For years, there has been persistent chatter that quantum computing is coming and that organizations should be prepared for its arrival. But what exactly is quantum computing, and why should organizations be concerned about its impact on cybersecurity? This article explains what quantum computing is, when it is expected to arrive, and what its anticipated impact on cybersecurity is.
What is Quantum Computing?
Since the beginning, traditional computers have operated in the binary realm, using bits that represent ones and zeros to calculate and process data. Current computers are limited in their abilities because they can only deal with one set of inputs and one calculation at a time. Enter qubits, which are volatile and changeable by nature and responsible for powering quantum computers.
Thanks to the principle of quantum superposition, qubits can store the values of one and zero at the same time. This means that quantum computers can solve multiple calculations with multiple inputs at the same time.
Quantum superposition gives a group of qubits the ability to explore different paths through calculations. When programmed correctly, paths leading to incorrect answers are ignored while the correct answer(s) are left highlighted. Thus, quantum computers are expected to be a valuable tool for businesses because they perform fewer calculations to find solutions, which saves time and money. Their power has the potential to be transformative and disruptive to business because of their ability to solve puzzling business questions and tackle other issues like optimizing financial portfolios, training artificial intelligence, and designing efficient logistics networks. It is also anticipated that quantum computers will transform cybersecurity.
When Will Quantum Computing Come?
In its recent report “The Next Tech Revolution: Quantum Computing,” McKinsey & Company notes that quantum computing is currently in its infancy. But by 2025, it is expected that industries like finance will start to see the benefits of quantum computing. As it becomes more accessible through the cloud or on its own, it is likely that other industries will follow suit.
Digging deeper into McKinsey & Company’s projections for quantum computing’s arrival, it is more realistic to expect a longer time frame of at least 10 years before it reaches mass adoption. It is estimated that there could be 2,000 to 5,000 quantum computers throughout the world by 2030. However, it could be 2035 before these tools are in place to tackle business issues because of the numerous pieces of hardware and software required. The finance industry is the industry most expected to benefit from the introduction of quantum computing.
How It’s Expected to Impact Cybersecurity
While it is expected that quantum computing will transform industries, especially finance, it will also transform cybersecurity. Even though quantum computing is not expected to become widespread until 2030 or later, businesses should begin preparing for its arrival today. Why? It is believed that quantum computers will someday be capable of factoring the large numbers, built from primes, that asymmetric encryption methods rely on. These methods are the foundation of current data security systems, so it is time for businesses to reevaluate their cryptography systems.
Traditional encryption relies on the manipulation of large prime numbers. It is difficult for present-day computers to crack these numbers. However, since quantum computing will be able to parse such complex data much more quickly, a new generation of quantum-resistant encryption algorithms is needed to avoid potentially catastrophic security breaches across the business world.
There are currently no quantum computers capable of managing the massive number of qubits needed to perform the factoring required to crack current security. But 10 to 20 years from now, this is likely to change, which would put businesses, including the finance industry, at increased risk. Therefore, scientists, policy makers, and cybersecurity experts are setting their sights on developing post-quantum cryptography (PQC) to address these expected issues.
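The link between factoring and broken encryption described above, as an added example that is not part of the original article: it uses textbook RSA as the asymmetric scheme (the article does not name one) and shows that factoring the public modulus is enough to rebuild the private key. The primes, message and function names are constructed for illustration, and the modulus is tiny so that trial division can stand in for the factoring step.

```python
from math import gcd, isqrt

def make_keypair(p, q, e=65537):
    """Build a textbook RSA key pair from two primes (no padding; demo only)."""
    n, phi = p * q, (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to (p-1)(q-1)")
    return (n, e), pow(e, -1, phi)  # public key, private exponent d

def factor(n):
    """Trial division. Feasible only because the demo modulus is tiny."""
    for candidate in range(2, isqrt(n) + 1):
        if n % candidate == 0:
            return candidate, n // candidate
    raise ValueError("no non-trivial factor found")

def private_exponent_from_public(public_key):
    """Rebuild d from public data alone, given the ability to factor n."""
    n, e = public_key
    p, q = factor(n)
    return pow(e, -1, (p - 1) * (q - 1))

def demo():
    # Constructed sample values: two small primes and an arbitrary message.
    public_key, d = make_keypair(1009, 2003)
    n, e = public_key
    message = 424242
    ciphertext = pow(message, e, n)
    recovered_d = private_exponent_from_public(public_key)
    # The private key and the plaintext both fall out of the factorisation.
    return recovered_d == d, pow(ciphertext, recovered_d, n) == message

if __name__ == "__main__":
    print(demo())
```

With real key sizes the `factor` step is what present-day computers cannot complete; everything after it is cheap arithmetic.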
NIST Shortlists the Round 3 Candidates for Post-Quantum Encryption
The National Institute of Standards and Technology (NIST) is taking quantum computing’s threat to cybersecurity very seriously. Since 2015, NIST has been seeking new encryption algorithms to replace those that a quantum computer could potentially break.
In 2016, NIST began its open request for proposals and algorithm submissions. The organization released its criteria for the encryption and guidelines for public submissions of candidate algorithms. Initially, 69 viable candidates were submitted from across the globe. By conducting cryptanalysis, NIST was able to break some of the algorithms received and examine how the code could execute and operate within current machines. In 2020, NIST announced their round 3 shortlist of 7 finalists and 8 alternate candidates. It is expected that NIST will soon (at the time of writing) announce their first set of quantum-resistant encryption algorithms that have been chosen for standardization.
How to Become Post-Quantum-Prepared and Standardized
So how does a business become post-quantum-prepared? First, do not wait until NIST issues its standard. The time to become post-quantum-prepared is now. Begin by determining what data is most likely to be sought out by cybercriminals.
Keeping the amount of important/vulnerable data in mind, develop a strategy that addresses the business’s priorities for using quantum-resistant encryption, and make a plan to upgrade your infrastructure for the next several years.
Ensure that the:
- PQC candidates will provide an elevated level of post-quantum robustness.
- Chosen algorithm will assure legal compliance and assertion.
Typical investments in the banking sector have an investment horizon of 10 years. PQC is likely to appear during this period, and algorithms and standards will change as additional knowledge is gained, as standards evolve, and in response to zero-day leaks. This calls for an agile cryptographic architecture that can absorb modifications in the shortest possible time and with minimal effort.
Cryptomathic’s Crypto Service Gateway (CSG) provides a crypto-agile platform, which enables rapid replacement of algorithms and policies in an automated way. With Cryptomathic’s crypto-agile solutions, banks will be able to run a hybrid strategy to enable a seamless 2-step migration to PQC:
- Planning: prioritizing the application migrations while retaining the use of current algorithms compliant with banking regulations will assure that the institutions will provide proven security and legal assertion for the time being.
- Migration: when the time is right, the migration to algorithms from NIST's PQC candidate pool will bring the highest security in the long term, in line with technical advances in quantum technology. When using Cryptomathic CSG, the switch-over from current cryptographic algorithms to PQC can be as simple as a few mouse clicks.
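A minimal sketch of the crypto-agile pattern and two-step migration described above, as an added example (it is not Cryptomathic CSG code and does not reflect its API): callers never name an algorithm, a central policy does, and every output records the algorithm that produced it so existing data still verifies while new data moves to the replacement. The registry, policy fields and function names are hypothetical, and standard-library HMACs stand in for the current and post-quantum algorithms.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Hypothetical registry of algorithm ids. Standard-library HMACs stand in for the
# "current" and "post-quantum" algorithms; a real deployment plugs in vetted ones.
REGISTRY = {
    "classical-v1": lambda key, msg: hmac.new(key, msg, hashlib.sha256).digest(),
    "pq-standin-v2": lambda key, msg: hmac.new(key, msg, hashlib.sha512).digest(),
}

@dataclass(frozen=True)
class CryptoPolicy:
    active: str          # algorithm applied to new data
    accepted: frozenset  # algorithms still trusted when verifying

def protect(policy, key, msg):
    """The policy chooses the algorithm; the output records which one was used."""
    return f"{policy.active}:{REGISTRY[policy.active](key, msg).hex()}"

def verify(policy, key, msg, token):
    alg, _, tag_hex = token.partition(":")
    # The id inside the token is untrusted input: honour it only if policy allows it.
    if alg not in policy.accepted or alg not in REGISTRY:
        return False
    try:
        received = bytes.fromhex(tag_hex)
    except ValueError:
        return False
    return hmac.compare_digest(REGISTRY[alg](key, msg), received)

def migration_demo(key=b"constructed-demo-key", msg=b"constructed message"):
    planning = CryptoPolicy("classical-v1", frozenset({"classical-v1"}))
    migrating = CryptoPolicy("pq-standin-v2", frozenset(REGISTRY))
    retired = CryptoPolicy("pq-standin-v2", frozenset({"pq-standin-v2"}))
    old_token = protect(planning, key, msg)
    new_token = protect(migrating, key, msg)
    return {
        "new_data_uses": new_token.split(":")[0],
        "old_data_valid_during_migration": verify(migrating, key, msg, old_token),
        "old_data_valid_after_retirement": verify(retired, key, msg, old_token),
        "new_data_valid_after_retirement": verify(retired, key, msg, new_token),
    }

if __name__ == "__main__":
    print(migration_demo())
```

The allow-list check in `verify` is what prevents a downgrade: once an algorithm is removed from `accepted`, a token that claims it is rejected regardless of its tag.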
References and Further Reading
- Selected Articles on Quantum Cryptography (2017-today), by Dawn M. Turner, Rob Stubs, Terry Anton and more
- Selected Articles on Crypto-Agility (2017-today), by Dawn M. Turner, Jasmine Henry, Rob Stubs, Terry Anton and more
- The next tech revolution: quantum computing (2020), by McKinsey & Company
- Post-Quantum Cryptography (retrieved 15.01.2022), by the NIST Information Technology Laboratory - Computer Security Resource Center
- Final Version of NIST Cloud Computing Definition Published by the National Institute of Standards and Technology, October 2011.
- NISTIR: Report on Post-Quantum Cryptography by the National Institute of Standards and Technology, April 2016.
- Cryptomathic Answers Compliance-Driven Call for Crypto-Agility by Cryptomathic, May 2018.