Trust and security on the internet is an important area of debate today. As countries, consumers, and companies grow increasingly concerned about data use, the need for strong, effective data protection increases in kind.
Today, a primary way to protect data is to use cryptography to prevent unauthorized access. However, the rise of quantum computing threatens to destroy the cryptographic foundation of trust and security on the internet.
Quantum computing is a new type of computing that applies the properties of quantum mechanics to process information and solve problems that are out of reach for the classical computers of today. Quantum computers (QCs) excel at a specific set of problems, some of which push the boundaries of math, science and technology. Among those problems are integer factorization and discrete logarithms, the two hard problems on which most of modern public-key cryptography rests; Shor's algorithm solves both efficiently on a large enough QC. Since much of the world's current cryptographic infrastructure relies on classical computers' inability to solve these two problems efficiently, the advent of quantum computing presents a significant threat. A large, error-corrected QC will significantly weaken or break cryptographic protection that is secure today.
Until recently, it was believed that the smallest machine capable of breaking RSA-2048, the most widely deployed public-key strength, would require approximately 20 million physical qubits (quantum bits), the figure from the 2019 estimate by Gidney and Ekerå. However, more recent research suggests that smaller machines, even without full error correction, might pose a threat to important current cryptographic systems.
The Quantum Cyber Space Race
In 2016, China launched Micius, the world’s first quantum communications-enabled satellite. For some, that launch may have eerily echoed the launch of the Soviet Union’s Sputnik satellite in 1957, which caught the U.S. off-guard and spurred a decades-long contest to regain and maintain global technological and military supremacy.
The parallel wasn’t lost on the Chinese: Jian-Wei Pan, the lead researcher on the Micius project, hailed the start of “a worldwide quantum space race”.
Indeed, the race to develop quantum technologies is a marathon, and quantum computing is gearing up to be this century's moonshot. Several countries are investing heavily in quantum projects, joined by companies such as IBM, Google, Microsoft, Alibaba, and Lockheed Martin, because this new computing paradigm promises a "quantum leap" in processing power for certain classes of problems. Whoever masters the technology will hold an asymmetric advantage across almost every technological domain.
Now imagine the power a country like China holds with its new quantum satellite, which is of course not just a satellite but an entire system. With this launch, China became the first country to operate a quantum technology, satellite-based quantum key distribution (QKD), in a productive real-life system. Note that Micius is a quantum communications platform, not a quantum computer: it distributes keys using quantum states and does not run the algorithms that would break today's encryption.
Elsewhere, today's quantum computers are error-prone and do not yet have the computational power required to threaten encryption. Efforts to build larger, error-corrected devices are underway in research labs worldwide, at leading tech companies such as IBM, and at startups like Rigetti Computing.
Vying for Superposition
In January 2019, IBM unveiled its latest quantum computer, the IBM Q System One, with just 20 qubits. In 2020, IBM reached a new milestone, hitting its highest quantum volume to date on a 27-qubit processor. The IBM Q System One is impressive but far from revolutionary. Other American tech heavyweights such as Google and Intel are funding similar research, but a cryptographically relevant quantum computer still lies beyond the horizon.
By contrast, China's Jiuzhang photonic QC was reported to be 10 billion times faster than the machines built by Google or IBM, though only on one benchmark. Jiuzhang was tested on a "Gaussian Boson Sampling" (GBS) task: the device samples the output of a complex optical circuit, and success is measured by the number of photons detected. Jiuzhang detected a maximum of 76 photons, with an average of 43 across several runs. It ran the test in 200 seconds, while a conventional supercomputer was estimated to need 2.5 billion years to reach the same result. This does not mean China already has a fully error-corrected, programmable QC: Jiuzhang is a special-purpose device, and a GBS speed-up says nothing about its ability to run Shor's algorithm. It does show how fast the field is moving (and remember that a QC might be a threat even if it is not fully error-corrected).
While the U.S. signed the National Quantum Initiative Act, providing $1.2 billion in quantum research funding over five years, China's efforts to promote quantum technologies are larger still, with a reported $10 billion national quantum laboratory operating since 2020.
So far, China is pursuing not only quantum computing but also quantum networking, where it is well ahead of the rest of the world.
Cryptography and Quantum Computing
Not all of today’s cryptography is threatened by QC; the primary threat is to public-key (asymmetric) algorithms.
In asymmetric cryptography there are two keys, one public and one private. The keys are mathematically related numbers used to determine the output of a cryptographic algorithm. Someone using asymmetric cryptography to send sensitive data over the internet uses the recipient's public key to encrypt the data, and the recipient uses its complementary private key to decrypt it. The public key may be widely distributed, while the private key is known only to its owner.
These asymmetric algorithms, which today are considered extremely strong, may be breakable in an afternoon on an appropriately large QC. Once such a machine is online, and because the world's existing infrastructure has not been upgraded, the areas most threatened are:
- Public key certificates, the backbone of the Internet Public Key Infrastructure (PKI) and many other internet communication protocols. PKI is what produces the padlock icon in your browser's address bar to tell you a website is genuine.
- Digital signatures such as those used to sign digital contracts or blockchain transactions.
- Secure software updates.
- Authentication technologies (some smart cards or mobile tokens).
- Telephone carriers’ device authentication protocols.
Everything from web traffic to e-commerce to blockchain relies on public-key cryptography, which lets anyone encrypt data with a user's public key while only that user can decrypt it with the matching private key. The two keys are mathematically connected in a way that is easy to compute in one direction but practically impossible to reverse for conventional computers. A large enough QC running Shor's algorithm reverses it efficiently.
Another class of widely used cryptographic algorithms, secret-key or symmetric algorithms, is not nearly as vulnerable to QCs, but can still be weakened somewhat: Grover's algorithm gives a quadratic speed-up for brute-force key search, so a 128-bit key offers roughly 64 bits of security against a QC. Symmetric algorithms may therefore require moderately larger keys (AES-256 rather than AES-128) to withstand quantum attack, but the algorithms themselves will not need to be replaced.
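The following Python is an added worked example, not code from the original article, showing concretely why efficient factoring breaks RSA: given only the public key (n, e) and a routine that factors n, the private exponent d follows in one line. Trial division stands in for Shor's algorithm and only finishes because the primes chosen here are tiny (999983 and 1000003, picked for illustration); for a 2048-bit modulus it would never terminate, which is exactly the gap a quantum computer closes. Textbook RSA without padding is used deliberately to keep the arithmetic visible.

```python
import math


def rsa_keygen(p: int, q: int, e: int = 65537):
    """Textbook RSA key generation from two primes (teaching only, no padding)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if math.gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    d = pow(e, -1, phi)  # modular inverse, Python 3.8+
    return (n, e), (n, d)  # public key, private key


def rsa_encrypt(pub, m: int) -> int:
    n, e = pub
    if not 0 <= m < n:
        raise ValueError("message must be an integer in [0, n)")
    return pow(m, e, n)


def rsa_decrypt(priv, c: int) -> int:
    n, d = priv
    return pow(c, d, n)


def factor_by_trial_division(n: int):
    """Classical stand-in for Shor's algorithm.

    Cost grows like sqrt(n): fine for a 40-bit n, hopeless for 2048 bits.
    Shor's algorithm does the same job in time polynomial in log(n).
    """
    if n % 2 == 0:
        return 2, n // 2
    f = 3
    while f * f <= n:
        if n % f == 0:
            return f, n // f
        f += 2
    raise ValueError("no non-trivial factor found")


def recover_private_key(pub, factor):
    """Given any factoring oracle, rebuild the private key from the public one."""
    n, e = pub
    p, q = factor(n)
    phi = (p - 1) * (q - 1)
    return n, pow(e, -1, phi)


def demo() -> bool:
    """Attacker with a factoring oracle recovers d and decrypts a captured ciphertext."""
    pub, priv = rsa_keygen(999_983, 1_000_003)  # constructed toy primes
    m = 123456789                                 # constructed sample message
    c = rsa_encrypt(pub, m)
    attacker_priv = recover_private_key(pub, factor_by_trial_division)
    return attacker_priv == priv and rsa_decrypt(attacker_priv, c) == m


if __name__ == "__main__":
    print("private key recovered from public key alone:", demo())
```

The point to take away is that the private key is never "attacked" directly: the moment factoring n becomes cheap, everything downstream (key recovery, decryption of recorded traffic, forging signatures) is ordinary arithmetic.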
Implications of a Quantum Breach
The fallout from a breach by a QC capable of breaking today's encryption standards is significant. The electronic world touches all aspects of our lives, from banking to shopping, and all of those daily activities are secured by asymmetric encryption. Malicious actors in possession of a QC could steal money from unsuspecting consumers by impersonating banking or e-commerce websites. They could also impersonate users by recovering their credentials, steal corporate and government secrets, or decrypt captured files and databases to collect PII (Personally Identifiable Information).
This could have a critical impact on financial services, as the sector depends on cryptography to secure information, authenticate users and protect PII. Unfortunately, no cryptographic algorithm lasts forever: just as an example, the financial system's previous primary cryptographic algorithm, the Data Encryption Standard (DES), had to be retired after its 56-bit key was brute-forced by researchers in 1998. It happened once, and it will happen again with QCs.
Quantum computing may also have cyber warfare applications: hostile actors with QCs could hold corporate entities "hostage" or break into computer systems and steal or corrupt vast amounts of critical data. Governments are also considering quantum technology as a means of augmenting existing cyber-espionage capabilities. This likely explains the heavy investment in quantum both by U.S. three-letter agencies and by foreign governments, including China.
Because the risks associated with a quantum breach are so serious, and because of the unpredictable advance of the technology itself, agencies and standards bodies have begun to develop the first generation of QC-resistant (post-quantum) cryptographic infrastructure. The National Security Agency (NSA) and the National Institute of Standards and Technology (NIST) are spearheading the effort to develop new post-quantum cryptography standards. New and emerging families of algorithms such as multivariate cryptography, lattice-based cryptography, code-based cryptography, and hash-based signatures show great promise, although the process of evaluating these new systems is not yet complete.
The new standards were expected to be released sometime between 2022 and 2024; NIST published the first of them (FIPS 203, 204 and 205) in August 2024. Companies assumed they would have ample time to adopt the new standards once published, but the gap between the arrival of standards and the arrival of capable machines may be far shorter than expected. This is the area of most concern to cybersecurity experts, because adoption rates for new cryptographic technologies have historically been low.
It is crucial for companies, governments and cryptographic service providers to begin evaluating the threat and updating back-end systems before quantum progress creates unacceptably high levels of risk. Note that encrypted traffic recorded today can be stored and decrypted once a capable machine exists, so data with a long confidentiality lifetime is already exposed. QCs represent a real risk to cybersecurity, and these risks will escalate.
Because recovery from an unanticipated cryptographic failure can take years or even decades, work on moving to a post-quantum cryptographic infrastructure should be evaluated and built into the technology roadmap of every company, particularly financial services companies. Proactively planning for and executing these expenditures will reduce the cost and impact of an eventual quantum breach.
One recommended proactive planning approach, called cryptographic agility, is to design, implement, deploy, and test mechanisms that enable the rapid replacement of cryptographic algorithms. At the very least, financial institutions should create plans to update and secure infrastructure with the new cryptographic standards when they are released, and should ask their infrastructure and secure application vendors for quantum readiness roadmaps.
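The following Python is an added example, not code from the article and not NIST's standardized schemes, that illustrates the two ideas above together: a hash-based signature (a Lamport one-time signature, the simplest member of the family that SPHINCS+ and LMS belong to, whose security rests only on the hash being one-way) and a cryptographically agile envelope in which the algorithm identifier travels with the signature, so that a scheme can be retired or introduced by editing one registry entry rather than the signing and verification code. The registry names, the envelope layout and the sample message are assumptions for illustration; only the standard library is used.

```python
import hashlib
import secrets

# --- A hash-based one-time signature (Lamport) ---------------------------
# Security rests only on the one-wayness of the hash function, which Shor's
# algorithm does not touch; Grover merely halves the effective security level.

def _h(data: bytes, hash_name: str) -> bytes:
    return hashlib.new(hash_name, data).digest()


def lamport_keygen(hash_name: str):
    """One key pair: two random secrets (and their hashes) per digest bit."""
    n = hashlib.new(hash_name).digest_size
    sk = [(secrets.token_bytes(n), secrets.token_bytes(n)) for _ in range(8 * n)]
    pk = [(_h(s0, hash_name), _h(s1, hash_name)) for s0, s1 in sk]
    return sk, pk


def _digest_bits(msg: bytes, hash_name: str):
    return [(byte >> (7 - i)) & 1 for byte in _h(msg, hash_name) for i in range(8)]


def lamport_sign(sk, msg: bytes, hash_name: str):
    """Reveal, for each digest bit, the secret that matches the bit's value."""
    return [sk[i][b] for i, b in enumerate(_digest_bits(msg, hash_name))]


def lamport_verify(pk, msg: bytes, sig, hash_name: str) -> bool:
    bits = _digest_bits(msg, hash_name)
    if len(sig) != len(bits):
        return False
    return all(_h(s, hash_name) == pk[i][b] for i, (s, b) in enumerate(zip(sig, bits)))


# --- Cryptographic agility: the algorithm id travels with the signature ---
# Illustrative registry (assumption); a real one would also carry key sizes,
# deprecation dates and the hybrid/classical fallbacks.
ALGORITHMS = {
    "lamport-sha256":   {"hash": "sha256",   "status": "active"},
    "lamport-sha3-256": {"hash": "sha3_256", "status": "active"},
}


def set_status(alg: str, status: str) -> None:
    """Retire (or re-enable) a scheme without touching signer or verifier code."""
    ALGORITHMS[alg]["status"] = status


class AgileSigner:
    """Holds one Lamport key pair and refuses to sign twice (one-time key)."""

    def __init__(self, alg: str):
        spec = ALGORITHMS[alg]
        if spec["status"] != "active":
            raise ValueError(f"{alg} is not available for new signatures")
        self.alg, self.hash_name = alg, spec["hash"]
        self.sk, self.pk = lamport_keygen(self.hash_name)
        self.used = False

    def sign(self, msg: bytes) -> dict:
        if self.used:
            raise RuntimeError("Lamport keys are one-time: generate a new pair")
        self.used = True
        sig = lamport_sign(self.sk, msg, self.hash_name)
        return {"alg": self.alg, "msg": msg.hex(), "sig": [s.hex() for s in sig]}


def verify_envelope(env: dict, pk) -> bool:
    """Dispatch on the envelope's algorithm id; unknown or retired ids fail closed."""
    spec = ALGORITHMS.get(env.get("alg"))
    if spec is None or spec["status"] != "active":
        return False
    try:
        msg = bytes.fromhex(env["msg"])
        sig = [bytes.fromhex(s) for s in env["sig"]]
    except (KeyError, ValueError, TypeError):
        return False
    return lamport_verify(pk, msg, sig, spec["hash"])


if __name__ == "__main__":
    signer = AgileSigner("lamport-sha256")
    env = signer.sign(b"transfer 100 EUR to ACME")  # constructed sample message
    print("valid:", verify_envelope(env, signer.pk))
    set_status("lamport-sha256", "deprecated")
    print("after retiring the sha256 variant:", verify_envelope(env, signer.pk))
```

Two design points matter more than the toy scheme itself: the verifier never guesses the algorithm from the signature's shape, it reads an explicit identifier and rejects anything unregistered or retired; and the one-time nature of the key is enforced in code, because reusing a Lamport key leaks secrets for both bit values and lets an attacker forge. Replacing the Lamport functions with a standardized scheme changes only the registry entry and the two function bindings.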
This is a moment when technological hegemony will begin to reconfigure, and because the timeframe of quantum computing is uncertain for the rest of the world, the time to begin acting is now.