Quantum risks to cybersecurity

Quantum-era cybersecurity will wield the power to detect and deflect quantum-era cyberattacks before they cause any harm. Nevertheless, it could become a double-edged sword, as quantum computing may also create new exposures, such as the ability to quickly solve the difficult math problems that are the basis of some forms of encryption. While quantum-safe cryptography standards are still being finalised, businesses and other organisations can already start preparing for a change.

Here comes quantum computing

Quantum mechanics is a branch of physics that explores how the physical world works at a fundamental level. At the quantum level, particles can take on more than one state at the same time, and they can have their states correlated even when separated by a large distance. Quantum computing harnesses these quantum phenomena to process information in a profoundly new way. In fact, the worldwide market for quantum computing is predicted to be more than USD 10 billion by 2024.

Today’s classical computers use two primary classes of algorithms for encryption: symmetric and asymmetric. In symmetric encryption, the same key is used to encrypt and decrypt a given piece of data. In asymmetric encryption, data is encrypted using one key (usually referred to as the public key) and is decrypted using another key (usually referred to as the private key). Although the private key and public key are different, they are mathematically related. The widely employed Rivest, Shamir, Adleman (RSA) algorithm is an example of an asymmetric algorithm. Even though it is slower than symmetric encryption, asymmetric algorithms solve the problem of key distribution, which is an important issue in encryption.

The advent of quantum computing will lead to changes to encryption methods. Currently, the most widely used asymmetric algorithms are based on difficult mathematical problems, such as factoring large numbers, which can take thousands of years on today’s most powerful supercomputers.

However, research conducted by Peter Shor at MIT more than 20 years ago demonstrated the same problem could theoretically be solved in days or hours on a large-scale quantum computer. Future quantum computers may be able to break asymmetric encryption solutions that base their security on integer factorisation or discrete logarithms.

Although symmetric algorithms are not affected by Shor’s algorithm, the power of quantum computing necessitates a multiplication in key sizes. For example, large quantum computers running Grover’s algorithm, which uses quantum concepts to search databases very quickly, could provide a quadratic improvement in brute-force attacks on symmetric encryption algorithms, such as the Advanced Encryption Standard (AES).

To help withstand brute-force attacks, key sizes should be doubled to support the same level of protection. For AES, this means using 256-bit keys to maintain today’s 128-bit security strength.

Even though large-scale quantum computers are not yet commercially available, initiating quantum cybersecurity solutions now has significant advantages. For example, a malicious entity can capture secure communications of interest today. Then, when large-scale quantum computers will be available, that vast computing power could be used to break the encryption and learn about those communications.

Wielding the power of quantum cybersecurity

Eclipsing its potential risks, quantum cybersecurity can provide more robust and compelling opportunities to safeguard critical and personal data than currently possible. It is particularly useful in machine learning and quantum random number generation.

Machine learning already has numerous applications in cybersecurity, including:

• Behaviour anomaly detection: recognising anomalous activities, such as access from a new device, new location or at a new time;
• Classification: categorising entities such as data, users, threat actors, or malware;
• Prediction: anticipating events such as a network or database threat.

Quantum computing may speed up machine learning, enhancing its efficacy for cybersecurity. For example, quantum-enhanced machine learning could expedite the classification of massive amounts of data.

Moreover, random number generation is essential in cryptography. The two main categories of classical random number generation are pseudo random number generators (PRNGs) and true random number generators (TRNGs).

Quantum Random Number Generators (QRNGs) can be thought of as a special case of TRNGs in which the data is the result of events. But unlike traditional TRNGs, QRNGs promise truly random numbers by exploiting the inherent randomness in quantum physics. A true random number generator provides the highest level of security because the number generated is impossible to guess.

Getting started

In the cybersecurity world, much has been conjectured about quantum computers’ eventual ability to breach current cryptography. Before that day arrives, forward-thinking enterprises are implementing cybersecurity solutions that protect against both classical and quantum-based computing attacks ensuring their transition to the quantum era to be a smooth one.

To prepare for the coming post-quantum cryptography era, enterprise leaders can now take four steps:

1. Identify, retrain or recruit for the necessary cybersecurity skills, either directly or through your organisation’s ecosystem. These experts should become your organisation’s cybersecurity champions. They can collaborate with standards bodies, deduce the implications of various potential quantum cybersecurity approaches, and create your company’s security transition plan.
2. Begin identifying where post-quantum security methods should be adopted throughout your organisation by assessing your potential quantum-era security exposure:
   • Symmetric encryption algorithms. Where symmetric algorithms remain appropriate in your company in the quantum era, you are advised to double the key-sizes currently being used to help ensure an appropriate future level of security strength.
   • Asymmetric encryption algorithms. Identify where asymmetric algorithms are in use today and plan to switch to post-quantum alternatives.
   • Hashing algorithms. Assess the output sizes currently being used and plan to use larger output sizes.
3. Keep up-to-date with advances in quantum safe standards, such as those being reviewed by NIST and emerging security solutions, such as lattice-based approaches, code-based cryptography, multivariate cryptography, and hash-based cryptography, among others.
4. Work with encryption solution providers to deploy quantum-safe alternatives as they become available.

This editorial was first published in the Fraud Prevention and Online Authentication Report 2019/2020. The Guide covers some of the security challenges encountered in the ecommerce and banking, and financial services ecosystems. Moreover, it provides payment and fraud and risk management professionals with a series of insightful perspectives on key aspects, such as fraud management, identity verification, online authentication, and regulation.

About Michael Osborne

Michael Osborne currently leads the security and privacy activities at the IBM Research centre in Rüschlikon Switzerland and has a global role as Lead for IBM Q Security and Encryption. His current focus includes leading IBM Research division’s Quantum Safe Cryptography efforts to develop and standardise quantum resistant technology and transferring this technology to IBM’s products and services.

About IBM Research

At IBM Research, we invent things that matter to the world. Today, we are pioneering the most promising and disruptive technologies that will transform industries and society, including the future of AI, blockchain, and quantum computing. We are driven to discover. With more than 3,000 researchers in 12 labs located across six continents, IBM Research is one of the world’s largest and most influential corporate research labs.