As long as there\u2019s been war \u2014 or proxy wars like politics and finance \u2014 there\u2019s been cryptography. Soon after the first cryptography \u2014 the first attempt to communicate a secret message for whatever reason \u2014 came cryptanalysis, the attempt by outsiders to \u201cread\u201d that message. Code makers propagate code breakers, and vice versa. Technologies and codes give up their secrets. That dynamic mirrors, over many centuries of human conflict, the drive for dominance through ever more potent military technologies. Like armies, cryptography and its sibling cryptanalysis have engaged in a seemingly eternal and mutually reinforcing arms race that continues to this day.1<\/sup><\/p>\n Warfare may be an incubator of cryptography, but today many industries depend on cybersecurity to function. The security of email, passwords, financial transactions, even electronic voting systems requires security objectives such as confidentiality and integrity. Banks send vast payment flows that must be secure against cyber criminals. Consumers use credit cards and payment apps to buy and sell on the internet. Governments not only need to communicate securely, but they are huge repositories of classified secrets. And, of course, militaries, which communicate digitally and increasingly depend on data gathering and computer power, view cryptography as both a powerful offensive tool and a potentially large national security vulnerability.<\/p>\n Today, cybersecurity, cryptography and cryptanalysis are colliding and threatening to disrupt the sprawling network of secure communications that has emerged from the development of asymmetric or public key cryptography. The most famous cryptographic technology, known as RSA, was developed secretly in Great Britain in 1973 and\u00a0rediscovered<\/a>\u00a0in the U.S. in 1977 by Ronald Rivest, Adi Shamir and Leonard Adleman (the R, S and A of RSA).2<\/sup>\u00a0RSA has proved to be highly secure, and for more than 40 years it has provided relative cryptographic stability, so much so that Philip Zimmermann, the inventor of Pretty Good Privacy (PGP), which provides strong, RSA-type cryptography for email, has described it as \u201cthe golden age of cryptography.\u201d (Zimmermann has less admiringly called our times \u201cthe\u00a0golden age of surveillance<\/a>.\u201d3<\/sup>)<\/p>\n If the study of cryptography tells us anything, stability is not eternal, particularly in an age of such rapid technological advances. The greatest threat today emerged from a speculative lecture titled \u201cSimulating Physics with Computers<\/a>\u201d that physicist Richard Feynman gave in 1981 at MIT.4<\/sup>\u00a0Feynman imagined what today would be called a quantum computer, which uses the quantum behavior of elementary particles to calculate and compute with enormous speed. Quantum computers are still in their infancy, the challenges to their development remain immense, and there\u2019s little consensus about how long it will be before they can break RSA. However, they do pose a potential threat to the current regime by performing calculations that are beyond the range of the fastest supercomputers, thus opening the possibility for what one policymaker calls \u201ca quantum cryptocalypse<\/a>.\u201d5<\/sup><\/p>\n The threat has stirred up the efforts of hundreds of the world\u2019s cryptographers to understand it and develop responses and new security standards for both classical and quantum computers. These efforts are complicated by the reality that a cryptographic method is normally effective only as long as it remains relatively secure itself. That\u2019s what remains special about RSA, whose specs have been available since the 1990s. Although the technologies are new and complex, the problem is ancient.<\/p>\n Quantum computing (QC) gives rise to many questions, such as: What threats does it pose? Can QC, like other new technologies, be used for both offense and defense \u2014 for cryptography and cryptanalysis? Can RSA adjust and evolve, or do we need entirely new methods? Is there, in fact, any truly unbreakable cryptographic method? In this article, we will survey the history of cryptography before turning to the latest disruption on the horizon.<\/p>\n In the introduction to his history of cryptography,\u00a0The Code Book<\/em>, Simon Singh describes what he calls the evolution of codes: \u201cEvolution is a wholly appropriate term, because the development of codes can be viewed as an evolutionary struggle. A code is constantly under attack from codebreakers. When the codebreakers have developed a new weapon that reveals a code\u2019s weakness, then the code is no longer useful. It either becomes extinct or evolves into a new, stronger code.\u201d6<\/sup><\/p>\n Initially, codes were literally hidden.7<\/sup>\u00a0In ancient Greece, a messenger\u2019s head was shaved and a message written on his skull. As a result, the messenger would have to wait for his hair to grow back before departing. This form of coding is called steganography: The message is in a readable format, but its location is hidden. In China, messages were written on thin pieces of silk, covered in wax and swallowed by messengers. In Italy, they were written in organic ink that could not be seen until heat was applied. The downside was that once these techniques became common knowledge, they were easily decrypted and lost their value.<\/p>\n In time, cryptographers moved on, replacing the readable format with a seemingly random sequence of numbers and letters. The aim was less to hide the message than to disguise the information contained in it \u2014 to encrypt it. Julius Caesar, according to Roman historian Suetonius, used an encryption method for his private correspondence that involved shifting letters of the alphabet by a known amount to produce an unreadable string of seemingly random letters.<\/p>\n For centuries, this type of encryption was thought to be unbreakable. However, as Europe emerged from the Middle Ages, nations increasingly used code breakers to read the diplomatic correspondence of other states. For a time, France dominated code breaking through the efforts of Fran\u00e7ois Vi\u00e8te, a privy councillor, lawyer and mathematician who found the key to the so-called Spanish ciphers, consisting of some 500 characters. King Philip II of Spain refused to believe his ciphers could be broken and demanded the pope execute Vi\u00e8te for witchcraft. Because the Vatican could also decrypt Spanish messages, Vi\u00e8te remained safe.<\/p>\n These types of ciphers had a name \u2014 \u201cmonoalphabetic,\u201d which also describes their flaw. Once the language of the message is known, code breakers can use a letter-frequency database to identify the most common letters and words. In English, the most common letter is \u201ce.\u201d This method is called frequency analysis.<\/p>\n In the 16th<\/sup>\u00a0century, a French diplomat named Blaise de Vigen\u00e8re moved decisively past the flaws of monoalphabetic coding. Rather than use just one alphabetic cipher, the Vigen\u00e8re method employed multiple ciphers \u2014 hence its name, polyalphabetic. It used a plaintext alphabet followed by 25 cipher alphabets, each successively shifted by one letter; this is known as a Vigen\u00e8re square. To unscramble a message, the recipient only needed to know which row of the Vigen\u00e8re square was used to encode each letter. This was achieved by using a keyphrase. The Vigen\u00e8re cipher was invulnerable to frequency analysis; a letter that appeared multiple times in a ciphertext represented multiple plaintext letters and generated tremendous complexity for cryptanalysts. The cipher also offered a huge choice of keys. The sender and the receiver could agree on any word in the dictionary and any combination of words, even fabricated words. The cipher became common in the 17th and 18th centuries, and the development of the telegraph in the 19th century made it popular with business. The Vigen\u00e8re cipher became known as\u00a0le<\/em>\u00a0chiffre ind\u00e9chiffrable<\/em>\u00a0\u2014 \u201cthe indecipherable cipher.\u201d<\/p>\n By the 19th<\/sup>\u00a0century, complexity and information had increased rapidly, and the first mechanical calculators had emerged. Charles Babbage, born in London in 1791, not only designed the first modern computer but, as he wrote in his autobiography, engaged in cryptography: \u201cDeciphering is, in my opinion, one of the most fascinating of arts.\u201d As Singh notes, \u201cCracking a difficult cipher is like climbing a sheer cliff face: The cryptanalyst seeks any nook or cranny that could provide the slightest foothold.\u201d In a monoalphabetic cipher, the cryptanalyst uses letter frequency. In the polyalphabetic Vigen\u00e8re cipher, the frequencies are more balanced, and at first sight the rock face seems perfectly smooth.<\/p>\n Babbage, however, found a foothold in repetitions. In English, the word \u201cthe\u201d has a very high frequency. This provides a clue to the frequency of the repetition \u2014 that is, the length of the keyword. Once the length of the keyphrase is identified (n<\/em>), we know that every\u00a0nth<\/em>\u00a0letter is encrypted using the same row of the Vigen\u00e8re square. Therefore, we can divide the ciphertext into\u00a0n<\/em>\u00a0monoalphabetic problems, which can be cracked by frequency analysis.<\/p>\n Babbage\u2019s successful breaking of the Vigen\u00e8re cipher was probably achieved in 1854, but he never published it. His discovery occurred soon after the outbreak of the Crimean War and may have given Britain an advantage over Russia; it\u2019s possible the British military demanded Babbage keep his work secret. Babbage\u2019s finding came to light only in the 20th<\/sup>\u00a0century, when scholars explored his notes. (Friedrich Wilhelm Kasiski, a retired Prussian army officer, came upon the same idea in 1863.)<\/p>\n In 1894, Guglielmo Marconi invented the radio. Communication through the air was a powerful technology but not secure; messages could be understood by anyone tuned into the correct frequency. In World War I, Germany suffered heavily from security breaches. A German telegram intercepted by the British on January 17, 1917, was immediately sent to Room 40, the British Admiralty\u2019s cipher bureau. Within a few days, the cryptanalysts there had discerned the outline of a new German naval offensive, which would include U-boat attacks on still-neutral American shipping. Their discovery helped draw the U.S. into the war.<\/p>\n Germany quickly caught up, though not quickly enough to win the war. In 1918, German inventor Arthur Scherbius helped found Scherbius & Ritter, an engineering firm. One of Scherbius\u2019 projects was to replace traditional codes and ciphers with encryption that exploited 20th-century technology. He developed cryptographic machinery he dubbed Enigma. To avoid repetition, Enigma used three scramblers that deepened the random appearance of messages. For a full alphabet, these three scramblers would provide 26x26x26, or 17,576, distinct scrambler arrangements. To decipher a message, a receiver needed an Enigma machine and a copy of the codebook that contained the initial scrambler settings for that day.<\/p>\n Scherbius believed Enigma was unbreakable. So did the German military, which over two decades bought more than 30,000 Enigma machines. At the start of World War II, German military communications enjoyed an unparalleled level of encryption.<\/p>\n As the number of Enigma machines grew, Room 40\u2019s ability to decode shrank. The Americans and French also failed, but in Poland in 1932, mathematician Marian Rejewski led a team that, using French intelligence, began to reverse-engineer Enigma. The Poles\u2019 success proved that Enigma was not a perfect cipher \u2014 and proved the value of employing mathematicians as code breakers. Room 40 had been dominated by linguists and classicists, but now there was a concerted effort to bring on mathematicians and scientists. The recruits were sent to Bletchley Park, the home of Britain\u2019s new Government Code and Cypher School.<\/p>\n In the autumn of 1939, Bletchley Park worked to unravel the intricacies of the Enigma cipher and master the Polish techniques. Bletchley had more resources than Room 40 and thus was able to cope with the larger selection of scramblers. Thanks to Alan Turing, a brilliant young mathematician from Cambridge University, Bletchley began to crack the Enigma cipher. As the weeks passed, Turing realized that Bletchley had accumulated a massive library of decrypted messages, many of which conformed to a rigid structure. He believed that by studying old messages he could predict part of the contents of an encrypted message based on when it was sent and its source.<\/p>\n With the advent of digital computers after World War II, governments retired electromechanical devices. In 2012, the U.S. National Security Agency\u00a0declassified a 1955 handwritten letter<\/a>\u00a0by Princeton University mathematician John Nash about an offer he had made in 1950 to help design a new encryption machine.8<\/sup>\u00a0In the letter, Nash made a distinction between polynomial time and exponential time, and conjectured that some problems could not be solved faster than in exponential time. He used this as the basis to pitch a secure system of his own design. He also anticipated that proving so-called lower bounds of complexity was a difficult mathematical problem. Nash\u2019s letter predates a 1956 letter from Kurt G\u00f6del to his Princeton colleague John von Neumann that goes into much less detail about complexity but also anticipates complexity theory and the still-unsolved P versus NP problem.9<\/sup><\/p>\n The NSA, however, pointed out to Nash that his machine \u201caffords only limited security.\u201d When Nash wrote his letter, Colonel William Frederick Friedman, the leading U.S. cryptographer in World War II, responsible for breaking the Japanese Purple Cipher and developing the theory that allowed cryptanalysis of rotor-type machines, declared that no new encryption system was worth looking at unless it came from someone who had already broken a very hard one. He rejected Nash\u2019s plan.10<\/sup><\/p>\n Using a computer to encipher a message \u2014 to convert it into a cipher \u2014 is similar to traditional forms of encryption, with a few differences. First, a mechanical device is limited by what can be built, whereas a computer can mimic a hypothetical cipher machine of immense complexity. Second, computers are much faster than mechanical devices. Third, and perhaps most significant, a computer scrambles numbers rather than letters. Computers deal in binary number sequences of ones and zeros; before encryption, any message must be converted into binary digits. This conversion can be performed according to various protocols, such as the American Standard Code for Information Interchange (ASCII).<\/p>\n In the early days of computers, encryption was restricted mostly to the government and the military. By the 1960s, businesses could afford computers and use them to encrypt important communications such as money transfers or trade negotiations. However, as commercial encryption spread, cryptographers were confronted with a major problem: key distribution.<\/p>\n Say a bank wants to send confidential data to a client via a telephone line but is worried that someone is tapping the wire. The bank picks a key and uses encryption software to scramble the message. To decrypt the message, the client needs to have a copy of the encryption software and know which key was used to encrypt the message. How does the bank inform a client of the key? It can\u2019t send the key via telephone lines, which are insecure. The only truly secure way is to hand it over in person. In the 1970s, banks attempted to distribute keys by employing dispatch riders who personally distributed keys to everyone who would receive messages over the next week. As business networks grew, more keys had to be delivered, creating a pricey, insecure logistical nightmare.<\/p>\n In 1958, the U.S. Department of Defense launched the Advanced Research Projects Agency (ARPA). One of ARPA\u2019s projects was to find a way to connect military computers across long distances; the agency then developed ARPANET, which evolved into the internet. The nascent internet required a new level of electronic security. \u00a0Whitfield Diffie, an MIT-trained cryptographer and computer security expert, wondered how two people meeting on the internet could send each other encrypted messages, such as an email containing encrypted credit card details.<\/p>\n Key distribution suffers from a classic catch-22. If two people want to exchange a secret message, the sender must encrypt it. That means using a key, which is itself a secret.<\/p>\n In 1976, Diffie and Martin Hellman at Stanford University published a paper describing a new type of cipher that incorporated a so-called\u00a0asymmetric key<\/a>.11<\/sup>\u00a0All the encryption techniques were symmetric, which meant that unscrambling the code was simply the opposite of scrambling the message. In an asymmetric key system, encryption and decryption keys are not identical. In an asymmetric cipher, if senders know the encryption keys, they can encrypt messages but they cannot decrypt them. To decrypt, they need access to the decryption key. Computer encryption means the encryption key is a number and the decryption key a different number. The sender keeps the decryption key secret, so it is commonly referred to as a private key. However, the sender publishes the encryption key so that everybody has access to it; that\u2019s the public key.<\/p>\n Ron Rivest, an MIT cryptographer working with colleagues Adi Shamir and Leonard Adleman, focused in 1977 on building an asymmetric cipher that contained a one-way function used to encrypt a message \u2014 a system that remains ubiquitous in electronic communication. A number is plugged into a mathematical function, and the result is the ciphertext, another number. There is a particularly interesting aspect of the function, known as\u00a0N<\/em>, that makes it reversible under certain circumstances and is therefore ideal for use as an asymmetric cipher. This\u00a0flexible aspect<\/a>\u00a0means that each person can choose a different value of\u00a0N<\/em>\u00a0and personalize the one-way function.12<\/sup><\/p>\n For example, to choose a personal value of\u00a0N<\/em>, the sender picks two prime numbers,\u00a0p<\/em>\u00a0and\u00a0q<\/em>, and multiplies them. Say\u00a0p<\/em>\u00a0equals 17,159 and\u00a0q<\/em>\u00a0equals 10,247. Multiplying them together gives\u00a0N<\/em>\u00a0= 175,828,273. (This example comes from Singh.) This becomes the public encryption key. If someone wants to encrypt a message to the sender, they look up the value of\u00a0N<\/em>, then insert it into the one-way function. The receiver now has a one-way function tailored with the sender\u2019s public key. But how can the initial sender decrypt the message? Rivest\u2019s one-way function is reversible only by someone\u00a0who knows the values of\u00a0<\/em>p\u00a0and\u00a0<\/em>q \u2014 that is, the initial sender. In fact, it turns out that if\u00a0N<\/em>\u00a0is large enough, it is virtually impossible to deduce\u00a0p<\/em>\u00a0and\u00a0q<\/em>\u00a0from\u00a0N<\/em>; this is perhaps the most elegant aspect of the RSA asymmetric cipher.<\/p>\n The security of RSA depends on how difficult it is to factor\u00a0N<\/em>, because that is what you would have to do to find\u00a0p<\/em>\u00a0and\u00a0q<\/em>. Two decades ago, Singh noted that for important banking transactions\u00a0N<\/em>\u00a0tends to be at least 10308<\/sup>. With sufficiently large values of\u00a0p<\/em>\u00a0and\u00a0q<\/em>, RSA appears to be impenetrable. The only caveat for public-key cryptography is that at some point someone may find a quick way to factor\u00a0N<\/em>\u00a0and render RSA useless.<\/p>\n Which brings us back to quantum computing and its mate, quantum cryptography.<\/p>\n Singh published his history of cryptography in 1999. His last chapter focused on quantum computing, describing quantum characteristics such as superposition, entanglement, teleportation and uncertainty. Singh argued that only a quantum computer could break the hold that RSA\u2019s private keys have over secure communications.13<\/sup>\u00a0And he outlined the development of quantum cryptography and communications in the 1970s by Stephen Wiesner, then a Columbia University graduate student, who proposed the use of\u00a0quantum uncertainty<\/a>\u00a0to detect intrusion in communications lines.14<\/sup>\u00a0In the 1980s, IBM\u2019s Charles Bennett and Gilles Brassard of the University of Montreal designed what they envisioned as an\u00a0unbreakable encryption key<\/a>\u00a0using polarized light, building on another Wiesner idea, known as quantum money, and his uncertainty error-detection concept.15<\/sup>\u00a0Singh maintained that quantum cryptography would prove not only unbreakable but \u201cabsolutely unbreakable\u201d as long as quantum physics remained viable as a theory.<\/p>\n This was a profound break in a long history. By 1999, cryptography had become all about the math. In the past 40 years, most high-level security schemes, such as RSA, have had at their heart excruciatingly difficult factoring problems. As Jo\u00ebl Alwen of cryptographer company Wickr\u00a0wrote<\/a>, each of the basic security schemes \u201ccomes equipped with a \u2018security proof,\u2019 which is a formal mathematical proof showing that breaking the scheme\u2019s security is at least as hard as solving one of the fundamental math problems like factoring . . . As the security of much of our digital infrastructure amongst other things rests on the watertight security of these building blocks, confidence in the proof is vital.\u201d But, added Alwen, \u201chere\u2019s the problem: If someone ever builds a large scale quantum computer, this entire narrative collapses.\u201d16<\/sup><\/p>\n Today, quantum computing is no longer just a concept. Private and public funding have poured into QC projects around the world. In late 2019,\u00a0Nature<\/em>\u00a0published a\u00a0study<\/a>\u00a0of quantum computer funding, noting that private investors, mostly venture capital, had backed at least 52 QC companies since 2012.17<\/sup>\u00a0That doesn\u2019t include the huge amounts of money invested by large companies including Google parent Alphabet, Hewlett-Packard, IBM and Chinese giants such as Alibaba, Tencent, Baidu and Huawei, as well as academic and governmental organizations. This spending is not just on the Holy Grail of general-purpose quantum computing; venture money has also gone into software companies developing QC algorithms or quantum computers for specialized purposes. That funding is\u00a0producing results<\/a>\u00a0\u2014 and fears of quantum hype and a QC version of the artificial intelligence winter, a period when the hopes for AI seemed to wither.18<\/sup>\u00a0In October 2019, for example, a Google team claimed it had achieved \u201cquantum supremacy\u201d over classical computing, building a machine with 54 qubits \u2014 quantum versions of individual bits that can simultaneously be 0 or 1 \u2014 completing calculations that would have taken the best supercomputer 10,000 years to complete. As impressive as that was, experts calculate that it will require a minimum of 1 million qubits to break RSA.19<\/sup><\/p>\n There\u2019s already an algorithm that could perform those calculations. (Singh notes that an\u00a0algorithm<\/em>\u00a0embodies a general encryption method, while the\u00a0key<\/em>\u00a0specifies the exact details.) In 1995, MIT applied mathematician Peter Shor published an algorithm that showed how a hypothetical quantum machine could quickly solve prime factorization problems.20<\/sup>\u00a0A year later, he published a paper on how to process information as qubits through an error-correction technique that could adjust for quantum uncertainty \u2014 an extension of Wiesner\u2019s work. In 2020, Shor noted that progress had been made, but he offered several nuances. First, if anyone breaks RSA first, he said, it will probably be the National Security Agency or \u201csome other large organization.\u201d Second, there are easier and quicker ways to break internet security than building quantum computers. Although Shor believes quantum computing will succeed and that post-quantum crypto systems will eventually replace RSA, he\u00a0warns<\/a>\u00a0that the effort will be enormous, and \u201cif we wait too long, it will be too late.\u201d21<\/sup><\/p>\n This is what Jon Lindsay, a University of Toronto professor of political science, calls \u201cthe window of vulnerability<\/a>.\u201d22<\/sup>\u00a0Lindsay describes two approaches that the U.S. National Institute of Standards and Technology (NIST) has taken to close that window. The first is what\u2019s known as classical post-quantum cryptography (PQC), which uses mathematical problems that are not vulnerable to Shor\u2019s algorithm and thus not threatened by either classical or quantum computers. The transition to PQC is already underway in the U.S. and will take a decade or more. The second is quantum key distribution (QKD) for communications networks; this approach uses the work that came from Wiesner\u2019s invention of what he called quantum money (which used quantum cryptography to create and validate banknotes) and a technique for detecting errors along communications lines that suggest the presence of intruders. QKD could allow the long-range distribution of private keys, but it\u2019s not quite as far along for practical use as PQC.<\/p>\n Given all this, Lindsay is mildly optimistic that a cryptocalypse can be avoided. The response by NIST, as well as increased funding by the U.S. government, suggest that there\u2019s a growing awareness of the perils.<\/p>\n The deeper question is whether the advent of quantum computing and quantum cryptography marks the end of the historical pendulum swings between code makers and code breakers. Singh was definitive: Quantum computing will, in the end, provide victory for the code makers \u2014 and security. \u201cQuantum cryptography is an unbreakable system of encryption,\u201d he wrote. He admitted that, historically, code makers right up to Rivest and his colleagues expressed confidence that their schemes were unbreakable, but that proved not to be. Singh\u2019s reasoning is based on the belief that quantum theory \u201cis the most successful theory in the history of physics.\u201d In particular \u2014 echoes of QKD \u2014 any attempt at deciphering would be detected. And if it wasn\u2019t, wrote Singh, \u201cit would mean quantum theory is flawed, which would have devastating implications for physicists; they would be forced to reconsider their understanding of how the universe operates at the most fundamental level.\u201d23<\/sup><\/p>\n Lindsay, for his part, is more cautious. \u201cQKD is hardly a silver bullet,\u201d he\u00a0wrote<\/a>.24<\/sup>\u00a0The same mechanism that prevents copying would enable adversaries to \u201cimpose service denial attack on a quantum channel.\u201d He then ticked off a number of other possibilities, including that eternal reality, human gullibility. Real quantum computing could still be decades away, he noted: \u201cNo technical advantage can be sustained forever, if indeed it can be realized in the first place.\u201d The secret will get out. And a secret loose in the world will eventually be blunted, commoditized or rendered inoperative.<\/p>\n There\u2019s also another possibility, that the ability to keep matters secret may not, in the long run, be a question of quantum computing\u2019s ability to bust a mathematical lock through brute-force calculations. It\u2019s called homomorphic encryption. Stanford University\u2019s Craig Gentry first laid out the construction of the method in his Ph.D. dissertation, \u201cA Fully Homomorphic Encryption Scheme<\/a>,\u201d in 2009.25<\/sup>\u00a0Gentry was responding to an idea\u00a0first envisioned<\/a>\u00a0by Rivest, Adleman and Michael Dertouzos in 1978, soon after the introduction of RSA.26<\/sup>\u00a0Gentry\u2019s scheme allows the customers of, say, cloud computing providers to access their data in a way that the data and computational results can only be decrypted by a secret key held by the customer; the processor of the data sees only encrypted data. Gentry\u2019s conceptual breakthrough was particularly suited to the accelerating shift in data and data processing to cloud providers like Amazon Web Services, Microsoft Azure, Google Cloud, IBM and others. The term \u201chomomorphic\u201d refers to a similarity in form, without an actual relationship in terms of structure or function.<\/p>\n Homomorphic encryption is hardly a universal answer to cybersecurity in the age of quantum computing, but it may well be one of the answers, particularly in terms of\u00a0protecting data<\/a>.27<\/sup>\u00a0At the heart of homomorphic encryption is more math: Gentry and others use so-called lattice problems in crypto algorithms, which have long proved difficult to solve, thus providing a replacement for the public-key factorization problems that quantum computing makes so vulnerable. Gentry\u2019s initial scheme was focused on classical computing. But homomorphic encryption approaches were quickly developed for quantum computing \u2014 notably, so-called blind quantum computing, in which, as\u00a0one early paper<\/a>\u00a0said, both \u201cthe input, the computation, or the output are unreadable by the computer\u201d \u2014 that is, the QC.28<\/sup><\/p>\n This is quantum computing on defense, not offense. And so the pendulum swings.<\/p>\n <\/p>\n B\u00e9la Kosztin\u00a0<\/strong><\/span>is a Vice President, Research, at WorldQuant and has a PhD in applied mathematics from Keele University in Staffordshire, England.<\/em><\/p>\n","endnotes":" Thought Leadership articles are prepared by and are the property of WorldQuant, LLC, and are being made available for informational and educational purposes only. This article is not intended to relate to any specific investment strategy or product, nor does this article constitute investment advice or convey an offer to sell, or the solicitation of an offer to buy, any securities or other financial products. In addition, the information contained in any article is not intended to provide, and should not be relied upon for, investment, accounting, legal or tax advice. WorldQuant makes no warranties or representations, express or implied, regarding the accuracy or adequacy of any information, and you accept all risks in relying on such information. The views expressed herein are solely those of WorldQuant as of the date of this article and are subject to change without notice. No assurances can be given that any aims, assumptions, expectations and\/or goals described in this article will be realized or that the activities described in the article did or will continue at all or in the same manner as they were conducted during the period covered by this article. WorldQuant does not undertake to advise you of any changes in the views expressed herein. WorldQuant and its affiliates are involved in a wide range of securities trading and investment activities, and may have a significant financial interest in one or more securities or financial products discussed in the articles.<\/p>\n","ideas_panel":{"ideas_panel":{"heading":"Keep reading","subheading":"","articles":[{"ID":562,"post_author":"5","post_date":"2018-02-16 19:48:25","post_date_gmt":"2018-02-16 19:48:25","post_content":"","post_title":"Connecting the Dots The Beginnings<\/strong><\/h3>\n
A Wireless World<\/strong><\/h3>\n
Computer Cryptography<\/strong><\/h3>\n
Asymmetric Keys<\/strong><\/h3>\n
The Quantum Difference<\/strong><\/h3>\n
Unbreakable?<\/strong><\/h3>\n
\n
of Network Science","post_excerpt":"","post_status":"publish","comment_status":"closed","ping_status":"closed","post_password":"","post_name":"connecting-the-dots-of-network-science","to_ping":"","pinged":"","post_modified":"2025-11-24 18:24:26","post_modified_gmt":"2025-11-24 18:24:26","post_content_filtered":"","post_parent":0,"guid":"https:\/\/wdqnt.wpengine.com\/?post_type=idea&p=562","menu_order":0,"post_type":"idea","post_mime_type":"","comment_count":"0","filter":"raw"},{"ID":507,"post_author":"5","post_date":"2019-03-15 17:21:05","post_date_gmt":"2019-03-15 17:21:05","post_content":"","post_title":"Beyond Black-Scholes:
A New Option for Options Pricing","post_excerpt":"","post_status":"publish","comment_status":"closed","ping_status":"closed","post_password":"","post_name":"beyond-black-scholes-a-new-option-for-options-pricing","to_ping":"","pinged":"","post_modified":"2025-11-24 18:21:03","post_modified_gmt":"2025-11-24 18:21:03","post_content_filtered":"","post_parent":0,"guid":"https:\/\/wdqnt.wpengine.com\/?post_type=idea&p=507","menu_order":0,"post_type":"idea","post_mime_type":"","comment_count":"0","filter":"raw"},{"ID":617,"post_author":"5","post_date":"2019-09-10 16:27:43","post_date_gmt":"2019-09-10 16:27:43","post_content":"","post_title":"Unraveling Time Series with Machine Learning","post_excerpt":"","post_status":"publish","comment_status":"closed","ping_status":"closed","post_password":"","post_name":"unraveling-time-series-with-machine-learning","to_ping":"","pinged":"","post_modified":"2022-04-25 01:07:26","post_modified_gmt":"2022-04-25 01:07:26","post_content_filtered":"","post_parent":0,"guid":"https:\/\/wdqnt.wpengine.com\/?post_type=idea&p=617","menu_order":0,"post_type":"idea","post_mime_type":"","comment_count":"0","filter":"raw"}],"see_more_link":""}},"pdf_file":false},"yoast_head":"\n