Quantum cyber security

We're about to enter a whole new world... in the same way we do when we go over a waterfall...
26 April 2023

Quantum computing. Elegant, awe-inspiring… potential James Bond plot in the making, but we’ll deal… Quantum of Knowledge, anyone?

To fully understand quantum cyber security, we need to get a couple of things straight in our minds.

Firstly, cyber security as it has applied to classical computing will probably be more or less useless in the age of fully-functioning quantum computing.

Why? Because cyber security in the classical computing age depended on a certain levelness of playing field, which quantum computing is expected – at least by those who are prepared to contemplate the worst, just in case it happens – to blow to smithereens.

A long and more complicated explanation of why it will probably do that would tell you about the nature of quantum computing depending not on “bits” as a data storage unit, as in classical computing, but on qubits, which, thanks to the quantum physics principles of quantum superposition and quantum entanglement, will allow quantum computers to perform a non-literal gazillion computations per second, cracking the equivalent of any data safe built on classical computing principles in a happy, almost sardonic handful of heartbeats.

For our purposes, it’s a little unfortunate that we need to go a little beyond “quantum computers will have classical cyber security cracked before you can say ‘Please don’t hurt me,’” but rather than dwell on the principles of quantum physics that explain why this will happen, we need to delve a little into how it will happen.

Only by knowing how classical computing systems can be cracked by quantum computers will we get an inkling as to how what’s known as post-quantum cryptography – the basis of what we currently understand about the cyber security that will apply in a world of quantum computing – is expected (or rather, forecast) to work.

The full extent of quantum cyber security is likely to extend far beyond these basics, to the same extent that classical cyber security extends significantly beyond the cracking of the public-key security systems used by most organizations to encrypt the secrets that hold the classical computing world together.

The main threats.

Let’s break some of this down.

The particular cyber security threats that are introduced by quantum computers include:

  1. The so-called “Harvest now, decrypt later” model of hacking.

This is a nefarious process where bad actors gather encrypted data now, because the gathering is comparatively easy, while the decryption is where most of the world’s cyber security money has gone.

Imagine the cave of untold wealth and riches in the story of Ali Baba and the Forty Thieves. Bad actors will keep adding to their store of treasures, but (in a suitably quantum fashion), the treasures are made of lead until the right words are spoken – the “Open sesame!” that turns them all into their precious, sparkling selves.

Quantum computing is the “Open sesame!” that allows all the gathered data treasures to be decrypted – and then the world has a cyber security nightmare on its hands.

  2. The defeat of asymmetric cyber security.

This is the threat we’ve mentioned – cyber security in classical computing depends on a number of asymmetric public-key algorithms, like RSA, Diffie-Hellman (DH), and Elliptic Curve Cryptography (ECC) algorithms. Everything from banks and financial markets to the security underpinning the internet itself goes “blip” if these algorithms are compromised.

It’s extremely unlikely that any of those algorithms can withstand the development of million-qubit quantum computers (which are currently forecast by the likes of IBM to be a reality by 2030). So… that focuses the mind.

  3. The big blockchain crunch.

Blockchain has not exactly shown itself especially resilient to attack even under the classical computing model in recent years, with some major data breaches and cyber-heists rocking the security of what was once thought to be, for instance, the “future of money.”

But that’s relatively small potatoes compared to what happens when we reach the point of a million-qubit quantum computer. Blockchains are already especially vulnerable to breaches in the public-key security of individual users. Quantum computing could relatively easily figure out private keys from available public-key data, and a recent study from Deloitte showed that around a quarter of all Bitcoin, and over 60% of all Ether (the Bitcoin-equivalent from Ethereum), exists in places where the public key of users is available somewhere on the blockchain.

Bye bye, cryptocurrency – you were fun while you lasted…

These, then, are the main threats arising from the development of a million-qubit quantum computer, which is forecast for the relatively near future (anywhere from 2027-2030 on leading current estimates).
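
The first two threats above in one toy run, as an added example that is not part of the original article: a ciphertext is recorded today, and the RSA private key is later rebuilt from the public key alone by order finding, the step Shor's algorithm makes fast on a quantum computer. The 12-bit modulus, the function names and the sample message are assumptions chosen so that brute force can stand in for the quantum step.

```python
# Added illustration: toy RSA with a 12-bit modulus (constructed values).
# Brute-force order finding stands in for the quantum step of Shor's algorithm.
from math import gcd

def find_order(a, n):
    """Smallest r > 0 with a**r % n == 1 (requires gcd(a, n) == 1)."""
    r, x = 1, a % n
    while x != 1:
        x = (x * a) % n
        r += 1
    return r

def factor_via_order(n):
    """Classical post-processing of Shor's algorithm: order -> factors of n."""
    for a in range(2, n):
        g = gcd(a, n)
        if g != 1:                 # a already shares a factor with n
            return g, n // g
        r = find_order(a, n)
        if r % 2:                  # odd order: try another base
            continue
        y = pow(a, r // 2, n)
        if y == n - 1:             # trivial square root of 1: try another base
            continue
        p = gcd(y - 1, n)
        if 1 < p < n:
            return p, n // p
    raise ValueError("no factor found")

def private_exponent_from_public(n, e):
    """Rebuild the RSA private exponent d from the public key (n, e) only."""
    p, q = factor_via_order(n)
    return pow(e, -1, (p - 1) * (q - 1))

def decrypt_harvested(ciphertext, n, e):
    """Decrypt a ciphertext recorded earlier, given only the public key."""
    return pow(ciphertext, private_exponent_from_public(n, e), n)

# "Harvest now": the key owner's public key and one recorded ciphertext.
PUBLIC_N, PUBLIC_E = 61 * 53, 17          # toy key; real RSA moduli are 2048+ bits
SECRET_MESSAGE = 1234                     # constructed sample plaintext
HARVESTED = pow(SECRET_MESSAGE, PUBLIC_E, PUBLIC_N)

if __name__ == "__main__":
    # "Decrypt later": nothing but public data goes in.
    print(decrypt_harvested(HARVESTED, PUBLIC_N, PUBLIC_E))
```

At real key sizes the loop in `find_order` is out of reach for classical hardware, which is the level playing field that classical public-key security relies on.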

The million-qubit question.

Why a million-qubit version? Because, like many things in the quantum universe, qubits are notoriously unstable, and you need around a million-qubit version to reliably do all the things that people are currently scared they’ll do, while fighting an ongoing battle against the noisy environment in which they exist.

So – how do we create and deploy effective quantum cyber security?

Potentially scarily, just a handful of heartbeats away from the million-qubit threshold, no-one’s entirely sure.

There are plenty of researchers and plenty of companies that are developing approaches that could work against a million-qubit quantum computer, but the truth is that until one exists and the exact nature and level of its public-key-crushing capabilities are known, there’s a degree of fighting phantoms involved in the quantum cyber security business.

Themes and variations.

Most of the more serious contenders on which it’s thought post-quantum cryptography (safe secret-keepers in the world of quantum computers) could be built involve different variants on some of the existing public-key cryptographic algorithms that currently keep the world’s secrets safe.

In particular, keep an eye on NTRU lattice-based cryptography – funding and research are busily being poured into that potential version of post-quantum cryptography by the European Commission, and at the moment, it’s standing up better to testing than, for instance, the likes of multivariate cryptography.

Code-based cryptography is also gathering interest in Europe, in particular something called the McEliece signature. Whether that signature will have long-term usefulness in the post-quantum world remains to be seen, because almost every time researchers try to make it more stable and robust, it actually gets weaker because of the introduction of stronger structure.

We know. This is the world of quantum logic – it pays to leave your presuppositions behind.

There are also options that tweak existing cryptographic procedures to meet the needs of the million-qubit quantum cyber security threat.

Supersingular elliptic curve isogeny cryptography is a heck of a name for a version of the elliptic curve Diffie-Hellman key which is widely used in classical computing cyber security. As such, it could prove to be a relatively safe, relatively easy upgrade – at least compared with a paradigm shift to a whole new form of as-yet-insufficiently-tested cryptography.

And then there are symmetric keys – which would in a sense wipe out the big threat of asymmetric security breaches, by the very nature of being symmetric. Again, symmetric keys are at least expected to be resistant to the safe-cracking potential of the million-qubit quantum computer, so they’ve been seriously suggested as a more or less like-for-like replacement that would involve millennium bug levels of hassle, but then might shift the entire battleground when it comes to post-quantum cryptographic algorithm-breaking.

The cyber security arms race.

It’s fair to say that work on quantum cyber security is likely to intensify with every year that passes en route to the notional threshold point in 2030 – two years from now, contenders to deliver that quantum cyber security may be much more clearly defined and delineated.

For now, quantum cyber security is worth taking seriously, if not perhaps as hysterically as the worst-case scenario threats would immediately suggest.