By Elle Zesky
Analyst, Center for Terrorism, Extremism, and Counterterrorism
It is highly likely that Quantum Computing technologies (QCT) will pose a significant data security risk over the next ten years. However, given the complexity of the technology and the resource overhead it requires, it is highly unlikely that any attack using QCT would come from a non-state actor. Rather, any abuse of QCT would likely be a state-sanctioned cyber-attack. The members of the GIFCT have an obligation to their users to move away from cryptographic algorithms which are vulnerable to quantum cryptanalytic techniques and to seek out Post Quantum Encryption (PQE) techniques. Quantum Computers capable of breaking commercial encryption are inevitable and lie in the not-so-distant future. It is projected that the world’s leaders in this technology may reach this capability as early as 2023 and could reach a 1 million qubit capacity by 2030.
Overview: The Race Towards the Quantum Age
There is a global cyber-arms-race underway. The goal is the creation of a powerful Quantum Computer. Most countries involved project that they will be able to achieve quantum supremacy in the next ten years. The front runners of this race have proven to be private sector technology companies within the United States and China, working from both institutional and government-awarded funding. Quantum computing could drive the development of life-saving medications and rapid developments in machine learning, lead to the dawn of a new secure communications age, and create the architecture for a faster, more sustainable technological future.
However, it could also lead to the breaking of all modern encryption networks and break modern computer security methods as we know them. With the development of QC comes an existential threat to everything which is guarded by Advanced Encryption Standard (AES) encryption. AES is often used to encrypt government classified documents. RSA (Rivest-Shamir-Adleman) and ECDSA (Elliptic Curve Digital Signature Algorithm) are used to encrypt nearly all passwords and websites used by the public. Public Key Encryption (PKE) would be easily broken by QC, and parallel ‘Brute Force Attacks’ could be carried out at a pace and success rate never before seen.
In 2019, Google created the Sycamore quantum processor (QP), which was able to perform specific tasks in 200 seconds. The specific tasks completed would have taken the world’s fastest supercomputer 10,000 years to complete. In doing so, the Sycamore QP reached ‘Quantum Supremacy’. This QP comprises only 54 qubits (running at 53). However, Google has a plan to reach 1 million qubits by 2030. In 2020, IBM’s Quantum Computing mission created the largest known QP at 65 qubits and released a road map for the development of its quantum computers. Its largest goal is to have a QP containing 1000 qubits by 2023. This is to say, developments in QC are moving quickly and the members of the GIFCT should feel obligated to begin preparing today.
What is a Quantum Computer?
It is imperative to understand that the development of Quantum Computers will not wipe out the usage of conventional computers. It is also important to understand that QCs cannot behave as, and are not designed to be used as, conventional computers. QCs must be designed specifically to complete targeted operations. For bad actors who are not affiliated with a state actor, Quantum Computers will not be economically feasible, accessible or a likely mode of attack.
A QC utilizes quantum mechanics, which allows it to run on qubits rather than the typical bit. Where a ‘bit’ exists as a 1 or 0, an electronic or optical pulse, a qubit exists as a subatomic particle, like an electron or photon. A qubit is subject to ‘superposition’, meaning a single qubit can exist as a combination of 0 and 1 at the same time. This allows a QC to get through many potential outcomes simultaneously, which results in a quantum ‘collapse’ into 1 or 0. This is the key to a QC’s speed.
Why Quantum Computers Pose a Threat to Encryption and Passwords
Due to superposition, bad actors could move through mathematical and algorithmic obstacles faster than ever before. Thanks to these phenomena, qubits lead to exponential processing power: so much that if a QC is designed specifically for a certain cryptographic target, it could eventually work its way through every possible permutation of cryptographic keys very quickly, effectively carrying out a Brute Force Attack to get into personal accounts or decrypt data.
QCs which can carry out such attacks on a small scale already exist, as stated above. This is not a problem to leave to the future. It is complex enough and worrisome enough that it must be tackled as soon as intelligent capability is identified.
How Does it Work: The Shor and Grover Algorithms
Advanced QCs, when designed specifically, can solve some of the most common methods of encryption. Often, QCs utilize either the Shor or Grover algorithms. Shor’s algorithm gives an exponential gain over classic computational algorithms as it pertains to integer factorization and discrete logarithms. This leaves cryptosystems like RSA, which depends on factoring being impossible for large enough integers, vulnerable to being broken by Shor’s algorithm run on an advanced QC.
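The link between factoring and Shor's algorithm can be shown on a toy scale. The following is an added example, not part of the original report: it runs the classical reduction from factoring to order finding, with the order found by brute force, which is the one step a quantum computer would accelerate. The modulus 3233 and all function names are constructed for illustration.

```python
from math import gcd

def multiplicative_order(a, n):
    """Smallest r > 0 with a**r % n == 1 (requires gcd(a, n) == 1).
    Brute force here; this period-finding step is the part Shor's
    algorithm hands to the quantum computer."""
    r, x = 1, a % n
    while x != 1:
        x = (x * a) % n
        r += 1
    return r

def factor_via_order(n, bases=range(2, 50)):
    """Classical reduction from factoring n to order finding.
    Returns a sorted pair of non-trivial factors, or None."""
    if n < 3:
        return None
    for a in bases:
        g = gcd(a, n)
        if g == n:
            continue                      # a is a multiple of n: useless base
        if g != 1:
            return tuple(sorted((g, n // g)))  # base already shares a factor
        r = multiplicative_order(a, n)
        if r % 2:
            continue                      # odd order: try another base
        y = pow(a, r // 2, n)             # y*y == 1 (mod n) and y != 1
        if y == n - 1:
            continue                      # trivial square root of 1: retry
        p = gcd(y - 1, n)                 # non-trivial root exposes a factor
        return tuple(sorted((p, n // p)))
    return None

TOY_MODULUS = 3233  # constructed sample: 53 * 61, far below real RSA sizes

if __name__ == "__main__":
    print("order of 2:", multiplicative_order(2, TOY_MODULUS))
    print("factors:", factor_via_order(TOY_MODULUS))
```

The brute-force loop takes time exponential in the bit length of the modulus, which is why this reduction is harmless on classical hardware at real key sizes.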
Grover’s algorithm gives a quadratic advantage in database searches. Theoretically, Grover’s algorithm could weaken the security of any symmetric cryptographic algorithm, and this includes AES. Grover’s algorithm does have limitations. Hash functions which produce 256-bit outputs are not currently expected to be threatened by the present state of quantum computing. Even if Grover’s algorithm is utilized, it would take 2400 qubits to break a hash function like SHA256 (a partner function to AES).
However, Grover’s algorithm opens the door to password insecurity. Password hashing is at a higher risk because the space of user passwords is not very large. For example, a 10-character password could be worked through by Grover’s algorithm in about 10 billion steps, which at the speed of a classical processor would take only a few seconds.
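The quadratic advantage described above can be turned into a sizing check for secrets. This is an added example, not part of the original report; it assumes uniformly random secrets, a 95-symbol printable-ASCII alphabet (the report does not state one), and the standard estimate of about (π/4)·√N Grover iterations for a search space of N items.

```python
from math import ceil, log2, pi, sqrt

PRINTABLE_ASCII = 95  # assumed alphabet size; not given in the report

def grover_queries(space):
    """Approximate Grover iterations to find one item among `space`."""
    return ceil(pi / 4 * sqrt(space))

def security_bits(space):
    """(classical, quantum) exhaustive-search cost in bits.
    Grover halves the exponent: 2**k guesses become about 2**(k/2)."""
    classical = log2(space)
    return classical, classical / 2

def min_length(alphabet, target_quantum_bits):
    """Shortest uniformly random secret over `alphabet` symbols whose
    Grover search cost is at least 2**target_quantum_bits."""
    return ceil(2 * target_quantum_bits / log2(alphabet))

def assess(policies, target_quantum_bits=64):
    """Rate (name, alphabet, length) policies against a quantum target."""
    rows = []
    for name, alphabet, length in policies:
        classical, quantum = security_bits(alphabet ** length)
        rows.append((name, round(classical, 1), round(quantum, 1),
                     quantum >= target_quantum_bits))
    return rows

if __name__ == "__main__":
    # Constructed sample policies, for illustration only.
    sample = [("10 printable chars", PRINTABLE_ASCII, 10),
              ("20 printable chars", PRINTABLE_ASCII, 20),
              ("256-bit key", 2, 256)]
    for row in assess(sample):
        print(row)
    print("10-char Grover steps:", grover_queries(PRINTABLE_ASCII ** 10))
    print("length for 128 quantum bits:", min_length(PRINTABLE_ASCII, 128))
```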
The Answer: Post Quantum Encryption
Overall, the end goal is for all computational and cryptographic systems to be encrypted with Post Quantum Encryption methods. Post Quantum Encryption (PQE) can be implemented using today’s classical computers and will help the computers of tomorrow be impervious to attacks from quantum computers. However, developing methods of PQE takes an extreme amount of mathematical know-how and expertise. One of the strategies to achieve PQE is to increase the size of a digital key. This raises the amount of computational power exponentially.
Other strategies include developing more complex ‘trapdoor’ functions. To do this, the world’s best mathematicians would have to develop such complex mathematical equations that even Shor’s algorithm couldn’t solve them without so much overhead that the utilization of a QC would be rendered useless.
Regardless, the goal is to make sure that whatever strategy is adopted can be spread widely, quickly enough to outpace bad actors, and with enough accessibility that all personal use machines which contain data can quickly update to the new encryption standards. Leading institutions like the US National Institute of Standards and Technology (NIST) claim they are likely to begin drafting techniques as early as 2022.
Members of the GIFCT should act proactively to prepare user data for the quantum age. It is crucial for the United States to continue to fund projects which develop Post Quantum Cryptography, biometrics, and secure coprocessors, and to fund teams which aim to develop a system to replace RSA and ECDSA cryptography and static passwords.
In the liminal period, all members of GIFCT which house personal data must either force a password reset and enforce stricter password standards or move away from passwords altogether, swiftly, with a strong meantime method. The members of the GIFCT should also begin encrypting their sites using hash functions which produce at least 256-bit outputs. Members should instead seek to move into the use of biometrics, one-time-passwords, device identification and multi-factor authentication.
Leveling the Playing Field During the Shift: Coprocessors and Equity
It is highly unlikely that Quantum Computers or Quantum Computing technology will be widely available to the public anytime soon. It will likely be governments who utilize the technology first. As such, governments will be able to, at will, get into personal devices without needing to ask tech companies for backdoor entries. While this may sound far-fetched, the 2017 Las Vegas shooting posed an interesting ethical dilemma for the private sector.
As such, large software companies should seek to develop a coprocessor which can run post quantum encryption and protect users’ devices from unlawful QCT attacks and data breaches. These coprocessors would likely be comparable to Apple’s T2 security chip, which seeks to prevent malicious actors from gaining access to users’ devices and stealing the user’s data.
This would also allow for a safe transition between the time when no user devices utilize PQE and the time when all user devices utilize PQE, as it is highly unlikely that all devices could or would be updated in the same instant. It is also within the scope of recommendation for the members of GIFCT to seek development in technological capacity building. With the speed at which QC development is moving, all demographics should be able to enjoy secure and equitable cyber access as the world moves into an increasingly technology-dependent landscape.
Via LinkedIn: https://www.linkedin.com/in/elle-zesky-279667162/
Graduate Research Assistant: Extremist Content Monitoring at the Center on Terrorism, Extremism, and Counterterrorism (CTEC)
Analyst, MP Strategic Group
MPSG will continue to follow these trends as they unfold. It is important to know that this topic is a developing one, and will warrant subsequent inquiries by MP Strategic Group. All content-related inquiries may be directed to Robert Sanchez, Director of Research, MP Strategic Group LLC. (email@example.com)