Quantum security: will we make it in time?
Thu 14 Jun 2018
Quantum computing is one of those concepts that promises so much but seems to be just beyond our grasp. Researchers have made great progress in their attempts to manipulate the basics of quantum computing in recent years, and yet so much is still not understood about exactly how it works.
The only thing that is certain is that once we have fully harnessed its power, computing and security as we know them will never be the same again. At the core of quantum computing is a step-change from bits, which operate in a binary sense (you either have a 0 or a 1), to qubits, which can be both 0 and 1 at the same time.
It’s this ability to carry out calculations in parallel that gives quantum computing so much potential. Its touted uses revolve around solving problems in less time than conventional computers.
That alone doesn’t sound too impressive. Computers have been getting faster at a rapid and consistent rate (as per the well-known Moore’s Law) for years now. However, the difference in speed between traditional and quantum computing is mind-boggling. Problems that would take conventional computers millennia to complete could be solved in seconds by a quantum computer.
This means it could do things like model vast swathes of nature, including DNA, which could help to ultimately solve and cure diseases like cancer. Solving massive mathematical challenges in seconds means that, put to the right use, quantum computers have the power to tackle problems that could completely change the face of science, medicine and computing.
The quantum security problem
There is a downside, however. The difficulty of solving very time-consuming mathematical problems is the cornerstone of the existing cryptographic security systems that keep the internet and our data secure.
These systems work on the simple principle of integer factorisation. Multiplying two numbers together is an easy task, but taking that product and figuring out which two numbers it came from is significantly harder. Multiplying two large prime numbers together, and using the resultant product as a public key, has kept the internet and transactions relatively secure for years.
But that’s precisely the type of problem that quantum computers would be so adept at solving. Which means that if we reached the point where we had workable quantum computers before we had similarly powerful new security systems, nothing digital would be secure.
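The link between factoring and key recovery described above, as an added example that is not part of the original article: a textbook RSA key built from two tiny constructed primes (61 and 53, with public exponent 17), where classical trial division stands in for the factoring step. All function names are illustrative.

```python
# Added illustration (not from the article): textbook RSA with tiny constructed
# primes. Real keys use primes of 1024 bits or more plus padding such as OAEP.
from math import gcd, isqrt

def make_keypair(p, q, e):
    """Build a textbook RSA key pair from two primes."""
    n = p * q                    # easy direction: a single multiplication
    phi = (p - 1) * (q - 1)      # needs p and q, which stay secret
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to (p-1)*(q-1)")
    d = pow(e, -1, phi)          # private exponent (modular inverse, Python 3.8+)
    return (n, e), d

def factor_semiprime(n):
    """Hard direction, done here by trial division up to sqrt(n).
    Every 2 bits added to n doubles the work, so real moduli are out of reach."""
    if n % 2 == 0:
        return 2, n // 2
    for cand in range(3, isqrt(n) + 1, 2):
        if n % cand == 0:
            return cand, n // cand
    raise ValueError("no non-trivial factor found")

def recover_private_exponent(n, e):
    """Whoever factors n rebuilds d from the public key alone."""
    p, q = factor_semiprime(n)
    return pow(e, -1, (p - 1) * (q - 1))

def demo():
    public, d = make_keypair(61, 53, 17)     # constructed sample primes
    n, e = public
    ciphertext = pow(65, e, n)               # encrypt the sample message 65
    d_recovered = recover_private_exponent(n, e)
    plaintext = pow(ciphertext, d_recovered, n)
    return n, d, ciphertext, d_recovered, plaintext

if __name__ == "__main__":
    print(demo())
```

The recovered exponent matches the one generated from the secret primes, which is why a fast factoring method for real key sizes would expose every private key derived this way.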
Jaya Baloo, CISO of Dutch telco KPN Telecom, elaborated on the problems quantum technology represents for security at the recent Infosecurity Europe conference in London. “Problems that we originally thought would take the lifetime of the universe to solve, because that’s what our crypto is based on, could take just a few seconds,” Baloo said.
Looking at the impact on current cryptographic algorithms, she continued: “We think we are still OK with AES-256, we probably just need to have larger key sizes. We think we’ll be OK with SHA-256 and SHA-3, we’ll just need larger output. But RSA is no longer secure.”
That’s a controversial statement. Others are more optimistic on the security front. Speaking at a House of Commons Science and Technology Select Committee, Professor Sir Peter Knight, Emeritus Professor of Quantum Optics at Imperial College London, argued that quantum computing hasn’t quite caught up with existing security techniques.
“The biggest single thing I would point to is that we basically have to assume that the encryption we use to secure the internet will fail within the decade,” he told the committee. “RSA and public key crypto will be dead within a decade because of the advances in quantum computing.
“All the things we do, using HTTPS for secure engagement, trading, commerce, entertainment, securing our own identity, have to be rolled out with a replacement within the decade. That’s why every single part of government is engaged in this because we know it takes a fair amount of time to replace public key cryptography, maybe a decade.”
And it’s not just government that’s engaged. Almost all of the big tech firms have their fingers in the quantum pie to some extent. Google is working on its Bristlecone processor, Intel on Tangle Lake, its 49-Qubit processor, Microsoft on what it argues is ‘the only scalable quantum solution’, and IBM on the Q Network.
IBM’s project, in particular, earned praise from Baloo. “[All the big companies] are busy with different quantum computing architectures, but what you see is that IBM is actually building a community. Where Google has a very specific focus on its hardware, IBM has given you the first public, cloud-based quantum computer, that you can all right now go and get an account on.”
Making security international
And given the risks and rewards on offer, it’s fairly clear that that collaborative approach is necessary here perhaps more than anywhere else. Knight and his colleague, Professor David Delpy, Chair of the Strategic Advisory Board on the National Quantum Technologies Programme, both argued at the recent committee that the UK is leading the way with this technology, mostly because of its well-structured and collaborative approach to the research.
The European Telecommunications Standards Institute (ETSI), a European Standards Organisation, has a working group on quantum cryptography. That group is chaired by Andrew Shields, who’s part of the UK’s quantum national programme. As well as that, the National Physical Laboratory and the NCSC are on board with the national programme. It’s this joined-up approach that Knight and Delpy believe is crucial to achieving a secure quantum world.
They’re not the only ones. Texan Republican representative Will Hurd has argued in Wired that it is imperative for western states to work together to get ready for the apparently inevitable quantum onslaught from their enemies. In the piece, Hurd compares ‘the consequences of mastering quantum computing’ to the advent of the atom bomb.
Analysts agree too. According to Forrester Research, the single most important factor in keeping businesses and organisations secure in the UK and Europe is communication and cooperation. Forrester senior analyst Paul McKay argues that “sharing cyber threat intelligence between the UK and the EU improves the quality of the data coming through to CISOs, and any degradation of that communication will make it harder for them to protect their organizations.”
The experts suggest two different approaches going forward. Baloo believes that the place to start is with increased key length to buy some time and then to start looking at applying quantum key distribution. Professor Knight says that the UK is making good progress in this sense – it is leading research in two areas: quantum-safe encryption, which is classical, and quantum cryptography. This is essentially the same approach that Baloo advocates, and with cooperation, we may well make it in time.
What’s certain is, if we don’t, we may find ourselves facing the very sharp side of a double-edged sword.