November 3, 2023
Quantum computers are not yet powerful enough to break public key encryption, but there are quantum threats that should be addressed immediately. Hackers have already begun harvest now, decrypt later attacks: stealing data and storing it with plans to decrypt it once quantum computing matures, which poses substantial risks to organizations and their valuable data.
John Prisco is the CEO of Safe Quantum, a consultancy that champions the commercial adoption of quantum technology. In June 2022, Safe Quantum entered a partnership with Toshiba in the areas of quantum key distribution (QKD) and quantum communications. In this Q&A, he explains the urgency of proactively addressing quantum threats now to protect organizations and why combining QKD and post-quantum cryptography (PQC) keeps data safer.
Enter Quantum: What is the immediate security threat posed by quantum computers?
John Prisco: We have a problem called harvest now, decrypt later. So, you know, we do it or adversaries do it. They frequently harvest tremendous amounts of data off of submarine optical. It's easier to tap into those things at the landing point, especially in the South China Sea.
You can just inexpensively save tremendous amounts of data, and even though it's encrypted and you can't read it today, the hope is that when there's a cryptographically relevant quantum computer you will be able to decrypt this information. We can't rest and say we have five to 10 years or more before a quantum computer is cryptographically relevant; we don't have any time because people are harvesting information today. We have to take a different tack that's more immediate.
What is the role of QKD in keeping data safe?
QKD provides forward secrecy, which is very important. If you've authenticated your QKD hardware, and no one has hacked into it during that authentication, all the keys that you produce will be secure from that point forward.
Another really important thing about QKD is that it's evident if somebody's trying to tamper with your data because we're relying on the no-cloning factor and the Heisenberg uncertainty principle and all the quantum principles that say, if you just try to observe a quantum state, you're going to change it.
With Toshiba’s QKD technology gear, there's a marked increase in bit error rate if somebody is trying to launch a man-in-the-middle type attack. I've not discovered that in the wild, but in our proof of concepts, we usually create that condition to demonstrate to a potential customer that the hardware will recognize this before it ever transmits data. The key is if you can't share the key between Alice and Bob, you don't try to share the data, and that's what makes QKD such a good opportunity for security.
What about quantum communications?
Quantum communications includes things like entangled photons, optical repeaters and that sort of thing. They're pretty far away but will form the beginnings of the quantum internet. Today, we have QKD as a ready and working solution. That’s getting picked up in the U.S., China and Europe. In the U.K. you have the BT-Toshiba ring, which is a great demonstration of a quantum-secured network.
What should be the immediate priority for organizations looking to secure their data now?
There are several things to become aware of. The first is inward-looking. What makes up my data? Why is it important and what kind of shelf life does it have? For example, when we're working with the financial vertical market, if they're looking at trades, it's not terribly important to guard a trade for more than a few milliseconds because it's public. But for example, in health care, you've got critically private information and it has a lifetime shelf life, so it requires a careful analysis of how the data is handled.
You can also familiarize yourself with QKD and the PQC algorithms that are being vetted by NIST. I am the chairman of the Use Cases Technical Advisory Committee at Quantum Economic Development Consortium (QED-C), which is the organization that was formed as a result of the National Quantum Initiative Act. We've been working for two years on hybrid arrangements with QKD and PQC.
We like that approach because it gives us no single point of failure. When I ran a cybersecurity company, we learned that you had to have more than one solution working simultaneously, and it had to have a totally different failure mechanism. QKD and PQC do that perfectly.
We're dispelling some of the concerns that the NSA and GCHQ in the U.K. have had because we've proven the security of QKD. We probably need to prove it a little more for the Department of Defence. What took the wind out of their sails this year was the failure of one finalist algorithm, which is called Rainbow, and then that was broken over a weekend with a laptop computer, which is frightening.
Other than telecommunications, as addressed by BT and Toshiba, what other industry-wide post-quantum initiatives are underway?
Financial services is another vertical where standards are going to be extremely important. The Fedwire system is really susceptible, as is most critical infrastructure. We've looked at the trillion-dollar events that would occur if Fedwire was brought down for even a day and we've been working on putting together a hybrid solution with QKD and PQC that could be installed in the Fedwire system.
Similarly, the Department of Energy has the largest machine in the world, which is the power grid, and the most important in terms of critical infrastructure. We did a project with Oak Ridge National Laboratories and I wrote a paper on it that was published in Forbes Technology Council.
There are several vertical markets where it's critical to try something now to be prepared. We're in the early stages of quantum, not only in terms of building a cryptographically relevant computer but also what the networks would look like to produce the best security in the various verticals.
This article first appeared on IoT World Today's sister site, Enter Quantum.