MIT Technology Review Report: defending against quantum hackers is imminent


Recently, the technology magazine MIT Technology Review and the Technological Innovation Institute (TII) in Abu Dhabi co-authored "Starting Today, Facing Tomorrow's Quantum Hackers".

 


The report notes that, with the global pursuit of quantum computing superiority under way, now is the time to study and prepare for the impact of the post-quantum era. Google and IBM, along with startups like Rigetti, IonQ and Xanadu, are building viable quantum computing systems. Once cryptographically relevant quantum computers are put into use, some forms of encryption considered secure today will be broken, and both security and secrecy will be lost. Businesses must make their data and network security systems resilient to quantum-based attacks, and for those unsure how to approach post-quantum encryption, a hybrid solution is available.

 

Since 2016, the National Institute of Standards and Technology (NIST) has been working with cryptographers around the world to develop standardized post-quantum algorithms, subject to rigorous testing standards, and will make its final selection public in 2022. Researchers at TII's Cryptography Research Center have developed a post-quantum cryptographic library that provides multiple schemes for public key encryption, key encapsulation, and digital signatures. As the race between quantum physicists and cryptographers reaches a tipping point, companies increasingly need to adopt post-quantum algorithms and make their operations cryptographically agile, and planning now to address this looming threat is critical.

 

The report is based on interviews with cryptography experts, mathematicians, physicists and senior executives of quantum computing companies around the world to assess how quantum computers, when fully developed, will threaten today's cybersecurity systems, and what businesses and organizations can and should do to address these issues.

 

The main conclusions of the report are:

 

1. Businesses and organizations need to defend against quantum-based attacks. While cryptographically relevant quantum computers may still be years away, businesses and organizations can no longer wait and see how the field of quantum computing evolves. Cyber threat actors can obtain sensitive data now and decrypt it later. That means protection measures need to kick in today. Given the high stakes, taking a proactive rather than reactive approach to this threat is critical.

 

2. Hybrid transitions can be a good starting point. Businesses and organizations unsure of how to approach post-quantum encryption can opt for a hybrid solution, layering post-quantum algorithms onto classical algorithms. Such attempts allow them to see how the new cryptographic framework fits into their overall process. A word of caution: While a hybrid approach is a prudent early measure, businesses and organizations should not rely on it as a permanent safety net. They need to have a clear plan to transition from hybrid to post-quantum cryptography.

 

3. This requires contributions from experts in various fields. Quantum computing involves the contributions of various experts - physicists, cryptographers, computer scientists, etc. Businesses and organizations need to strengthen their quantum expertise, either by hiring in-house talent or partnering with consultants. In the long run, companies and organizations need to figure out how to benefit from the value of quantum computing while protecting their systems from its effects. Expert advice can help them navigate this path and safely and securely advance their value proposition.

 

Promoting quantum development

 

Quantum computers can store and process large amounts of data, allowing them to tackle problems in a reasonable amount of time that classical computers cannot. The difference between a classical computer and a quantum computer is the way they process or transmit data. Classical computers use binary bits (0 or 1) and can only represent one of these two values at a time. However, quantum computers use quantum bits, which can represent many possible states of 1 and 0 at the same time. As more and more qubits are entangled, the system's ability to perform computations grows exponentially, rather than in a linear fashion like a classical computer. So, harnessing the power of quantum mechanics, quantum computing promises to surpass even what today's fastest supercomputers can do.

 

Governments and private companies around the world are recognizing the potential of quantum computing. According to the Boston Consulting Group's 2021 report estimates, "quantum computing could create $450 billion to $850 billion in value over the next 15 to 30 years." According to a May 2021 report by the Canadian Institute for Advanced Study, as of January 2021, 17 countries have "some form of national initiative or strategy to support research and development in quantum technologies". By the end of 2021, twenty-five Japanese companies, including Hitachi, Fujitsu and Toshiba, had joined forces to form a new strategic alliance called the Quantum Revolution Strategic Industry Alliance (Q-STAR). According to a statement from Fujitsu on behalf of the consortium, its mission is to position Japan as "a country oriented towards innovation in quantum technology."

 


Quantum technology research and development policies of various countries

 

In addition to governments, companies around the world have also been investing in research into quantum technologies. On the private sector side, U.S. and Japanese technology companies — Google, IBM, Microsoft, Honeywell, Hitachi, Fujitsu and Toshiba — are all investing in this high-stakes race. While quantum technology is still in its infancy, the past few years have seen significant developments.

 

In November 2021, IBM announced that it had created a 127-qubit quantum processor, more than double the size of those made by researchers at Google and the University of Science and Technology of China, and billed as the world's largest superconducting quantum processor. A few months before IBM's announcement, the University of Science and Technology of China said its 66-qubit Zu Chongzhi processor had already surpassed Google's 54-qubit processor. Quantum computers can solve problems that classical computers cannot. Canada-based Xanadu is developing a photonics-based quantum computer, while US-based IonQ aims to commercialize a trapped-ion-based machine.

 

Venture capitalists have invested $1.02 billion in quantum computing companies in 2021 (as of September), according to Pitchbook data, more than the sum of money flowing into the industry in the previous three years. In February 2022, Canada's D-Wave Systems added itself to a list of quantum computer developers seeking to list in New York; this follows IonQ, which became the first pure quantum computing startup to go public in October 2021.

 


Quantum Computing Equity Investment

 

Getting ready for the quantum age

 

As technology accelerates and investment capital pours in, the arrival of full quantum computing capabilities is not a matter of if but when. Quantum technologies have the potential to drive advancements in fields ranging from materials science to pharmaceutical research, and companies are looking to take advantage of them. For example, IonQ and Hyundai announced in early 2022 that they had formed a partnership focused on using quantum computing to study lithium compounds and battery chemistry.

 

While businesses are eager to take advantage of the new opportunities presented by quantum computers, the emergence of powerful quantum computers is also worrying because hackers can use them to break down the world's best digital defenses.

 

To understand this, imagine a safe that opens only with the correct combination; without it, you have to systematically try one combination after another. Hackers use computers to try all the combinations faster, so they can more easily compromise the system.

 

It is possible that within a dozen years, hackers could use the processing power of quantum computers to break the encryption systems that protect various network-based communications and protocols today. Fortunately, today's public cybersecurity defenses have extremely strong locks that even today's most powerful supercomputers cannot crack. Today's quantum computers are not very powerful yet, but they are rapidly getting there.

 

The path to cryptographically relevant quantum computers

 

Quantum computers that are powerful enough to pose a threat to public-key cryptosystems are called cryptographically relevant quantum computers (CRQCs). A CRQC requires millions of qubits to work.

 

Such a computer does not currently exist. With the exception of IBM's 127-qubit quantum computer, most quantum computers today are at the Noisy Intermediate Scale Quantum (NISQ) level of 50 to 100 qubits. They are very sensitive to the environment and prone to disturbances, which makes them unreliable.

 

Professor Pan Jianwei of the University of Science and Technology of China pointed out that the road to CRQC will be gradual. Two of Pan Jianwei's team's quantum computers, Zu Chongzhi and Jiuzhang, have achieved quantum supremacy, a point reached when quantum computers can significantly outperform the best classical computers in processing specific calculations.

 

"The final and most challenging stage is to build a programmable universal quantum computer, which could have a big impact on cracking classical encryption systems, searching large data sets, and artificial intelligence," said Pan Jianwei. This impact is a concern for cybersecurity teams, although how long it will take the world to achieve such a CRQC is debatable. "Given the current state of quantum computing, we hope to achieve the last goal through 15 to 20 years of hard work," said Pan Jianwei.

 

"There's a lot of progress and a lot of funding, so it's hard to predict the pace of progress," said Grégoire Ribordy, co-founder and CEO of Geneva-based ID Quantique, a subsidiary of South Korean wireless carrier SK Telecom that provides commercial quantum encryption solutions for data protection.

 

Both the public and private sectors are working hard to build a quantum computer that can deliver the promised value. Against this backdrop, experts say we now need to transition to post-quantum encryption. Tony Uttley, president and chief operating officer of Quantinuum, the quantum computing company formed by the merger of Honeywell Quantum Solutions and Cambridge Quantum, said: "The time to do something to protect assets was yesterday, if you haven't done something yet, the next best time is today."

 

The quantum threat of public key cryptography

 

Cryptography works by using a set of keys combined with encryption and decryption algorithms to send information securely. The original message is scrambled with an encryption algorithm, then locked with a secret key and sent. When the message reaches the recipient, it is decoded (unlocked) by using a secret key and a decryption algorithm. In symmetric encryption, the digital key used for encryption and decryption is the same; in asymmetric encryption, the public key is used for encryption, which is why this method is also called public key encryption, while the information is decrypted with the private key.

 

Public key cryptography enables strong authentication, encryption, key exchange, and digital signatures, and it forms the basis of many Internet security standards today. The standardized algorithms that generate the keys in public key cryptography today are widely used and efficient. Their security usually rests on the assumption that private keys are safe because they derive from mathematical operations that are difficult or impossible to reverse. An example is the popular RSA algorithm, which is based on multiplying two large prime numbers to produce an integer. Doing this the other way around is difficult: given a large number, it is hard to find the two primes it factors into.

 

Industry insiders worry that hackers may be able to decipher the "key" to public-key encryption algorithms. In fact, in 1994, mathematician Peter Shor (then at Bell Labs and now a professor at MIT) discovered an algorithm that effectively weakened RSA. The only condition is that it needs to run on a CRQC.
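The dependence of RSA on the hardness of factoring can be seen with a toy key, shown here as an added example that is not part of the report. The primes 10007 and 10009 and the message value are constructed for illustration; real moduli are 2048 bits or more, which puts the trial division below far out of reach of classical machines, and Shor's algorithm on a CRQC would remove exactly that barrier.

```python
from math import gcd, isqrt


def make_keypair(p, q, e=65537):
    """Textbook RSA key generation from two primes (no padding, toy sizes)."""
    n, phi = p * q, (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to (p-1)(q-1)")
    d = pow(e, -1, phi)          # private exponent: inverse of e modulo phi
    return (n, e), d


def encrypt(public_key, m):
    n, e = public_key
    return pow(m, e, n)


def decrypt(n, d, c):
    return pow(c, d, n)


def factor(n):
    """Trial division. Feasible here only because n is about 27 bits long."""
    if n % 2 == 0:
        return 2, n // 2
    for f in range(3, isqrt(n) + 1, 2):
        if n % f == 0:
            return f, n // f
    raise ValueError("n has no non-trivial factor")


def private_exponent_from_public_key(public_key):
    """Everything secret in RSA follows from the factors of the public n."""
    n, e = public_key
    p, q = factor(n)
    return pow(e, -1, (p - 1) * (q - 1))


if __name__ == "__main__":
    public_key, d = make_keypair(10007, 10009)   # constructed toy primes
    message = 42424242                           # constructed sample, < n
    ciphertext = encrypt(public_key, message)
    recovered_d = private_exponent_from_public_key(public_key)
    print("modulus n:", public_key[0])
    print("private exponent recovered from n alone:", recovered_d == d)
    print("ciphertext decrypts with it:",
          decrypt(public_key[0], recovered_d, ciphertext) == message)
```
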

 


How does public key encryption work?

 

While a CRQC has yet to be built, cryptography experts warn that today's public key methods are fragile. Given the pace of progress and investment in quantum computing, it's only a matter of time before defenses are breached.

 

Financial transactions, military strategy, proprietary information, healthcare systems, online shopping, social media applications, and more, are affected when this happens. For security systems that use public key cryptography to protect sensitive information, not preparing for the arrival of CRQC is like playing with fire. "Given this impact, it's important not to be based on an optimistic assumption that fully capable quantum computers will arrive later, but to prepare by building some margin of safety," Ribordy said.

 

Another concern is that threat actors may already be collecting data for later decryption. Government agencies have stored classified information for decades and are vulnerable to this.

 

Developing post-quantum algorithms

 

To achieve hacker-proof (or at least hacker-resistant) security that doesn't crash when attacked by CRQC, the industry is experimenting with physics and math-based approaches. Quantum cryptography uses quantum mechanics to securely transmit data, and quantum key distribution (QKD) facilitates this approach. The mathematics-based security process, known as quantum-resistant cryptography, or post-quantum cryptography (PQC), relies on a robust set of mathematical algorithms that can withstand attacks from quantum computing.

 

Much of the attention in post-quantum cryptography has been on algorithms that are being screened and standardized by the US National Institute of Standards and Technology (NIST). In 2016, NIST launched an open call for post-quantum algorithm work. Over the past few years, NIST has narrowed the initial 69 submitted algorithms to 15, and has conducted further scrutiny of the remaining algorithms. In the first half of 2022, NIST expects to release the first set of standardized algorithms that will enter a fourth round of further research. "We've also said that we're going to have a new call for more public key signatures; because we want diversity in our portfolio," said NIST mathematician Dustin Moody, who is leading the NIST Post-Quantum Cryptography Project.

 

While NIST's post-quantum cryptography project has made headlines in recent years, it's not the only work focused on post-quantum cryptography. Companies and public institutions around the world are creating libraries of standardized algorithms that can defend against the threats posed by advanced quantum computers.

 

In December 2021, the largest U.S. cryptocurrency exchange announced the launch of an open-source cryptographic library that includes tools for developers to help make transactions more secure. In March 2021, Abu Dhabi-based TII also unveiled the UAE's first cryptographic library, which contains a series of algorithms, and is also developing a framework that government entities and businesses can use to protect confidential data and information. "Our talent pool includes mathematicians, software developers, and cryptographers who design and develop these algorithms in-house," said Najwa Aaraj, principal investigator at TII's Cryptography Research Center. Customers come to the center with their specific post-quantum cryptographic needs; TII assesses the customer's technical assets and then recommends specific algorithms from the TII database.

 

South Korean telecommunications company LG+ has been focusing on the development of post-quantum cryptographic algorithms, and the Chinese Cryptographic Society held its own post-quantum algorithm competition in 2020. Experts in Europe have also expressed concern about the U.S. lead in post-quantum cryptography and urged the continent to focus its efforts on the field.
 
As the NIST project draws to a close, their next step will be to standardize an initial set of post-quantum algorithms. "Ensure that a secure cryptosystem can be used because an algorithm that has been evaluated and reviewed is used. As long as it is implemented according to the standard, the security of the algorithm can be trusted."

 

Post-quantum algorithm metrics

 

What factors are needed for a good post-quantum algorithm? Dustin Moody, director of the post-quantum cryptography program at the National Institute of Standards and Technology, has the following requirements for robust post-quantum algorithms.


1. Security. The ability of an algorithm to withstand attacks from a fully functional quantum computer is a fundamental requirement.


2. Performance. The efficiency of an algorithm determines the ease of adoption. Key size is an important consideration for efficiency, as the bandwidth required to complete data transfers increases with key size. Key sizes for today's algorithms can be as low as 100+ bytes, and those of NIST's post-quantum final proposals will be 10 times that size.


3. Speed. The key size also determines the speed of data transfer, which is an important factor in the decision to adopt. The larger the key size, the slower the data transfer. As users prioritize speed, they may settle for faster but less secure options, which will be a problem.
 
4. Shareability. Post-quantum algorithms need to be freely shared, but if solutions are subject to intellectual property and patent laws, companies are unlikely to adopt them.


5. Cost. The costs associated with adopting post-quantum algorithms may not frighten big companies, but they raise questions of fairness. Not all businesses and government organizations can afford the investment needed to keep data secure. Low-cost solutions are ideal for reducing this barrier to adoption.

 

Potential threats and challenges

 

Challenges related to post-quantum cryptography can be divided into two categories: challenges directly related to the development of the algorithms themselves, and challenges related to obstacles to adopting post-quantum cryptography.


First, it's hard to really measure the strength of a post-quantum algorithm without a fully functional quantum computer. This means that, for now, testing robustness by computer simulation is the best available approach. To address this problem, the development of post-quantum algorithms will be iterative and continuous. Moody predicts that NIST will continue with the algorithms reviewed in the first round and keep standardizing as more research follows.


Next comes the question of adoption. While the public key cryptography standard proposed by NIST has remained popular, a similar process with post-quantum algorithms is far from assured. "The biggest challenge will be communication, making people aware of threats and solutions, and encouraging the adoption of standardized algorithms." Moving to post-quantum cryptosystems will be resource-intensive in terms of input and cost, Moody said. New algorithms may slow down transactions, and without compromising speed, the network and supporting infrastructure may have to grow in parallel to accommodate greater demands on resources. "We need to be clear that even though there will be costs and it won't be easy, this is a transition that companies need to make early," Moody said.


NIST plans to issue adoption guidelines as part of its efforts to address these challenges. Candidates from around the world have participated in NIST's open call for post-quantum algorithms, but not all countries will adopt NIST-standardized algorithms. Several countries — South Korea, China and the United Arab Emirates are among them — are following their own path to build libraries of post-quantum algorithms, said Jung Hee Cheon, a professor of mathematics at Seoul National University in South Korea and director of the Seoul Center for Industrial and Mathematical Data Analysis Research. "I think the market or the business can have a choice, which will allow the best algorithm to win," he predicted.


Furthermore, adopting post-quantum algorithms will be a challenge because the benefits are not immediately apparent. This is a problem related to all cybersecurity: when the system is running securely, everything is fine; but when something breaks, everyone complains. Despite the lack of visibility, Cheon believes adoption is critical. "If quantum computers are adopted after they've been built, the cost will go up dramatically," he warned.

 

What is a hybrid transition?
 
To better transition to post-quantum cryptography, industry and governments are focusing on a hybrid approach: combining post-quantum algorithms with those already in use today. The logic is that if one layer of security is compromised, the protection of another layer can still be relied on. There will be a stage where companies can adopt a hybrid approach, as long as they ensure a clear path that can maintain compatibility while transitioning to the post-quantum era.


Najwa Aaraj, Principal Investigator at TII's Cryptography Research Center, said, "We will need a lot of groundwork to prepare for the post-quantum environment." First, businesses need to ensure cryptographic agility so that they can more easily adopt new post-quantum algorithms. "Most systems today don't have code modularity, meaning that code cannot simply be layered or switched," Aaraj said, in which case the transition to post-quantum cryptography would require more groundwork. "These systems must have a refactoring of the code base and libraries so that we can replace classical encryption schemes with hybrid schemes. Businesses and governments planning to rely on hybrid modes as a way to achieve post-quantum cryptography also need a clear exit strategy to get out of this mode themselves."
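The hybrid layering and the cryptographic agility described in this section can be sketched as follows. This is an added example, not code from the report or from TII's library: the suite names and the policy lists are hypothetical, the two shared secrets are constructed stand-ins for the outputs of a classical key exchange and a post-quantum key encapsulation, and concatenating them into HKDF is one common way to combine them.

```python
import hashlib
import hmac


def hkdf_sha256(salt: bytes, ikm: bytes, info: bytes, length: int = 32) -> bytes:
    """HKDF (RFC 5869) with HMAC-SHA256: extract, then expand."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]),
                         hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


# Hypothetical suite registry: which shared secrets each suite must contribute.
SUITES = {
    "classical-only": ("classical",),
    "hybrid": ("classical", "pq"),
    "pq-only": ("pq",),
}


def negotiate(policy, peer_offers):
    """Pick the first suite in our ordered policy that the peer also offers.

    The policy is configuration, not code: the exit from hybrid mode is a
    change of this list, e.g. ["hybrid", "classical-only"] -> ["hybrid"]
    -> ["pq-only", "hybrid"] -> ["pq-only"].
    """
    for suite in policy:
        if suite in SUITES and suite in peer_offers:
            return suite
    raise ValueError("no mutually acceptable suite")


def derive_session_key(suite, shared_secrets, context):
    """Combine every secret the suite requires into one 32-byte key.

    Each secret is length-prefixed so the concatenation is unambiguous, and
    the suite name is the HKDF salt so keys from different suites never match.
    """
    parts = []
    for component in SUITES[suite]:
        secret = shared_secrets.get(component)
        if not secret:
            raise ValueError(f"suite {suite!r} requires a {component} secret")
        parts.append(len(secret).to_bytes(2, "big") + secret)
    return hkdf_sha256(salt=suite.encode(), ikm=b"".join(parts), info=context)


# Constructed stand-ins for the two key-establishment outputs (assumption:
# a real system obtains these from a key exchange and a KEM).
CLASSICAL_SS = bytes(range(32))
PQ_SS = bytes(range(100, 132))

if __name__ == "__main__":
    secrets_in_hand = {"classical": CLASSICAL_SS, "pq": PQ_SS}
    suite = negotiate(["hybrid", "classical-only"], {"hybrid", "classical-only"})
    key = derive_session_key(suite, secrets_in_hand, b"session-1")
    print(suite, key.hex())
    # An attacker who later recovers only the classical secret still lacks
    # the post-quantum input, so the derived key differs from the real one.
    guess = derive_session_key(
        suite, {"classical": CLASSICAL_SS, "pq": bytes(32)}, b"session-1")
    print("key recoverable from classical secret alone:", guess == key)
```
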

 

What can the government do?

 

Governments have realized that the main actions to strengthen cybersecurity defenses against advanced quantum computers follow two paths: (1) paving the way for quantum computing legislation; and (2) preparing their networks for post-quantum encryption.


Aaraj worries that many governments around the world are ill-prepared for what is to come, exposing their critical infrastructure to attack or to having data stored now decrypted later. The root of the problem lies in the lack of a comprehensive understanding of what assets they even own. Aaraj said: "There is a lack of information management in many places, so there is no inventory of information and crypto assets. Without a thorough assessment of the current inventory, it will be a challenge to understand which systems need more upgrades during the transition." As such, outlining fragile assets is an important early step in the transition to post-quantum cryptography. Recognizing this problem, the White House issued a national security memorandum in January 2022 requiring agencies to inventory their encryption systems within 180 days and report those that do not follow post-quantum algorithms.


While the private sector has undertaken its own quantum computing projects, governments must also support the development of quantum computing. In addition to investing in research, governments can encourage legislation. Establishing laws would help governments clearly demonstrate their commitment to the field and provide a much-needed framework to measure progress towards specific goals.


Much of the federal government’s quantum-related activity stems from the National Quantum Initiative Act of 2018, which allocated $1.25 billion over five years to increase the speed of quantum research and development. The U.S. Quantum Coordination Office (NQCO), a product of the Act, coordinates quantum information science activities across the U.S. federal government, industry, and academia. The National Defense Authorization Act (NDAA) of 2021, which authorizes threat assessments to national security systems, also promotes quantum research and provides threat-related funding.
 
Meanwhile, the European Union, already known for its data security and privacy law, the General Data Protection Regulation, should update its laws to include the threat posed by quantum computing, experts said. As with the weakest link theory, ensuring that cybersecurity systems in all countries develop on a similar path will be key to cybersecurity defenses around the world. Governments should actively share resources and perspectives. Agreements in recent years have shown that this is happening: In 2019, Japan and the United States signed an agreement to collaborate on quantum science and technology research.


Meanwhile, quite a few governments are building their own programs to develop post-quantum algorithms. Governments can encourage adoption of such algorithms through incentives, raise awareness of the threats posed by future quantum computers, encourage the transition to post-quantum cryptography, and build trust by leading the transition to standardized post-quantum algorithms.


 Conclusion

 

The development of quantum computing could seriously disrupt public key cryptography. Devices today need to be protected from potential quantum hackers. Proactive security, which is entirely in their own interest, requires a concerted public and private sector effort to develop a rigorous plan for the adoption of post-quantum cryptography, as well as standardized algorithms for such systems.


Adoption of post-quantum algorithms may not be achieved overnight, but it needs to happen sooner rather than later. Hackers are compromising data security by gaining access to sensitive data, and businesses, organizations, and governments need to prepare today to ensure system security:


(1) Modularization


(2) Encryption friendly


(3) Ready to integrate with post-quantum cryptography


As businesses become familiar with the layout of the quantum age, it may be a good idea to transition to a hybrid model. But companies also need a clear plan for when and how to complete the transition to post-quantum cryptography. As Aaraj puts it: "Today's businesses need to protect themselves from the threats of tomorrow's technology."

 

Link:
https://mittrinsights.s3.amazonaws.com/MIT-TII-Quantum.pdf

 

 

2022-03-31