How tomorrow’s quantum computing raises cybersecurity risks today
As new computing emerges, researchers prepare for quantum-safe cryptography to protect sensitive data
Just as they are on the cutting edge of quantum computing, IBM researchers are developing quantum-safe cybersecurity.
Building a fully functional quantum computer has, for many years, been one of our most thrilling scientific and engineering pursuits.
This new approach, based on quantum physics, promises enormous leaps in computing ability and could spur world-changing breakthroughs, from creating safer medications to helping us develop more efficient manufacturing material and even fighting climate change. Some studies predict a USD 65-billion quantum industry by 2030, up from USD 507 million in 2019.
But the quest for quantum also has a less discussed impact. Cybersecurity researchers are concerned that the advanced algorithms could easily break through most modern cryptography.
“For all the dramatic advances offered by quantum computing, it could create a huge threat to the security of our data,” said Terry Halvorsen, IBM’s general manager for client and solutions development in the Federal and Public market. “It offers the powerful potential to break certain types of cryptography that safeguards many critical communications.”
The threat so far is hypothetical because no one has built a crypto-breaking quantum computer—yet. But that will change, and it’s a growing concern to cybersecurity professionals, who need a clear understanding of all the threats that exist for the data and systems they operate, now and in the future. “In cybersecurity, you always need to look for what’s coming down the pike because the bad guys are,” Halvorsen said. “If you’re not being attacked today, you’re going to be attacked tomorrow.”
The trick is in practicing patience. Encrypted data that is stolen today, which is nearly uncrackable by current methods, can be held until the quantum technology is available to decrypt it. “Even if this happens in a few years, it’s a short time frame when you’re considering things like sophisticated military capabilities, such as a missile or aircraft system,” Halvorsen said.
A new approach breeds vulnerability
While building a quantum computer may require a PhD, understanding the risks shouldn’t.
The emerging security threat emanates from the differences in the computing approach between what we use today and the promise of quantum mechanics, a branch of physics that explores how the physical world works at a fundamental level. At the quantum level, particles can take on more than one state at the same time, and they can have their states correlated even when separated by a large distance. Quantum computing harnesses these quantum phenomena to process information in a profoundly new way.
All computing systems are built on a fundamental ability to store and manipulate information, and a computer chip does this using bits, tiny switches that are either off (represented by a 0) or on (a 1). In nature, however, things aren’t always this binary, and that’s where the quantum computing advantage comes in. Instead of bits, quantum computers use qubits. They’re both on and off at the same time or somewhere on a spectrum between the two. It’s a state called superposition, not unlike the moment a coin is spinning through the air before it lands in your hand.
Quantum computers perform calculations based on the probability of an object’s state before it is measured, which means they have the potential to process exponentially more data compared to classical computers. The complex mathematics behind these unsettled states of entanglement can be plugged into special algorithms to make short work of complex problems.
It’s this ability to drastically speed up certain kinds of computations that presents a challenge to so much contemporary cryptography.
Zeroing in on vulnerabilities
Today’s classical computers use two primary classes of algorithms for encryption: symmetric and asymmetric.
In symmetric encryption, the same key is used to encrypt and decrypt a given piece of data. Symmetric algorithms typically are used for bulk encryption tasks, such as enciphering major databases, file systems and object storage. In asymmetric encryption, data is encrypted using one key (usually referred to as the public key) and decrypted with another (the private key). The private and public keys are different, but mathematically related. Asymmetric algorithms are slower than symmetric encryption but solve the problem of key distribution.
Currently, the most widely used asymmetric algorithms are based on difficult mathematical problems, such as factoring large numbers, which can take hundreds of years on today’s most powerful computers. However, research conducted by Peter Shor at MIT more than 20 years ago demonstrated the same problem could theoretically be solved in days or hours on a large-scale quantum computer. Similarly, quantum computers may be able to quickly break asymmetric encryption solutions that base their security on integer factorization or discrete logarithms.
That is a concern for everyone from financial services firms to government agencies. Digital signatures used to protect electronic mortgage records may need to be secure for 30 years. Computer systems that rely on digital signatures for code updates and patch validation may be in the field for decades. Digital passports and identity cards can be valuable for many years.
This means that we need to be applying schemes today that will ensure data security for decades into the future. Today, the public key cryptographic schemes we use to protect the keys used for encrypting data and for authenticating things such as transactions, code, and data will be vulnerable to future quantum computers and therefore need to be changed.
The race for quantum-safe cryptography
Fortunately, several cryptographic approaches offer promise. These schemes include quantum-safe cryptography that runs on today’s classical computer architectures but can protect against future quantum attacks.
IBM is already leading research on developing practical cryptographic solutions.
A group of IBM researchers in Zurich is focused on developing practical cryptographic solutions that are resistant to the threats posed by quantum computers. One scheme, pioneered by IBM cryptographer Vadim Lyubashevsky and academic partners, is called CRYSTALS (Cryptographic Suite for Algebraic Lattices). This open-source technology focuses on lattice-based cryptography, which conceals data inside complex and abstract mathematical structures called lattices. These could form the tip of the spear of a quantum defense.
“Even if somebody steals your data today, they’re still not going to be able to decrypt it when a quantum capability comes on the line, because we’ve wrapped it in an additional layer of protection,” Halvorsen said.
Other potential quantum defenses, including the use of hash trees, multivariate equations, and super-singular isogeny elliptic curves, are also being developed by IBM researchers. Quantum key distribution is also available. It uses special hardware components and quantum mechanics to enable two parties to produce a shared random secret key, which is subsequently used in classical cryptographic protocols.
Several of these quantum-safe cryptography schemes, including CRYSTALS, are currently being evaluated by the US National Institute of Standards and Technology (NIST) as part of a competition to develop standards. What started out as 69 candidates by November 2017 has now been cut down to seven finalists and eight alternates, with the intent that one or more finalists will be chosen and standardized by early 2022, with finalized standards released in 2024. But this doesn’t mean you should wait, as it could take many years to migrate current cryptography to quantum safe.
Not that enterprises need to wait to build up their crypto agility. In fact, because it takes time to migrate and secure data, sooner really is better. It’s part of why IBM began implementing quantum-safe cryptography across IBM Cloud last fall.
Others are also actively weighing the implications, including the World Economic Forum, which has called for the creation of a quantum security coalition.
Excited as researchers are about the potential of quantum for the greater good, they also realize they must be prepared to detect and deflect quantum-era cyberattacks before they cause harm. “Quantum science is now being harnessed to build applications that will change our world for the better,” Halvorsen said. “At the same time, we must build a new security foundation that will secure our digital infrastructure and protect us from those who mean to do us harm.”
While quantum cybersecurity should be an area of focus for all governments, the imminent need is to advance research ahead of the moment quantum computing becomes available to a larger group of users.
“The U.S. government and its allies are sponsoring research on this and they need to continue doing that as research dollars become available,” added Halvorsen.
In recent days, IBM CEO Arvind Krishna authored a series of recommendations on a platform with steps for the U.S. to retain and grow its technology and innovation leadership around the globe. Specifically on quantum research, Krishna called on Congress to “provide researchers, educators, and students with access to the world’s most advanced quantum computing systems at our National Labs to encourage greater participation in quantum information sciences, thereby facilitating a larger and more diverse range of research into these evolving technologies.”
The road ahead of quantum cybersecurity is long. And just as with the creation of quantum computers themselves, the biggest challenges in the history of technological progress need to start being solved today.