What happens when cyber attackers reach quantum-advantage?

Aerospace and defence group Thales is investing in a large ecosystem of partners to work on quantum-resistant cryptography: without it, legacy cryptography could be broken overnight

Credit: Dreamstime

Quantum computing is inching into the mainstream, with large enterprises pushing their labs to create machinery that will work in the applied world, rather than just the theoretical.

That being said we're still a way from what IBM calls "quantum advantage" – when quantum machines are able to overtake tasks performed by traditional computers.

While researchers are not in total agreement about what the "killer applications" for quantum will prove to be, one area it's expected to provide a significant boost is cryptography. But that is set to be a two-way street.

Although largely confined to laboratory settings at present, some day in the not too distant future, access to quantum computing will be more widespread.

Already interested researchers can play around with the IBM Q System One, not to mention its composite building blocks through the open source Qiskit framework. Other businesses betting big on quantum include Airbus and Google.

As tends to be true with almost all advances in technology – especially those with such potentially profound, far-reaching consequences such as quantum – malicious actors will already be considering the ways in which they will help their day-to-day operations.

French aerospace, defence, and security conglomerate Thales is laying down preparations for such a day, especially as it relates to cryptography, something that senior vice president at the firm, Todd Moore, believes could be broken entirely by significant leaps in quantum.

In the worst case scenario all current generation cryptography will need to be retrofitted with new quantum-resistant cryptographic algorithms – a potentially mammoth task.

Indeed, America's National Institute of Standards and Technology (NIST) is already working on building common frameworks that would enable "quantum-resistant" cryptographic algorithms. A spokesperson from NIST says that the organisation believes draft standards for quantum-resistant public-key crypto algorithms could be published as soon as 2022, but the date is not "set in stone".

Moore says the company's recent decision to partner with ISARA and ID Quantique hinges on building a "crypto-agile", "quantum-safe" security framework into its future products.

"We're starting to prepare ourselves from an international perspective: what does it mean to be in a quantum-ready world - to protect against the threat that's coming this way?", he asks.

"The idea is you want to be prepared to support whatever the new standard is for quantum risk in our products - we call this crypto agility, and all that means is that our products are programmable, whatever the use case may be, we'll be able to quickly implement whatever becomes the new standard for a quantum-resistant algorithm."

At the same time, it is working on a quantum random number generator with ID Quantique to ensure strong key generation, as well as working on quantum key distribution, so that anytime encryption or cryptographic operations are needed, the key associated with it can be securely distributed among all the different elements – whether that's moveable data or something at rest that needs decrypting.

Moore says that the long and short of it is that all data encrypted with legacy cryptography would be "at risk". There is this "storm coming our way," he adds: "As soon as quantum computing does exist, people have to be prepared for how they can build systems and protect their data in such a way that it doesn't come under attack from this new quantum threat."

The sheer scope and scale of the storage arrays, databases and other data locations dotted across the world means that could be quite the ordeal if performed manually.

Businesses like Thales, then, are working on capabilities where all those objects encrypted with legacy cryptography could be updated to the "latest and greatest" standards automatically in the background.

Moore believes that some enterprises have their "head in the sand" about these possibilities, having deduced that the threat is far enough in the future for future-proofing against it to be far from a priority.

"Others are more proactive," Moore adds. "I don't see a lot of companies we work with today actually implementing things at this point of time, because again, the standards haven't caught up. We're still talking about a lot of moving parts: what is the quantum-resistant algorithm we're going to use? What is the certification, what does the ecosystem to be quantum-ready look like?

"I would say a lot of companies are starting to think about that malicious actor coming your way... I think in the next years, not months, but not decades - in the 2020s - you're going to see companies start putting safeguards in place, or at least putting components in place, so that whenever the time comes, they'll be able to upgrade and implement these standards."

A cynic might suggest that, just as with AI, quantum could be set to become the next snake oil de rigueur for a security vendor landscape that's always had its opportunists ready to cash in on the latest buzzword.

Indeed, Moore's colleagues at last week's Black Hat/DefCon in Las Vegas observed a greater number of quantum-focused startups in attendance than ever before.

But, he says, this is indicative of the growing interest in the area: "Quantum technology startups are growing exponentially – we've been asked to meet with no less than 10, so I think we're seeing a lot of people coming out of these research organisations that see the need, see the storm looming, and are starting to build technologies to support it.

"We are meeting with those types of folks as a company, we recognise there is no standard at this point of time, but when it does we have to be able to quickly implement the technologies to get the support of customers.

"I think there is collaboration on the industry side, we see a lot of startups, partners wanting to integrate different parts of the ecosystem ... who's going to be the winner in this space is still to be determined.

"From a Thales position, we're just making sure we are putting ourselves in a place where we don't become beholden to one technology or one vendor. It's why it's so important for us to have large partnerships, and a large ecosystem of partners."

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

Tags Thales

More about GoogleIBMQQuantumTechnology

Show Comments