How Quantum Computers Can Impact Security
While it might be too early to completely overhaul security protocols to prepare for quantum computing — not to mention that no post-quantum cryptographic standard exists yet — it would be a good idea for organisations to start planning for the future.
If you’ve been following technology trends over the past few years, you’ve no doubt heard of the term “quantum computing,” which many call the next frontier for computing technologies. The promise of a computer that, on paper, has the potential to surpass the capabilities of even today’s fastest supercomputers has many players in the tech industry excited, leading to many new startups focusing their efforts on the quantum computing field.
But how feasible is quantum computing in its current state? How much of it is hype rather than reality? And what does the development of quantum technology mean for the security industry? To answer these questions, let’s step back a bit and take a brief look at what a quantum computer is all about.
Separating bits from qubits
Traditional computers, including the one you’re most likely using to read this article, are built from millions (or even billions) of miniature transistors on a silicon chip. These computers store and process data using binary digits, or “bits”, each of which represents a logical state with exactly one value: either 0 or 1. This means every computation can be reproduced with exactly the same result; it’s just a matter of flipping transistors on and off. Instead of bits, quantum computers rely on quantum bits, or “qubits”, which are the basic unit of quantum information.
Quantum mechanics has certain properties that have no real equivalent in the non-quantum world, such as superposition, which is when a quantum system exists in more than one state at once (think Schrödinger’s cat). An electron, for example, can be spinning up or spinning down, a characteristic we cannot actually determine until we measure it; until then it is in both states at once, or in superposition.
Unlike a traditional computer, which has to work through 1s and 0s sequentially, superposition allows a qubit to represent 1 and 0 at the same time, so the analysis and computation of data can be accomplished at a significantly faster pace. A good analogy is a person trying to open a combination lock. A traditional computer is akin to someone who can only test one position after another, which is how it is actually done. This would work eventually, but it would take the person a long time to open the lock. A quantum computer, on the other hand, can be compared to a person who can miraculously test all potential positions at the same time, and is therefore able to open the lock in a short amount of time.
One important thing to understand about quantum computers is that they are not designed to replace traditional computers in every aspect of our lives. A quantum computer’s strength lies in its ability to perform complex simulations and process nonlinear systems such as weather and climate patterns, bionic machine designs, or finding prime numbers.
On the other hand, your classic supercomputer will still have the upper hand when it comes to providing concrete results and solving linear problems. In other words, quantum computers are not a silver bullet that will push us into the next evolution of computing; the most likely scenario is that we will still be using classic computers and quantum computers side-by-side in one form or another.
Quantum computing and its impact on security
So, what does quantum computing have to do with security? In its current state, not much yet: today’s quantum computers are essentially test beds for tech companies and researchers to try out algorithms and software in order to determine which ones are effective. There is still a lot of work that needs to be done before vendors can offer quantum computing access to the general public. And when that day arrives, it is almost certain that quantum computers will be hosted by vendors and housed in specialised data centres with extremely tight security protocols.
The most likely scenario is that quantum computers will be a tool used by nation-state threat actors rather than your regular run-of-the-mill underground cybercriminal. It’s also probable that algorithms will become valuable resources that could potentially be targeted for espionage or sabotage.
Looking at more immediate security implications, perhaps quantum computing’s most significant impact would be its effect on cryptography. Unlike classic computers, which rely on pseudorandom number generators for cryptography (they are unable to generate truly random numbers on their own), quantum computers, by their very nature, have real random number generators, which makes them great for encryption. Unfortunately, a quantum computer’s strength can also make it a dangerous tool in the hands of malicious elements.
Today’s computers can, in theory, break cryptographic keys; however, it would take a tremendous amount of time and resources to do so. On the other hand, referring back to the combination lock analogy, quantum computers can go through different cryptographic combinations simultaneously, making current encryption methods — such as the Advanced Encryption Standard (AES) — trivial to break.
One of the systems that could potentially be heavily affected by quantum computing technology is public key infrastructure, a set of standards, protocols, and technologies (including digital certificates and code signing) that ensure the integrity of data being passed along on the internet and the cloud. The strength of public key infrastructure is in its cryptographic processes, which allow secure communication even over insecure networks. While these processes are nearly impossible to break using our current computing technologies, quantum computers can shorten the span of time needed to break public key cryptography from years to hours.
A potential solution to this problem could be simply to use longer keys. However, this approach has its own challenges in terms of latency: longer keys need more resources for receiving and decrypting data, and might not even fit inside the tiny embedded chips used in many modern electronics. In this scenario, a user who wants to retrieve a payload of just a few bytes might need to download an encrypted package many times larger — for example, a 4MB package containing a 200-byte file.
While this might not seem like a big deal, it could have major consequences in real-life use, especially for real-time data transfer in technologies such as vehicles, aeroplanes, surgical robots, and any machine that needs fast and constant communication (for example, with a very long key, a turbine in an aeroplane might need 10 seconds to decrypt commands coming from the pilot instead of the near-instantaneous time it takes with shorter keys).
Fortunately, researchers and government organisations have already started to develop public-key algorithms that could survive in a post-quantum world. The US National Institute of Standards and Technology (NIST) identified cryptographic issues in 2015 and started a post-quantum cryptography drive in 2017 with several potential new cryptographic methods being researched (the goal is to have a draft standard by 2022-2024).
Preparing for the post-quantum future
Quantum computing has grown tremendously in the past five years alone. While it might seem like we are far from actual viability in terms of commercial and public use, it could possibly happen within the next decade or so.
Many current systems and technologies have long life cycles — for example, it’s not uncommon to see root certificates with a life cycle of 25 years. Since it’s possible that quantum computers will be commercially available within approximately 10 years, older certificates without the proper protocols in place to protect against quantum-based attacks would be highly vulnerable. This could be compared to the Y2K issue, where organisations could already see it coming, but not everyone started to prepare on time (although Y2K turned out to be largely trivial in nature).
While it might be too early to completely overhaul security protocols to prepare for quantum computing — not to mention that no post-quantum cryptographic standard exists yet — it would be a good idea for organisations to start planning for the future. This means observing and monitoring the progress of the quantum computer market, quantum computing technologies in general, and the standards that will govern post-quantum cryptography. It is also important to decide whether to migrate current systems or replace them altogether — both of which would take plenty of time and resources.
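One way to turn the two observations above (long-lived keys and certificates versus a roughly ten-year quantum horizon, and the need to decide what to migrate) into a repeatable planning check is a crypto-agility triage script. This is an added example, not code from the article; it assumes Mosca's inequality (years the asset must stay protected + years needed to migrate it > years until a capable quantum computer), uses certificate expiry as a proxy for the protection period, and runs on a constructed inventory.

```python
"""Crypto-agility triage for post-quantum migration planning (added example).

Assumption (not stated in the article): Mosca's inequality. An asset is exposed
when x + y > z, where x = years its data/keys must stay protected (here: years
until expiry), y = years needed to migrate it, z = years until a
cryptographically relevant quantum computer is expected.
"""
from dataclasses import dataclass

# Public-key algorithms that quantum computers are expected to break.
# Symmetric keys are left out of this list and reviewed separately.
QUANTUM_VULNERABLE = {"RSA", "ECDSA", "ECDH", "DSA", "DH"}


@dataclass
class Asset:
    name: str
    algorithm: str
    issued: int         # year the key or certificate was created
    expires: int        # year it stops being relied upon
    migrate_years: int  # estimated years to replace it (y in Mosca's terms)


def exposure_years(asset: Asset, now: int, quantum_horizon: int) -> int:
    """Return x + y - z; a positive value means the asset is exposed."""
    x = max(asset.expires - now, 0)
    return x + asset.migrate_years - quantum_horizon


def triage(assets, now: int, quantum_horizon: int):
    """List quantum-vulnerable assets, most urgent first, with an action."""
    rows = []
    for a in assets:
        if a.algorithm.upper() not in QUANTUM_VULNERABLE:
            continue  # not affected by the public-key break discussed above
        e = exposure_years(a, now, quantum_horizon)
        rows.append((a.name, a.algorithm, e, "MIGRATE" if e > 0 else "MONITOR"))
    return sorted(rows, key=lambda r: r[2], reverse=True)


# Constructed sample inventory; names, years and algorithms are illustrative.
INVENTORY = [
    Asset("root-ca", "RSA", 2018, 2043, 5),        # 25-year root certificate
    Asset("tls-edge", "ECDSA", 2023, 2025, 1),
    Asset("code-signing", "RSA", 2020, 2030, 3),
    Asset("backup-enc", "AES-256", 2021, 2031, 2),  # symmetric, skipped here
]

if __name__ == "__main__":
    for row in triage(INVENTORY, now=2023, quantum_horizon=10):
        print(row)
```

With the sample inventory the 25-year root certificate is flagged for migration years before the assumed quantum horizon, which is the point the article makes about long life cycles.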
Building a system safe from potential attacks that use quantum technology could take years. Therefore, as we enter a world where quantum computing is a viable option, it is best to have a long-term outlook for what the future holds and be prepared ahead of time.