Quantum supremacy: is the security and confidentiality of internet exchanges doomed?
From its first steps guided by Alan Turing to the triumph of AlphaGo over the legendary Go player Lee Sedol, computer science has built a reputation as a science in constant turmoil. Since the ’90s, a new theory has been developing: that of quantum computing. The electronic components of such computers are designed to be governed by the laws of quantum mechanics, the physical theory of the infinitely small. The visionaries Peter Shor and Lov Grover developed algorithms in the 1990s to exploit these phenomena, yet the contribution of quantum computing is still largely theoretical to this day. The quantum computer is far from offering the same functionality as a conventional computer, but it has the capacity to provide solutions to problems that were previously unsolvable in practice. Among them is a mathematical problem that appears insignificant, but whose difficulty embodies a fundamental pillar of the security of transactions on the Internet: the factorization of very large integers into prime factors.
The encryption on which the digital economy is based may be compromised by future quantum computers that will be able to break encryption codes in record time.
As shocking as it may seem to people who have grown up in the age of digital supremacy, the capabilities of computers are indeed limited. At a fundamental level, they continue to operate on a 1 and 0 basis, but this is set to change with the advent of quantum computing. This is not just a routine system upgrade: a single quantum machine is theoretically more powerful than all of the world’s current supercomputers combined. Naturally, more powerful computers offer more powerful capabilities, which have many advantages. On the other hand, the increase in computing power can potentially undermine today’s security standards. The encryption on which the digital economy is based can be compromised by computers capable of breaking codes in record time. Businesses cannot afford to wait for encryption standards to adapt and must therefore take the necessary steps to protect themselves. Where do you start?
What is quantum computing?
Quantum computing marks an important milestone in the way computers work. Unlike today’s computers, which are limited to “binary” processing, quantum computers can work with many intermediate values at once, all occupying the same space at the same time. This principle makes computers exponentially more powerful. Technologies built on complex computation are expected to benefit from a huge increase in computing performance and potentially take 3D animation, virtual reality, medicine, artificial intelligence, and many other fields to new heights.
However, quantum computing is still far from being widespread. First publicized in 2016 with the launch of the IBM Q, it has since stopped making headlines. Today, most of the players in this field are still at the research and development stage and will remain so until 2022, according to a Gartner estimate. This is mainly due to the nature of quantum computing, based on the theories of superposition and entanglement physics that are still largely experimental at this stage. The ultimate goal of these theories is ambitious and requires a substantial amount of time and effort (not to mention investment), which explains the wide disparity of estimates regarding the launch date of a powerful quantum computer.
If quantum computing is still so far away, why should companies care about it now? One of the main reasons is that, despite its potential benefits, quantum computing is likely to expose them to an unprecedented set of risks, especially because of its impact on encryption. The entire digital world is based on encryption. All sectors, including banking, commerce, healthcare, insurance, and the public sector, use encryption-based systems for their operations. For example, online banking would be unthinkable without this technology. Without encryption, the digital economy would simply cease to function.
Encryption relies on keys – long, complex strings that even today’s computers cannot search exhaustively. Estimates suggest that it would take 10.79 quintillion years for a modern computer to exhaust all possible combinations. It is this difficulty, this practical inviolability, that makes encryption so useful.
For quantum computers, this is reduced to a few months or even less. Using a quantum machine to break commonly used public-key algorithms could affect all machines and the companies that use them and cause a major security breach.
Rebalancing the forces
Make no mistake: quantum computing holds great promise for our world. However, we need to understand that a critical transition period will occur. For a while, most organizations will use normal computers, while a very limited number of organizations, mostly nation-states and very large technology companies, will have quantum computers. This situation will result in a huge power imbalance, especially if a nation-state were to endow a group of hackers with quantum capabilities.
So how can companies maintain their security? Obviously, by upgrading their encryption. Some theories are circulating as to its evolution: lattice-based cryptography, multivariate cryptography, and hash-based cryptography have been suggested as potential solutions. In parallel, innovative research on quantum key distribution (QKD) is showing promise alongside several of these techniques, all of which could protect us against cyber attacks from a quantum computer. However, like quantum computing itself, these techniques are still conceptual and there is no consensus on what to develop first.
The importance of crypto-agility
While upgrading encryption is the best defense, companies cannot afford to wait for it. Quantum computing is not yet available, but it is under development, whereas quantum-resistant encryption is still in its infancy.
Until encryption standards have adapted to quantum capabilities, agility is the best defense tool available to companies. If organizations have total control over the keys that protect their communications, they can quickly find and replace compromised keys to limit the potential damage from cybercriminals. This ability to change the cryptographic environment quickly keeps them ahead of the game. After all, even quantum computers will take some time to recover an encryption key.
Since an average company has thousands of encryption keys scattered throughout its environment, it is impossible for IT to control them fully by hand, one by one. The only way to take control of the cryptographic environment is to automate the discovery and management of each of the encryption keys used by the company. This is the best way for companies to adapt to quantum computing. With all the interest in this technology, it’s never too early to start.
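The crypto-agility the passage argues for is a design property, not a product. As an added example (not the article's code), this sketch shows the mechanism in miniature: every protected record carries the identifiers of the algorithm and key that produced it, so an inventory can list what is in use, records can be re-protected under a replacement, and a retired algorithm is refused outright. HMAC with SHA-256 and SHA3-256 stands in for whatever primitive is being migrated; the registry, key names and data are constructed for the demo.

```python
import hashlib
import hmac
from collections import Counter

# Constructed demo registry; a real deployment would back this with a key store.
ALGORITHMS = {"hmac-sha256": hashlib.sha256, "hmac-sha3-256": hashlib.sha3_256}
KEYS = {"k1": b"constructed-demo-key-1", "k2": b"constructed-demo-key-2"}
RETIRED = set()                       # algorithms that must no longer verify


def protect(data: bytes, alg: str, key_id: str) -> str:
    """Tag data and return a self-describing envelope 'alg:key_id:tag'."""
    tag = hmac.new(KEYS[key_id], data, ALGORITHMS[alg]).hexdigest()
    return f"{alg}:{key_id}:{tag}"


def verify(data: bytes, envelope: str) -> bool:
    """Accept only current algorithms and known keys; compare in constant time."""
    alg, key_id, tag = envelope.split(":")
    if alg in RETIRED or alg not in ALGORITHMS or key_id not in KEYS:
        return False
    expected = hmac.new(KEYS[key_id], data, ALGORITHMS[alg]).hexdigest()
    return hmac.compare_digest(expected, tag)


def inventory(envelopes) -> Counter:
    """Discovery step: count which (algorithm, key) pairs are actually in use."""
    return Counter(tuple(env.split(":")[:2]) for env in envelopes)


def rotate(records, new_alg: str, new_key_id: str):
    """Re-protect every (data, envelope) record under the replacement scheme.
    Run this before retiring the old algorithm, and refuse anything that no
    longer verifies rather than silently re-tagging tampered data."""
    migrated = []
    for data, envelope in records:
        if not verify(data, envelope):
            raise ValueError(f"refusing to migrate unverifiable record: {envelope}")
        migrated.append((data, protect(data, new_alg, new_key_id)))
    return migrated


def retire(alg: str) -> None:
    """Switch an algorithm off: from now on its envelopes fail verification."""
    RETIRED.add(alg)


if __name__ == "__main__":
    records = [(d, protect(d, "hmac-sha256", "k1")) for d in (b"invoice-1", b"invoice-2")]
    print(inventory(env for _, env in records))       # Counter({('hmac-sha256', 'k1'): 2})
    records = rotate(records, "hmac-sha3-256", "k2")
    retire("hmac-sha256")
    print(all(verify(d, env) for d, env in records))  # True
```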
A community of QPC researchers has formed
For 25 years, we have known that digital security will be challenged by quantum computing.
Faced with this threat, which seems inevitable, many researchers have embarked on the development of algorithms capable of resisting this new approach to computing.
These are post-quantum or “quantum-safe” algorithms. Beyond inventing encryption algorithms considered mathematically safe against decryption by a quantum computer, the industry must also agree on which algorithms are finally chosen to secure a banking transaction, an Internet payment, or the sending of a sensitive file.
As early as the end of the 2000s, the IEEE standardization committee launched work on this issue, followed in this respect by the American National Institute of Standards and Technology (NIST). NIST was already behind the standardization of the essential AES and SHA-3, a cryptographic hash function designed by Guido Bertoni, Joan Daemen, Michaël Peeters, and Gilles Van Assche.
Mathematically, thwarting the capabilities of a quantum computer is not beyond the reach of researchers, but it is still necessary to choose an algorithm that has no mathematical weaknesses, that does not consume too much computing power, and that does not make data exchanges excessively heavy.
The competition launched by NIST mobilized 87 international teams of researchers.
The first phase of evaluation saw 69 algorithms accepted, a number that was reduced in 2019 after the second phase of testing; the list of candidates for phase 3 was drawn up in July 2020. Four algorithms are still in the running for public-key encryption, three for electronic signature…
NIST’s goal is to have standardized algorithms in place by 2022 so that the industry can implement them and have them in production by 2024.
David Renty adds: “It is estimated that quantum computers could be in place by 2035-2040, but this is an issue that needs to be addressed today. You can imagine governments storing numbers that can’t be broken, but will be in 20 years’ time. This is a very important point to be taken on board by States and the arms industry in particular. That’s why, while there is still a lot to be done in cybersecurity to deal with issues such as patching or user computer hygiene, companies now need to integrate this quantum dimension into their monitoring units.”
Key sharing by quantum entanglement
In addition to this research to implement post-quantum algorithms on conventional IT infrastructures, another option is taking shape over a much longer term: the use of quantum technologies to secure data exchanges.
The idea is to use a quantum information network (QIN) to transmit encryption keys using the quantum entanglement phenomenon of two particles.
Many research centers have experimented with this revolutionary technique via fiber-optic networks, exchanging encryption keys using entangled photons. But the most spectacular example of this approach was the quantum-encrypted videoconference established in 2017 between Bai Chunli, President of the Chinese Academy of Sciences, and his Austrian counterpart Anton Zeilinger.
Exploiting the quantum entanglement phenomenon, the satellite distributed entangled photons between the two centers – one in China, the other in Austria – 7,600 km apart to share an encryption key without it being intercepted by a third party.
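Why an intercepted key is noticed: as an added example (not code from the article or the experiment), this simulation models entanglement-based key sharing in a deliberately simplified way, treating Alice's measurement as preparing Bob's photon in her basis and result, and shows that an interceptor who must guess measurement bases corrupts about a quarter of the sifted key, which the parties detect by comparing a sample of bits. The 11% abort threshold and the seeded random source are assumptions of the demo.

```python
import random

RECTILINEAR, DIAGONAL = 0, 1           # the two measurement bases


def measure(photon, basis, rng):
    """Measure a photon prepared as (prep_basis, bit).
    Same basis: the bit is read reliably; wrong basis: the outcome is random."""
    prep_basis, bit = photon
    return bit if basis == prep_basis else rng.randrange(2)


def run_qkd(n_pairs, eavesdrop, seed=7):
    """Simulate entanglement-based key sharing over n_pairs photon pairs.
    Returns the sifted key length, the error rate (QBER) and the key bits."""
    rng = random.Random(seed)           # seeded so the run is reproducible
    alice_key, bob_key = [], []
    for _ in range(n_pairs):
        a_basis, b_basis = rng.randrange(2), rng.randrange(2)
        a_bit = rng.randrange(2)
        # Alice's measurement collapses the pair: Bob's photon now carries
        # a_bit in a_basis (simplified model of the entangled-pair correlation).
        photon = (a_basis, a_bit)
        if eavesdrop:
            # Intercept-resend: the interceptor must guess a basis, measure,
            # and re-emit; a wrong guess randomises what Bob later reads.
            e_basis = rng.randrange(2)
            photon = (e_basis, measure(photon, e_basis, rng))
        b_bit = measure(photon, b_basis, rng)
        if a_basis == b_basis:          # sifting: bases are compared publicly
            alice_key.append(a_bit)
            bob_key.append(b_bit)
    errors = sum(x != y for x, y in zip(alice_key, bob_key))
    return {"sifted_bits": len(alice_key),
            "qber": errors / len(alice_key),
            "key": alice_key}


def eavesdropper_detected(qber, threshold=0.11):
    """Abort the key if the sampled error rate exceeds the protocol threshold.
    Wrong-basis interception corrupts ~25% of sifted bits; ~11% is the commonly
    cited upper limit for a secure key (assumed constant for this demo)."""
    return qber > threshold


if __name__ == "__main__":
    for eve in (False, True):
        r = run_qkd(4000, eavesdrop=eve)
        print(f"intercepted={eve}: sifted={r['sifted_bits']} "
              f"QBER={r['qber']:.3f} abort={eavesdropper_detected(r['qber'])}")
```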
A revolutionary approach that could well shake up the world of cryptography once again beyond 2040!
Two levels of protection against the quantum computer
To counter these attacks of the future, researchers in both public and private laboratories are exploring two avenues. One, post-quantum cryptography, consists of looking for algorithms that resist attacks from quantum computers. Its name can be confusing: these new algorithms follow the rules of classical cryptography and do not use quantum phenomena. They are simply new ways of encrypting data. Problem: there is no certainty that these new algorithms cannot be circumvented by quantum computers.
The other track, quantum cryptography, is physical. It relies on quantum mechanical properties to secure the transport of information. Small particles, called photons, carry the encryption key and replace the mathematical models currently in use.
“Quantum cryptography provides unconditional security, without any hypothesis of flaw”, explains Eleni Diamanti, Research Director at the CNRS, on the phone. Although it comes closer to zero risk, it is not without drawbacks. First, in its current state, it cannot replace conventional cryptography, which will continue to be necessary to protect against certain risks. Second, to implement it, communication networks such as optical fiber will have to be modified, an investment that is difficult to make on a global scale.
Towards hybrid cryptography
For the scientist, the cryptography of the future will thus have to combine the two levers.
With his quantum cryptography company, Chris Erven is indirectly following this advice. He has formed a partnership with Cryptonext Security, a French post-quantum cryptography company. The objective: to offer a complete security system. Broadly speaking, their protection would act on both the hardware and software parts. In this way, the entrepreneur hopes to attract the interest of network operators such as Orange, and data center owners such as Google or Amazon. But for now, he has to develop his technology on a smaller scale.
And he is not satisfied with the support of government agencies. “But we just need them to work with one or two units of our product so that we can continue to improve it. We’re not asking for millions of dollars in contracts.” If only the American and Chinese tech giants invest in the subject, Europe could, in the worst-case scenario, be defenseless.
The development of these new cryptographic methods must therefore go faster than that of the quantum computer. Hence the sense of urgency in the sector. But a hypothetical scenario remains, in which researchers are unable to create a sufficiently powerful quantum computer. “In the current state of the art, it offers greater security, but loses performance, especially because it is limited in distance,” says Diamanti.