What is "quantum-safe cryptography"?

It is a way to keep information secure amid the advent of new quantum computers, which will be powerful enough to crack the systems we currently use to protect the privacy and authenticity of important data.

What are quantum computers?

They are devices that harness the phenomena of quantum mechanics – which are particularly evident in the behavior of atoms, electrons, photons, and other small particles – to process information in a profoundly different way than present-day computers. Conventional computers process binary “bits” of information – ones and zeros – while quantum computers process bits that can be in a quantum “superposition” of states: not just one or zero, but essentially a superposition of one and zero simultaneously, performing many calculations in parallel. Controlling such quantum bits, or qubits, can lead to an incredible – in some cases exponential – increase in computing efficiency and power.

How do quantum computers threaten information security?

Currently, much of our private information – banking and medical records, military secrets, and so on – is protected by cryptography based on the “hardness” of certain mathematical problems. Our connected devices are also protected from malware and various impersonation attacks by similar cryptographic tools. Most online communications are protected via mathematical problems too difficult for even today’s most powerful computers to crack. We know, however, that such problems (in particular, integer factorization and finding discrete logarithms) will be easily cracked by quantum computers running specialized algorithms.

Do quantum computers exist yet?

Prototypes are under development, though none is yet powerful enough to crack present-day encryption. Progress is rapid, however, with viable quantum technologies now emerging from the laboratory and into the marketplace.

What kind of private information could be compromised?

Without quantum-safe encryption, everything that has been transmitted – or will ever be transmitted – over a network is vulnerable to eavesdropping and public disclosure. Banking passwords, stock market transactions, medical histories, military secrets: all could be susceptible to hackers using a quantum computer. What’s more, hackers impersonating legitimate organizations could install malicious software (malware) on our computers, smartphones, or other devices without our knowledge – a form of stealth attack on our data. Quantum-safe encryption can not only protect data, but assure its authenticity and integrity.

Is there a threat now?

Yes, and for some there might not be enough time to fix vulnerabilities. Although full-scale quantum computers remain some years away, it also takes years to update current I.T. infrastructure to be ready for the quantum threat. If we wait to update our cryptography infrastructure until quantum computing is a reality, it’s already too late. Without laying the foundations for quantum-safe cryptography now, we won’t be ready for the future threat. If the number of years it takes to upgrade our cryptographic systems exceeds the number of years it takes for a full-scale quantum computer to be developed, the authenticity, integrity and confidentiality of information will be vulnerable. Furthermore, in order to protect against the compromise of confidential information that was communicated “x” years in the past, the changeover to quantum-safe techniques must happen at least “x” years before quantum computers are available.

Who is at risk?

Anyone who has done online shopping or banking is potentially at risk. So too are individuals who connect their electronic devices, such as smartphones and computers, to the internet, because they run the risk of having malware surreptitiously installed on their devices. But the greatest risk of quantum attack is faced by large financial and governmental organizations, which routinely transmit and store millions of dollars and countless private files. If such organizations are compromised, so too are the millions of people whose data they are obligated to protect.

What should be done now?

An ounce of prevention, so to speak. Because full-scale quantum computers are still some years away, organizations need not deploy quantum-safe cryptography overnight. What is urgent, however, is the need for organizations to assess the vulnerability of their existing I.T. infrastructure, understand the time and resources required to make it quantum-safe, and take the first steps in transitioning to a quantum-safe regime. For example, if it takes an organization, say, 15 years to re-tool its infrastructure, but a quantum computer is built within 14 years, then the organization has a problem. The wait-and-see approach to addressing quantum threats will not work. Preparedness is key.
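The timing argument made under "Is there a threat now?" and in the 15-year versus 14-year case above can be applied to a whole inventory. This is an added example, not part of the original page: the system names, their lifetimes and the 14-year horizon are constructed, and the horizon is an estimate supplied by the user.

```python
from dataclasses import dataclass

@dataclass
class System:
    name: str
    secrecy_years: float    # x: how long its data must stay confidential
    migration_years: float  # y: time needed to make it quantum-safe

def assess(system, horizon_years):
    """Timing check for one system; horizon_years (z) is an estimate, not a fact."""
    x, y, z = system.secrecy_years, system.migration_years, horizon_years
    return {
        "name": system.name,
        # Years left before migration must start so it ends x years before z.
        # Negative slack means the start date has already passed.
        "slack": z - (x + y),
        # Authenticity/integrity: at risk only between z and the end of migration.
        "forgery_window": max(0.0, y - z),
        # Confidentiality: traffic sent after z - x and before migration ends
        # is still sensitive when a recorded copy becomes decryptable.
        "harvest_window": max(0.0, y - max(0.0, z - x)),
    }

def triage(inventory, horizon_years):
    """Return assessments ordered most urgent (least slack) first."""
    return sorted((assess(s, horizon_years) for s in inventory),
                  key=lambda r: r["slack"])

# Constructed inventory; the first row is the page's 15-year / 14-year case.
INVENTORY = [
    System("core-retool", secrecy_years=0, migration_years=15),
    System("medical-archive", secrecy_years=25, migration_years=3),
    System("firmware-signing", secrecy_years=0, migration_years=6),
    System("payments-tls", secrecy_years=5, migration_years=4),
]

if __name__ == "__main__":
    for row in triage(INVENTORY, horizon_years=14):
        print(row)
```

A system with a short migration can still rank first when its data has a long confidentiality lifetime, which is why the archive outranks the 15-year re-tooling project here.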

How does cryptography become quantum-safe?

Quantum information research poses a unique dichotomy. On one hand, it leads to the development of computers that, along with many potential benefits, are powerful enough to break present-day cryptography; on the other hand, it makes possible an entirely new type of cryptography – quantum cryptography – that is impervious to quantum attacks. Quantum cryptography capitalizes on quantum phenomena to protect private information in ways that even a quantum computer can’t crack.

How does quantum cryptography work?

The laws of quantum mechanics guarantee that “observing” quantum data disturbs it, which means that any eavesdropping on a quantum transmission can be detected. This is the key behind the most prevalent form of quantum cryptography, called quantum key distribution. In typical present-day online cryptography, communications are protected by a “key” that is based on very difficult mathematical problems. Because quantum computers will be able to solve these problems, a different kind of key is needed to ensure security. In quantum key distribution, the key used for encoding is known to be secure, thanks to the laws of quantum mechanics. If any snooping is detected on a key, it is discarded in favour of a key that bears no fingerprint of eavesdropping. The security of the cryptography is vouchsafed by the very laws of nature.
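A classical simulation of how eavesdropping shows up as errors in quantum key distribution. This is an added example, not part of the original page: it assumes the BB84 protocol and an intercept-resend eavesdropper (the page names neither), and the 5% discard threshold is an illustrative value.

```python
import random

def bb84_error_rate(n_qubits, eavesdrop, seed):
    """Simulate BB84 sifting; return (sifted_bits, observed_error_rate)."""
    rng = random.Random(seed)          # seeded so the run is repeatable
    sifted = errors = 0
    for _ in range(n_qubits):
        # Alice encodes a random bit in a random basis (0 or 1).
        bit, alice_basis = rng.getrandbits(1), rng.getrandbits(1)
        carried_bit, carried_basis = bit, alice_basis
        if eavesdrop:
            # Intercept-resend: Eve measures in a random basis and re-sends
            # what she saw. A wrong-basis measurement gives a random outcome
            # and leaves the state prepared in Eve's basis.
            eve_basis = rng.getrandbits(1)
            if eve_basis != carried_basis:
                carried_bit = rng.getrandbits(1)
            carried_basis = eve_basis
        # Bob measures in his own random basis.
        bob_basis = rng.getrandbits(1)
        if bob_basis == carried_basis:
            result = carried_bit
        else:
            result = rng.getrandbits(1)
        # Sifting: keep only positions where Alice's and Bob's bases match.
        if bob_basis == alice_basis:
            sifted += 1
            errors += int(result != bit)
    return sifted, (errors / sifted if sifted else 0.0)

def key_accepted(error_rate, threshold=0.05):
    """Discard the key when the error rate exceeds the assumed threshold."""
    return error_rate <= threshold

if __name__ == "__main__":
    for eve in (False, True):
        kept, qber = bb84_error_rate(4000, eavesdrop=eve, seed=1)
        print(f"eavesdropper={eve} sifted={kept} error_rate={qber:.3f} "
              f"accepted={key_accepted(qber)}")
```

Without the eavesdropper the sifted bits agree exactly; with intercept-resend on every qubit about a quarter of them disagree. In a real exchange the rate is estimated from a publicly compared sample of the sifted bits, and channel noise also contributes errors.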

Is quantum cryptography the only defence against quantum threats?

No, other forms of “post-quantum” cryptography, which are not themselves based on quantum techniques, are viable defences against quantum attack. These are conventional ciphers not known to be vulnerable to quantum or conventional attacks, but they require continual re-assessment to ensure they provide the necessary security. In some cases, these may be the best options to protect an organization’s data. The best strategy should be determined based on a careful examination of a given organization’s current cryptographic systems and its security needs for the future.

How does an organization begin implementing quantum-secure cryptography?

The first step is a consultation with evolutionQ. Contact us to find out more. To learn more about preparing for the quantum age, take a look at the Quantum-Safe Whitepaper.