As modern society is becoming increasingly digital, there is a growing demand for secure communications. While cryptographic standards and digital certificate systems, such as public key infrastructure (PKI), provide the verification, authentication and encryption necessary to protect digital communications, one threat that has emerged in recent times is the possibility that these secure communications systems are compromised by quantum computers.
The idea of quantum supremacy, according to which certain computational tasks can no longer be executed on classical high-performance computing architectures, is still some way off. However, the speed promised by quantum computing and hybrid architectures that use quantum technology to speed up certain functions in an algorithm running on a classical computing architecture represents both an opportunity and a risk to society.
Researchers around the world are exploring how quantum computing algorithms can be used to solve extremely complex problems. Quantum computing promises enormous societal benefits, such as helping to address climate change, improving efficiency in chemical processes and drug discovery, and all kinds of complex optimizations that can’t be executed on classical computing systems. But as quantum computers evolve, there is also growing concern that the technology will break existing cryptographic standards. In fact, they will be powerful enough to crack encryption keys extremely quickly.
“If large-scale quantum computers are ever built, they will be able to break many of the public-key cryptosystems currently in use. This would seriously compromise the confidentiality and integrity of digital communications on the Internet and elsewhere,” warns the US National Institute of Standards and Technology (NIST) in a draft proposal for post-quantum cryptography (PQC).
This would have a profound impact on Internet security. “Once large-scale, fault-tolerant quantum computers become a reality, encryption protocols that have protected sensitive information for years will become vulnerable to attacks,” says John Cullen, director of strategic marketing for cybersecurity at Thales. “As the arrival of quantum computing approaches, the future security of PKI is at stake.”
Cullen believes that cybercriminals will eagerly exploit weaknesses in PKI systems to gain unauthorized access to valuable data. “Therefore, it is imperative that organizations take proactive steps to protect themselves, before quantum technology becomes widespread,” he warns.
This is why standards bodies such as NIST and ETSI, the European standards body for IT-based systems, have become involved in quantum computing.
Jonathan Lane, a cybersecurity expert at PA Consulting, notes that bodies such as NIST and ETSI have been engaged in programs to identify and select post-quantum algorithms (PQA) for several years, and industry and academia are innovating. “We are getting closer to some agreement on a set of algorithms that are likely to be quantum; both the UK NCSC [National Cyber Security Centre] and the US NSA [National Security Agency] support the enhanced public key cryptography approach using PQA along with much larger keys,” he says.
Lane says the NCSC recommends that most users follow normal cybersecurity best practices and wait for the development of quantum secure cryptography (QSC) products that meet NIST standards.
Quantum cryptography for financial services
One sector that is closely watching the development of quantum computing is banking, specifically how it will affect the cryptographic standards it relies on for secure payment processing.
In July, for example, HSBC announced that it was working with BT, Toshiba and Amazon Web Services (AWS) on a trial of quantum-safe transmission of test data over fiber optic cables between its global headquarters in Canary Wharf and a data center in Berkshire, 62 km away, using quantum key distribution (QKD).
QKD uses light particles and the fundamental properties of quantum physics to deliver secret keys between parties. These keys can be used to encrypt and decrypt sensitive data and are safe from eavesdroppers or quantum computer cyberattacks.
QKD will play a key role in protecting financial transactions, customer data and proprietary information across the financial sector. HSBC processed 4.5 billion payments last year, worth an estimated £3.5 trillion. These electronic payments rely on encryption to protect customers and businesses from cyberattacks, which is one of the reasons why the bank has established a quantum strategy. This includes QKD and PQC trials.
BT and Toshiba have been collaborating on a trial quantum secure network since October 2021. This network offers what BT describes as “a range of quantum secure services including dedicated high-bandwidth end-to-end encrypted links.” It is delivered over Openreach’s private fiber networks. Toshiba provides quantum key distribution hardware and key management software.
In April 2022, BT and Toshiba, together with EY, launched a trial of the world’s first commercial quantum secure metropolitan network based on this technology. The infrastructure connects EY clients across London, helping them secure the transmission of data and information between multiple physical locations over standard fiber optic links using quantum key distribution.
HSBC is the first bank on the BT/Toshiba infrastructure. HSBC hopes its research into secure quantum communications will help provide evidence on the benefits of quantum technology and drive the development of applications in financial cybersecurity. According to HSBC, its quantum scientists, cybercrime experts and financial specialists will be better able to analyze the potential threat posed by powerful quantum computers and devise strategies to safeguard sensitive information.
The IoT dilemma
At the other end of the spectrum of cryptography application areas are low-power Internet-connected devices. PA Consulting’s Lane notes that since Internet of Things (IoT) devices generate and exchange data, IoT applications require this data to be accurate and reliable. Since devices tend to be networked, their exploitation can open up attack vectors into broader systems, which could have widespread and global impact, he warns.
For example, in 2016, the largest botnet attack ever was launched against domain name system service provider Dyn using the Mirai malware. According to Lane, this malware sought out IoT devices running the Linux ARC operating system, attacked them with default login information, and infected them. This allowed a large number of IoT devices to be used together in distributed denial of service (DDoS) attacks, bringing down significant parts of the Internet.
Researchers are looking at how to improve IoT security, and post-quantum cryptography is likely to be an area that gains importance. But Lane cautions that most improved QSC standards appear to require considerable computing power to handle complex algorithms and long keys.
“Many IoT sensors may not be able to run them,” he says. “Until NIST delivers its QSC standards, we won’t know if they will work within the limitations of IoT. If they don’t, then there is a gap in the formal development of QSC IoT solutions.”
Lane believes that asymmetric cryptography may offer a way to implement a viable low-resource PQC algorithm. “The IoT industry currently favors symmetric cryptography as a low-power mechanism, but the problem of secretly distributing the same keys to each party remains, and quantum improvements may increase power requirements,” he says.
Then there are symmetric key establishment mechanisms, where innovation can help as alternative approaches are considered.
These include quantum key distribution, where quantum mechanical properties are used to establish a key agreement, rather than using difficult mathematical problems that quantum computers will quickly solve. However, Lane says that QKD requires specialized hardware and does not provide a way to easily enable authentication, and the NCSC does not endorse QKD for any government or military applications.
Secure Key Agreement (SKA) is another alternative approach. Lane says some companies are experimenting with computationally secure ways to digitally create symmetric keys on trusted endpoints. “This type of low-power software-based capability offers an interesting alternative to IoT,” he adds. Although independent verification of this type of capability is underway, Lane says it is not on NIST’s or ETSI’s radar.
The evolution of quantum technology is linked to computer security
Overall, IT security must evolve to combat the looming threat of all-powerful quantum computers rendering existing cryptography obsolete. Thales’ Cullen warns that the future of a secure and connected world depends on the ability to defend against PKI attacks and safeguard the trust placed in these security measures.
“The industry must explore new ways to strengthen policies, procedures and technology,” he says. “As the arrival of quantum computing approaches, the future security of PKI is at stake.”
The risk of quantum attacks on existing encryption protocols requires proactive action from both organizations and governments.