It is no wonder that the quantum computing investments in the United States, China, and elsewhere are ramping. Now that the technology is moving from research to practice, governments are banking on having technology’s most powerful weapon first—one that can crack encryption and render a nation’s economy defenseless.
While it does smack of science fiction, the last decade has shown that innovation moves faster than the world’s underlying infrastructure might be able to keep pace with, at least in terms of security.
Five years ago, it was questionable whether quantum computing would be anything more than an experimental technology with a thin user base. Now, with multiple vendors upping qubit and supported application counts and making it cloud-accessible for development, the promise—and threat—of quantum systems is rising to the fore.
The rapid innovations in quantum systems, including the arrival of these on cloud platforms, means faster access to quantum machines than anyone could have expected even five years ago. While the threat is not imminent—meaning, it is anywhere between five and twelve years away—the entire industry needs to take heed and begin to prepare for what NIST calls the era of post-quantum cryptography, or, the unfortunate point when none of our standard cryptographic approaches to security work any longer.
Consider, for instance, that with the current state of security, every bank in the world will need to update all the systems they use to interact with their customers, those that issue credit cards and point of sale terminals, and of course all the infrastructure in each building where tellers sign on. This also applies to interbank transfers and far more than can be reasonably listed. The point is that this is not a five-year project, it’s a decade of work minimum.
The banking example is just one that involves a complete overhaul of systems and security. Consider too that by that time, cars, homes, manufacturing systems, and far more will all be far smarter than they are secure.
Imagine a computer solving the mathematical problems that today’s fastest supercomputers can’t begin to unlock, in less than a blink of an eye. Imagine a technology that can enable an observer to see through walls, or see into the darkest depths of the world’s oceans. Imagine a technology that can build essentially unhackable global networks, while rendering an antagonist’s most secret data instantly transparent. All these are characteristics of quantum computers and quantum technology, which will define the future of global information technology for decades, possibly centuries, to come. It represents a revolution as profound as any in modern history, and it’s one on which we stand at the brink, with all its promise—and its perils. – Arthur Herman, “Winning the Race in Quantum Computing,” American Affairs, Summer 2018
“The industry’s basic science problems around quantum computing are being solved. We can build, control and connect qubits and do something useful with them already. When cloud vendors start saying they have a quantum computer and algorithms can be run as a cloud service, that should be the first real wake-up call,” says Scott Totzke, CEO and co-founder of cryptographic security company, ISARA Corporation.
Totzke, whose career spans security positions at BlackBerry and Huawei, says that the threat potential is far bigger than the dreaded (but not realized) Y2K blitz in tech but with far wider-reaching impacts since far more of our daily lives are rooted in systems that use encryption that can, in the not-too distant future, be broken by quantum machines.
IBM’s quantum computer is only at the 50 qubit mark and Totzke says this becomes a real threat when these systems are more at the 4,000-5,000 qubit level. D-Wave’s annealing is not as much of a threat to cryptographic systems because it does not tackle the Shor’s algorithm problem in the same way gate model quantum computers do. While a fault tolerant post-4,000 qubit count is still far off, he returns us to the point about early preparation and what is at stake.
“We cannot ignore the swift evolution of quantum computing. It might be five years, it might be many more before these systems can break cryptographic security but infrastructure will have to be updated at its very core level in terms of how it authenticates and transacts digitally.”
“The danger lies in the sheer enormity of critical information that is now protected by such asymmetric encryption, including bank and credit card information, email communications, military networks and weapons systems, self-driving cars, the power grid, artificial intelligence (AI), and more. While asymmetric encryption is effective at thwarting today’s hackers armed with classical computers, quantum computers will be able to hack into these systems and disrupt their operation and/or steal protected data,” according to a Hudson Research report.
While cloud access at this point does not mean wide access for attacks, it is a signal to all quarters of the tech industry to start thinking about this now.
“It’s important not to get too excited about the security risks with quantum computing in the cloud, which is early days, but it really does say that this is a real field of evolution in computation and it is moving into practical commercial context. The tendency is for the technology curve in terms of innovation and growth is to accelerate in this case the number of qubits and the complexity of problems being solved,” Totzke says.
We know what companies will need to do to prepare their systems for a breakdown in how we’ve done security for many years, but how are teams like Totzke’s developing algorithms that can firm up security systems for such an encryption-breaking future? It would seem a quantum computer might be needed to combat a quantum security breaker.
Today we have two standards: RSA, which was developed in the 1970s and and elliptic curve cryptography. Both of these share a similar mathematical construct that can be exploited via Shor’s algorithm. The research work for Totzke and team as well as the security community at large is to continue finding ways to negotiate security keys that maintain security but are also optimized for the very short wait times we are now used to. For example, how would online commerce change if users had to wait two hours for encryption?
For its part, ISARA has developed a new method of creating a compound or hybrid digital certificate that contains both classical public key and signature, and quantum-safe counterparts together. A good analogy for this technology would be a dual jurisdiction passport, that contains the identity of a single individual certified as authentic by two countries. The key to such a construct is ensuring that this crypto-agile digital certificate would in fact be accepted as legitimate when obtaining authorization to enter either country, with no extra effort or training required by either the passport holder or the border control officers.
The company says a crypto-agile certificate allows for backward compatibility between systems that only recognize classical algorithms and those that are upgraded to recognize quantum-safe algorithms. In this case an updated system can communicate with a legacy one using crypto-agile certificates, as the legacy system will only process the classical cryptographic primitives and ignore the quantum-safe equivalents without any modification. This makes migration of these dependent systems in phases not only possible but practical as the complexity of staged migrations is greatly reduced since backwards compatibility is maintained.
This is one approach of many strategies that are being firmed up with integration of tech standards bodies to ensure a consistent approach. For now, objects in mirror are closer than they appear but with lead times on overhauling systems bordering on the 10+ year mark, it’s never too early to start investigating. If passage of the Quantum Computing Initiative in the U.S. is any sign, we can expect to see companion developments in quantum systems as offensive measures and the enhanced security methods to protect systems on the defensive side.
With the arrival of 4,000+ qubit systems it is not unreasonable to assume there will be regulations in place governing what institutions, or perhaps even countries, can have quantum computing programs. That is, if cryptography cannot advance fast enough to intervene and disseminate its fixes to systems worldwide.