Protecting Connected Devices with Quantum-Generated Cryptographic Keys

Quantum computing company Quantinuum last week Quantinuum released Quantum Origin Onboard, a cryptographic innovation that provides quantum computing protection for connected devices.

In this Q&A, Quantinuum head of cybersecurity Duncan Jones explains the challenges of protecting connected devices, how a quantum computer helps generate cryptographic keys that are as unpredictable as possible, and the importance of protecting essential assets like critical infrastructure and banking systems.

Enter Quantum: What is Quantum Origin Onboard?

Duncan Jones: Quantum Origin is something we launched a couple of years ago. It helps customers to generate strong cryptographic keys using quantum computing. We plug into their existing cyber infrastructure and we generate cryptographic keys for them that we can mathematically prove are unpredictable, which is the main ingredient that you want to have in a cryptographic key.

Quantum Origin Onboard is a new variant of this product that you can plug into your infrastructure. Some customers said we want to put this everywhere in our infrastructure, and some of our infrastructure is disconnected, in an air gap system. Quantum Origin Onboard is a software library that you can put into a device or a system, and it helps that system generate stronger keys.

What are the cybersecurity challenges presented by IoT infrastructure?

Typically, IoT devices are not renowned for security; it is an area of usually higher cyber risk for a company when they deploy IoT devices. One of the reasons why we're excited to start putting Quantum Origin Onboard into IoT devices is because they do need strengthening against cyber risks; they're out there, on the frontline.

They're often deployed for decades, so if you make a mistake from a security perspective, it can be very costly to fix. Industrial IoT systems in critical national infrastructure are a good fit for the Quantum Origin Onboard. It is also suited to air-gapped corporate IT systems where cloud service isn't appropriate.

Quantum Origin Onboard uses a “quantum seed”, what is that?

We execute a three-qubit circuit on our H-Series computers, and we do that millions and millions of times to build up a collection of challenges to the quantum computer and responses from the quantum computer.

We pass that data through a Bell test, which we use to quantify the amount of unpredictable behavior we've just witnessed. What comes out of that process is a relatively small piece of data of a few 100 kilobytes which is of an unknown amount of randomness.

At this stage, we know that it's 84% perfect and once we know what it is, we can distill it into what we call the quantum seed, which is a piece of data that is as highly unpredictable as possible. We have a very strong mathematical guarantee of how predictable that is.

Are post-quantum cyberattacks one of the threats you’re strengthening systems against?

A lot of the organizations we're working with are thinking about the threat of quantum and they want to adjust both the way that they generate the keys and the type of keys they generate to make sure that both are resilient.

We have not invented a new type of encryption; we work with whatever the customer chooses to use. Many of our customers are still using today's algorithms like RSA or elliptic curve cryptography. But some are starting to look at quantum-safe algorithms as well. We support both, but the way that we generate our keys and that guarantee of unpredictability will hold universally and that will still be true in 20 years, regardless of the quantum computing power of your adversary.

What companies would use Quantum Origin Onboard?

Anybody who is generating cryptographic keys, which these days is every industry. Our focus areas have been initially around financial services, utilities and critical national infrastructure clients – the places where cybersecurity is often of the highest importance because these companies have to retain the trust of their customers.

In banking, you must trust that the bank is going to be able to protect your money. But critical infrastructure areas it's also a life safety question, as well as the people hacking the system. People can die, so that's been our initial focus. But ultimately, this technology is broadly applicable, and we anticipate this becoming the de facto approach to generating keys over time.

This article first appeared on IoT World Today's sister site, Enter Quantum