Quantum Security: Safeguarding the Quantum Future 

Quantum computing holds the promise of discovery and innovation across a wide range of industries such as finance, drug discovery, and materials science, among many others. 

For decades, scientists have established the core concepts and theory behind quantum computing, which encodes units of information in qubits, quantum-mechanical systems that are comparable to (although different from) the binary bits in today’s computing. Recently, quantum computers have achieved key milestones such as solving, in mere minutes, certain problems that might take supercomputers thousands, if not millions, of years to compute. 

The potential seems breathtaking, and while the jury is still out on when quantum computers with practical utility will emerge, there is growing consensus on the significance of quantum computing’s impact on cryptography and cybersecurity. 

The so-called “Q-Day”, when quantum computers could crack some of the most common encryption protocols protecting our digital information, is coming. While experts differ on the particulars, many expect it to arrive sometime around the end of the current decade, with a World Economic Forum report, for example, indicating an eight- to ten-year horizon. In other words, our timeline to respond to this developing quantum threat is shrinking rapidly. 

Understanding the Quantum Threats of Today and Tomorrow

Today’s cryptography is vulnerable to quantum attacks. Modern digital security applications employ and heavily rely upon systems of encryption dating back to the 1970s. Techniques like RSA (Rivest-Shamir-Adleman) and ECC (Elliptic Curve Cryptography) rely on the inherent difficulty of solving certain mathematical problems: factoring a number that is the product of two very large primes, in the case of RSA, and solving the discrete logarithm problem for points on elliptic curves, in the case of ECC. ECC exploits the difficulty computers have with retracing steps in a mathematical ‘one-way’ problem, making it easy to verify that an entity has followed the steps correctly, but difficult to figure out what the steps were. 

These and other current encryption protocols support the security of digital data systems worldwide. Their use is so widespread because the kinds of classical computing power required to solve these problems are, in all practical terms, beyond what can be achieved today. But that will soon change.  

The arrival of reliable quantum computers will be a game-changer. In fact, scientists have already identified some of the quantum tools that could one day be used to break our current security systems: Shor’s algorithm, for example, could break RSA, and Grover’s algorithm may be able to weaken symmetric key encryption such as AES (Advanced Encryption Standard) by speeding up brute-force key search. 
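To make the RSA part of this concrete, here is a textbook RSA round trip with toy-sized primes. It is an added example, not code from the article or from any product it mentions: the primes 61 and 53 are chosen only so that the modulus can be factored by trial division in an instant, which is exactly what is impractical for real 2048-bit moduli on classical hardware and what Shor’s algorithm would make feasible. Once the factors of n are known, the private exponent follows directly, so "the hardness of factoring" and "the security of RSA" are the same thing.

```python
"""Textbook RSA on toy primes: shows that recovering the factors of the
public modulus n is all that is needed to rebuild the private key.
Added example with constructed parameters; not production code."""
from math import gcd


def keygen(p: int, q: int, e: int = 65537):
    """Textbook RSA key generation from two primes p and q (no padding,
    no safe-prime checks; illustration only)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    d = pow(e, -1, phi)  # modular inverse (Python 3.8+)
    return (n, e), (n, d)


def encrypt(pub, m: int) -> int:
    n, e = pub
    return pow(m, e, n)


def decrypt(priv, c: int) -> int:
    n, d = priv
    return pow(c, d, n)


def factor_by_trial_division(n: int):
    """Brute-force factoring. Feasible only because n is tiny here; for a
    real modulus no classical method is practical, and that assumption is
    what a large quantum computer running Shor's algorithm would remove."""
    for p in range(2, int(n ** 0.5) + 1):
        if n % p == 0:
            return p, n // p
    raise ValueError("no factor found")


def private_key_from_factors(pub, p: int, q: int):
    """Given the public key and the factors of n, derive the private key."""
    n, e = pub
    return n, pow(e, -1, (p - 1) * (q - 1))


if __name__ == "__main__":
    pub, priv = keygen(61, 53)          # constructed toy primes
    c = encrypt(pub, 65)
    print("ciphertext:", c, "decrypts to:", decrypt(priv, c))
    p, q = factor_by_trial_division(pub[0])
    print("factors:", p, q, "rebuilt private key matches:",
          private_key_from_factors(pub, p, q) == priv)
```

Grover’s algorithm is deliberately not modelled here: its effect on AES is a square-root speed-up of exhaustive key search (roughly halving the effective key length), not a structural break like the one shown above.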

While we could still be years away from breaking encryption protocols with quantum computers, there are crucial reasons for governments and businesses to take action sooner rather than later. Chief among them is the current threat of “harvest-now-decrypt-later” (HNDL) attacks. Simply, HNDL attacks occur when malicious actors attempt to steal massive amounts of secure information today with the goal of decrypting the protected data in the future once quantum computers become available.   

Governments and companies are beginning to feel the importance of urgently addressing the quantum problem, with some estimating that most, if not all, of the online systems we use daily will need to be upgraded or replaced over the next 20 years. From secure email and virtual private networks (VPNs) to online authorization, public key-based digital signatures, secure web browsing, and blockchain transactions, all will need protection. 

Development and Adoption of Post-Quantum Cryptography  

One of the safeguards against this growing threat is the global transition to quantum-safe encryption standards known as post-quantum cryptography (PQC): classical encryption protocols designed to withstand quantum attacks.  

On this front, organizations are making strides: Government bodies like the European Telecommunications Standards Institute (ETSI) and the US National Institute of Standards and Technology (NIST) are now developing and publishing candidate quantum-resistant protocols for public scrutiny, while technology companies are teaming up in groups such as the Post-Quantum Cryptography Alliance to address the problem. 

Since 2016, NIST has been soliciting and evaluating potential PQC standards, and in 2022 published four of these for open review. In 2023, NIST collected feedback on the four algorithms and is expecting to release three of these for widespread use, Canada included, in 2024.

Nation states are calling for quantum-readiness, especially concerning critical infrastructure industries such as healthcare and telecommunications. As one of its three missions, Canada’s National Quantum Strategy focuses on the privacy and security of Canadians through a national secure quantum communications network and PQC initiative. In 2022, the U.S. government signed into law the Quantum Computing Cybersecurity Preparedness Act, which requires that U.S. federal agencies create strategies for migration to PQC. Meanwhile, technology giants like IBM and Microsoft are stating that the time is now for businesses and leaders in the cybersecurity space to plan their roadmaps to quantum-safe digital security. 

Becoming Quantum-Ready: The Three Methods 

Migrating to post-quantum cryptography:

Although not mandatory for all organizations, once NIST and related bodies have thoroughly vetted the coming PQC standards, organizations will need to transition to them. Ideally, organizations will focus on becoming crypto-agile so they can adapt to and apply new cryptographic protocols without requiring significant changes to information security infrastructure. Being crypto-agile, regardless of quantum computing, is an essential skill that organizations must learn as technology advances. To start the transition, organizations will begin with a detailed catalogue of the methods and objectives associated with their use of public key cryptography, their security assessments, the development of a key management strategy, as well as their collaboration with industry partners. It is crucial for companies to understand the technical obstacles of achieving crypto-agility and recognize the benefits of becoming more aware and knowledgeable about their own cybersecurity capabilities and vulnerabilities. 
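The "detailed catalogue" above and the harvest-now-decrypt-later threat described earlier can be combined into one practical check. The script below is an added example (not the article's, and not from NIST, BTQ or any vendor named on this page): it classifies each inventoried asset by algorithm family and applies Mosca's inequality, the widely used rule of thumb that data is exposed when migration time x plus the data's confidentiality shelf life y exceeds the estimated time z until a cryptographically relevant quantum computer. The inventory rows, the 8-year z used in the demo and the asset names are all constructed sample values; the algorithm sets are ordinary classifications, with ML-KEM, ML-DSA and SLH-DSA being the names of NIST's 2024 PQC standards.

```python
"""Minimal cryptographic inventory with a harvest-now-decrypt-later risk
check based on Mosca's inequality (x + y > z). Added example with a
constructed inventory; asset names are not real systems."""
from dataclasses import dataclass

# Public-key schemes built on factoring or discrete logarithms are broken
# outright by Shor's algorithm; symmetric ciphers and hashes only lose
# roughly half their effective key length to Grover's algorithm.
QUANTUM_VULNERABLE = {"RSA", "ECDSA", "ECDH", "X25519", "Ed25519", "DSA", "DH"}
SYMMETRIC = {"AES", "ChaCha20", "HMAC-SHA256"}
PQC = {"ML-KEM", "ML-DSA", "SLH-DSA"}  # NIST's 2024 post-quantum standards


@dataclass
class Asset:
    name: str
    algorithm: str
    key_bits: int
    shelf_life_years: float   # y: how long the protected data must stay confidential
    migration_years: float    # x: time needed to move this system to PQC


def classify(asset: Asset) -> str:
    if asset.algorithm in QUANTUM_VULNERABLE:
        return "quantum-vulnerable"
    if asset.algorithm in SYMMETRIC:
        return "symmetric-ok" if asset.key_bits >= 256 else "symmetric-upgrade"
    if asset.algorithm in PQC:
        return "pqc"
    return "unknown"


def mosca_violated(asset: Asset, years_to_crqc: float) -> bool:
    """If x + y > z, data this asset protects today will still be sensitive
    when a cryptographically relevant quantum computer arrives, so traffic
    captured now is a harvest-now-decrypt-later target."""
    return asset.migration_years + asset.shelf_life_years > years_to_crqc


def assess(asset: Asset, years_to_crqc: float) -> dict:
    category = classify(asset)
    exposed = category == "quantum-vulnerable" and mosca_violated(asset, years_to_crqc)
    margin = years_to_crqc - (asset.migration_years + asset.shelf_life_years)
    return {"name": asset.name, "category": category,
            "exposed": exposed, "margin_years": margin}


def prioritise(assets, years_to_crqc: float):
    """Exposed public-key assets first, then remaining public-key assets,
    then everything else; within each group the thinnest margin first."""
    rows = [assess(a, years_to_crqc) for a in assets]
    return sorted(rows, key=lambda r: (not r["exposed"],
                                       r["category"] != "quantum-vulnerable",
                                       r["margin_years"]))


# Constructed sample inventory (hypothetical systems).
SAMPLE_ASSETS = [
    Asset("vpn-gateway", "RSA", 2048, shelf_life_years=10, migration_years=2),
    Asset("tls-frontend", "ECDSA", 256, shelf_life_years=1, migration_years=1),
    Asset("backup-encryption", "AES", 128, shelf_life_years=15, migration_years=1),
    Asset("code-signing", "ML-DSA", 0, shelf_life_years=5, migration_years=0),
]

if __name__ == "__main__":
    for row in prioritise(SAMPLE_ASSETS, years_to_crqc=8):  # z = 8 years, an assumed estimate
        print(row)
```

The ordering is the point: the VPN gateway, whose captured traffic stays sensitive for a decade, is the one asset that is already exposed to harvest-now-decrypt-later even though nothing can decrypt it today, while the TLS front end uses an equally quantum-vulnerable algorithm but protects short-lived data and can be scheduled later. A real inventory would be populated from certificate stores, TLS configurations and key-management records rather than typed in by hand.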

Businesses are not on their own in this transition. Along with government-level groups like NIST and Canada’s Quantum Advisory Council, private companies are now looking to support enterprise migration. PQC has already been deployed in iMessage and by Google, while the British Columbia-based quantum security company BTQ offers custom and cloud-based solutions and specialized hardware to help businesses along the road to secure, post-quantum cryptography. 

Implementing True Quantum Random Number Generation (QRNG) into Existing Encryption:

Cryptographic algorithms incorporate randomness into the processes of generating keys and initialization vectors in symmetric-key cryptography. This means the quality of the randomness is part of the information security system and can dictate the security level of the encryption algorithms used. That said, the randomness produced by a mathematical equation is less random than randomness drawn from the spin of a particle at the quantum level. In fact, the industry standard of randomness in encryption algorithms today is generated from mathematics and isn’t truly random. 

This lack of true randomness (referred to as pseudo-randomness) could be a problem for security systems, as the increased processing power of future quantum computers (or even more powerful classical computers) may be able to predict the outputs of keys generated by classical pseudo-random number generators, thus compromising security.   

But quantum technology could actually help in defending against the quantum threat. Randomness is an inherent property of quantum mechanics, so true quantum random number generation (either to strengthen existing encryption or to create the cryptographic keys entirely) could actually overcome this future issue. 
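Whatever the source, a quantum device or the operating system's entropy pool, randomness quality has to be measured before it is trusted for keys. The following is an added example, not code from the article or from Samsung or Quantum eMotion: it implements two of the NIST SP 800-22 statistical tests (monobit frequency and runs) as a sanity check on a byte stream, draws key material from the OS CSPRNG via Python's `secrets` module, and contrasts that with a seeded `random.Random`, whose output is entirely determined by its seed. All inputs in the test are constructed byte patterns.

```python
"""Entropy-quality sanity checks and CSPRNG-vs-PRNG contrast.
Added example; test vectors are constructed byte patterns."""
import math
import random
import secrets


def bits_of(data: bytes):
    """Expand bytes into a list of bits, most significant bit first."""
    return [(byte >> i) & 1 for byte in data for i in range(7, -1, -1)]


def monobit_p_value(bits) -> float:
    """SP 800-22 frequency (monobit) test: are ones and zeros balanced?"""
    n = len(bits)
    s = sum(2 * b - 1 for b in bits)       # +1 for each 1, -1 for each 0
    s_obs = abs(s) / math.sqrt(n)
    return math.erfc(s_obs / math.sqrt(2))


def runs_p_value(bits) -> float:
    """SP 800-22 runs test: does the stream switch between 0 and 1 about
    as often as a random stream would?"""
    n = len(bits)
    pi = sum(bits) / n
    if abs(pi - 0.5) >= 2 / math.sqrt(n):
        return 0.0                          # frequency prerequisite not met
    v = 1 + sum(1 for k in range(n - 1) if bits[k] != bits[k + 1])
    num = abs(v - 2 * n * pi * (1 - pi))
    den = 2 * math.sqrt(2 * n) * pi * (1 - pi)
    return math.erfc(num / den)


def passes_health_check(data: bytes, alpha: float = 0.01) -> bool:
    """Both tests must give p >= alpha (alpha = 0.01 is the SP 800-22 default)."""
    bits = bits_of(data)
    return monobit_p_value(bits) >= alpha and runs_p_value(bits) >= alpha


def generate_key(nbytes: int = 32) -> bytes:
    """Health-check a large draw from the OS entropy source, then take the
    key from a fresh draw. secrets.token_bytes uses the OS CSPRNG."""
    if not passes_health_check(secrets.token_bytes(4096)):
        raise RuntimeError("entropy source failed statistical health check")
    return secrets.token_bytes(nbytes)


def seeded_prng_output(seed: int) -> int:
    """random.Random is a Mersenne Twister: given the seed, every output is
    reproducible. That is the 'pseudo' in pseudo-random and why it must
    never supply key material."""
    return random.Random(seed).getrandbits(256)


if __name__ == "__main__":
    print("all zeros passes:", passes_health_check(bytes(256)))          # False
    print("0x55 (alternating) passes:", passes_health_check(b"\x55" * 256))  # False
    print("0x33 (0011 pattern) passes:", passes_health_check(b"\x33" * 256))  # True
    print("CSPRNG key:", generate_key().hex())
    print("seeded PRNG repeats:", seeded_prng_output(1234) == seeded_prng_output(1234))
```

The third demo line is the caveat a practitioner should take away: the repeating byte 0x33 is obviously not random, yet it passes both tests because it is perfectly balanced and switches at exactly the expected rate. Statistical tests can reject a broken source but cannot certify a good one; the assurance comes from the physical design of the source and continuous health tests of the kind SP 800-90B requires, which is the argument for hardware (including quantum) entropy sources rather than for "testing until it passes".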

Companies such as Samsung and the Montreal-based Quantum eMotion have quantum random number generation technology that uses the quantum phenomenon of electron tunnelling to derive true randomness for use in generating truly random encryption keys. 

Experimenting with Zero Trust Communication and Quantum Key Distribution (QKD):

As the name suggests, Zero Trust Communication (ZTC) challenges the traditional cryptography model which holds that entities within a network can be trusted and that security should focus on protection from intruders. ZTC assumes that threats can come from internal sources, that trust is never assumed, and continuous verification is required from all who access a system. 

As a proactive approach to security, implementing ZTC protocols could help future-proof information security systems from emerging quantum threats. Just as with random number generation, ZTC can be supported by an early-stage quantum-based solution: quantum key distribution (QKD). 

QKD is a cryptographic technique that takes advantage of quantum mechanical properties such as superposition or entanglement to allow two parties to generate a shared secret key with a high level of inherent security. Very simply, a key can be encoded in entangled particles and shared between two parties in a way that would be impossible to steal, as observing the key would alter the quantum states. This would scramble the keys and reveal the presence of an intruder. Some QKD protocols, such as BB84, do not require entanglement at all.  
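The "observing the key alters the quantum states" property can be shown with a classical simulation of BB84, the entanglement-free protocol mentioned above. This is an added example, not code from the article or from Photonic Inc. or the QEYSsat project, and it models only the measurement statistics: a qubit measured in the basis it was prepared in yields the prepared bit, while a measurement in the other basis yields a fair coin flip. With no interception the sifted keys agree exactly; an intercept-and-resend eavesdropper who must guess the basis introduces errors in about a quarter of the sifted bits, which the parties detect by publicly comparing a sample. The 11% abort threshold in `detect_eavesdropper` is the commonly cited bound for BB84 and is an assumption of this example, as is the seeded generator, used only so the demo is reproducible.

```python
"""Classical simulation of BB84 with an optional intercept-and-resend
eavesdropper, showing how measurement disturbance reveals interception.
Added example; parameters are constructed."""
import random


def bb84_run(n_qubits: int, eavesdrop: bool, seed: int = 0) -> dict:
    rng = random.Random(seed)  # seeded for reproducibility of the demo only
    alice_bits = [rng.randrange(2) for _ in range(n_qubits)]
    alice_bases = [rng.randrange(2) for _ in range(n_qubits)]  # 0 = rectilinear, 1 = diagonal
    bob_bases = [rng.randrange(2) for _ in range(n_qubits)]

    def measure(bit: int, prep_basis: int, meas_basis: int) -> int:
        # Same basis: the prepared bit is recovered. Different basis: the
        # state is a superposition in that basis, so the result is a coin flip.
        return bit if prep_basis == meas_basis else rng.randrange(2)

    bob_results = []
    for bit, a_basis, b_basis in zip(alice_bits, alice_bases, bob_bases):
        if eavesdrop:
            eve_basis = rng.randrange(2)
            eve_bit = measure(bit, a_basis, eve_basis)  # Eve's measurement collapses the state
            bit, a_basis = eve_bit, eve_basis           # she forwards a fresh qubit in her basis
        bob_results.append(measure(bit, a_basis, b_basis))

    # Sifting: Alice and Bob publicly announce bases (not bits) and keep
    # only positions where their bases matched.
    sifted = [(a, b) for a, b, ab, bb in zip(alice_bits, bob_results, alice_bases, bob_bases)
              if ab == bb]
    if not sifted:
        return {"sifted": 0, "qber": None}
    # Error estimation: in practice a random sample of sifted bits is compared
    # in public and then discarded; here the whole sifted key is compared.
    errors = sum(1 for a, b in sifted if a != b)
    return {"sifted": len(sifted), "qber": errors / len(sifted)}


def detect_eavesdropper(qber: float, threshold: float = 0.11) -> bool:
    """Abort if the quantum bit error rate exceeds the tolerated bound
    (about 11% for BB84; assumed value for this example)."""
    return qber is None or qber > threshold


if __name__ == "__main__":
    for eve in (False, True):
        r = bb84_run(4000, eavesdrop=eve, seed=7)
        print(f"eavesdrop={eve}: sifted={r['sifted']} qber={r['qber']:.3f} "
              f"abort={detect_eavesdropper(r['qber'])}")
```

Two things the simulation makes visible that the prose only states: about half of the transmitted qubits survive sifting, and the eavesdropper is caught not because the key was protected from being read, but because reading it leaves a measurable error rate near 25%.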

Cryptographers are developing QKD in proof-of-concept trials to eventually enhance security in the post-quantum era. Burnaby, B.C.-based Photonic Inc. is building silicon-based quantum technologies with optically-linked particles to support quantum networking and protocols such as QKD and QEYSsat, the Quantum EncrYption and Science Satellite developed by researchers at the University of Waterloo.   

Preparing for The Emerging Quantum Security Threat

The quantum threat to cybersecurity is looming, but with that challenge comes an opportunity to reconsider security solutions that have been in place for almost half a century, to drive advancement in research and industry, to explore new technologies, and to devise more resilient cryptography. 

While the approach of a Q-Day is a contentious topic amongst cybersecurity professionals, most agree that it calls for collaboration between regulators, researchers, and industries across the board to help lead us into our quantum future by investigating the potential adoption of Post Quantum Cryptography, Quantum Random Number Generator, and Quantum Key Distribution. 
