Time to Get Post-Quantum Ready


Quantum computing has been on the rise in recent years, going from a conceptual, futuristic technology to a reality. The first quantum-based products are now becoming available to consumers, from computers to smartphones. While this new branch of computing could be a major milestone in the evolution of computers and allow more information to be processed faster than before, with many applications, it could also endanger the security of our data and communications, as the encryption algorithms currently used to secure our data could become insecure.


What is Quantum Computing?

Traditional computer architecture is built around a binary system, where a bit or binary digit is used as the smallest unit of data, with two possible values (1 or 0).


With quantum computers, the qubit is used instead as the basic unit of quantum information and, thanks to the unique properties of quantum mechanics, can represent a value of either 0, 1, or a range of values between 0 and 1 simultaneously. The use of quantum mechanical phenomena like superposition, interference, and entanglement allows computing power that can solve problems exponentially faster than classical computers.


In the last few decades, quantum computers were still in a very experimental stage as the technology was complex and expensive. Thus, their use was limited to military and scientific applications, just like the very first computers that would occupy a whole room, if not an entire building floor.


However, commercial use is now a reality. For example, quantum-derived technology used to generate true, unpredictable randomness has already been in use for several years, not only by the military, but also by online casinos for gaming and gambling services where randomness is key (e.g., slot machines). Although still very exclusive and expensive, the first quantum laptop computers are already available at consumer electronics retailers, as are the first smartphones equipped with quantum technology. This is used to reinforce the security of data and applications, using stronger encryption and protecting critical processes like authentication, payment, and unlocking, among others.


What Are the Most Powerful Computers?

Supercomputers are large, complex machines used to perform heavy computational tasks, like weather forecasting. As of today, supercomputers are still far superior in terms of computational power to the existing quantum computers, at least when it comes to performing any commercially useful task. 


Quantum computers can process multiple computations at the same time, which is ideal when working with complex problems requiring large amounts of data. Supercomputers, on the other hand, are designed to perform one single task at a time but can perform a wider range of tasks. One might not replace the other, but they can be complementary to each other.


With traditional computers, computational power has been increasing linearly (1:1) so far, following the famous Moore’s law, an observation made by Gordon Moore almost 60 years ago that the number of transistors in a dense integrated circuit will double about every two years. But with quantum computers, that increase is exponential in the number of qubits used. This could be a major milestone in the evolution of computers.


Any modern mobile phone in our pocket has more than 100,000 times the computational power of the onboard computer system used by Apollo 11 to land a man on the moon 50 years ago. But Google recently announced that their quantum computer is 100 million times more powerful than any other classical computer they have available in their laboratory.


Is This a Real Threat Yet?

Today, quantum computers are still at an early development stage, but the threat to the security of communications is real, and so there have been efforts and investigations to find secure, resilient alternative methods to ensure these communications remain protected in the future when quantum computers are everywhere.


Using Shor’s algorithm, quantum computers could theoretically reduce the calculation time from trillions of years down to only hours! This would make it possible to crack, in a timely manner, the encryption currently used to protect information in transit (e.g., VPN) as well as at rest (BitLocker).


But it is critical to protect your organization today, because even though your communications might be secured right now, a malicious actor could still collect the encrypted data in transit. One example of this is an eavesdropping attack, also known as “sniffing,” which is secretly listening to the communications between two parties to gather information, betting on the fact that it can be decrypted later, when quantum computers have matured enough to break the encryption algorithms that were used to protect said data. This is known as the “harvest now, decrypt later” attack and is a real concern in the quantum cryptography community.


Typical Use Case

Right now, the main risk is “secure” communications that could theoretically be monitored by malicious actors, including states as well as state-sponsored hackers, who already have access to that technology.


Does this mean all our secure communications are already at risk? Yes and no. Quantum computers are very complex and expensive to implement, so they’re not within reach of ordinary hackers. However, it is time to prepare for the inevitable and use technology to protect ourselves from it.


One of the most common issues in cryptography is called the “Alice and Bob problem,” and refers to the secure exchange of encryption keys. When two parties need to securely exchange information, they use encryption keys to encrypt and decrypt the information they send to each other, so that even if someone managed to eavesdrop on their communications, they would not be able to decrypt, read, or tamper with that information. The problem lies in the fact that the keys used to protect said data are exchanged over the same insecure channel (e.g., the Internet) that is used to exchange the data itself, so someone could potentially intercept these keys and be able to decrypt and eventually tamper with the information, also known as a Man-In-The-Middle (MITM) attack.


Solutions and Alternatives

There are currently different industry approaches to deal with post-quantum cryptography and ensure that today’s and tomorrow’s communications will remain secure, no matter what. One is to use new, supposedly quantum-safe encryption algorithms, called Post-Quantum Cryptography (PQC), to encrypt all communications. Another approach is to use fiber optics and quantum mechanics to securely deliver encryption keys between two parties, called Quantum Key Delivery (QKD), allowing detection of any attempt by a malicious third party to eavesdrop on the connection or tamper with the key in transit, thus preventing any possibility of a Man-In-The-Middle (MITM) attack.


We don’t want to scare you by talking about quantum computing, but we want to impart that this change is here, and your organization needs to be ready. Even if you work in a regulated industry such as finance or healthcare, your organization could still be the target of a state-sponsored attack. The best practice is to get post-quantum ready. 


For now, we recommend reviewing your security posture and ensuring all your communications, especially over the Internet, are secured using the highest recommended level of encryption (AES 256-bit). The same goes for your data, especially data stored externally – make sure it is all encrypted with Advanced Encryption Standard (AES), which remains the only algorithm approved by the U.S. government for storing classified information. Additionally, start investigating what some vendors are already offering in terms of post-quantum security. Please reach out to the team at ISEC7 with any questions and we would be happy to help you assess options to best protect your data and infrastructure.
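One way to start the review recommended above, as an added example that is not ISEC7's code: it audits the cipher suites a Python TLS client context enables against the AES-256 bar and marks suites whose key exchange is classical, which is where the "harvest now, decrypt later" exposure sits. The function names (`assess`, `audit`, `restrict_to_aes256`) are hypothetical, and the sample entries are constructed.

```python
import ssl

# Added example. The labels below are the values OpenSSL reports through
# ssl.SSLContext.get_ciphers(); the AES-256 bar is the page's recommendation.
CLASSICAL_KEA = {"kx-rsa", "kx-dhe", "kx-ecdhe"}  # RSA / (EC)DH key exchange

def assess(suite):
    """Return findings for one cipher-suite dict in get_ciphers() format."""
    findings = []
    symmetric = suite.get("symmetric", "unknown")
    if not symmetric.startswith("aes-256"):
        findings.append(f"symmetric cipher {symmetric} is not AES-256")
    kea = suite.get("kea", "unknown")
    if kea in CLASSICAL_KEA:
        # Recorded traffic becomes readable if this key exchange is later broken.
        findings.append(f"{kea}: classical key exchange, harvest-now-decrypt-later exposure")
    elif kea == "kx-any":
        # TLS 1.3 suites do not name the key exchange; it is negotiated per group.
        findings.append("key exchange negotiated separately (TLS 1.3), review groups")
    return findings

def audit(ctx):
    """Map each cipher suite enabled on an SSLContext to its findings."""
    return {s["name"]: assess(s) for s in ctx.get_ciphers()}

def restrict_to_aes256(ctx):
    """Limit TLS 1.2-and-below suites to ECDHE with AES-256.
    Python's set_ciphers() does not change the TLS 1.3 suite list."""
    ctx.set_ciphers("ECDHE+AES256")
    return ctx

# Constructed sample entries (not captured from a real server).
SAMPLES = [
    {"name": "ECDHE-RSA-AES128-GCM-SHA256", "symmetric": "aes-128-gcm", "kea": "kx-ecdhe"},
    {"name": "ECDHE-RSA-AES256-GCM-SHA384", "symmetric": "aes-256-gcm", "kea": "kx-ecdhe"},
    {"name": "TLS_AES_256_GCM_SHA384", "symmetric": "aes-256-gcm", "kea": "kx-any"},
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(s["name"], assess(s))
    hardened = restrict_to_aes256(ssl.create_default_context())
    for name, findings in audit(hardened).items():
        print(name, findings)
```

Even a suite that meets the AES-256 bar still carries the key-exchange finding, so symmetric strength alone does not settle whether recorded traffic stays confidential.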




(C) Rémi Frédéric Keusseyan, Global Head of Training, ISEC7 Group