Navigating the Quantum Risk Landscape

QuAIL Technologies
May 23, 2023

How Post-Quantum Cryptography is Shaping the Future of Financial Security

Data, the 21st century’s new market

The exponential growth of technology comes with an unavoidable increase in data generation. This surge has given rise to a new economic sector: the data market, which deals in a novel type of commodity — information. Businesses can gain valuable insights into consumer behavior, preferences, and trends by collecting and analyzing data. Such insights enable them to make informed decisions and create targeted advertising strategies. By leveraging the power of data analysis, companies can unlock new opportunities for growth and stay ahead of the curve in today’s competitive markets. In recent years, the data market has seen exponential growth, largely due to the surge of social media platforms and the widespread use of connected devices. The connection of commonplace objects like vehicles, appliances, or watches to the internet has further accelerated the growth of this market.

The rise of this data-driven era presents a significant challenge: ensuring the safety and privacy of sensitive data. As data grows in value and relative abundance, more and more individuals and organizations seek to compromise the security of modern cryptographic systems, often for nefarious purposes such as stealing sensitive information or committing financial fraud. In attempts to break encryption, attackers resort to brute force attacks, side-channel attacks, and exploiting weaknesses in the underlying algorithms or hardware. The threat of such attacks is one of the key reasons why strong encryption and other security measures are essential in today’s digital landscape.

Encryption and its shortfalls

Encryption is crucial for protecting sensitive data and ensuring it remains confidential. The strength of the encryption and the safety of protected data depend on the randomness and complexity of the key or keys used. In data encryption, keys transform plaintext (unencrypted) data into ciphertext (encrypted) data and vice versa. Depending on the nature of the encryption, one key may serve for both encryption and decryption of information, or there may be two separate keys, one for each process, as is the case when using the world wide web.

Two of the main downfalls of modern encryption are key mismanagement and vulnerabilities in software or infrastructure.

Weak or compromised keys can and have led to data breaches, allowing attackers to access sensitive information. In 2017, a credit reporting agency suffered a considerable data breach that exposed the personal data of over 143 million customers. The breach was attributed to a vulnerability in the web framework, which the attackers exploited, as well as the use of weak encryption algorithms for some of the data.

In 2018, a separate company was fined £500,000 by the UK Information Commissioner’s Office for failing to protect users’ data, which had been collected from the company’s users without their consent. It was ultimately determined that the company failed to take adequate measures to protect users’ data and had allowed the app to access large amounts of user data without proper safeguards.

It is estimated that various entities have paid over 3 billion euros for data breaches throughout history. In recent years, there has been a significant rise in data protection laws worldwide, reflecting the growing importance of customer data privacy and security. Examples of data protection laws include the California Consumer Privacy Act (CCPA), which went into effect in January 2020 and established the right of California residents to know what personal data businesses collect about them, the Brazilian General Data Protection Law, which came into effect in September 2020 and established rules for the collection, use, and processing of personal data in Brazil, and the European Union’s General Data Protection Regulation (GDPR), which came into effect in May 2018 and established strict requirements for data protection and privacy.

Ensuring data protection and security is no longer just a matter of best practices for financial institutions but is increasingly becoming a legal requirement. Compliance with data protection regulations is essential to avoid fines and reputational damage. By implementing strong data protection measures, financial institutions can comply with regulations, build trust with customers, and protect their valuable assets.

The Quantum Security Frontier: QKD and Post-Quantum Crypto

However, the rise of quantum computers presents a new challenge to this effort. Quantum computers are expected to surpass classical computers in breaking encryption keys because they perform certain mathematical operations exponentially faster than classical computers. This newfound computational power would enable quantum computers to quickly crack encryption algorithms that would take classical computers years or even centuries to solve. The US’s National Institute of Standards and Technology (NIST) estimates that quantum computers will, in the near future, be able to break some of the strongest encryption methods used today, posing a significant threat to the security of financial institutions and other entities that handle sensitive data. The decryption algorithms required to break these keys have already been designed. We are simply awaiting the development of the necessary computers to execute them. One such algorithm, for instance, is Shor’s algorithm, a quantum algorithm for integer factorization that is significantly faster than any known classical algorithm.

Researchers are exploring quantum encryption to mitigate the threat posed by quantum computers. This research follows two avenues: the secure distribution of secure keys between parties and the resistance of these keys to quantum attacks.

Quantum Key Distribution (QKD) proposes using the principles of quantum mechanics to transmit cryptographic keys that are considerably more secure against quantum computers. Because of its quantum nature, any attempt to intercept or eavesdrop on a data transmission would cause a disturbance that can be detected, allowing for the immediate detection of a breach. QKD would enable organizations to protect themselves against these emerging threats by utilizing the attacker’s tool, effectively leveling the playing field. QKD has already been successfully tested in various scenarios, including financial transactions and government communications. As quantum computing continues to advance, QKD is seen as a promising solution to protect sensitive data in the future.

Post-quantum encryption, on the other hand, is a type of encryption that is designed to be resistant to attacks by quantum computers. This makes post-quantum encryption algorithms a viable solution for long-term data protection. NIST is currently working on developing and standardizing post-quantum cryptography (PQC) algorithms that can resist attacks from quantum computers, ensuring the long-term security of sensitive information.

Adopting these new standards should enable institutions to safeguard their systems and information from potential quantum attacks proactively. This would preserve the confidentiality, integrity, and availability of their data and prevent data breaches, which can have severe financial and reputational consequences. Moreover, early implementation of these standards ensures compliance with future regulations that mandate using PQC algorithms and protecting existing data. As quantum computers can decrypt any encrypted data that is not post-quantum encrypted, malicious agents who have already obtained encrypted data but cannot decrypt it now will be able to do so in the future. While this may not concern most individuals, it is a critical issue for governments and financial institutions that hold sensitive data and must keep it confidential and secure.

Quantum-Resistant Cryptographic Algorithms

The advent of quantum computing has rendered traditional cryptographic algorithms increasingly susceptible to breaches. Consequently, in order to address this concern, scholars have endeavored to develop a variety of Quantum-Resistant Cryptographic Algorithms intended to withstand attacks executed by quantum computers.

One prominent quantum-resistant algorithm is the Hash-based Signature Algorithm (HBS). The origins of hash-based signature schemes can be traced back to the late 1970s, and since their inception, they have undergone significant enhancements. Contemporary iterations of HBS make use of Merkle trees, which constitute a hierarchical data structure encompassing “leaf” and “branch” nodes. In this arrangement, each leaf node is allocated a cryptographic hash of a data block, while each non-leaf node is assigned a cryptographic hash derived from the concatenated hashes of its child nodes. Employing this method, it becomes feasible to generate digital signatures that possess resistance against quantum computer-based attacks.

Another quantum-resistant algorithm of note is the Lattice-based Cryptography Algorithm (LCA), which draws upon the mathematical concept of lattices — a mathematical framework employed within the realms of algebraic geometry and number theory. By leveraging these foundations, the LCA algorithm is deemed to be resilient against quantum computer attacks due to the inherent difficulty in efficiently solving well-studied computational lattice problems. This renders LCA a promising choice for securing communication in the post-quantum era. LCA finds utility in encryption, hashing, key exchange, and digital signatures. While numerous LCA schemes have been devised, esteemed global organizations like the Post Quantum Cryptography Study Group, sponsored by the European Commission, advocate for the utilization of the Stehle-Steinfeld variation of NTRU as the most optimal option in terms of quantum resilience.

The Code-based Cryptography Algorithm (CCA) represents yet another quantum-resistant algorithm. CCA draws upon the principle of error-correcting codes (ECC), which function to detect and rectify errors that may occur during data transmission. By capitalizing on the properties of error-correcting codes, the CCA algorithm generates a secure key that can effectively withstand attacks by quantum computers. Error-correcting codes can be broadly classified into two main categories: block codes and convolutional codes. Block codes operate on fixed-size blocks of bits or symbols, while convolutional codes function on bit or symbol streams of arbitrary lengths. Block codes can be decoded efficiently in polynomial time, whereas convolutional codes are typically decoded using the Viterbi algorithm, with the complexity increasing as the code’s constraint length grows. It is worth noting that convolutional codes can be terminated to form a block code, albeit with arbitrary block sizes.

Lastly, the Multivariate Cryptography Algorithm (MCA) represents another quantum-resistant algorithm grounded in the principles of algebraic geometry. MCA leverages the attributes of multivariate polynomials to produce a secure key that is resilient against quantum computer attacks. These algorithms are derived from the Unbalanced Oil & Vinegar scheme, which is a modified iteration of the Oil & Vinegar scheme. Given that no known algorithm provides a significant advantage to quantum computers when solving multivariate systems of equations, MCA algorithms are regarded as formidable contenders for post-quantum cryptography.

The Ripple Effect

It should be noted that there will be broader implications beyond an increase in security when post-quantum cryptography and QKD are implemented as a standard. QKD could significantly impact the internet data market as it can make data more secure and difficult to obtain without authorization, which means that data protected by QKD will be more difficult to obtain and sell without a trace. This may challenge internet service providers and companies that rely on accessing and analyzing user data.

These changes may also increase the cost and complexity of network infrastructure and the speed and efficiency of data transmission. Many players in the communication networking market are actively researching these technologies and their future applications in their networks. One company has notably developed and deployed a commercial QKD system in Japan to secure communication between the Tokyo Stock Exchange and its clearinghouse. This implementation ensures the security of the financial transactions processed by the exchange, providing an extra layer of protection against potential cyber-attacks.

New laws and regulations to govern the use and distribution of quantum-secured data will likely soon be discussed across the globe as the day on which quantum computers will be able to break modern encryption draws nearer. These laws and regulations will need to address issues such as verifying the security of quantum networks and the data they transmit, enforcing compliance with security standards, and handling breaches and other security incidents.

About the Author: María Gragera Garcés is deeply passionate about quantum information and quantum networking. Her focus lies in implementing quantum algorithms and protocols using Python, C, C++, and Julia, as well as utilizing discrete event simulators such as NetSquid and SeQUeNCe. She has contributed to the development of quantum error correction simulation libraries and has written articles in the field of quantum information. Maria has had valuable experiences working with renowned experts, including Cisco’s R&D Quantum Networking team, where she played a role in the development of quantum protocol simulations with potential implications for the future of the internet.

For additional resources, visit www.quantumai.dev/resources

We encourage you to do your own research.

The information provided is intended solely for educational use and should not be considered professional advice. While we have taken every precaution to ensure that this article’s content is current and accurate, errors can occur.

The information in this article represents the views and opinions of the authors and does not necessarily represent the views or opinions of QuAIL Technologies Inc. If you have any questions or concerns, please visit quantumai.dev/contact.

QuAIL Technologies researches and develops Quantum Computing and Artificial Intelligence software for the world’s most challenging problems.