Fighting fire with fire – quantum computing will disrupt cybersecurity for good
The National Cyber Security Centre (NCSC) has issued advice to UK businesses to prepare for a step-change in cybersecurity technology brought about by more widespread access to quantum computers. In the words of the NCSC, quantum computers are not just more powerful than supercomputers – they represent a new paradigm in computing. They solve problems simultaneously rather than in a linear fashion, which the key component that sets them apart from conventional computers and supercomputers.
The other key consideration when it comes to quantum computers is that they are significantly outpacing Moore’s Law in terms of development – doubling their capabilities every 6-8 months rather than two years. This is according to quantum visionary Hartmut Neven who stated that quantum computers are improving at a “doubly exponential” rate to their digital counterparts. The impact of this incredible pace is that quantum computational advantage is not as far away as some think it is. In fact, for a narrow class of problems, quantum computational advantage has already been demonstrated by Google’s quantum computer, Sycamore, and two quantum computers developed in China, Jiuzhang and Zuchongzhi. In one demonstration, the 66 Qubit Zuchongzhi quantum computer completed a task that would normally take over 8 hours in little over an hour. While this is exciting for a great many reasons, like all major disruption and progress, it does not come without challenges. The most obvious being the repercussions this will have in terms of cybersecurity.
The quantum leap
Taking a step back to address the broader cybersecurity challenges facing businesses today, we are in the midst of a digital arms race. Private and public sectors organisations are constantly trying to keep pace with the technologies cybercriminals use to attack them. Cybercriminal organisations are serious, organised, well-funded organisations – before you even mention the fact that cyber is a strategic defence priority for governments across the world given its effectiveness as a tool of asymmetrical warfare. The ‘quantum leap’ the technology industry is about to take has to be viewed in this context.
Furthermore, the public cloud means that quantum computers will be democratised. Yes, there will always be those companies that lead the way, but the ability to carry out quantum workloads in the cloud removes the barrier to entry of buying a rapidly depreciating quantum computer and building a non-conventional data centre to host it. Again, we must emphasise that this is a really good thing as it means many more industries and communities will benefit from the innovation quantum computing will enable. However, better access to quantum capabilities leaves the door ajar for malicious actors.
The addition of quantum to this digital arms race is understandably a cause for alarm in the cybersecurity industry, hence the NCSC’s note of caution. Simply put, quantum computing will be capable of decrypting the vast majority of digital encryption techniques currently used to protect data. Take Public key cryptography (PKC), for example, the technology that enables secure communication at scale across networks. The mathematical problems which PKC uses to protect networks and devices will be easy for a Cryptographically Relevant Quantum Computer (CRQC) to solve – ultimately rendering the most widespread existing cybersecurity defences powerless.
This type of quantum computer is still years away from being developed and being made available for general-purpose activity. So, while cybercriminals don’t yet have this technology, one day they will. And given the pace of change in quantum computing, that day will likely be sooner rather than later.
Quantum defence
To protect businesses from an era of decrypted data, cybersecurity teams need to fight fire with fire – or in this case Quantum Key Distribution (QKD). QKD make uses of quantum properties of underlying physical systems, therefore it is a provably secure system based on the laws of physics. It employs new hardware devices that exchange secret keys over a quantum channel, and since it’s over a quantum channel, the laws of quantum mechanics ensures that no adversary could eavesdrop or tamper with the secret key without alerting the original parties.
Whilst QKD provides complete security, it necessitates new optical infrastructure as light is used to transmit secret keys. This requires considerable investment in infrastructure including adding quantum repeaters for long distance QKD.
Another alternative to a hardware-based approach is to use new software-based algorithms known as QSC (Quantum Safe Cryptography) or Post Quantum Cryptography (PQC). These cryptographic algorithms can run on standard encryption and decryption devices. There are many classes of such algorithms, which are understood to protect against conventional or quantum-based attacks. However, it’s not entirely possible to envision the power of future quantum computers.
Random numbers play a significant role in lotteries, scientific simulations, cybersecurity and cryptography. With widespread use of cloud computing and multi-access edge computing, confidential and private data is exposed to the Internet. Securing data is increasingly complex due to relentless cyber-attacks, more high performance computing, and the advent of quantum computing. The ability to provide fast and stable access to random number services underpins information security today. Conventional computers today can only generate pseudo-random numbers whereas Quantum Random Number Generators (QNRG) can provide truly random numbers closing all the loopholes with classical random numbers.
We’ve probably all used a card reader or two-factor authentication service, which provides a ‘random’ number to login to a digital account. While these techniques are currently considered best practice, the numbers generated are only pseudo-random and not protected against a quantum computer. The good news is that QRNGs will create genuine randomness by measuring fully non-deterministic quantum processes. This means that even an experienced and determined cryptographer with a quantum computer cannot predict the ‘random’ numbers being generated by an application.
Despite the potential challenges posed to existing encryption techniques, quantum computing should be viewed as an opportunity as well as a threat by cybersecurity teams. Industries such as defence, healthcare, and financial services, where data security is an ongoing priority, will be among the first industries to deploy quantum-based encryption techniques and communications. Among quantum technologies, namely quantum computing, quantum sensing and metrology, quantum communications and security, it is quantum security that is currently being commercially deployed with QKD devices and QRNG protocols. The South Korean government is currently piloting a QKD based infrastructure across the country. Scientists in China have trialled QKD for users across the country over via an integrated quantum communication network – with plans to extend the network to countries such as Russia, Italy, Austria. and Canada – laying the foundations of quantum internet.
It is exciting to see proofs of concept and trials being conducted with quantum computers already as governments and industries get to grips with the potential benefits they can bring. Longer-term, as the capabilities of quantum computers increase, and as more quantum technologies mature, countries and companies will need to rethink their existing infrastructure altogether.
Rory Daniels
Rory joined techUK in June 2023 after three years in the Civil Service on its Fast Stream leadership development programme.
Laura Foster
Laura is techUK’s Associate Director for Technology and Innovation.
Elis Thomas
Elis joined techUK in December 2023 as a Programme Manager for Tech and Innovation, focusing on AI, Semiconductors and Digital ID.