sakkmesterke - stock.adobe.com
A great deal of investment is being made in developing quantum computers, especially by China, and once that goal has been reached, many current encryption methods could be compromised.
The ability of quantum computers to crack most encryption systems in use today has raised fears that failure to take action could leave critical infrastructure, banking and healthcare networks vulnerable, with the first practical quantum computers expected within the next five to 10 years.
Specifically, quantum computers are expected to be able to carry out integer factorisation of very large prime numbers and compute discrete logarithms very quickly, but many current algorithms are based on the assumption that these processes currently require significant time, effort and computing power.
At Infosecurity Europe 2018 in London in May, a top European chief information security officer urged the security community to prepare for quantum computing to ensure their encryption processes are ready in time, and Airbus is doing just that, according to Ian Goslin, UK managing director of Airbus cyber security.
“We are working with various national authorities as well as internally to see how we can provide cryptographic capabilities that are quantum resistant.
“It is something we are continually reviewing because there is no point in waiting until quantum computing is a reality because then it will be too late to look at taking a different approach to cryptography,” he said.
At Infosecurity Europe, Jay Baloo, CISO of KPN Telecom in the Netherlands, explained that the problem arises when it comes to asymmetric encryption. “It is all the public key cryptography that is out there because it is based on complex mathematical problems that would even take a super computer a long time to solve, but that principle breaks down with quantum computers,” she said.
Goslin believes that meeting this challenge will involve a combination of things, including changes to algorithms and the way cryptography systems are developed and architected.
“We are always looking at how we can ensure that what we provide to governments is resilient, secure and able to resist any increases in computing capability,” he said.
Until now, Goslin said technology has not been evolving at a pace that has required frequent revisions. “When I joined the military, a new cryptography system had just been introduced, and when I left 28 years later that same system was still secure,” he said.
However, in future Goslin said he does not expect cryptography systems to have a similar longevity, with the effective life of any new system being significantly shorter than similar systems in the past.
“We are likely to see a much more frequent refresh of cryptography systems in future to keep ahead of advances in computing technology,” he said. “We are going to have to put a lot more effort into looking at this problem on an on-going basis as technology continues to speed up everything.”
The good news, according to Jaya Baloo, is that all the symmetric encryption currently in use is unlikely to be affected by the arrival of quantum computing.
“As long as we keep refreshing keys and following best practices for transferring keys, we are good to go,” she said.
Full integration far off
As for the rest, Baloo said it could take up to 20 years for quantum computing proof algorithms to mature and be fully integrated into organisations. However, she said there are things that information security professionals can and should do now to ensure they are not totally defenceless.
“It is about ensuring that organisations are agile when it comes to encryption and have the ability to adapt and to implement post-quantum ciphers and algorithms when they become available,” said Baloo.
To do this, she said organisations should consider extending the length of their encryption keys to the maximum possible under whatever encryption system they are using to help defend against the first quantum computers, they should consider implementing quantum key distribution to preserve the integrity and confidentiality of data and they should should start preparing to replace existing algorithms with post quantum algorithms.
While some exist already, the US National Institute of Standards and Technology (Nist) is planning to publish new ones once a selection process is completed.
“Organisations can already start considering what are their vital parts of their network where post quantum algorithms should be implemented and talking to their suppliers to ensure that the new algorithms will be supported by their hardware when the algorithms are released by Nist,” she said.
In response to concerns that quantum computers could crack many of the encryption methods used to protect highly sensitive data, BT announced in June 2018 that it has developed a “quantum-secured” network as part of a project co-funded by the Engineering and Physical Sciences Research Council (EPSRC).
The quantum-secured link, which will connect to the Cambridge Metropolitan QKD (quantum key distribution) Network, runs across a standard fibre connection through multiple BT exchanges over a distance of 120km, making it the first high-speed “real-world” deployment of quantum-based network security in the UK.
The network link, which is capable of transferring 500Gbps of data, will explore and validate use cases for QKD technologies. This will include how the technology can be deployed to secure critical national infrastructure, as well as to protect the transfer of critical data, such as sensitive medical and financial information.