryption standards
  • Evolution Q's innovative approach to quantum resilience
  • The concept of symmetric key infrastructure (SKI) as a defense mechanism
  • Recent breakthroughs in quantum error correction
  • Why organizations need both defense-in-depth and cryptographic diversity
  • The limitations of the NIST standardization process and what it means for security

Episode Highlights:

"I met Don Coppersmith... he told me he was helping a colleague improve his algorithm where you'd trap these atoms and you'd shine lasers on them, do exponentiation and then do a Fourier transform... I thought he was joking. I'd never heard of this before."

"We look at it as an engineering challenge. Oh, how much does it cost to scale this up? By a factor of 10 or 100 or 1,000, but 1,000, it's like 10 bits of security... It's not that much of a security buffer. The one we're used to in cryptography between what we could break and those we can't, we want an enormous gap."

About the Guest: Michele Mosca is a globally recognized leader in quantum computing and quantum-safe security. After earning his doctorate at Oxford, Michele has dedicated over 30 years to the development of quantum algorithms and securing systems against quantum threats. As co-founder of Evolution Q, he develops cutting-edge solutions to build cryptographic resilience against future quantum attacks. Michele has been a crucial bridge between the quantum computing and cybersecurity communities, helping organizations prepare for what he describes as "not just a technology problem" but a fundamental shift in our approach to security.

Connect and Learn More:


  • Stay updated on quantum security developments: quantum-safe.ca
  • Subscribe to SecureTalk on your favorite podcast platform
  • Join the conversation with #QuantumSecurity #PostQuantumCryptography #CyberResilience

 

 

 


Justin Beals: Hello, everyone, and welcome to SecureTalk. I'm your host, Justin Beals. 


Just a quick note before we get started:  I wanted to let everyone know that I'll be attending the Gartner Security and Risk Management Summit from June 9th to the 11th in Washington, DC. Strike Graph will be hosting a sunset cruise on the Potomac on June 10th. If you'd like to join us, please use the link in the episode description to sign up. Also, please stop by the StrikeGraph booth and say hello. Thanks!


And onto our episode:  I'm by nature a very curious person. I'm fascinated by science broadly and especially physics. Friends often laugh at me when I tell them I have a favorite physicist that I like to read. 


One of the major areas of research, and really new findings and learnings in physics, has to do with quantum physics and kind of the quantized nature of the universe and how we deal with that from a mathematical perspective. It all gets really bizarre and mind-bending as you learn more about it, but it is constantly working in some of our most innovative technologies. 


Much of computer science is based upon our understanding of quantum physics and how we're able to predict certain outcomes in the nature of the universe. 


Now of course, this is all getting closer and closer together. You know, we're building computers based upon the literal function of quantum physics, call it quantum computing. It's hard to describe because the words are both technical and fantastical when you start to put them together.


But what we do know is that it continues to hold really powerful promise in what quantum computing can do. And it's not just something that is theoretical anymore. There are quantum computers. We are layering in the error management systems required to function in uncertain spaces, not something computer scientists like to say.


And we are getting very close to a real revolution in the types of computers we build, the types of software we write, and the types of information science that has powered so much of human progress over the last 50 to 75 years. 


But there's a paradox to all this quantum computing opportunity. The same technology that promises incredible advances in medicine, in material science, and climate modeling also threatens to undermine the very foundation of our digital security infrastructure. And unlike many of our cybersecurity threats that kind of emerge overnight, this one has been developing in plain sight for decades, with not a lot paying attention to it deeply, but of course, we don't think it's an immediate problem. 


Now, I've heard the hyperbole around security and quantum computing for a little while now. And I, of course, and as a part of the mission of SecureTalk, want to talk to an expert that can really help highlight exactly where we're at and how dangerous or immediate the problem might be.


And so we look for someone that we could chat with, and we're really fortunate to have them join us today. 


For over 25 years, this individual has been at the intersection of quantum physics, mathematics, and cybersecurity, really translating between these communities and helping prepare our digital infrastructure for the quantum era.


What I find most compelling about our guest's approach is his balanced perspective. He's neither an alarmist predicting imminent doom, nor a complacent optimist assuming solutions will materialize when needed. 


Instead, he's offering a rigorous understanding of both the threats and the opportunities quantum computing presents and practical pathways towards what he calls cryptographic resilience. 


Our guest today is Michele Mosca. Michele serves as co-founder and director of quantum risk management company, EvolutionQ. He also co-founded the Institute for Quantum Computing at the University of Waterloo, where he's a faculty member in the Department of Combinatorics and Optimization. Michele was a founding member of the Perimeter Institute for Theoretical Physics and co-founded Software Q, Inc.


In addition to his academic roles, Michele serves as the chair of the board of directors of the non-profit Quantum Safe Canada and chair of ETSI's Quantum Safe Cryptography Working Group. 


His work has earned him recognition as a fellow of the Royal Society of Canada, the Institute of Physics, and the Canadian Institute for Advanced Research. He received a Commonwealth Scholarship to complete his doctorate in quantum computer algorithms at Oxford University. 


Join me on SecureTalk as we explore the frontier of quantum computing and how we can secure our digital future in a world where the mathematical problems that have protected us for decades suddenly become trivial.





—-

Justin Beals: Michele, thanks for joining SecureTalk today. We're really glad to have you.


Michele Mosca: Well, it's great to be here, Justin. Thanks.


Justin Beals: Excellent. As I was researching this episode, I was just totally impressed with your academic journey as someone that didn't make it past his bachelor's degree. I'm actually a huge fan of great science and good work. Your journey took you from mathematics at Waterloo to being a Rhodes scholar at Oxford where you attained your doctorate in quantum computing algorithm.


And I was just a little curious about how quantum algorithms captured your attention from your early work at University of Waterloo.


Michele Mosca:  Yeah, and it was Commonwealth Scholar, but it's saying that journey.


Justin Beals: Yeah.


Michele Mosca: And sorry, the question was how quantum, yeah.


Justin Beals: Yeah, how did you kind of first start to engage around quantum algorithms? I'm sure it was a discussion in your mathematics work, but the computer science, the applied side, must have been a leap.


Michele Mosca: Yeah. So it was really thinking of myself as a mathematician. I got interested in cryptanalysis with classical computers in the early 90s, just as we were starting. Almost nobody knew about it, but we were starting to use public key cryptography to secure the internet. Didn't even call it the internet, but secure global telecommunications and digital systems in the early 90s. 


And my supervisor, well, my supervisor actually, my academic advisor at Waterloo was Scott Vanstone, who happened to be one of the people trying to champion the development of elliptic curve cryptography in addition to RSA. So I was working on cryptanalysis of other Diffie-Hellman schemes with him. So it was a lot of fun. Got to apply my mathematical know-how, I got to program, so we were trying to implement a lot of code-breaking. You just have to see if it works and test some of your conjectures.


So, it was a lot of fun. Actually, I did. Just ironically, in 94, I met Don Coppersmith at Crypto. And Don's a famous code breaker. I've read his work and was a huge fan. And because he built on earlier work of Scott and then Ron Mullin and others, because they improved some discrete log attacks. Don saw that and came up with the first L1 third, you know, these attacks that were exponential in the cube root of the key length instead of the square root.


And it's because of that. And that was for discrete logs, but then it was generalized to factoring. So both discrete logs and factoring went from attacks that were exponential in the square root to exponential in the cube root. Why does that matter? What it means is if you want n bits of security, you used to need n squared bits of key. But with these attacks, you needed n cubed bits of key.


N bits of key means you have to do 2 to the n work basically to break the code. So you want n to be 128 at least and maybe 256 if you really want to be safe. And the beauty of elliptic curves is you only needed n bit keys on the order of n. So multiple of n, but not n squared or definitely not n cubed bit keys to get n bits of security. So it's a lot smaller.


It's a lot more efficient to get the same amount of security, and almost nobody cared. But he saw the potential in that and his colleagues. And by the late 90s, it was fundamental in enabling the smartphone. Because suddenly you want to put RSA on these very constrained devices, with the performance of back then, it was a problem. 


And ECC was a fundamental enabler, and it became really the method of choice for the US government and many others. Because it's so much more efficient in many ways, it's more secure because it was not susceptible, if you did it right, to these sub-exponential attacks. 

The attacks were kind of naive brute force attacks. was factoring and other Diffie-Hellman schemes. There's ways to start attacking them a little bit cleverly. So that was cool. He was my advisor. I had no clue what was going on. 


So, I met Don Coppersmith. I knew of his work. And I was like, just, hey, like, what are you working on? And he told me, well, he was helping a friend, a colleague of his, turns out it was Peter Shor, kind of improve or tidy up his algorithm where you would trap these, you know, you'd trap these atoms and you'd shine lasers on them, do exponentiation and then do a Fourier transform to see the period. And I kind of understood the mathematics, but I thought he was joking. I thought it was like, yeah, whatever. And then I, I thought,


Justin Beals: It's very sci-fi sounding.


Michele Mosca: Yeah, lied before, right? And I'd never heard of this before. I thought he was joking, accidentally insulted him. And I was like, oh, sorry, I didn't realize you were serious. Then, so anyway, then also Scott also showed me a paper in the early 90s about quantum cryptography. And I looked at it, I said, Oh, this is like science fiction and ignored it. And then when I went to Oxford to keep working on the mathematics underlying communications, again, this damn quantum stuff kept coming up.


And my supervisor happened to be at the same college as Artur Ekert. My supervisor was a famous randomized algorithms person and other discrete mathematics, but they were at the same college and he knew the physicists could break our same ECC easily with this quantum computer, right? And the question was, can you build it? And people didn't know, and they needed more discrete mathematicians to really work on a lot of the problems in the field.


But I thought it was like a total waste of my time. I thought I was really into what I was doing with discrete mathematics and Markov chains and all this cool, you know, Sorry for that beeping. I don't know. Okay. I should just turn off my email.


Justin Beals: No, it's no problem.


Michele Mosca: I'm assuming that was my email.

So, you know, your supervisors, I have supervised many students, they often ignore what I tell them. And I don't mind if they end up doing something more interesting than what I tell them. I'm, you know, not as happy when they do something less interesting than what I told them. But anyway, I was kind of slow walking this quantum stuff. But he kind of insisted, and he introduced me to Artur, and I realized, okay, he's not completely crazy.


And then he said, well, look, I was very skeptical because I was doing just fine. But they were trying to convince me to work on the algorithmics of quantum computing back then. And he said, Well, come to Torino. There's a group of people. Because he was a physicist. He knew we were different DNA. I wasn't. So he wanted me to meet computer scientists, right? That helps. 


Because then we can kind of really cut to the chase and understand each other better. And there I met people, pioneers like Richard Cleve and Peter Shor, Gilles Brassard, who I actually had already met briefly before, but they could explain to me in more mathematical CS terms what we're talking about. And then I was converted. I realized, okay, I was wrong. I met pioneers on the implementing quantum computing side of things. And I realized this was eventually gonna, I learned what quantum error correcting codes. So the pieces started to come together. I realized, okay, this is not a hoax.


And I realized people were, I met Dave Wineland who was already trapping ions back then. He since won a Nobel Prize for it. But I got to meet all these people, and I realized, okay, this is gonna come together. More than 20, it'll take more than 20 years, but I was in my mid-20s, so I realized this kind of makes, let me try it out at least. So I started working on, well, what else, what can quantum computers do? What codes can they break? What codes can't they break?


So I started working on quantum algorithmics. A lot of fun. I mean, a lot of this work is still being used today. Actually, 10 years later, I also started work as we had bigger devices that you could no longer manually program. I started working on other elements of the software stack. So in addition to the algorithmics, how do we compile them? Because we had theorems that said, oh, up to polynomial overhead, it'll all be fine. Polynomial overhead, that'll kill quadratic advantage if you're not careful.


And we actually need the code. So we work on a lot of the elements of compiling, which led to all sorts of cool mathematics problems. So the pure mathematics background was really helpful because we'd analyze the problem and people would say, like, we have to optimize this. And I'd be like, you need matroid theory there. And then they'd go off and we'd solve it. They'd say, what about this? I'm like, well, that's a Diophantine approximation question. Like, completely different areas of mathematics, right?


And we really helped develop the discipline of quantum compilation and quantum software more broadly. So very reluctantly, you know, we got into quantum, but I went through the Schopenhauer phases really rapidly of rejection, you know, ridicule, violently oppose, and then accept the self-evident. So I did that kind of quickly. I did not, you know, it was easy, relatively easy for me because I was new to the field.


To kind of let go of my old assumptions. Other people who've been living with those assumptions for 20, 30 years, they've been a little more reluctant to let go of their old assumptions. Even though we're not throwing them in the garbage, we're really just reinventing and building on those ideas. 


But I was one of the first to be really excited and interested in cryptography and what we now call cybersecurity for the foundations of cybersecurity. Because, of course, cybersecurity is a lot more than cryptography. Cryptography is a fundamental piece of it and quantum computing. So I've been sort of the chief translator between the communities because cryptographers like me, just like I was like, this is BS, not worth my time. That's everybody's instinct. 


And I was trying to eventually say, look, I've been there. I know it, but it actually is not something we should completely ignore. And on the flip side, the quantum people feel like, fixing these codes that we're going to destroy, well, how hard could that be, right? And I've been trying to translate the key messages between the two communities for a long time now.


Justin Beals: I tell my teammates a lot of times that if you can cross-connect two areas of expertise, you can really create a unique expertise. I think your drive from computer science to mathematics and back and forth creates, to your point, a different way of perceiving both opportunities for solutions where other models might have been created that someone like me that just learned to program wouldn't necessarily be aware of.


Yeah. Can I just say I wish that you were my high school mathematics teacher? I complained to this day that I spent hours factoring polynomials, never to understand that they expressed a curve. And if someone had just told me this is a curve in space, I would have found it the most magical idea. You also are leading a company, Evolution Q.


Can you tell us a little bit about what Evolution Q, like a little of the background and where it's going and the problems you're solving?


Michele Mosca: Yeah, the background. It was even when I was a student and so on, I was always interested in people that asked for help in industry or government. I had fun doing that. So I mean, love doing the academic side too, but I also, but usually back then, my supervisor or somebody who would find those opportunities. But as I got more, you know, more senior in the field, you know, as academics, you get really good at telling other people what they should do. And then


Most of them ignore, you know, ignore it. And then every once in a while, somebody would be like, you know, you're making a good point. Can you help us? Right? And I was like, well, I was kind of hoping my talk would be enough for you to get to, but sure, you know. So I was doing consulting opportunistically. I didn't look for it, honestly, but you know, I was really just trying to very passionate and say, look, I'm doing my part, right? I'm studying how to break the codes. I'm figuring out how to fix them, but there's a lot of stuff you need to get ready for. 

And I go off and do it and of course they wanted help and it was so important that of course I would try. But it kind of got too much in the sense that it was not work I could do on my own anymore. It's concretely the CIO of Canada asked me once, what should I do? And I told her, well, your team should get together with my team and we should do blah, blah.

I said, okay, great, let's do that. Of course, I didn't have a team, right? So I had to go put a team together. And then I went and I met my, you know, talked to my colleague who's an expert in quantum communication. And then started talking to my friends, the friends I've made over many years in industry and saying, look, who are like, because I do the top and the bottom of the stack, like I can do the fundamental mathematics, and I can sell the ideas, but then what all the hard work in between? Like I knew I couldn't do that.

So I needed security engineers and people who could really analyze the systems and all that. So we started a professional cert. started, so we need to set up a company because we can provide a lot of the niche expertise, but we really need people who can help us do a lot of the work and let us help more people and better if we had a team. So we built sort putting together a team. We're like professional services company basically.

One of the first services we defined was a quantum risk assessment. Because we realized, as you know, in cybersecurity, the hardest part is not the technology problem. And the more we frame it as a technology problem, the less we succeed. And so one of my wise friends from government said, if I were on the customer side of what you're trying to do, I'd want a threat risk assessment. So I could justify whether I really need to worry about this. I convinced my upper management, blah, blah. I'm like, great, you can lead our quantum risk management.

So we did those things and it was around 2020.

You know, despite being academics, we were pretty pragmatic and well grounded. So my founder, he was at the company that built the first quantum cryptography product about 20 years too early. Right. We do intuitively what product market fit was and what being too soon was. And so we're very customer focused. While we had strong views on what works and what doesn't work, what people maybe should do, we're also very pragmatic.

You have to meet them where they are, right? Like that's the critical thing that I've just, by luck, I've always been lucky to be at the interface of the people who were building on the research. So if you want to do something together, you kind of have to meet them where they are. And so in 2015, nobody was ready for quantum. Well, this is before, like this is before the NSA announcement that we started the company. So nobody, almost nobody cared about, we did.

I was also very aware that almost no one else does. And I was trying to get people excited and occasionally I would succeed, and it was heating up enough that I thought it was time to set up a company. And then the PQC stuff really started ramping up in 2015, 2016 or so. Again, I've been working on this effectively since 1996, and then part of the rogue academic community who cares about this.

And the problem, we said, look, we're going to, you, what's your business plan? Well, our plan is to help people and then come up with a plan because we obviously want to be a product company or not. Like either we're going to be a successful product company or we'll just stay a services company. But we obviously wanted to be a product company, but obviously we need a product that actually created value and that we could do better than anyone else. And that people wanted the value that it would create. 

And we started seeing it around 2020, where all the quantum innovation, which is starting to heat up more and more, was spawning a lot more investment in building these quantum networks to do quantum cryptography, to achieve these awesome key exchange functionalities, which the practical cybersecurity world profoundly did not care about.

They totally ignored it, and if they paid attention to it, it was to cheap-shot it. And explain how useless and pointless it was, which I found not helpful at all. I found that culture clash not constructive, but there was money being put into it. And I believed, I knew where this was going, right? Because although, but there's this problem and that problem, we know. We know that. We can solve every one of those problems, and let's give them a chance to solve them. On the flip side, you know, just achieving the physics, the technology side, you've only done 10% of the heart, like you got to do all the other stuff. And so we kind of architected, you know, again, we've been working on this along with others in academia for many years, like how would we, let's look at where the puck is going. We have these networks, how are we really going to, because these one-off gimmicky POCs where you manually grab keys from your boxes, put them into a, you know, video chat and say, like, if I say, I want that on my 10,000 node network, you're not ready to do that.

So we really architected a simple, elegant way, what we call the quantum delivery network, to turn these heterogeneous point-to-point links into what, to the application layer, looks like a fully meshed network, but in a way that was sound, cryptographically sound, efficient, scalable, interoperable. You don't have vendor lock-in at the hardware layer and so on. So that was our first product, which is really coming more from the innovation quantum world and bringing it one really, really important step closer to being a useful cybersecurity tool. 

And then that was kind of the first product. And the second product is really, I'll just fast track it, a way to achieve the same sort of end-to-end key exchange, but without quantum technology. And that was really for people who couldn't care less about quantum networks.

But they wanted resilience. So maybe I should have, to sum up, we really realized the way the world is heading, we don't just need scalable security for the Internet, we need scalable resilience. In the 80s, we didn't really protect the Internet. Nobody even knew what it was. And wasn't protecting. There wasn't a lot to protect. In the 90s, when we decided we were to use this for finance and government, well, we need to make it secure. 


And by the late 90s, it was clear PKI is the way they get scalable security because you took all of the pain in the ass part of, you know, securing communications was out of band key exchange, managing the keys. It gets a nightmare to do it scalably. Then PKI does a lot of the out of band stuff in-band, not everything, as you know, the certificate authorities and anchors of trust, but one of the heavy lifting is in-band.

Was a fundamental enabler of last 30 years of economic growth. So what meant, but it's sort of, its own success meant it's now an existential threat if this stuff is broken. So the stakes are higher, the threats are fiercer, it, Shor's algorithm is not what worries me, because we know about it. I don't, we don't, I've been working quantum algorithms for 30 years, we actually don't know what they're good at, right? 

And now combined with AI, on the ingenuity side and then if you do break something how quickly you could exploit it. Like, one natural reaction would be to panic, right? But you don't need to. I think you just have to do the same thing we did with authentication. When passwords stopped being, they worked fine for a long time, right? But then we relied on them more, adversaries got better. We just started developing multi-factor authentication. So we knew we needed some sort of MFA type approach.

And there's really only, you know, there aren't that many magical ways to exchange keys. So we took the symmetric key approaches. We think sort of symmetric key infrastructure as we're calling it is really the scalable way to achieve two things. Resilience through defense in depth. Of course, defense in depth, you need diversity. If your authentication is almost going to have two passwords, that's not going to help. You know, there's layers, but the more different they are, the better.

And I know they all have their strengths and weaknesses, but that's kind of the Swiss cheese model of as long as the weaknesses are different, you get a really stronger outcome. And so the SKI approach, which again, quantum networking and QKD is kind of like the biometrics or it's like kind of the next, it's yet another mode to add so we can have this cryptographic resilience. So let's just prepare it and embrace it, and use it when we can be able to use it more and more and it'll be cheaper and so on.

So, in addition to the resilience, the defense in depth, but also the cryptographic primitives of symmetric key cryptography are long considered more robust, right? Cause it's one way function-based. It's not like to get that magic of in-band key exchange, there's a price and they need some mathematical complexity, which I love. And I think it's great and we should use it, but it's more complex.

The symmetric key primitives are generally considered less risky from a long-term security perspective. So applications really needing long-term security are very, very low risk tolerance. The symmetric key techniques are useful. They're a helpful addition to the public key method. So this is a new category, because up until recently, who cared about cryptographic resilience?

Now, when we're seeing quantum makes it viscerally concretely real that these codes really can be broken. And two of the NIST shortlisted candidates were broken. So the idea that they probably won't be broken, but it's not probably bet your house on it. So you do need that additional resilience and defense in depth. So we saw this new category emerging, and that's where there was a product opportunity, because it didn't exist. So it's not like the existing people just do it.

No, they're busy trying to catch up with their PQC migration. There's really an opportunity for newcomers to create this category.

Justin Beals: That's exceptional. The thing that I think is really true, and you mentioned it, we've seen this in computing or networked computing over the era in which we've been operating, is that we're finding new applications for these tool sets. Then security has to keep up with, we want to use the internet for government and finance, right? And certainly, I think that I'm curious where you see the state of quantum computing as a solution from a computing perspective broadly, 

What do you think the state of the computing tools are right now in its best applications?

Michele Mosca:  Yeah, so it's way, way ahead of where we were 30 years ago, right? There's a lot of people like the harp on, well, it's still not at this level. I'm like, I know, but I didn't know. 

Where I was in 1996, in 1996, we had a proof of concept that we can correct quantum errors. And it was basically a theorem that said if A, B, C and E are true, and we knew they were almost not going to, certainly not going to be true, but they weren't completely ridiculous. 

Then with some completely absurd overhead, you know, we could get, we can actually correct errors. And practically people said, but that's not reasonable, it'll never work. I'm like, look, from impossible to nearly impossible, that's a big leap. And then over the next 10 years, guess what? Those assumptions were removed or improved, the error rates are improved, we got nearest neighbor, because one of the assumptions was every qubit can instantaneously or within one clock cycle talk to any other quantum bit. And we're like, I don't know how to do that. And so when people realized they found a way with just a nearest neighbor, like a mesh, and you only talk to some nearby qubits, you can actually tolerate a 1% error, whereas in 96, it was like a 10 to the 1 in a million error with all sorts of unreasonable architecture assumptions.

So we came a long way, and we've had other leaps and bounds just in the last five years with another family of codes called low-density parity check codes. We're orders of magnitude closer to this. And we're now, if you think of all the stages to get a cryptographically relevant or commercially useful quantum computer that is fault tolerant, large-scale, we've come several orders of magnitude. We're in the last one or two phases now.

And we're now in the era of fault-tolerant quantum error correction, where we're validating at very substantial scales the hypothesis that quantum error correction actually works. We knew it would, but that was really extrapolating what we knew, just say, here's the results. But now we have three different platforms.

So it's not like one platform did it, and we're like, no one else was able to recreate it. You got the ion traps, neutral atoms, and superconducting qubits are doing massive hundreds of thousands of physical qubit experiments, validating that look, you do error correction, and you reduce the error rate and use a bigger code, and you reduce the error rate more. Like, those are the kinds of things they're showing. It's still early days, but we've come a long way. 

Now let me step back maybe five, ten years. Back then, we crossed once we had close to 50 to 100 physical quantum bits with a low enough error rate; you could do some completely artificial tasks nobody cared about that would take astronomically more resources on a regular computer. So we kind of validated the hypothesis, and we reached a point where I couldn't say, well, I could just do that on my laptop, right?

Finding something useful to do with these noisy intermediate-scale devices. You know, some people will argue, we found some useful commercial applications. And then maybe they are useful. I've not done due diligence on many or most of them. But I think it's fair to say most people don't believe these are massive, you know, wealth-generating applications just yet. But I think it's a very valuable R&D tool at the very least.

And I don't want to rule out the serious people are saying, no, we actually, we can use a quantum computer to get us to train our neural networks at the same quality, but much lower cost than a supercomputer. So who am I to tell one of the largest banks in the world they're wrong? So some people are finding these applications. They're not economic game changers just yet.

But now, but that was not fault-tolerant yet. To me, the most important application of noisy intermediate scale quantum bits is implementing error correcting code that you can scale up to many qubits.

Now we are soon reaching the regime, like soon I mean in a few quarters, where we'll have more logical qubits than we can simulate on a classical computer. So that'll be a whole other era that we're in. And honestly, once we're at 100, it only takes two to 4,000 to start breaking public key cryptography. 

And we have to keep in mind, like you don't have that many bits of security, right? The gap between... Like, Shor's algorithm is very efficient. So it's not like, I just add another 100 bits to my ECC key and I'll be fine. It's like, well, no. Like that doesn't... It's a poly time algorithm. You don't get... there's not 100 bits of security gap between having 100 logical qubits and having a thousand logical qubits. You're scarily close.

We look at it as an engineering challenge. Oh, how much does it scale this up? By a factor of 10 or 100 or 1,000, but 1,000, it's like 10 bits of security, right? I mean, just loosely hand waving here and somewhat comparing apples and oranges, but just trying to, the analog, it's not that much of a security buffer. The one we're used to in cryptography between what we could, the codes we can break, the key parameters we can break and those we can't, we want an enormous gap today and because quantum algorithms are so efficient, once we have a few hundred or even a hundred logical qubits, we're tremendously close to quantum code breaking. 

I'm not sure I answered your question about the useful applications, but I think what I want to say is quantum validated, I mean, quantum code breaking validated, is, and then finally, use cases, honestly, very few organizations have been trying very hard. Many, okay, so some are, but a lot of them are hyper-focused on NISQ and short-term wins. And guess what? Many of them are not getting some massive ROI if you're measuring it by how much money are, you... So I think the short-term breakthroughs in ROI we should absolutely look for, but I think we need to take a longer view.

Look at what fault-tolerant quantum computers can do, too. It's the same journey. You've to find the problems, see if there's at least an asymptotic possibility, and then see if you can optimize it and achieve it with a small quantum volume that today's devices can do. So it's the same exercise, but I think if we renormalize our expectations and realize the potential impact is astronomical, so we should be happy with a small probability of success to justify exploring it. And it can be rapid, right? Sure, like we went from zero impact on RSA to it's broken. It wasn't incremental. I think businesses need to do that. More and more are doing that. Again, too many are probably looking for the easy, quick win. But it's not a spectator sport. You need to get your serious R&D teams engaging with quantum computing experts.


Justin Beals:  Yeah, I have played with some of the programming tools. You know, it's my favorite interface for understanding how something works a little bit. It's my old lever. And, you know, definitely as I think there was a system that I was playing with that would allow you to put in more classical programming, and it would translate that classical style programming to something that was more of an optimized way. You might program a quantum computer. And of course I remember the days where I had to set aside a memory space for an allocation and reference it and stuff like that. 

And just moving from like and or modalities into quantum decision matrices reminded me of the switch into data science where I, all of a sudden I wasn't dealing with, you know, kind of something I could rely on, you know, this value is in this memory location, but something that was a probability.

And I feel like both our hardware and our software, you know, when we think about AI are kind of moving on similar tracks, and they will conjoin at some point and support each other.

Michele Mosca: The hardware and the software? 

Justin Beals: Yeah, in that, you know, we have these quantum computers that are probabilistic, you know, where we're setting a bit or there's fault tolerance issues or error issues, and we need to think about computing on more probabilistic terms than completely fault tolerant terms.

Michele Mosca: I see. Yeah, I think, well, there's a whole stream that tries to, like, what are problems where the noise and the, you know, maybe isn't so detrimental, and we can still get some advantage. Yeah, yeah. Or where, I mean, there are probabilistic algorithms too. So there is a stream that tries to, you know, leverage the quantum coherence we have and still look for examples where the noise doesn't kill.

It's not hard to be honest, but I think not a lot of people have tried to mature that. And there's an example I know of with algorithmic cooling, where ideally we'd like this coherent, basically quantum data compression algorithm to help cool or reduce, you know, increase the polarization of our bits. So this is one use case, magnetic resonance imaging, right?

And ideally, we want this perfect error corrected, better compression. But we found a way where even if there's some noise, it'll still cool the system. And you'll get more polarization, a better image with weaker magnet, all the good stuff we want. But found an example where you didn't need perfect coherence. Yeah.

I mean, it's funny with quantum computing because on the one hand, we're working with the low-level stuff from the 60s and 70s, circuit description languages. But then we have all these amazing, fancy, insightful new tools with functional program, whatever it is now, call it nowadays. And these two worlds, I mean, you need smart people to kind of figure out, where do we want to use, where should we still be doing it the old way? But how can we leverage the last many decades of insight in software engineering and so on?

So it's exciting to see the field mature. And they're even looking at, okay, so I have a quantum processor alongside my GPUs and blah, blah, blah, blah. How do I stitch these together to solve my business problem? So they're even looking at the software platforms. Because when you go beyond POC and you really want to use it in real-world systems, and you want it to be efficient to, and like, I don't know of any quantum algorithm that doesn't need fast classical processing. 

So it's always going to be integrated with fast classical computing, FPGAs and whatever else. So we do need to anticipate how are these architectures going to converge and run together. It's not my area of expertise to be honest. More, I've done the compilation, the building blocks of efficient compilation, but I've, you know, mentored and seen other people try to stitch it all together into a real useful platform.

Justin Beals:  Yeah. So NIST here in the United States National Institute of Science and Technology has been working on selecting some post-quantum algorithms for standardization. And I just love your thoughts on how that process is run and also how the outcomes have looked to you in trying to develop some of these security tools.

Michele Mosca: I think they've done an amazing job. They stepped up, so first of all, they've been kind of preparing. We're getting some internal know-how and experience, and they are having workshops before the NSA announcement in 2015, requesting the standards, because really, standards should be developed because people need them. Sorry.

So there were serious users and authorities who wanted these standards and NIST stepped up. And you know, it took nine years to come up with the first steps, right? And that worries me, I mean, but I don't think they could have gone faster. So that's where we need to keep that in mind because what about the next time? Are we going to have nine years to after somebody asks for, it just took many years for them to decide to make that decision.

But I thought they did a really impressive job of engaging the global community. Like a lot of the work was done abroad, outside of the US, but the US showed leadership and vision. So everybody put a lot of effort into the game. It wasn't that the US did everything for the rest of the world, but the US did bring a lot to the table in terms of leadership and expertise. 

It was done in a transparent way, so people kind of trust it. So I think it's to me that was a success story, and that the world we did come together and you know many players contributed, came up with trustworthy algorithms. There's still a long way to go, obviously, under the current you know efficiencies and so on, the team is you know going to be strained in terms of capacity, but we're all hoping there's enough capacity to keep this important work going. Because it's most important, obviously, for the US, but the rest of the world. They really played a valuable role in convening global experts to really work on this common problem.

Justin Beals: I love how they did it in a very open way. I think you and I would agree that we like the fact that we can allow the broader marketplace of ideas to pressure test some of these security concepts, that there's not a lot of security and secrecy actually. Yeah.

Michele Mosca: Yeah. I mean, trust, we need trust, but you need trustworthiness. And the process was really fundamental in getting a result that people would actually trust.

Justin Beals: Yeah. So I'm curious about, we always ask about the future a little bit, Michele, and, you know, your impression of it. I feel like, of course, quantum computing from a computer science perspective is, I think, a big part of where the future is. And, then your focus on the securitization of both the systems and the networks and the data we provide, but what worries you, what are you excited about as you think about maybe the next three to five years? I think sometimes we look too far out. Very hand-wavy. Yeah.

Michele Mosca: Well, one thing that worries me, but there's a positive side to this, like this so-called quantum threat. Nobody's, well, we're not, most of us, any working on quantum computing, we're not building it to try to break anything. We're trying to harness all this amazing possibility to create new materials that make the world better, and like, value, and solve important problems for humanity. Just so happens it breaks these codes.

In the grand scheme of all our security problems and cybersecurity, I don't think it's, can't really draw a line between cybersecurity and security. And this is just, this is one of the really simpler to understand and resolve ones. And there's, I would say, clear market failures in how, like, why did it take so long? And many of us really pushing the rope, like nobody was paying us to, like we were just doing it because we were passionate about it, instead of doing our day job.

So that's not a great model for resolving really important problems. And it was just, you see all these mismatches where a lot of enthusiasm to create the problem, but then there's a gap right between the problem it creates and where the cybersecurity world is able to meet it. 

Cybersecurity is drowning. Like we're failing cyber security, I think it's getting worse, right? So saying, but they'll just magically, in addition to what they're already dealing with, they're supposed to prevent this potentially massive catastrophe that quantum causes. building people are drilling. I'll probably be able to fix that later. It's like, well, whose job is it to, because a lot of the quantum, most of the quantum strategies or a lot of the proponents, and like, yeah, it's not our problem, you know, or we have the NIST algorithms now, no thanks to us, but now it's resolved, right? It's like, no, and like, whose job is that anyway? So why are we failing? And then the other gap was, but quantum creates this new key exchange capability, which is amazing. Like imagine a world where there's end-to-end quantum entanglement, why wouldn't you use it to do exchange keys?

And yet, but there's a gap to turning it into a real, usable, scalable, certified product. So a lot of boring stuff that not many people want to do. And it's like, who's in charge of that? Right? Again, I don't think it makes sense to say, well, you guys who are drinking water from a fire hose and defending against today's threats, can you figure that out too? Like they're obviously not. So there's a lot of, so many different kinds of gaps in policy and in risk sort of innovation policy, economic, industrial policy, but also risk governance. Like, why are we, part of it is I think, because cryptography is invisible. Like when it was a guy, somebody with a briefcase, it was an explicit physical product or company doing the cryptography, it'd be in your risk register somehow, right? You'd see the concentration risk. You'd see the supply chain risk. This is a mathematical algorithm sitting there.

We're not saying, but wait, somebody who can solve a math problem can basically hijack that critical dependency in our supply chain, and it's systemically owned by an average, like, I don't see our risk models properly modeling and dealing with that in a responsible way. So on the one hand, I'm very worried. On the other hand, quantum has now shined a light on this in a way that  I call a blessing in disguise.

Because it's bright enough that for the more, you know, kicking and screaming, but we're kind of seeing it and acknowledging it and hopefully by mitigating, it's triggering kind of an immune response and the new sort of frameworks we're now going to use to handle the so-called quantum threat. If we do it properly, if we take advantage of this, don't just kind of quickly slap a band-aid on it, now please go away. If we get into properly managing our cryptography,

And just identify what were we missing in our risk governance? What was it? And let's fix that. I think we will be much better positioned to deal with a lot of the unexpected challenges of the future. Again, scalable cryptographic resilience is one part of making things better going forward. But I'm sure there's other things that we're understanding and addressing as we go forward.

Justin Beals: One thing that definitely resonates with me, Michele, is that I think of all the people I've talked to in the security industry broadly. Everything from physical security to security leadership to cybersecurity is that almost everyone feels overwhelmed. And they are kind of drowning in a sea of challenges and a lot of times feel like they're treading water more than making real progress. And I think that we should be sensitive about looking for tools.

To your point, that solve all those problems instead of effective practices and building a capacity for it. I think it's just the best way to set up for a positive result. Kelly, this has been amazing. I really appreciate it. Obviously, your expertise is fun and given me an insight into a space that I love learning about. And so we're really grateful for you spending time with us.

Michele Mosca: Well, it's been a lot of fun chatting with you, and I hope it's helpful to your listeners as well, as we all have some role in making the world more secure and a safer place that then also sees all these positive opportunities. So I hope it's helpful and interesting for them as well.

Justin Beals: Wonderful. All right. Thanks for joining us, everybody, today, and we'll see you next week.




 

About our guest

Michele Mosca, CEO and Founder, EvolutionQ

Michele Mosca is the CEO and co-founder of evolutionQ, a start-up that provides scalable defense-in-depth with post-quantum cryptography (PQC) and quantum key distribution (QKD) software solutions for cryptographic resilience and quantum-safe security.

Michele is a renowned expert in cryptography and among the world's leading experts at the intersection of quantum computing and cybersecurity. He has been instrumental in working with the business community to share the importance of cryptography as a critical cybersecurity control protecting both data and communications.

Prior to evolutionQ, Michele was a founder of the world-leading Institute for Quantum Computing, a Professor in the Department of Combinatorics & Optimization at the University of Waterloo, and a founding member of the Perimeter Institute for Theoretical Physics. His work on quantum computing has been published widely in top journals and textbooks.

Michele worked on cryptography during his BMath (Waterloo) and MSc (Oxford) and obtained his Doctorate (Oxford) in Quantum Computer Algorithms. He was appointed as a Knight in the Order of Merit by the Government of Italy in 2018. The Knighthood recognizes Michele’s contributions in quantum information science and digital security, as well as teaching and outreach.

Justin Beals, Founder & CEO, Strike Graph

Justin Beals is a serial entrepreneur with expertise in AI, cybersecurity, and governance who is passionate about making arcane cybersecurity standards plain and simple to achieve. He founded Strike Graph in 2020 to eliminate confusion surrounding cybersecurity audit and certification processes by offering an innovative, right-sized solution at a fraction of the time and cost of traditional methods.

Now, as Strike Graph CEO, Justin drives strategic innovation within the company. Based in Seattle, he previously served as the CTO of NextStep and Koru, which won the 2018 Most Impactful Startup award from Wharton People Analytics.

Justin is a board member for the Ada Developers Academy, VALID8 Financial, and Edify Software Consulting. He is the creator of the patented Training, Tracking & Placement System and the author of “Aligning curriculum and evidencing learning effectiveness using semantic mapping of learning assets,” which was published in the International Journal of Emerging Technologies in Learning (iJet). Justin earned a BA from Fort Lewis College.
