Quantum Computing: Why the technology poses a security threat

While the term ‘quantum computing’ may sound futuristic, many experts argue the technology is not far away from being utilised on a global scale. Amongst myriad potential benefits, Julian Hall explores how it is set to dramatically impact upon the security sector.

The next generation of super computers will be faster, more efficient, revolutionary – and potentially, dangerous.

With the ability to make calculations in minutes that would take today’s most advanced computers thousands of years, quantum computers will be in a league of their own. Among the benefits they are anticipated to bring are improvements for solar panels, electric car batteries, financial and weather forecasts and even finding a cure for Alzheimer’s.

But it’s the application of quantum computers to encryption and security that is grabbing the headlines. Their ability to break down the vast majority of currently used cryptography, and therefore penetrate government, military and financial networks, is both impressive and scary at the same time.

What is Quantum Computing?

In a nutshell, quantum computing is a victory over uncertainty. Computers work on the basis of a binary understanding where ‘bits’ either represent a ‘0’ or a ‘1’ outcome – essentially a heads or tails scenario where the outcome is measured when the coin lands. Quantum computing allows the for the outcome to be measured while the coin is still spinning in the air – meaning the value is both heads and tails simultaneously.

The quibit, or quantum bit, allows for multiple values to be stored at once. To put this in some kind of context, there are, as Luther Martin from security solutions company Micro Focus observes, “between 10⁷⁸ to 10⁸² atoms in the visible universe, so a single register of just 265 qubits can simultaneously hold about as many values as there are atoms in the universe.”

What are the threats created by quantum computers?

The huge capacity of a quantum computer means a massive decryption capability. Luther references an algorithm running on a quantum computer “that reduces the security of a 3.072 bit RSA key down to only about 26 bits” – in other words easily cracked will a mobile phone. CEO and co-founder of banking technology supplier Neocova and Professor at Washington University, Sultan Meghji, likens the potential of quantum computing on encryption to “how the Allies broke Enigma in World War Two.”

Just how big a deal this is cannot be overstated.

“One of the fundamental building blocks for making digital technologies secure is cryptography,” notes Michele Mosca, a founder of and Professor at the Institute for Quantum Computing at the University of Waterloo, Canada.

“Cryptographic algorithms allow us to obtain trustworthy results while using systems that are not entirely trustworthy. For example, trusted endpoints can communicate through an untrusted telecommunications system and guarantee the confidentiality of their messages using encryption algorithms and guarantee the origin and integrity of the messages using digital signature algorithms.”

Quantum computers would break all of this.

Mosca identifies four specific risks from the fallout of this big data bang:

1. Confidential data, protected by these algorithms, that is stored can be decrypted and exploited later once quantum computers are available to adversaries.
2. If quantum-safe alternatives are not ready in time, it could also mean the systemic collapse of digital systems that deeply rely on these building blocks. This would impact essentially all critical infrastructures.
3. If migration to quantum-safe system is managed as a crisis, the rush will lead to flawed designs and implementations that will be vulnerable to conventional attacks. Inter-operability with other systems in the respective digital ecosystems is also likely to be compromised.
4. If lack of quantum readiness becomes apparent, people may lose faith in the security of digital systems, and the institutions responsible for the availability and security of these systems. Trust and confidence in our institutions is critical for the healthy functioning of society.

It’s pretty apocalyptic stuff and it sounds a bit like the hype over Y2K, but with actual peril.

Sultan Meghji thinks the Y2K analogy fits, but he’s less concerned about ‘general use’ computers (e.g. laptops, cloud sharing machines) that are “many years away from broad spectrum utility and availability” than with existing ‘specific use’ devices such as China’s Quantum Science Satellite, known as Mozi, launched in 2016 and, this year, paired with the world’s first portable ground station for sending and receiving secure quantum communications.

“It is that second category that poses the largest, most immediate potential threat to security. Devices like these could nullify all encryption currently used today, ranging from encryption that protects a consumer’s credit cards on the internet to that which guards a president of a country’s communications with his or her military leadership. “

With the recent UK government decision to ban Huawei from assembling its 5G network, following the US decision, China’s role in the global security ecosystem has again been in the spotlight. China is, however, seemingly unabashed in its ongoing aim to be the dominant global power and its use of tech to get there. While it eschews the idea that state and commerce are one and the same, for many observers China’s hoovering up of old data to be decrypted later, its ownership of data-rich companies such as TikTok (now the subject of US investor efforts to buy it from its Chinese owner) and its investment and boardroom presence in western tech start-ups all point to a consolidation and advancement of its world standing.

Sultan Meghji asks: “What happens if, in November this year, the Chinese bring on stream an industrialised-scale offensive quantum encryption hacking programme that can break every single piece of encryption out there and we just don’t know about it for years until the defensive systems come online? We are in the beginning of this grey window that will last for some number of years where there will be a disconnect between the offensive capability and the defensive capability of everyone else.”

The quantum-assisted chaos scenario that concerns Meghji the most is a covert attack on a bank and altering debt payments. “Financial services is the most full of risk right now and, after national military infrastructure, the biggest target.”

What can be done to protect against the Quantum threat?

There’s a general consensus among cyber experts and industry experts that battling quantum decryption doesn’t have to be rocket science even if it will be time consuming.

“In theory, it’s simple,” says Michele Mosca. “Replace the public-key algorithms we depend on with alternatives that are designed to resist quantum attacks. In practice, this is a massive and multi-faceted undertaking that takes 10-20 years to do properly. Much remains to be done, and more stakeholders will need to join the effort.”

As Mosca says, many of the steps toward migrating systems to quantum-safe cryptography, (both “post-quantum” cryptography and quantum cryptography) are already underway, and Luther Martin, writing in TechBeacon, thinks that many businesses will already be adopting them.

“Attacks that can run on quantum computers simply divide the number of bits of security that an AES [Advanced Encryption Standard] key provides by two,” says Martin. “A 256-bit AES key will provide 128 bits of security, etc. So if you are already using AES-256, you are already using an encryption algorithm that will provide an adequate level of security against quantum computers.”

Meanwhile, Honeywell (who claim to have built the most powerful quantum computer yet, though, unlike Google, have not claimed ‘quantum supremacy’ i.e. the ability to make calculations that no over classical computer can) believe that the solution is within the problem. “The beauty of quantum computing,” says Tony Uttley, President of Honeywell Quantum Solutions “is that quantum computers have the potential to be a tool that works in both directions. This means that there are opportunities for quantum computers to provide quantum randomness to become a part of the encryption process itself.”

---

Michele Mosca’s steps for CTOs, CSOs or any other relevant postholders:

• identify someone responsible for quantum readiness and make sure they have sufficient resources and executive level support.  

• Said person to make an initial assessment of quantum risk to their organisation and start plotting prioritised next steps. 

• Next steps include developing quantum-safe migration roadmaps and engaging in discussions with other interdependent organisations, e.g. procurement managers requesting information about quantum readiness from their suppliers and communicating expectations and requirements to their suppliers.

---

While Sultan Meghji also believes that shoring up many systems against the quantum threat can be simple enough, recalling the rollout of Transport Layer Security protocols 1.0 and 1.1 as being “fairly straightforward”, he also knows that despite the simplicity and being inexpensive “there will be laggards…there are still organisations out there using TLS 1.0  which you or I could hack with our smartphone.”

Investment is crucial for Meghji. “If I was responsible for research budgets for either of our two nations I would put 10 times whatever the number is of investment in cyber and 10 times whatever the investment is in quantum computing – and that’s on the low end.”