Willow and the Countdown to Quantum Breaches

The race is on to develop the first Cryptographically Relevant Quantum Computer.

Whatever the discovery, whether a life-saving drug or revolutionary alloys and semiconductors, we want it sooner. Supercomputers have responded, and have sped up such discoveries for decades, says a Microsoft technical report.

The power of an exascale supercomputer could move a new drug from idea to clinical trial in a year, Hewlett-Packard Enterprise said in 2023.

Quantum computing produces computational results exponentially faster than modern supercomputers. Global Tech Council, an organization that provides education on cutting-edge technologies, said Google’s new Willow quantum computer chip solved a benchmark computation in under five minutes that would take the fastest classical supercomputers, such as Frontier, approximately 10 septillion (10²⁴) years.

The ever-increasing speed of quantum computers bodes both well and poorly for cybersecurity. Cybersecurity experts expect quantum encryption will prevent cybercriminals from using quantum computers to decrypt sensitive data. Cybercriminals have been waiting for quantum computing so they can use it to break the existing encryption that protects stolen password databases. Using a ‘harvest now, decrypt later’ strategy, these bad actors steal encrypted password databases and other sensitive data, and store them for future decryption when sufficiently powerful quantum computers become available.

The race to cryptographically relevant quantum computers

The first-generation Cryptographically Relevant Quantum Computer (CRQC), one that can break encryption such as Rivest-Shamir-Adleman (RSA), is likely to be rather large and power-hungry, requiring sophisticated chips from a leading provider, said Tim Hollebeek, vice president of industry standards at DigiCert, a provider of digital certificates. Those requirements limit contenders for the first CRQC to large tech companies and nation-states, said Hollebeek.

Candidates to be the first to achieve a CRQC include companies such as IBM, Google Quantum AI, Microsoft, Toshiba, and InfiniQuant, according to Mike Logan, CEO of C2 Data Technology, a data privacy solutions company.

The Willow chip from Google Quantum AI has a capacity of 105 qubits, according to Sebastian Straub, principal solution architect at N2WS, which provides backup and recovery solutions. A qubit is a quantum bit, the basic unit of information in quantum computers. Straub said it could take 4,000 to 6,000 logical qubits, and the specialized quantum computer arrays that would make up a CRQC, to break RSA encryption.

Nation-states such as China and Russia are developing quantum computing capabilities using internal research and development and international collaborations. According to Logan, Russia has a 50-qubit quantum computer prototype developed in a collaboration between the Russian Quantum Center and Lomonosov Moscow State University.

According to Logan, the Russia-China Quantum Computing Cooperation supports joint research in quantum computing, including quantum processors, software, and communication systems.

Vulnerable encryption algorithms

“All the existing asymmetric cryptography algorithms are vulnerable to quantum attacks. This largely means RSA and Elliptic Curve Cryptography (ECC), since those are the two main asymmetric algorithms in use today,” said Hollebeek.

Asymmetric cryptography uses public and private keys for encryption and decryption to secure communications, digital signatures, and key exchanges over insecure networks. Digital signatures authenticate the message sender. Key exchange is a process that enables secure encryption key sharing.

Organizations use RSA for key exchange and digital signatures; ECC is in many applications, including TLS/SSL, digital signatures, and cryptocurrencies, according to Rahul Mahajan, vice president and chief technology officer of the Digital Business Transformation unit at Nagarro, a global consulting firm. Transport Layer Security (TLS) encrypts data in transit. Cryptocurrencies use ECC for digital signatures and key exchange.

“A successful CRQC could crack these [popular encryption] algorithms in a matter of hours to days, versus billions upon billions of years for non-quantum computers,” said Logan.

Setting the date for the first CRQC

Opinions vary on when we’ll see a CRQC, with some experts forecasting as soon as three years and others as late as 20 years. Said Majid Shaalan, professor of computer science at Harrisburg University of Science and Technology, “Based on my observations at the recent Supercomputing 24 Conference in Atlanta, GA, which highlighted the remarkable convergence of quantum computing and High-Performance Computing (HPC) advancements, it is reasonable to expect that this threat [to popular encryption methods] could emerge much sooner, potentially within the next three to five years.” HPC uses multiple interconnected servers in parallel to process massive data sets and complex calculations at high speeds.

According to Heather Vescent, cybersecurity futurist at The Purple Tornado, a quantum computer that can crack widely used encryption could arrive between five and 20 years from now. “There could be a breakthrough. There could be an external event that causes the U.S. or China to double down or delay it,” said Vescent.

Vulnerability to quantum encryption cracking

Critical infrastructure, cryptocurrencies, and the hardware/software supply chain are likely targets of decryption by CRQCs. “Critical infrastructure, such as water supply, power grids, and Supervisory Control and Data Acquisition (SCADA) systems and Internet of Things (IoT) networks, use older cryptography primitives and protocols, which could be vulnerable to quantum computers that can break current encryption algorithms,” said Javed Samuel, vice president of Cryptography Services at cybersecurity consultancy NCC Group.

SCADA controls and analyzes industrial processes for critical infrastructure run in real time by natural gas companies, electricity providers, water treatment facilities, and others. IoT networks connect smart devices and sensors for data retrieval and control.

According to Samuel, threat actors could compromise cryptocurrencies that have grown significantly in the past decade by leveraging public-private key cryptography, which could lead to a collapse of trust and widespread financial and operational damage.

Washington, D.C.-based think tank the Hudson Institute suggests a quantum computer-enabled hack against Bitcoin’s underlying system could create economic losses beyond the wallets of Bitcoin owners to those of everyday Americans. The Hudson Institute analysis assumes a 99.2% collapse in the price of Bitcoin, which would lead to price declines in other major cryptocurrencies and traditional financial assets and markets.

Threat actors “could use quantum computers to compromise the supply chain of hardware and software, potentially introducing backdoors or vulnerabilities,” said Mahajan.

CRQCs could break encryption to introduce backdoors into hardware components and to exploit supply-chain management software vulnerabilities, including blockchain systems.

Challenging transition to post-quantum cryptography

“In several of my CXO [C-level] conversations, it came out that many leaders acknowledge the potential future threat of quantum computing but underestimate the complexity and lead time required for a successful transition to Post-Quantum Cryptography (PQC),” said Mahajan. PQC is cryptography that the National Institute of Standards and Technology (NIST), a federal agency, developed to protect against potential attacks from quantum computers.

According to a Moody’s report, implementing the new cryptographic standards across devices includes operational difficulties and an estimated 10-to-15-year timeline for a comprehensive transition to PQC. Operational challenges include unfamiliar PQC algorithms, which can increase developer errors.

How to prepare for the quantum threat

According to Adam Everspaugh, a cryptography expert at Keeper Security, a cybersecurity company, adopting NIST’s PQC standards is a crucial first step in preparing for a quantum threat.

Companies can set priorities to balance adoption against security requirements and budget constraints. “Organizations should assess long-term risks and prioritize securing high-value assets. Public-private collaboration is key to balancing security and costs effectively,” said Everspaugh. Organizations can collaborate with NIST and the Cybersecurity and Infrastructure Security Agency (CISA), which offers guidance on quantum-readiness roadmaps and cryptographic inventory assessments. NIST actively seeks input from the cybersecurity community and stakeholders as it develops PQC. 

However, the journey to quantum-readiness is ongoing, and research into PQC standards to address developments in quantum decryption must continue. “From a government perspective, continued investment in PQC research and development is crucial to ensure we stay ahead of the curve. It’s a balancing act: managing current security needs while strategically preparing for the quantum future,” said Mahajan.

David Geer is a journalist who focuses on issues related to cybersecurity. He writes from Cleveland, OH, USA.

Communications of the ACM (CACM) is now a fully Open Access publication.