Over the past few years, we’ve seen a seemingly endless stream of tech and mainstream media headlines on the topic of quantum technology developments, primarily focusing on quantum computers, their capabilities, and the threat they pose to cyber-security infrastructure as we know it.
However, quantum technologies constitute a big part of the solution, with exciting promise to protect our most sensitive data.
On the threat side: the security challenge of quantum computers
Quantum computers will soon be able to simultaneously process exponentially larger numbers of calculations than today’s computers are capable of, enabling them to solve previously intractable problems. This can have many positive ramifications, for example for medical or other research, but it also challenges the status quo of our security infrastructure.
Current strategies for sharing encryption keys rely on the difficulty of factoring a large product back into its prime constituents, a problem that is beyond the reach of classical computers in a reasonable time frame. Once quantum computers mature, they will be able to crack this mathematical challenge quickly, making public key infrastructure (the process of sharing keys) insecure.
Symmetric encryption itself is expected to remain safe, as long as the keys are long enough and fully random – the tough problem will be how to securely exchange those keys.
While quantum computers are still in their infancy, organizations such as NIST estimate that mature quantum computers will be able to crack our public key infrastructure within 15 years, while others predict even sooner.
This may seem far off, but it is in fact a race against time: upgrading infrastructure takes years, and a lot of sensitive data needs to be kept secure for several years – and in some cases, decades – making it vulnerable to harvesting attacks today, whereby it is captured and stored for later decryption as quantum computers become available. Any organization handling personal or financial information with a long shelf life needs to get ready as soon as possible.
Now, for the plus side
Quantum technology also delivers capabilities that can be used to enhance data security against today’s attacks, as well as against future quantum computers – this is typically known as quantum cybersecurity. Even without the threat of quantum computers, poor quality or insufficient quantity of random numbers is a security risk. Generating high-quality random numbers at high rates has proven a surprisingly hard problem to crack. Fortunately, quantum technology provides an elegant and powerful solution.
Quantum physics is fundamentally random, and this inherent randomness has been harnessed into commercial quantum random number generators that produce fully random numbers at high rates and cost-effectively, putting this issue to rest. These devices are starting to be integrated into security infrastructure for the cloud, in finance and beyond – a trend that is expected to increase over the coming years. As a bonus, the use of longer, higher-quality keys was identified by the NSA as being one of the strategies to protect data from the threat of quantum computers, so using a high-quality quantum random number generator enables security-aware companies to get a head start in that direction.
At a more advanced level, quantum key distribution uses quantum communication to share a key between two parties without relying on more vulnerable Public Key techniques. It therefore solves the thorny key exchange problem we mentioned before. Its security is based on a fundamental characteristic of quantum mechanics: the process of measuring a quantum system disturbs the system.
An attacker trying to intercept the key exchange will inevitably leave detectable traces, allowing that information to be discarded. Quantum key distribution has been proven to be safe, independently of the processing power of the attackers, and is therefore not vulnerable to quantum computers. This is a developing technology with challenges to overcome, but companies are beginning to roll out commercial implementations, and development under way will move it beyond point-to-point capability and even free it from the current constraints of fiber optic connections, extending it to free space and ultimately mobile devices. Certainly worth watching.
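The detection principle described above, as an added example that is not part of the original article: a small simulation of BB84, a specific QKD protocol chosen here as an assumption (the article names none), in which an intercept-and-resend eavesdropper pushes the error rate of the sifted key from 0 to about 25%. The function names, the noiseless channel, and the 11% abort threshold are assumptions of this sketch.

```python
import random

def measure(bit, prep_basis, meas_basis, rng):
    """Measure a photon prepared as (bit, prep_basis) in meas_basis.

    Matching bases return the encoded bit. Mismatched bases return a random
    bit: this is the disturbance that measurement causes.
    """
    return bit if prep_basis == meas_basis else rng.randrange(2)

def bb84_error_rate(n_photons, eavesdrop, seed=1):
    """Return the error rate of the sifted key on a noiseless channel."""
    # Seeded PRNG so the simulation is repeatable; a real system would use
    # a hardware or quantum random number generator for bits and bases.
    rng = random.Random(seed)
    sifted = errors = 0
    for _ in range(n_photons):
        a_bit, a_basis = rng.randrange(2), rng.randrange(2)  # sender
        bit, basis = a_bit, a_basis
        if eavesdrop:
            # Interceptor must guess a basis, measure, and resend what it
            # saw. A wrong guess re-prepares the photon in the wrong basis.
            e_basis = rng.randrange(2)
            bit = measure(bit, basis, e_basis, rng)
            basis = e_basis
        b_basis = rng.randrange(2)                            # receiver
        b_bit = measure(bit, basis, b_basis, rng)
        if a_basis == b_basis:        # sifting: keep matching-basis rounds
            sifted += 1
            errors += a_bit != b_bit
    return errors / sifted

def link_is_clean(error_rate, threshold=0.11):
    """Both parties compare a sample of the sifted key and abort above the
    threshold (0.11 is an assumed value for this sketch)."""
    return error_rate <= threshold

if __name__ == "__main__":
    for eve in (False, True):
        rate = bb84_error_rate(20000, eavesdrop=eve)
        print(f"eavesdropper={eve}: error rate {rate:.3f}, "
              f"keep key: {link_is_clean(rate)}")
```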
So, what will the future look like?
In addition to these technology-driven solutions, a search is also under way for algorithms believed to be secure from both classical and quantum computing attacks. These quantum-resistant algorithms will have challenges: they can’t simply replace current solutions, since they require significant changes in current protocols, and, unlike Quantum Key Distribution (QKD), they will remain vulnerable to new quantum algorithms as they emerge. It will also take many years to reach standardization around any new algorithms. However, they will provide flexibility, and will be an important element of an overall quantum-safe security approach.
In the race to protect our data from the power of quantum computers, it is likely that hybrid solutions will emerge. Keys will be stronger, with what we call “full entropy” or true randomness. Crucial links will be protected using a global, flexible QKD network, invulnerable to quantum computers. Finally, for shorter, less exposed links, improved algorithms may provide some enhanced protection, regularly updated against growing threats.
While the quantum computer threat is certainly a major challenge, other elements are falling into place to address it, letting us reap the benefits of that technology while remaining secure.