CONVENTIONAL COMPUTERS OPERATE using traditional electronic signals, forced into two states known as bits, and represented as 0 or 1. Computers string these bits together to make numbers. Those numbers can be huge, and the manipulation of these numbers to accomplish a goal generally happens very quickly. Right now, an upper performance limit exists for even the most powerful supercomputers.
This performance limitation is, in some ways, foundational to internet security today. It means it is computationally infeasible to crack current cryptographic algorithms that are used to protect data and transactions. This helps to protect the cyber security and integrity of a wide array of material, such as highly classified government data and electronically signed commercial documents. But the computational and mathematical assumptions on which much of today’s cryptographic security is based are crawling closer and closer to being disrupted by quantum computing.
Governments and private entities are investing billions to tap into this “game-changing” computing power, which is based on physical quantum phenomena. Quantum computers can easily manage complex, data-heavy tasks like facilitating the development of life-saving drugs, simulating intricate financial markets, or predicting the weather more accurately. In addition to unleashing these positive applications, quantum computers can introduce disruption into the security infrastructure of the internet because they are not constrained by the computational limitations of traditional computers. As a result, they pose a threat to public key encryption, which underwrites the security and integrity of much of today’s digital interactions.
“Quantum computing promises great potential. Right now, so many individuals and organizations rely on public key cryptographic algorithms to secure sensitive data and communications, we all need to consider the impact affecting the security and privacy of communications and computations with the emergence of quantum technologies,” says Deborah Golden, the U.S. Cyber & Strategic Risk leader for Deloitte Risk & Financial Advisory and a principal with Deloitte & Touche LLP. “Organizations should start taking steps to understand how they leverage cryptography across their operations and what encrypted data and services may be subsequently vulnerable as quantum computing develops. Quantum cybersecurity can pave more robust and compelling opportunities for the security of critical and sensitive data.”
Evaluating the quantum threat
Quantum computing’s threat to some public key cryptography algorithms comes from its potential to break down large numbers into their prime factors with incredible speed. Instead of relying on simple binary bits, they depend on physical quantum phenomena, such as superposition—which means that a particle can be in multiple states at once until it’s measured. Quantum scientists use these properties to create quantum bits, or qubits, which can represent many numbers at the same time, rather than calculating them one at a time as conventional machines do.
Still, actually getting quantum computers to make these calculations is difficult, according to Colin Soutar, a managing director in Deloitte Risk & Financial Advisory, Deloitte & Touche LLP. They need many qubits to perform calculations and to support the error corrections that improve the reliability of this tricky technology. Those qubits are difficult to create and entangle.
Technology develops quickly, though, and on multiple fronts. While scientists work on increasing the qubit count, mathematicians are finding new algorithms that have already reduced the necessary number of qubits by orders of magnitude. Estimates of how long it could take for quantum to threaten today’s cryptographic algorithms vary.
“Regardless of how long it takes to commercialize quantum computing, organizations should start taking stock of their cryptographic reliance, and implement governance steps that will allow them to quickly swap out software and hardware components that are quantum resilient,” says Soutar,
Developing post-quantum cryptography
The U.S. Department of Commerce’s National Institute of Standards and Technology (NIST)is stepping in to prepare for this post-quantum future. NIST, which develops frameworks and guidelines for cybersecurity and privacy (among many other technical and manufacturing disciplines), is hunting for new, quantum-proof encryption algorithms that can secure new secrets and re-encrypt old ones. It solicited approaches to the problem in 2017, initially receiving 69 submissions.
By July 2020, it had whittled down the submissions to a shortlist of 15, seven of which are prime candidates for general purpose post-quantum cryptography, and eight of which either need more development or look suitable for specific applications. The organization is now reviewing these algorithms and plans to release draft standards by the end of 2024.
In the meantime, until a quantum-resistant cryptography standard is ready, companies with an eye on future security face a difficult task: The volume of information that will need to be secured is vast. When quantum computing does become a practical threat, it won’t just threaten freshly minted data. It could also affect data that organizations are creating today, and data that they have encrypted in the past—if public-private key pairs used during the process were recorded.
Matthew Scholl, chief of the computer security division in the Information Technology Laboratory at NIST, also urges organizations to begin planning for quantum’s impact on encryption while NIST continues working with the international cryptographic community to finish the needed encryption standards. “There will be time for commercial products to implement these new standards and for organizations to integrate them into their infrastructures,” he says, but being ready for that transition will be key. “We have learned from previous encryption and from other important legacy upgrades that these changes can be complex and resource intensive.”
Assessing the risk
Before organizations can assess the risk of quantum computing to their operations, they ought to analyze the processes that it supports, in a discipline that Soutar calls crypto-governance.
“Crypto-governance means getting a real sense of what data an organization has, how it is encrypted, how it is transmitted, what cryptographic methods are used, where the keys are stored, and how the keys are exchanged,” he says.
NIST is helping to create frameworks for crypto-governance and organizational agility beyond its standardization work. At the end of June this year, shortly after its third post-quantum cryptography standardization conference, it released a report detailing post-quantum implementation tasks that companies must tackle as they prepare their migration to quantum-resistant cryptography.
At a high level, these tasks involve rooting out quantum-vulnerable cryptographic libraries, applications, computing platforms, communication protocols, and hardware and software modules. These modules include any application using Transport Layer Security (TLS), which is a common public key cryptography implementation supporting internet communications. It also includes operating systems that include quantum-vulnerable cryptography. “Much of this work will be done by large technology providers but knowing if and where you might have hard coded, purpose built, or custom code that implements these protocols will be part of that awareness,” says Scholl.
After identifying these assets, companies must map out what they are used for and options for dealing with them. These options could include switching off the quantum-vulnerable functions or potentially replacing them with quantum-resistant ones when the time is right.
Quantum opportunities in cybersecurity
As they mature, quantum computers will undoubtedly support a wide range of computational capabilities, such as large data modeling, and large number factorization. While the factorization properties can pose the threat discussed above to public key cryptography, it is conceivable that the data modeling could also help to detect anomalous events that are indicative of an imminent cybersecurity threat. Such positive cybersecurity applications of quantum computing remain nascent, as do broader quantum technology use cases that are being contemplated, such as quantum key distribution and quantum random number generation. Nonetheless, it is worth keeping an eye on these technological possibilities, as the fundamental research being conducted may lead to unanticipated benefits.
“Even as quantum computing disrupts cryptography, there are crypto-agile approaches that security leaders can take today to rapidly adapt in response to quantum threats,” says Golden. “And quantum computing may have a very positive impact on other aspects of cybersecurity. Quantum computing has the advantage of being able to fight fire with fire; it will be a ground-breaking technology for cybersecurity. With open knowledge and technology transfers through collaboration in public and private sectors, quantum computing has the potential to identify and deflect quantum computing-based attacks before they can infect systems and may lead to more impactful predictive strategies to prevent threats.”
This article was produced by WIRED Brand Lab on behalf of Deloitte.
Source: With Quantum Computing’s Rise, Cybersecurity Takes Center Stage | WIRED