For years there has been persistent chatter that quantum computing is coming and that organizations should be prepared for its arrival. But what exactly is quantum computing, and why should organizations be concerned about its impact on cybersecurity? This article explains what quantum computing is, when it is expected to arrive, and what its anticipated impact on cybersecurity is.
What is Quantum Computing?
Since the beginning, traditional computers have operated in the binary realm, using bits that represent ones and zeros to calculate and process data. Current computers are limited because they can only deal with one set of inputs and one calculation at a time. Enter qubits, volatile and changeable by nature, which power quantum computers.
Thanks to the principle of quantum superposition, qubits can hold the values one and zero at the same time. This gives quantum computers the ability to work on multiple calculations simultaneously, each with multiple inputs. Quantum superposition lets a group of qubits explore different paths through a calculation. When programmed correctly, paths leading to incorrect answers cancel out while the correct answer(s) are left highlighted. Thus, quantum computers are expected to be a valuable tool for business because they perform fewer calculations to find solutions, which saves time and money. Their potential is transformative and disruptive because of their ability to solve puzzling business questions and tackle other problems such as optimizing financial portfolios, training artificial intelligence, and designing efficient logistics networks. It is also anticipated that quantum computers will transform cybersecurity.
When Will Quantum Computing Come?
In its recent report “The Next Tech Revolution: Quantum Computing”, McKinsey & Company notes that quantum computing is currently in its infancy, but it is expected that industries like finance may begin to realize gains from quantum computing by 2025. Other industries are expected to follow as the technology becomes more accessible through the cloud or available on its own.
Digging deeper into McKinsey & Company’s projections for quantum computing’s arrival, it is more realistic to expect a longer time frame of at least 10 years before it reaches mass adoption. It is estimated that there could be 2,000 to 5,000 quantum computers throughout the world by 2030. However, it could be 2035 before these tools are in place to tackle business issues, because of the numerous pieces of hardware and software required. The finance industry is the one expected to benefit most from the introduction of quantum computing.
How It’s Expected to Impact Cybersecurity
While quantum computing is expected to transform industries, especially finance, it will also transform cybersecurity. Even though quantum computing is not expected to go mainstream before 2030 or later, now is the time for businesses to begin preparing for its arrival. Why? It is anticipated that quantum computers will eventually be capable of factoring the large numbers, products of primes, used by asymmetric encryption algorithms, which form the basis of current data security systems. That means it is time for businesses to reassess their cryptography systems.
Traditional asymmetric encryption relies on arithmetic with large prime numbers, and it is infeasible for present-day computers to recover these numbers from the public key. However, since quantum computers will be able to solve this kind of problem much more quickly, a new generation of quantum-resistant encryption algorithms is needed to avoid potentially catastrophic security breaches across the business world.
Today, there are no quantum computers that can manage the massive number of qubits needed to perform the factoring required to crack current security. But 10 to 20 years from now this is likely to change, which would put businesses, including the finance industry, at increased risk. Therefore, scientists, policy makers, and cybersecurity experts are setting their sights on developing post-quantum cryptography (PQC) to address these expected issues.
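To make the point above concrete, here is an added illustration (not code from the article or from Cryptomathic) using a toy RSA key built from constructed small primes: the private exponent is fully determined by the factors of the public modulus, so whoever can factor n, whether by trial division on a toy modulus as here or by a large quantum computer on a real 2048-bit one, holds the private key.

```python
"""Toy RSA: the private key is nothing more than the factorization of n.
Added illustration with constructed small primes; not the article's code."""
import math


def rsa_keygen(p: int, q: int, e: int = 65537):
    """Standard RSA key derivation from two primes (constructed toy sizes)."""
    n, phi = p * q, (p - 1) * (q - 1)
    if math.gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    d = pow(e, -1, phi)  # private exponent, computable only from phi(n)
    return (n, e), (n, d)


def factor_by_trial_division(n: int):
    """Classical factoring: instant for a toy n, hopeless for a real modulus."""
    if n % 2 == 0:
        return 2, n // 2
    for cand in range(3, math.isqrt(n) + 1, 2):
        if n % cand == 0:
            return cand, n // cand
    raise ValueError("no non-trivial factor found")


def recover_private_key(public_key):
    """Rebuild the private key from the public key alone, given a factoring oracle.
    This is exactly the capability a large quantum computer is expected to have."""
    n, e = public_key
    p, q = factor_by_trial_division(n)
    return n, pow(e, -1, (p - 1) * (q - 1))


def encrypt(public_key, m: int) -> int:
    n, e = public_key
    return pow(m, e, n)


def decrypt(private_key, c: int) -> int:
    n, d = private_key
    return pow(c, d, n)


def demo() -> bool:
    """Constructed primes (the 10,000th and 100,000th primes); returns True if
    an attacker who factors n decrypts a message without ever seeing d."""
    public_key, private_key = rsa_keygen(104729, 1299709)
    ciphertext = encrypt(public_key, 42)
    recovered = recover_private_key(public_key)
    return recovered == private_key and decrypt(recovered, ciphertext) == 42
```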
NIST Shortlists the Round 3 Candidates for Post-Quantum Encryption
The National Institute of Standards and Technology (NIST) is taking quantum computing’s threat to cybersecurity very seriously. Since 2015, NIST has been seeking new encryption algorithms to replace those that a quantum computer could potentially break.
In 2016, NIST began its open request for proposals and algorithm submissions. The organization released its criteria for the encryption and guidelines for public submissions of candidate algorithms. Initially, 69 viable candidates were submitted from across the globe. By conducting cryptanalysis, NIST was able to break some of the algorithms received and examine how the code could execute and operate within current machines. In 2020, NIST announced its round 3 shortlist of 7 finalists and 8 alternate candidates. It is expected that NIST will soon (at the time of writing) announce the first set of quantum-resistant encryption algorithms chosen for standardization.
How to Become Post-Quantum-Prepared and Standardized
So how does a business become post-quantum-prepared? Firstly, do not wait until NIST issues its standard. The time to become post-quantum-prepared is now. Begin by determining what data is most likely to be sought out by cybercriminals.
With the amount of important and vulnerable data in mind, develop a strategy that sets the business’s priorities for adopting quantum-resistant encryption, together with a plan to upgrade the infrastructure over the next several years.
Ensure that the:
- PQC candidates will provide an elevated level of post-quantum robustness.
- Chosen algorithm will assure legal compliance and assertion.
Typical investments in the banking sector have an investment horizon of 10 years. PQC is likely to appear during this period, and changes in algorithms and standards, driven by additional knowledge, evolving standards and zero-day leaks, call for an agile cryptographic architecture that can absorb such modifications in the shortest possible time and with minimal effort.
Cryptomathic’s Crypto Service Gateway (CSG) provides a crypto-agile platform, which enables rapid replacement of algorithms and policies in an automated way. With Cryptomathic’s crypto-agile solutions, banks will be able to run a hybrid strategy to enable a seamless 2-step migration to PQC:
- Planning: prioritizing the application migrations while retaining the use of current algorithms compliant with banking regulations will assure that the institutions will provide proven security and legal assertion for the time being.
- Migration: when the time is right, the migration to algorithms from NIST’s PQC candidate pool will bring the highest security in the long term, in line with technical advances in quantum technology. When using Cryptomathic CSG, the switch-over from current cryptographic algorithms to PQC can be as simple as a few mouse clicks.
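The two-step hybrid migration described above can be sketched in code. This is an added illustration of the crypto-agility pattern, not Cryptomathic’s CSG code: every protected object carries algorithm identifiers, a policy decides which algorithms are required, and the switch-over is a policy change rather than a code change. HMAC-SHA256 stands in for the current, regulation-compliant algorithm and HMAC-SHA3-512 for a future PQC candidate; the primitives and keys are constructed placeholders, and the mechanism is what matters.

```python
"""Crypto-agile envelope with per-algorithm tags and a two-step hybrid policy.
Added illustration, not Cryptomathic's code. The two MACs below are
stand-ins for 'current' and 'PQC' algorithms (constructed assumption)."""
import hashlib
import hmac

# Registry: algorithm identifier -> tag function. Adding a new PQC algorithm
# is one registry entry; envelope producers and consumers do not change.
ALGORITHMS = {
    "CURRENT": lambda key, data: hmac.new(key, data, hashlib.sha256).digest(),
    "PQC-CANDIDATE": lambda key, data: hmac.new(key, data, hashlib.sha3_512).digest(),
}
# Constructed demo keys; a real deployment would fetch them from an HSM/key store.
KEYS = {"CURRENT": b"constructed-demo-key-1", "PQC-CANDIDATE": b"constructed-demo-key-2"}

# The three policy phases of the migration described in the article.
PLANNING = ["CURRENT"]
HYBRID = ["CURRENT", "PQC-CANDIDATE"]
MIGRATED = ["PQC-CANDIDATE"]


def protect(data: bytes, policy: list) -> dict:
    """Tag the data with every algorithm the active policy lists."""
    return {
        "data": data.hex(),
        "tags": {alg: ALGORITHMS[alg](KEYS[alg], data).hex() for alg in policy},
    }


def verify(envelope: dict, policy: list) -> bool:
    """Accept only if every algorithm the *current* policy requires has a valid tag.
    Tags from algorithms no longer in the policy are simply ignored, which is how
    an algorithm withdrawn after a break drops out without touching stored data."""
    data = bytes.fromhex(envelope["data"])
    for alg in policy:
        tag_hex = envelope["tags"].get(alg)
        if alg not in ALGORITHMS or tag_hex is None:
            return False
        expected = ALGORITHMS[alg](KEYS[alg], data)
        if not hmac.compare_digest(bytes.fromhex(tag_hex), expected):
            return False
    return True


def legacy_needs_reprotection(envelope: dict) -> bool:
    """True if an envelope produced in the planning phase would be rejected once
    the policy moves to MIGRATED, i.e. it must be re-protected before cut-over."""
    return verify(envelope, PLANNING) and not verify(envelope, MIGRATED)
```

Running this shows the practical lesson of the hybrid step: objects protected under the HYBRID policy verify under all three phases, while objects created under PLANNING alone fail the moment the policy flips to MIGRATED, so the inventory step is what makes the final switch-over cheap.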
References and Further Reading
- Selected Articles on Quantum Cryptography (2017 to today), by Dawn M. Turner, Rob Stubs, Terry Anton and others
- Selected Articles on Crypto-Agility (2017 to today), by Dawn M. Turner, Jasmine Henry, Rob Stubs, Terry Anton and others
- The Next Tech Revolution: Quantum Computing (2020), by McKinsey & Company
- Post-Quantum Cryptography (retrieved 15.01.2022), by the NIST Information Technology Laboratory, Computer Security Resource Center
- Final Version of NIST Cloud Computing Definition Published (October 2011), by the National Institute of Standards and Technology
- NISTIR: Report on Post-Quantum Cryptography (April 2016), by the National Institute of Standards and Technology
- Cryptomathic Answers Compliance-Driven Call for Crypto-Agility (May 2018), by Cryptomathic