ID Quantique: We are already facing a Quantum threat, but if we prepare, we can mitigate the risk
What did it take to wake the world up to cybersecurity in the 21st Century? The warnings were there from the start: how long ago did you first hear a guest ‘technology expert’ on television warning the audience about choosing strong passwords? Since the dawn of the internet, there has been a steady trickle of online horror story headlines: credit card fraud, identity theft, online blackmail and cyberstalking. Over time, pieces of cybersecurity jargon have drifted into the everyday: ‘phishing’, ‘malware’, ‘ransomware’. Then came the Snowden revelations, Chelsea Manning, Cambridge Analytica and US election meddling. Using media coverage as a weather vane, cybersecurity suddenly had the public’s attention. As with so many threats, government action and public attention were applied retrospectively. The guilty parties - where they could be reliably identified or ‘persuaded’ to divulge their involvement - received slaps on the wrist in absentia or stern talking-tos from government figures woefully ill-equipped to give them.
How differently would things have been today if the world had taken the warnings from the cybersec community seriously, sooner? There’s a lot that alternative history fiction could mine from that question, but in the real world, that ship has long since crested the horizon and disappeared with a million credit card details, Ashley Madison logins and (possibly) more than one election. So why, since we’ve seen just how predatory nominally benign billion-dollar tech companies and government security services can be, are more people not talking about quantum security?
Non-specialist reports on the threats posed by quantum computers are reliably and frustratingly vague. Modern standards of encryption, we are told, could be cracked “in minutes” by a malevolent state actor. Or “in seconds”. Or “instantly”. So, which is it? How? And what are we supposed to do about it?
“When you encrypt and decrypt data on a classical computer, it takes some time - a very short amount of time, but it still takes time,” says Gregoire Ribordy, CEO and co-founder of ID Quantique, which provides quantum-safe solutions for companies safeguarding against future quantum threats. “The security comes from the fact that if you want to decrypt without the key – in other words, do a brute force attack - then it will take significantly more time.. What’s important is that if you make the key longer, then the time to decrypt without the key should increase exponentially. You could double the key length and still encrypt the file on your desktop computer, but because of the exponential behaviour, the impact that would have on the malicious actor or state would be exponential, meaning that a brute force attack would either be inefficient or even impossible
“What happens if a quantum computer becomes available to a state actor is that decryption time scales in the same way as the encryption. That means that making the key longer doesn’t help anymore, because there’s not an exponential increase in the decryption time. Let’s say it takes one second to encrypt on your computer and one minute to decrypt for a state actor with a quantum computer. Now, if you increase the key length so that it takes two seconds to encrypt on your computer, it will take two minutes to decrypt for the state actor - it will grow at the same pace.”
This change in scaling makes encrypted communication of today’s standards highly vulnerable to man-in-the-middle attacks. The speed at which nominally secure data might be intercepted and decrypted by an eavesdropper makes it tempting for state intelligence services or organised crime to cast vastly wider nets. What ID Quantique’s ‘quantum-safe’ communication offers isn’t a vastly more complex encryption method, but a way of verifying that, when you’re sending information between two points, no third party is listening in on the line.
“We have the physicist’s approach to quantum computing,” Ribordy says. “Which is to say: ‘OK, let’s use quantum physics to protect information’. In order to do that, we can use one of the properties of quantum physics, which is that observation means perturbation. If you can send information in the form of quantum objects and they are intercepted by an adversary, they will change, and this change can be detected between the emitter and the receiver. This reveals the presence of an eavesdropper on the communication line… You don’t prevent eavesdropping, but you reveal it after it happens. So actually, you don’t want to use this approach to send valuable information because you would know that you would lose it. So instead, you send a random sequence of bits, check whether it has been intercepted or not, and once you know that it has not been intercepted you can use this random sequence of bits as a resource for secure communication ie. as an encryption key. This key – which has been transferred with provable security – is then used to encrypt the data. That’s why ‘quantum cryptography’ is not actually a good name; we should be saying ‘quantum key distribution’.”
For many Western countries, the threat of information warfare is asymmetrical. The US in particular is dependent on vast quantities of data being sent from one side of the world to the other as quickly as possible - which, due to the load, is largely relayed through non-military satellites. But unlike other existential threats, quantum technology is plausibly dual-use: unlike, say, Uranium, there are many good reasons countries might begin pouring money into a quantum computing programme that could be outwardly civilian but secretly military.
“Quantum technologies come in both offensive and defensive flavours,” Ribordy says. “Quantum computing could be seen as an offensive technology in terms of its capability in code-breaking, whereas QKD is a defensive technology. China, for example, is pursuing both. China started with QKD and invested very heavily… Quantum technologies were identified as strategic technologies by the Chinese government. I think they probably started with QKD because they see themselves as potentially vulnerable to attacks by other actors and want to protect their own infrastructure. And more recently, about two years ago, they announced the decision to set up a quantum computing centre with a budget of $10 billion.
“The impact on other countries depends on how prepared other countries are. And that’s one of the things we’re trying to push at IDQ: ‘Let’s start preparing.’ And preparing doesn’t only mean quantum key distribution: it means first doing a quantum risk assessment, second making sure that systems can be upgraded to be quantum-safe, and third, starting to deploy something like quantum key distribution where it makes sense - maybe the key data links in your data center infrastructure, or something like that. It’s very important that organisations start doing these three steps, one-by-one.”
It would be tempting to see quantum computing, then, as just another arms race. But what differentiates it from past races for dominance in some field of new military technology is that the impacts of quantum computing will, in part, be retroactive. The weapon (a reliable, scalable quantum computer) may not exist today - but the ammunition is already being cached.
“What you have to understand is that quantum computing will have an impact in the future - but it already has an impact on security today,” Ribordy explains. “Because even though it may not exist yet, there could be areas where data is intercepted today and stored in an encrypted format, and then the adversary maybe ten years from now uses a quantum computer to decrypt that information. So, if the information is still valuable ten years from now, then we’re going to have a problem.
“One of the Snowden revelations was that the NSA and other agencies around the world working with the NSA have data collection points on the big optical fibre transatlantic cables that are used for most internet traffic. So that’s being done routinely. They’re basically copying everything that is being sent on these cables. Some they probably can decrypt and look at; some they cannot decrypt. And in that case, they probably classify it based on the metadata - who is the sender, who is the recipient, things like that - and decide to keep it or not for future decryption.”
The endpoint of Ribordy’s logic isn’t difficult to follow: that some breach of privacy will occur is a ‘when’ and not an ‘if’. The data, more or less securely encrypted for now, cannot be ‘unstolen’. All the actors sitting on these (for now) impregnable caches have to do now is wait for a quantum computer nimble enough to unpick their encryption. What happens then depends on what these decrypted files turn up and what the thieves motives might be.
“There are different scenarios,” Ribordy says, when I ask him to sketch some possible outcomes. “One scenario is that governments start taking this seriously and we avert the problem, or at least the worst-case scenarios. Then quantum computing becomes connected to just another leak of an old database. That would be the optimistic view. And then there’s the other approach, in which we don’t do anything or don’t do enough, and then there’s a big event and everybody realises the danger and we scramble to find a solution. But what’s important is that, if we start too late, this is really systemic. It could mean that blockchain stops working, that online banking goes down, that e-commerce becomes impossible. It really is systemic: if we don’t prepare early enough, we could go back technologically 30 years, having to shut down whole systems.
“Or you could have a worst-case scenario in which some large scale accident could be caused by an attack with quantum computing against critical infrastructure. That could lead to people dying. I hope it’s more like a database leak, or something like that, and not a nuclear plant being taken control of by hackers who deliberately cause an accident. Because it could be that serious.”
The bright side - such as it is - is that while quantum-safe technology isn’t yet a public concern, at higher levels governments are treating it as a strategic concern. Ribordy gives the example of South Korea’s SK Telecom, which has worked with ID Quantique to secure its 5G network against future quantum threats. The second example he gives is The European Commission and its plan for an umbrella protection for its member states.
“The European Commission actually gets it!” he says. “The European Commission has been criticized in so many areas - so when they do something right, they should actually get the credit for it. The Commission has been behind quantum technologies for probably around 30 years, in terms of supporting research in Europe. Last year they started what they call the Quantum Flagship, which is a €1 billion investment over ten years in quantum technologies. That’s important because it gives the research community the ability to pursue long-term goals in terms of advancing quantum technologies. The latest initiative they are preparing and planning a QKD network that would cover the whole of Europe. That’s more of a medium-term project, because as you can imagine it takes time to roll out a full network over a continent - but they understand the threat. They’re saying, ‘OK, we recognise this threat, and maybe not every member state can cope with this on its own.’ [So] it could be a role for the European Commission to roll out an infrastructure that can then be used by all the member states in different governments and departments in order to secure communication.”
With that much money being spent and spread across an entire continent, quantum security will, eventually, trickle down into the public discourse. Compared to the TV audiences of yesteryear, today’s decision-makers and public have seen firsthand how data can be stolen and manipulated for criminal and political gain. Bringing that scientific knowledge and public experience together will be key to ensuring that, with the advent of quantum, history doesn’t repeat itself.
For questions or feedback on this article, please contact Amit Das: firstname.lastname@example.org
To learn more visit: https://www.idquantique.com/