What is quantum computing and how will it affect your organisation?
During this time of digital transformation, new innovations are appearing at lightning speed. For years, we’ve seen improvements in computers with manufacturers aiming for everything to be faster and faster. Now, they’re deeply engaged in a race to make quantum computers widely available. These quantum computers will outstrip the performance of existing supercomputers, but also introduce threats to people and businesses.
So what will happen when the first quantum computers enter the market? What are the opportunities and threats?
1. First off, what is quantum computing?
In January 2019, IBM built the first commercial quantum computer. Based on the science of quantum physics, it communicated in a completely different way from existing computers. This new approach has enabled computers to not only become much faster, but, with improved technology, to enable things that were previously impossible.
Based on this new technique, Google achieved a breakthrough that was referenced in the renowned scientific journal Nature:
“The calculation is…a demonstration of what the special computer called Sycamore can do. The achievement has been compared by scientists to the Wright brothers’ first plane flight. Sycamore calculated a complex combination of sums in 3 minutes and 20 seconds. This calculation would take at least 10,000 years with a standard computer, Google claims.”
Today’s widely used computers work on the basis of bits and bytes – so 0 and 1s – also known as a binary method. When communicating, they’re limited to the binary combinations they can create using 0s and 1s.
Quantum computing is based on non-binary technology, which means the possibilities between 0 and 1 can be used. Suddenly, it’s not only black and white – it’s grey too. Something can be a 0 for 70% and a 1 for 30%, or any other ratio. This technological change has an enormous impact on the world as we know it today and on our current way of working.
It raises questions such as:
- Where do we communicate digitally in our processes, and how could we optimise this further?
- What is encrypted and how does quantum computing change this?
- How does quantum computing affect digital identities in our current and future software?
- What role will security by design play in relation to quantum computing?
2. What impact could quantum computing have on (cyber)security?
Quantum computing’s superpowers open up many possibilities, such as enabling complex analyses in the medical world. But there’s also cause for concern when it comes to security and, in particular, cybersecurity. This extra computing power could, for example, crack the current cryptography (which involves encryption and decryption) in our daily communications.
Encryption is when you take data and convert it into an inexplicable code. A complex mathematical formula converts data into securely encrypted messages to be then sent and/or stored. Both encryption and decryption (converting code back to readable data) are done using a digital key.
There are two main categories when it comes to the encryption and decryption of information: symmetrical and asymmetrical. Symmetric cryptography uses the same key for encryption and decryption. With asymmetric cryptography, you have a private key and a public key. The public key is shared, so other people can encrypt messages for the key’s owner. The private key is only stored by the owner and recipient, so only the recipient can decrypt the message.
Symmetric cryptography is considerably faster than the asymmetric approach. For this reason, it’s mainly used in everyday communication and to encrypt stored data.
Asymmetric cryptography is mainly used for the secure exchange of symmetric keys and for digitally verifying or signing messages, documents and certificates that link public keys to the identity of their owners. It’s also used for authentication and encryption, with the big advantage that you can encrypt something that only you can read (because only you have the private key). The latter is mainly seen when identity and communication have to be linked for security purposes – for example, secure communication between governments or between citizens and their government.
3. How might quantum computing be used in a cyberattack?
In terms of symmetric encryption, the easiest way to crack a code is to try all possible keys until one works. Conventional computers can do this, but it’s very difficult and time consuming. Quantum computing, however, speeds up the process. This issue is relatively easy to solve by using longer key lengths, so it takes even quantum computing a long time to crack the code. But what about old, encrypted data in storage? And what if encrypted data has already been leaked?
Cryptography for public keys presents an even bigger problem because of the way calculations are used. Currently, the algorithms RSA, Diffie-Hellman and elliptic curve are widely used. By using quantum computing, you can start with the public key and calculate the private key mathematically without trying all the possibilities.
If an RSA algorithm is used, for example, the private key can be calculated by decomposing a number that’s the product of two prime numbers – for example, 15 is the product of 3 multiplied by 5. Until now, public key encryption using very long key pairs was unbreakable. But sufficiently sophisticated quantum computers could crack even 4,096-bit key pairs in just a few hours.
4. How can I protect my organisation’s security from quantum computing?
Fortunately, researchers have been working on public-key algorithms that could withstand quantum computers’ attempts to break code, while also maintaining trust in certificate authorities, digital signatures and encrypted messages.
In particular, the US National Institute of Standards and Technology has already evaluated 69 potential new methods for what it calls post-quantum cryptography. And has recently shortlisted seven options.
“NIST expects to have a draft standard in 2024 (if not earlier), which will then be implemented for digital certificates and holders (such as smart cards) and added to web browsers, apps and systems” NIST
Another alternative to public key cryptography for key exchange is the distribution of quantum keys. Here, quantum methods are used by the sender and receiver to create a symmetric key. These methods do, however, require special hardware.
5. Why is now the right time to invest in protection?
Strong cryptography is vital for cybersecurity on both an individual and societal level. It provides the basis for secure transmission and data storage, and for verifying trusted connections between people and systems. This is especially important now lots of people are working from home and are sharing information and communicating online.
Quantum computers are currently only used in experiments by large tech companies and are economically and technically impossible to use on a larger scale. Today’s asymmetric algorithms, such as RSA, are still the standard for encrypting data, ensuring strong authentication and signing messages and software. And they continue to provide critical security for communications and transactions. Quantum computers aren’t expected to become available for several years, but it’s crucial you prepare for their arrival with a security strategy that incorporates a thorough risk analysis.
This risk analysis should show where secure communication, digital identities and encryption are used in your current processes. You can then prepare to take organisational, technical and individual measures that are quantum proof in the future. Your digital security strategy should, for example, clearly document which form of cryptography is used by your systems and how you could migrate to new quantum-proof algorithms.
Your strategy should also include a management system in which certificates, identities and associated keys are registered, validated, managed and revoked according to the current standard at that time.
So how could quantum computing affect your organisation? And do your current security measures have a degree of quantum agility?
Jordan van den Akker, Business Security Consultant at AET Europe