Update: Ramifications of quantum advances on security

Things are moving so fast in the quantum computer field that it's hard to gauge what is the current state of the art. The news that Microsoft has been making major advances in the field, for example, is more about the practicality of writing software for and providing production grade hardware components for what is at its core still very much an experimental technology. On the other hand, the recent news that Russian researchers have broken the 50 qubit threshold is of major significance to security professionals particularly.

As a result, this article is an attempt to shed some light on the current state of the art in quantum computing and to give some background and context so that someone with limited technical knowledge can understand the main issues.

Questions I’ll try and answer include:

1. What is quantum computing in simple terms?
2. Why can’t everybody build there own quantum computer?
3. Why is it particularly powerful in breaking encryption?
4. What is the significance of the 50 qubit threshold?
5. What are the ramifications for the next 3-5 years?
6. How does Haventec fit into this future?

What is quantum computing in simple terms?

Traditional computers use switches made of silicon that is either on or off (binary). Quantum computers use subatomic particles that can be in multiple states at once. An excellent way of explaining this phenomenon is to think of a switch as if it was a sphere. A qubit can be thought of like an imaginary sphere. Whereas a classical bit can be in two states - at either of the two poles of the sphere - a qubit can be any point on the sphere. This means a computer using these bits can store a huge amount more information using less energy than a classical computer. With quantum computers and position on the sphere can be used to as a value. Additionally, each sphere can have multiple values at the same time. To illustrate, a traditional 20-bit data string can have any value from 0 to 2^20 or 1,048,576. But remember that is 20 bits to represent just 1 value.  A 20 qubit computing device can handle 1,000,000 values at the same time!  As a layman to me it appears like quantum computers are not as flexible as traditional computers but once they get their teeth into a problem, they really get a move on. Which is great for big conundrum’s like molecular calculation but very dangerous when it comes to code breaking. We’ll go into this later but it is reported that a 28 qubit computer was used to break a public key using a factoring algorithm and achieved in 1 hour what it would take 78 million standard computer hours to accomplish. Thankfully 128-bit keys are used very little these days.

Note: DWave is a company that uses a simplified approach t quantum computer design that allows them to bost a very high qubit capacity but is not considered competitive with traditional quantum computer designs.

Why can’t everybody build there own quantum computer?

The physics around quantum computing are complex as is the computation. The big issue seems to be the unstable nature of qubits. From what I understand you need to get the qubits very cold to make them stable (ie run the computer at a fraction of a degree above absolute zero or -273.15 C) and still you need to do a lot of error checking even then to make sure you are getting reliable results. You can’t do this stuff with a homemade freezer and a server cluster in your garage. Only sizeable enterprise level or state level resources can play in this field… which has its pros and cons. Pro’s in that the technology is beyond your garden variety organised crime or black hat hacker group, but Con’s in that even these large organisations are just as likely to fall prey to hack attacks where the resources are still at least temporarily accessible by attackers.

Why is it particularly powerful in breaking encryption?

Today's most popular encryption relies on related keys known as asymmetric keys. Commonly this type of encryption is called public key encryption.

Symmetric keys (where the password is the same for both sending and receiving parties) are pretty safe from quantum attack in assessments so far but any type of asymmetric key system (where public/ private key PAIRS are used) that uses factorisation and large prime numbers are easy work for quantum computers.

The basic weakness is that if you know the public key of a key pair, quantum computers incredible power can use brute force to determine the private or secret key in a flash. This is very serious. For example, as I mentioned in the previous heading a quantum computer was used to break a public key in 1 hour what it would normally take 78 million standard computer hours to accomplish! When you read the article you will find that this achievement was accidental but it underscores the incredible power that is bearing down on us if we want to protect our privacy and our personal information.

The encryption that protects every client-server connection on the internet today is called TLS version 1.2 (usually you will see HTTP(s) in the URL if you are using TLS) and it uses factor based public keys. It is estimated that 120 qubit computers could break every HTTPS connection made today in 2 seconds or less.

Nothing you do, your passwords, your bank accounts, your emails, none of it, would be secure. A new version called TLS 1.3 is being rolled out to try and move to a quantum resistant non-standard factorisation dependant approach.

What is the significance of the 50 qubit threshold?

For some time the turning point for quantum computers to start to outperform supercomputers has been a 50 qubit quantum computer. This point is known as the point of “Quantum Supremacy” and was achieved recently by a Russian researcher and team from Harvard University. More particularly the advance means that an approach to encryption cracking called “Shor’s Algorithm” can be used to very efficiently break standard public key encryption in a way that is beyond standard or classical computers and even supercomputers. From here the acceleration of capability will be an order of magnitude.

What are the ramifications of Quantum Computing for the next 3-5 years?

So, in summary, there are few limiting factors on how dangerous Quantum computer will be in their use to attack encryption over the next 3-5 years.

1. The technology is VERY finicky to control so will be only usable in the short term by large organisations such as IBM or nation states and their agencies such as the NSA.
2. Using a very much research oriented technology for a concerted encryption breaking exercise in the short term is not a priority for any of the players at the moment.
3. As soon as a quantum computer show reliable progress in breaking a standard public key system with today's standard key length, agencies such as the NSA and their Russian and Chinese counterparts will start to throw significant resources into production-ising the technology for a critical eavesdropping advantage.
4. With the above in mind, there is a reason to believe that there are many initiatives TODAY in preparation for reliable encryption cracking. For example any secure communications in use today can be recorded then stored for decryption as soon as the technology arrives.
1. With this in mind, it would be prudent to not store critical data that will have long-term value outside of 2-4 years using anything but quantum resistant encryption such as symmetric keys or POST-quantum public key encryption.
2. Also, it would be prudent to design information systems to ensure that as few as possible quantum exploit holes exist in your system architecture. Lots of advances will be made in quantum resistant encryption over coming years and it will be good practise to ensure that it is easy to find and keep your encryption protocols updated.
5. Also be ready for some major advances to accelerate the technology in an unexpected way. For example, quantum stabilization at higher temperatures will allow thousands of more researchers to work with quantum computers. Even as I write this article researchers in Japan have radically increased the performance of quantum computers by cycling information in a continuous loop of qubits. Things will happen sooner rather than later. Note: within days of writing this a room temperature approach was devised. Amazing.
6. Another reality to consider is that the illegal use of quantum capability will become more of a possibility over time. The ability for a hacker to penetrate a quantum computer centre and use it for hacking activities is a very real possibility and should not be discounted.

An example of a pervasive quantum weakness is the Bitcoin blockchain. While the blockchain itself uses quantum resistant algorithms and a user's public key is not recorded as part of the blockchain, the fact is that a user's public key is disclosed to blockchain miners for use in verifying the signed transaction data. If an adversary was to record these interactions with miners of Bitcoin then they could come back with the help of a relatively little amount of time using a quantum computer to empty every wallet ever used on the Bitcoin blockchain where the owner has made a payment from their wallet and has left a balance of coins in their wallet. The only current remediation is to change your wallet key pair every time you want to pay someone. You have to do this by moving the unused coin to a completely new wallet. Scary stuff.

How does Haventec fit into this future?

As part of our hardening and intrusion testing regimen, Haventec has worked with some of the best cryptographic minds in the world including the designer of Androids cryptographic technologies and white hat hackers from some of the world's top intrusion testing firms. We can supply details under confidentiality agreements.

This advantage exposed us to some of the realities of the quantum world even way back when we first engineered Haventec’s core technology. For example, we are not dependant on any specific flavour of public key technology and can easily switch in POST quantum encryption as it becomes available. We also use a number of non-public key based encryption techniques such as advanced obfuscation, symmetric key encryption and single-use keys such as one time codes.

The simple fact that Haventec allows every enterprise to securely communicate with every one of their customers without storing or using a single password is an example of how forward-thinking the design is. Even though we currently do rely on TLS for our client-server connections, none of our communications contains any information that is usable after the current or next transaction.

Our client-side data security storage called Sanctum is also symmetric key based where the key is rotating with every use. All Haventec’s technologies are quantum resistant from the ground up.