Given that modern society is becoming increasingly digital, there is a growing demand for safe and secure communications. While cryptographic standards and digital certificate systems such as Public Key Infrastructure (PKI) offer the verification, authentication, and encryption necessary to protect digital communications, a threat that has emerged recently is the possibility of these secure communications systems being compromised by quantum computers.
The idea of quantum supremacy, where certain computational tasks can no longer be run on classical high-performance computing architectures, is still some way off. Nevertheless, the speed promised by quantum computing, and hybrid architectures that use quantum technology to accelerate certain functions of an algorithm running on a classical computer architecture, represent both an opportunity and a risk for society.
Researchers around the world are investigating how quantum computing algorithms can be used to solve extremely complex problems. Quantum computing promises enormous societal benefits, such as helping to tackle climate change, improving the efficiency of chemical processes and drug discovery, and all sorts of complex optimizations that cannot be run on classical computer systems. But as quantum computers develop, there is also growing concern that the technology will break existing cryptographic standards. In fact, quantum computers will become powerful enough to crack encryption keys extremely quickly.
“If large-scale quantum computers are ever built, they will be able to break many of the public-key cryptosystems currently in use. This would seriously compromise the privacy and integrity of digital communications on the Internet and elsewhere,” warns the US National Institute of Standards and Technology (NIST) in a draft proposal for post-quantum cryptography (PQC).
This would have a profound impact on internet security. “As large-scale, fault-tolerant quantum computers become a reality, encryption protocols that have protected sensitive information for years will become vulnerable to attack,” said John Cullen, strategic marketing manager for cyber security at Thales. “As the advent of quantum computing approaches, the future security of PKI hangs in the balance.”
Cullen believes that cybercriminals will eagerly exploit the weakness in PKI systems to gain unauthorized access to valuable data. “It is therefore imperative for organizations to take proactive measures to protect themselves – before quantum technology becomes mainstream,” he warns.
This is why standards bodies such as NIST and ETSI, the European Standardization Body for IT-enabled Systems, have become involved in quantum computing.
Jonathan Lane, a cybersecurity expert at PA Consulting, points out that the likes of NIST and ETSI are several years into programs to identify and select post-quantum algorithms (PQAs), and that industry and academia are innovating. “We are nearing agreement on a set of algorithms that are supposedly quantum secure; both the UK’s National Cyber Security Center (NCSC) and the US’s NSA (National Security Agency) support the enhanced public-key cryptography approach with PQA along with much larger keys,” he says.
Lane says the NCSC recommends that the majority of users follow normal cybersecurity best practices and wait for the development of NIST standards-compliant quantum secure cryptography (QSC) products.
Quantum cryptography for financial services
One sector closely watching the evolution of quantum computing is banking, particularly how it will affect the cryptographic standards it relies on for safe and secure payment processing.
In July, for example, HSBC announced it was working with BT, Toshiba and Amazon Web Services (AWS) on a trial of quantum-secure transfers of test data over fiber-optic cables between its global headquarters in Canary Wharf and a data center in Berkshire, 62 km away, using quantum key distribution (QKD).
QKD uses light particles and the fundamental properties of quantum physics to deliver secret keys between parties. These keys can be used to encrypt and decrypt sensitive data and are safe from eavesdroppers or cyber attacks by quantum computers.
QKD will play a key role in protecting financial transactions, customer data and proprietary information across the financial sector. HSBC processed 4.5 billion payments last year, worth an estimated £3.5 billion. These electronic payments rely on encryption to protect customers and businesses from cyber attacks, which is one of the reasons why the bank has established a quantum strategy. This includes testing of QKD and PQC.
BT and Toshiba have been collaborating on a quantum-secure test network since October 2021. This network offers what BT describes as “a range of quantum-secure services including dedicated high-bandwidth end-to-end encrypted links”. It is delivered over Openreach’s private fiber network. Toshiba provides quantum key distribution hardware and key management software.
In April 2022, BT and Toshiba together with EY launched a trial version of a world-first commercial quantum-secured metro network based on this technology. The infrastructure connects EY clients across London, helping them secure the transfer of data and information between multiple physical locations over standard fiber optic links using quantum key distribution.
HSBC is the first bank on BT/Toshiba’s infrastructure. HSBC hopes its investigation into quantum secure communications will help it provide evidence around the benefits of quantum technology and drive the development of applications in financial cyber security. According to HSBC, its quantum researchers, cybercrime experts and finance specialists will be better able to analyze the potential threat posed by powerful quantum computers and devise strategies to protect sensitive information.
The IoT Dilemma
At the other end of the spectrum of application areas for cryptography are low-power Internet-connected devices. PA Consulting’s Lane notes that because internet of things (IoT) devices generate and exchange data, IoT applications require that data to be accurate and reliable. Because devices tend to be networked, exploiting them could open up attack vectors in broader systems, which could have a wide-ranging and global impact, he warns.
For example, in 2016, the largest ever botnet attack was launched against domain name system service provider Dyn using the Mirai malware. According to Lane, this malware looked for IoT devices running the Linux ARC operating system, attacked them with default credentials, and infected them. This allowed a large number of IoT devices to be used together in DDoS (distributed denial of service) attacks, resulting in significant parts of the internet going down.
Researchers are looking at how to improve IoT security, and post-quantum encryption is likely to be an area that will grow in importance. But Lane cautions that most of the improved QSC standards appear to require considerable computing power to handle complex algorithms and long keys.
“Many IoT sensors may not be able to run these,” he says. “Until NIST delivers its QSC standards, we don’t know if they will work within IoT constraints. If they don’t, there is a gap in the formal development of IoT QSC solutions.”
Lane believes that asymmetric cryptography may offer a way to implement a sustainable PQC algorithm with low resources. “Symmetric cryptography is currently favored by the IoT industry as a low-power mechanism, but the problem of secretly distributing the same keys to each party remains, and quantum improvements could raise power requirements,” he says.
Then there are symmetric key establishment mechanisms where innovation can help, as alternative approaches are considered.
These include quantum key distribution, where the properties of quantum mechanics are used to establish a key agreement, rather than using difficult mathematical problems that quantum computers will solve quickly. However, Lane says QKD requires specialist hardware and does not provide a way to easily enable authentication, and the NCSC does not support QKD for any government or military applications.
Secure Key Agreement (SKA) is another alternative approach. Lane says some companies are experimenting with computationally secure ways to digitally create symmetric keys across trusted endpoints. “This kind of low-power, software-based capability offers an interesting option for IoT,” he adds. Although independent verification of this type of capability is occurring, Lane says the approach is not on either NIST’s or ETSI’s radar.
Development of quantum technology is linked to IT security
Overall, IT security must evolve to combat the imminent threat of all-powerful quantum computers rendering existing cryptography obsolete. Thales's Cullen warns that the future of a secure and connected world depends on the ability to defend against PKI attacks and protect trust in these security measures.
“The industry needs to explore new ways to strengthen policies, procedures and technology,” he says. “As the advent of quantum computing approaches, the future security of PKI hangs in the balance.”
The risk of quantum attacks on existing encryption protocols requires proactive measures from both organizations and governments.