Quantum Computing for Cybersecurity Professionals

Part 5: Vast State, Narrow Door

(Updated: July 2026)

This is Part 5 of Quantum Computing for Cybersecurity Professionals, an 11-part series that builds quantum computing from the ground up for security and IT professionals who know classical crypto but have no physics background. No lies-to-children, no hype, every claim checkable with arithmetic. Read the full series online or download the free ebook.

Sometime this quarter, a vendor will tell you that their 300-qubit processor “occupies more states than there are atoms in the observable universe.” The sentence is true. $$2^{300}$$ is around $$10^{90}$$, and the atom count comes up roughly ten orders of magnitude short. It is also the setup for the most durable con in quantum journalism, because the sentence that follows is always some variant of “so it can try every answer at once,” and that sentence is false in a way you can now prove.

Part 4 left three of your four classical beliefs dead on the bench and one, Belief 4, untouched and nervous. This article scales the amplitude picture from one qubit to many, and the scaling settles everything left open. You will meet the vastness honestly, because it is real and it is the reason this field exists. You will meet the door it all has to fit through, which is the qubit information limit: what $$n$$ qubits hold, and the far smaller amount they will ever tell you. The obvious hack for widening the door will fail in four lines of arithmetic, taking Belief 4 with it, and then the myth this series was founded to kill finally holds still long enough for an autopsy.

Two qubits, four numbers

The generalization from Part 3 is mechanical. One qubit carried two amplitudes, one per possible value. Two qubits carry four amplitudes, one per possible two-bit string: an ordered list $$(a_{00}, a_{01}, a_{10}, a_{11})$$, real numbers, positive or negative, squares summing to one. The Born rule reads the same way it always has. Measure both qubits and you receive one two-bit string; the probability of string $$xy$$ is $$a_{xy}^2$$, and afterward the register sits in the definite state for the string you got.

Three qubits: eight amplitudes. Ten: 1,024. The rule is one amplitude per bit-string, so $$n$$ qubits are described by $$2^n$$ signed numbers, and the growth does what exponentials do. At fifty qubits the description runs to about $$10^{15}$$ amplitudes, roughly ten petabytes just to write down. At three hundred, the description has more entries than the universe has atoms. Every word of the vendor’s sentence checks out, and none of the arithmetic so far says anything about what you can get back out. That is the door’s job.

The narrow door on qubit information

Here is the rule, and it is the same Born rule wearing bigger shoes. Measuring an $$n$$-qubit register returns exactly one $$n$$-bit string, chosen at the odds the squared amplitudes dictate, and the register’s state is spent in the asking: whatever lived in the balance and signs of $$2^n$$ numbers is gone, replaced by the definite state of the string you received. Run the numbers on the vendor’s processor. The state going in: $$2^{300}$$ amplitudes. The payout coming out: 300 bits, about 38 bytes, and no second withdrawal. The door is n bits wide.

The general theorem behind this has a name and a surprising date. Alexander Holevo proved in 1973 that $$n$$ qubits can never be made to yield more than $$n$$ classical bits, no matter how cleverly you encode and no matter how exotically you measure. That is two decades before anyone said the word “qubit,” a bound on quantum computing published before quantum computing was proposed. There is exactly one loophole, and it is not the one hype needs: if sender and receiver already share an entangled pair, one qubit can carry two classical bits, a trick called superdense coding. It buys a factor of two and consumes a pair it had to distribute in advance. Two, not $$2^n$$. I consider Holevo’s theorem the most security-relevant physics result that nobody in security has heard of, because it is the ceiling on every “quantum computers read databases instantly” claim you will ever be sold.

Both facts belong together, because the pairing is the whole picture. The state is vast to describe and narrow to query: astronomical internal workings behind a single destructive $$n$$-bit interface. Your profession ships a product with exactly that shape. An HSM holds key material you can never export, only invoke through a narrow API, and $$n$$ qubits are nature’s HSM, with a stingier API than anything FIPS 140-3 ever certified: one call, $$n$$ bits, and the state clears on read.

WHERE THIS BREAKS: Nature’s HSM, and where the analogy stops.

Two honest differences. An HSM’s keys are ordinary definite bits, and a sufficiently funded attacker with lab equipment and patience can, in principle, extract them, because they are physically there to find. Amplitudes are not there in that sense. Part 4 closed the hidden-value reading, and no attack, however invasive, reads out the amplitudes of a single unknown state; “invasive” is just another word for measuring, and measuring is the one call you get. Second, an HSM’s internal state persists across a million queries. A qubit register grants exactly one, then holds only the aftermath. The analogy earns its keep on the shape, vast-inside and narrow-outside, and should be retired beyond that.

The copy loophole

Every security person reading the last section had the same thought within a paragraph: fine, one measurement per state, so copy the state first. Clone the register a thousand times, measure the copies against different questions, and reconstruct the amplitudes, signs included, by statistics. If copying works, Holevo’s door swings wide open.

Copying does not work, and you have owned the proof since Part 2. Operations act on amplitudes by linearity, and linearity dictates what a copier does to a superposition with no room for negotiation. The arithmetic box below runs it: build the best copying machine physics allows, one that duplicates definite inputs perfectly, and feed it the fair-coin state. Out comes something that behaves nothing like two copies. Measure the output pair and the two qubits agree with certainty, 00 or 11 and never anything else, while genuine independent copies would disagree half the time. The machine did produce a strange and useful object, and naming it is the next part’s job. What it did not produce is a copy.

This is the no-cloning theorem, put on formal footing by Wootters and Zurek in 1982, with Dieks arriving at it independently the same year: an unknown quantum state cannot be copied, full stop, by any machine, ever. It is a two-line consequence of linearity, which means it is exactly as negotiable as arithmetic. And with it, the last clause of the last classical belief goes down. Part 2‘s receipt is now fully spent:

Belief 4, dead. Reading disturbs (Part 3), and copying is impossible outright (today). Nothing about classical information’s silence carries over. The bit that never noticed has been replaced by a state that cannot help noticing.

THE ARITHMETIC: The copier that entangles instead.

Two qubits, four amplitudes, ordered $$(a_{00}, a_{01}, a_{10}, a_{11})$$. The copier’s spec on definite inputs: write qubit one’s value onto a blank qubit two. So “0, blank” maps to “00”: $$(1,0,0,0) \rightarrow (1,0,0,0)$$, and “1, blank” maps to “11”: $$(0,0,1,0) \rightarrow (0,0,0,1)$$. Both required, both reasonable, and on definite inputs this machine copies flawlessly.

Now feed it the fair-coin qubit plus a blank: the state $$(1/\sqrt{2},\ 0,\ 1/\sqrt{2},\ 0)$$. Linearity processes each component and adds:$\frac{1}{\sqrt{2}}(1,0,0,0) + \frac{1}{\sqrt{2}}(0,0,0,1) = \left(\frac{1}{\sqrt{2}},\ 0,\ 0,\ \frac{1}{\sqrt{2}}\right)$

Compare that with what two genuine copies of the fair coin would be: each qubit independently 50/50, all four strings equally likely, the state $$(1/2, 1/2, 1/2, 1/2)$$. The machine’s actual output puts probability $$1/2$$ on 00, $$1/2$$ on 11, and exactly zero on 01 and 10. Measure real clones a thousand times and they disagree about half the time. Measure this machine’s output a thousand times and the two qubits never disagree once. Not copies. Something else, with a perfect correlation the copies would lack, and a name waiting in Part 6.

MYTH AUTOPSY: “It tries every answer at once.”

The myth this series exists to retire gets its full hearing, both halves. The honest half first: put $$n$$ qubits each through Part 4’s device and the register is left in an equal superposition over all $$2^n$$ bit-strings, and a function evaluated on that register acts across every amplitude in one pass. The exponential workspace is real. Nobody serious disputes it, and Part 7 will use it.

The fraudulent half is the next word: “…and then you read the answers.” You do not. One measurement, $$n$$ bits, one Born-random string, state destroyed, and Holevo guarantees no cleverness improves the exchange rate. No copies for a second look either; the box above just closed that door. Total up naive quantum parallelism and the yield is one uniformly random input-output pair, which a classical computer produces by evaluating the function once on one random input. You built a dilution refrigerator to reimplement random.choice.

The maze version of the myth fails the same audit. The picture promises a machine that explores every corridor and reports the good one; unaided by anything, it reports a random corridor. What turns the workspace into an advantage is the one mechanism this series has shown you, interference, aimed by problem structure so the wrong corridors cancel before anyone looks. That choreography is Part 7’s subject, and the myth’s replacement is already on your shelf.

Say instead: it computes with the amplitudes of every possibility, then uses interference so that mostly the right answer’s amplitude survives measurement.

What the vastness is actually for

The two-front honesty this series owes you: after an article spent capping the hype, the denial deserves its turn against the wall. The $$2^n$$ workspace is physically real and computationally decisive, and the cleanest proof is the mirror image of everything above. If describing fifty qubits takes ten petabytes, then simulating fifty qubits classically takes ten petabytes, and every added qubit doubles the bill. That wall is where classical simulation of quantum systems goes to die, and it is the founding observation of this entire field: Richard Feynman’s 1982 argument was precisely that classical machines pay exponentially to imitate quantum physics, so the honest move is to compute with quantum physics directly.

So the vastness is the machine’s workspace, where amplitudes flow, meet, and cancel by the millions in patterns no classical memory could afford to track. What it will never be is retrievable storage, because the door stays $$n$$ bits wide and the contents cannot be copied out. Every real quantum algorithm lives in the gap between those two facts, compressing an exponential computation through a linear door by making interference do the compression. A workspace, never a warehouse.

ATTACKER’S-EYE VIEW: There is no dd for qubits.

Run the exfiltration math, and be precise about what physics forbids. An attacker who seizes a quantum register can carry it off, store it, transform it, and choose when to measure it; possession is not prohibited. What they cannot do is keep the original while manufacturing perfect duplicates to test against many incompatible questions. A stolen classical drive is a perfect, silent, infinitely replayable copy. A stolen quantum register grants one destructive read and no replay. That single difference deletes the mechanism behind an entire attack class: harvest now, decrypt later works because classical ciphertext can be copied and shelved for the decade it takes the decryption capability to arrive, and a quantum state cannot be copied to the shelf at all. Today’s quantum memories are also short-lived and lossy, which is engineering rather than theorem, but it compounds the point.

The defender inherits the same physics as a burden. An unknown quantum state cannot be forensically imaged into a perfect independent copy while the original sits untouched, so every compliance instinct built on “capture first, examine later” meets a system where capture spends the evidence. Auditing quantum systems will lean on controlled measurements, protocol transcripts, and repeated preparations rather than a bit-for-bit image. File that now; it matures into real operational questions the day quantum links and quantum memories enter your estate.

And the door disciplines the attacker’s crown jewel. Shor’s algorithm must squeeze an exponential workspace through those same $$n$$ bits, which is why it works only on problems whose answer is one compact global pattern, a period, that interference can concentrate into the single string the door lets out. The narrow door is why your symmetric keys get to live and your RSA keys do not.

What to remember

$$n$$ qubits are described by $$2^n$$ signed amplitudes, one per bit-string, and the Born rule now pays out strings instead of bits. One measurement returns $$n$$ classical bits and spends the state, and Holevo proved in 1973 that no encoding or measurement scheme ever beats that exchange rate. Copying is not an escape: linearity forces any copier fed a superposition to produce perfectly correlated non-copies instead, which kills Belief 4’s last clause and finishes Part 2’s receipt. Naive parallelism therefore yields one random sample, no better than classical guessing, and quantum advantage lives entirely in interference aimed by problem structure. The vastness is real, decisive, and unreachable: workspace beyond any classical memory, storage for nothing.

Next, in Part 6, “Correlations Without a Mechanism”: the failed copier left us holding two qubits that agree with certainty and never once disagree, no matter how far apart you carry them. Einstein spent his last decades objecting to what that state implies. We will define it honestly, see what it can and cannot do, and put the “entangled qubits communicate” myth where the others went.

Marin Ivezic

I am the Founder of Applied Quantum (AppliedQuantum.com), a research-driven consulting firm empowering organizations to seize quantum opportunities and proactively defend against quantum threats. A former quantum entrepreneur, I’ve previously served as a Fortune Global 500 CISO, CTO, Big 4 partner, and leader at Accenture and IBM. Throughout my career, I’ve specialized in managing emerging tech risks, building and leading innovation labs focused on quantum security, AI security, and cyber-kinetic risks for global corporations, governments, and defense agencies. I regularly share insights on quantum technologies and emerging-tech cybersecurity at PostQuantum.com.