Sachin Bhatt, our new regular cybersecurity contributor, gives a refresher on how quantum computing and quantum cryptography work and highlights what these technologies might mean for cybersecurity in the future.
Quantum computing sounds like the stuff of science fiction, in much the same way that a pocket-sized mobile computer - able to connect to anyone across the globe, download high-definition media content and organise nearly every aspect of modern-day life - would have sounded to most people in the late nineties or very early noughties.
In fact, quantum computing is within our grasp. We are now possibly at a tipping point, on the brink of entering a world where quantum computing is readily available – and the UK wants to get in there first. Committed to being a leader in the field, the UK government is aiming for the UK to become the world’s first quantum-ready economy. This pledge has been backed by millions of pounds of investment, which was announced back in September 2020 when the government confirmed that the UK’s first commercially available quantum computer would be established in Oxfordshire.
It is hoped that quantum computing will revolutionise the way businesses operate and solve complex problems at a rate unfathomable even with the best computing technology currently on offer. The power of quantum computing is set to accelerate many industries and fields of research including pharmaceuticals and healthcare. The stage has been set for the next phase of evolution in society and across industries, much in the same way that current computers have revolutionised every aspect of our working and personal lives.
At the same time, dire warnings have been touted about how current security practices will crumble with the advent and mass availability of quantum machines. But what exactly is quantum computing and, more importantly, what are the implications for security?
How are quantum computers different?
Traditional computers are binary. Every piece of technology currently in use - from viewing social media and your favourite apps to writing emails - is essentially a combination of 0s and 1s resulting in what you see and experience on screen. Whilst this works well at a machine level, it lacks the ability to model the non-binary complexities of nature. In the natural world, and especially so on a sub-atomic (quantum) scale, things start to behave strangely.
In the quantum world, there tend to be many states, instead of the two in traditional binary computers. As an analogy, consider a ball resting on a roulette wheel: it’s either on red or black – 0 or 1 in the binary world. However, when the roulette wheel is spinning, the ball is passing over both red and black at any given time. It is therefore in a state of uncertainty and can be in either or both states at any one moment. Known as ‘superposition’, this is the ability to be in multiple states.
Quantum computing exploits the ability to be in multiple states in order to solve very complex problems. Put most simply, this allows quantum computers to explore avenues and calculate multiple strategies (states) simultaneously, whereas a normal computer would carry out one calculation at a time until reaching the desired result.
Quantum computers and encryption
Whilst the great power advantage of quantum computing is likely to have many potential benefits in advancing society, as with all technologies (the internet being a prime example), there is equally a risk to security and privacy. Security facilitates privacy, and the encryption of communications and data is the most critical tool we have in ensuring the confidentiality and integrity of everything from emails and banking to messaging platforms and more.
Electronic communications and data are encrypted in one of two ways: symmetrically and asymmetrically. The former refers to a single key made up of complex mathematical ciphers used to both encrypt and decrypt data. The latter uses a mathematical form to link two keys: one which is public to allow trusted people (or systems) to encrypt, and the other private, which only you can use to decrypt the sensitive information.
Even with advances in current computing, a supercomputer would take thousands of years to crack a good strong password or cipher, and possibly millions of years to crack really strong passwords. Comparatively, a quantum computer would be able to crack similar passwords or ciphers in a matter of minutes or seconds.
Public-key cryptography, used for messaging and secure HTTPS websites, uses popular encryption algorithms such as RSA, Diffie-Hellman and elliptic curve cryptography. Quantum computing threatens to crack these algorithms relatively easily as it has the potential to try all possible permutations of an encryption key (a number with 617 digits in it!) almost simultaneously.
This has massive implications for the trust that we place in information obtained in any type of secure exchange. Furthermore, not only would we not be able to trust the integrity of the data, but malicious actors would be able to manipulate data sent and received. This calls into question whether or not we could then trust the identity of either sender or receiver.
Threats to security
Security practices will need to adapt to fend off future threats. Certain implementation methods of encryption, such as lattice-based and multivariate cryptography, are considered to be quantum proof. Many technology and service providers will need to think ahead to retain consumer confidence in the future. The Big Tech companies are already involved in the design and development of quantum computing to further their commercial interests and protect their market advantage. This has led to a race for quantum supremacy, with IBM having already launched a version of their cloud-based quantum computer online for public use. Through this, users can sign up to learn the basics of quantum circuits and how to compose quantum code to run on real quantum computing hardware.
The future, however, is not the biggest threat we face to our right to privacy - it is in fact the threat from past exposures. No secret has been made of the fact that certain governments, regimes and other entities have been bulk collecting and storing encrypted communications for a number of years. Their hope is that, with the advent of viable quantum computing power, current methods of encryption will be much easier to crack, thereby giving these agencies and organisations access to secrets and strategies they previously did not have.
Whilst there might be some legitimate reasons for doing so, such as solving some of the most extreme criminal cases, for the majority of us the advent of quantum computing may call into question whether our personal encrypted communications will stay private or not. Cyber criminals, for example, are known to have been harvesting bulk encrypted data sets from compromises and data exfiltration. Whilst the data sets might not be in human-readable form currently, quantum computing power will allow them to open a Pandora’s box and exploit personal details going forward.
How does quantum cryptography work?
Quantum computing may go on to crack data we currently protect with today’s secure encryption implementations, but quantum cryptography may make it impossible to crack new quantum encrypted information.
The strangeness of the quantum world means two unrelated particles, physically separated, can affect one another, and measuring a property of a quantum particle changes its nature (state). Very simply put, quantum cryptography works by using particles of light (photons) to send and receive data. The two parties at either end of the communication can then compare a sample measurement of these particles to establish which quantum key distribution (QKD) to use and whether or not it is safe.
Alice and Bob are characters widely referred to in order to explain this. Alice can send a private, secret message to Bob by firing polarized photons in Bob’s direction on an unsecured line, made possible due to differing random states of quantum particles. If someone wants to intercept the communication, then they must ‘read’ the photon particle. As we now know, taking any measurement of a particle alters its state, thus introducing a change in the QKD and notifying Alice and Bob of the communication being compromised. This makes quantum cryptography a far more secure and robust solution compared with current methods.
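The Alice-and-Bob exchange described above, as an added example that is not part of the original article: a classical Python simulation of BB84, one standard QKD protocol (the article does not name a specific protocol). The function names, the 50% comparison sample and the 5% error threshold are assumptions chosen for illustration.

```python
import random

def measure(bit, prep_basis, meas_basis, rng):
    """Same basis returns the encoded bit; a different basis gives a random result."""
    return bit if prep_basis == meas_basis else rng.randint(0, 1)

def run_bb84(n_photons, eavesdrop, seed=1, sample_fraction=0.5, max_error=0.05):
    """Simulate one key exchange. sample_fraction and max_error are illustrative values."""
    rng = random.Random(seed)          # seeded so the run is reproducible
    alice_bits, bob_bits = [], []
    for _ in range(n_photons):
        a_bit, a_basis = rng.randint(0, 1), rng.choice("+x")
        bit, basis = a_bit, a_basis    # state of the photon in flight
        if eavesdrop:
            # Intercept-resend: Eve must measure, and re-sends in her own basis.
            e_basis = rng.choice("+x")
            bit, basis = measure(bit, basis, e_basis, rng), e_basis
        b_basis = rng.choice("+x")
        b_bit = measure(bit, basis, b_basis, rng)
        if a_basis == b_basis:         # sifting: keep only matching-basis rounds
            alice_bits.append(a_bit)
            bob_bits.append(b_bit)
    # Alice and Bob publicly compare a sample of the sifted bits, then discard it.
    k = int(len(alice_bits) * sample_fraction)
    if k == 0:
        raise ValueError("too few photons to estimate the error rate")
    errors = sum(a != b for a, b in zip(alice_bits[:k], bob_bits[:k]))
    error_rate = errors / k
    compromised = error_rate > max_error
    return {
        "sifted": len(alice_bits),
        "error_rate": error_rate,
        "compromised": compromised,
        # The undisclosed remainder becomes the key only if the line looks clean.
        "key": [] if compromised else alice_bits[k:],
    }

if __name__ == "__main__":
    for eve in (False, True):
        r = run_bb84(4000, eavesdrop=eve)
        print(f"eavesdropper={eve} sifted={r['sifted']} "
              f"error_rate={r['error_rate']:.3f} compromised={r['compromised']}")
```

With no eavesdropper the compared sample matches exactly; with intercept-resend, roughly a quarter of the compared bits disagree, which is the signal that tells Alice and Bob to discard the key.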
Geopolitically, the race for quantum computing resources and quantum cryptography is already underway. Nations are investing to develop and deploy quantum capabilities to provide economic, strategic and national security advantages. The UK government has put into effect the National Security and Investment (NSI) Act 2022, which gives it the power to scrutinise businesses and intervene in business transactions where there is a risk or a need to protect national security.
It has become a legal requirement for businesses to inform the UK government of any acquisitions relating to a range of sensitive industries, quantum computing being one of them. This stance demonstrates the serious national security and economic advantage being placed on the future of the technology. It would be all too easy to dismiss quantum computing as an issue to set aside for a future date. But without at least starting to consider the ramifications, many businesses and individuals may be on the back foot, playing catch-up for what is so quickly coming over the technological horizon.
Sachin Bhatt is an experienced cyber security expert, former CISO and Head of Incident Management who works at Schillings to protect individuals and global businesses from complex cyber threats including strategic cyber security risks, and specialises in providing incident preparedness, post incident advice, and helping clients build strong security practices and resilience. He previously served as an incident management lead in CERT-UK and the UK’s National Cyber Security Centre, complemented by a career of over a decade in Government.