The Implications of Quantum Computing for Cyber Security

The rise of quantum computing can be seen as a revolution with potentially negative consequences for cyber security. This emerging technology could operate up to 100 million times faster than the classical computers, and while this brings numerous positive opportunities, dark times for cyber security seem to be coming. This places a lot of pressure on the shoulders of policymakers, who have to make hard decisions in times of great change and rapid technological revolutions. It is therefore of the utmost importance that policymakers and other political stakeholders are provided with comprehensive factual documents and evidence-based policy recommendations. This policy brief discloses the risks of quantum computing for cyber security, identifies possible policy options, and offers evidence-based recommendations.

In this policy brief, a hybrid multi-layered approach combining classical and post-quantum cryptography is proposed as the way forward. While this recommendation is costly and time-consuming it is crucial for mitigating the cyber security risks posed by quantum computing and should therefore be considered as an investment rather than an expense.

What is Quantum Computing?

Quantum computing is a revolutionary form of computation that leverages the principles of quantum mechanics to process information. Unlike classical computers, which use bits as the smallest unit of data (represented as 0s and 1s), quantum computers use quantum bits, or qubits, that can exist in multiple states simultaneously. This phenomenon, known as superposition, ensures that quantum computers are up to 100 million times faster than the classic computer (IBM, 2024).

Additionally, qubits can exhibit entanglement, meaning their states are interconnected regardless of the physical distance between them. These unique properties enable quantum computers to tackle problems that are virtually impossible for classical computers to solve, such as optimizing complex systems, modeling molecular interactions, or breaking modern cryptographic protocols.

The risk of quantum computing to cyber security

The arrival of quantum computing is a major emerging technology, that will have extensive consequences for cyber security. Quantum computing is a very specialised technology that is built on hardware and algorithms that are very different from classical computers. While this emerging technology seems to bring forth many positive breakthroughs, the disruptive ability of a quantum computer to break current cryptographic keys remains one of the main risks (Lee, 2021).

Currently, there are two main types of used encryption; symmetric encryption, where the same private ‘key’ is used to encrypt and decrypt specific data, and asymmetric encryption, which consists of a public key that encrypts messages, and a private key that can decrypt the messages (Suguna et al., 2016). These ‘digital signatures’ rely on mathematical problems that are hard to solve. But since a quantum computer has so much more computing power, these problems will be a lot easier for it to figure out (NCSC, 2023).

The Threat of 'Harvest Now, Decrypt Later' 

The implications of this emerging technical development are enormous. The first problem that arises is that encrypted information that was intercepted in the past could be decrypted by quantum computers in the future, this is the so-called ‘harvest now, decrypt later’ phenomenon (Brattain et al., 2022). See the image below for a simple overview of this issue.

Government entities and possibly criminal adversaries are currently intercepting and retaining encrypted sensitive information that is being transmitted. Their intention is to take advantage of the fact that a quantum computer with cryptographic breaking capabilities will likely be accessible during the time period in which the collected data is still relevant. Once this happens, the data will be exposed in unencrypted form, enabling it to be exploited for malicious purposes, such as financial or strategic gain. Data that remains sensitive for more than a few years is especially vulnerable to this risk (Brattain et al., 2022).

In addition to this, stakeholders who do not take the right measures in time against the arrival of quantum computing are extremely vulnerable to widespread (data) breaches. However, actors that rush this important process to mitigate the quantum risks will likely suffer various flaws across their IT infrastructure, enabling malicious actors that do not use quantum technology to exploit these errors (Lee, 2021).

Thus, in conclusion; it is undeniable that the emerging technology of quantum computing poses a significant threat to cyber security and contemporary encryption techniques. To mitigate this future threat, we must protect today’s data.

Identified policy options

In response to the discussed threat of quantum computing for cyber security, a few courses of action that come with benefits and limitations are identified.

Post-quantum cryptography

First, the usage of post-quantum cryptography (PQC) is a widely discussed option in the battle against the downsides of quantum computing. Post-quantum cryptography is the rise of cryptographic systems (quantum secure algorithms) for ‘normal’ computers that can withstand attacks from quantum computers (ENISA, 2021). The most promising development within PQC is Lattice-based cryptography. Lattice-based cryptography is built upon abstract structures of mathematics (Micciancio & Regev, 2009).

PQC has many benefits but also a couple of limitations. First of all, PQC is widely recognized as the main and best choice for the battle against quantum computing. Thanks to its relative resemblance to existing encryption methods it can simply be seen as an extension to current cryptographic measures (Deloitte, 2022). Next to that, extensive academic research suggests that PQC is the most likely to be secure against yet known possible quantum attacks (Micciancio & Regev, 2009). In addition to this, PQC is a software-based solution that can be implemented within the current IT infrastructure of an organisation. No special extensive hardware or other techniques need to be used in order to implement this form of protection. (Deloitte, 2022).

As stated earlier, PQC also has its downsides. Currently, all forms of PQC that are identified through the NIST standardization process exhibit performance limitations. In comparison with the currently used cryptographic algorithms, PQC requires lengthy keys and a long processing time. This makes it more costly than traditional cryptographic measures and  unsuitable as the direct replacement for currently used cryptographic algorithms (Deloitte, 2022). Next to that, when organisations switch from classical encryption to post-quantum encryption, there is a risk that they will make mistakes during this process due to insufficient knowledge and resource allocation. In the end, this will lead to the implementation of post-quantum cryptography, but other potential cyber security vulnerabilities arise due to the limitations of the implementation.

Quantum Key Distribution

The second identified possible course of action to limit the risk of quantum computing to cyber security is the usage of quantum key distribution (QKD). Quantum key distribution leverages the unique characteristics of quantum mechanical systems to create and share cryptography keys by using specialised technology (NSA, n.d.). It works by sending particles called photons, between two communicators. These so-called photons can differ in form and represent a 0 or 1. If someone tries to intercept the so-called photons, their state will change which will alert the parties that are communicating. So if for example, Alice and Bob communicate, Alice will send her message that consists of the photons to Bob. If Bob receives the message with the exact same photons, the message is delivered securely. However, if Bob receives a message that consists of another photon than Alice sends him, he knows that someone is eavesdropping (Surf, 2023).

One benefit of quantum key distribution is that it claims to provide better protection against the so-called harvest now, decrypt later offenses. While the senders and receivers will know when someone is eavesdropping on their communication because the photon changed. Next to that, QKD can be used in combination with other forms of encryption in order to add a new protection layer. And lastly, QKD involves information theoretic security. This means that no certain specific algorithm can be created in order to access the exchanged cryptographic keys (Deloitte, 2022).

QKD sounds like a perfect solution, however, it has a number of severe limitations. First of all, QKD cannot be used by classical computers. Therefore, this technical development requires very expensive specialised hardware such as dark fiber cables. This makes it not adaptable to every stakeholder that needs secure communication (NLNCSA, 2024). Besides that, QKD also finds its limitations in distance. Signal losses in the fiber cables grow when the distance becomes larger. It is currently not possible to ensure reliable secure transmission when the distance is longer than a few hundred kilometres. A potential solution for this is to use quantum repeaters or satellite-based QKD, however, both are not available at present, are very expensive, and hard to scale (NLNCSA, 2024). Lastly, because QKD requires physical hardware such as fiber cables and or satellites, it makes it highly vulnerable to attacks in the physical sphere. When stakeholder A wants to communicate safely with stakeholder B, stakeholder C can disrupt their secure communication by sabotaging the required physical layer (NLNCSA, 2024).

Quantum Random Number generation

The third and last potential course of action to limit the risk of quantum computing to cyber security is the usage of quantum random number generation (QRNG). QRNG is a method in which legitimate random numbers are generated build on quantum computing. As cryptographic algorithms often require truly random numbers in order to generate secure cryptographic keys, the QRNG can generate legit random numbers which makes it harder to break the cryptographic key (NOREA, n.d.). This method does this by measuring photon polarization or electron spinning. This data is therefore not predictable in any way as it would violate the law of physics (NOREA, n.d.).

This practice comes with some good benefits. First of all, classical random number generators are indeed not totally random but are always derived from some kind of source. Therefore, classical computers are not able to generate true random digits. While on the other hand, QRNGs can come up with genuine random numbers. Therefore, digits that are created by QRNGs are harder to crack and more secure (Xiongfeng et al., 2016). In addition to this, the randomness of this method can be checked with formulas and simulations. Therefore, in the future, the usage of QRNGs can be certifiable which ensures transparent secure communication (Kaufman, 2021).

Of course, QRNGs also have their downsides. Just as QKD, QRNGs require very specific hardware that takes up space and costs huge amounts of money. However, the most noticeable drawback of QRNGs systems is the speed (Kaas-Mason, 2019). This method is extremely slow and will therefore be impractical to implement into the daily lifestyle. Next to that, QRNGs are (because they are truly random) not repeatable. In some cases, such as software testing, scientific research, or algorithmic development, repeatability is desired in order to make improvements. QRNGs are not repeatable and are therefore not ideal to implement when tests must be run, research is conducted or algorithms need to be developed.

Realistic policy recommendations

After evaluating and assessing the identified possibilities with their benefits and limitations, it is recommended to take a hybrid approach, in order to combat the risks of the emergence of quantum technology in the field of cyber security.

A hybrid solution uses both classical and post-quantum cryptography (PQC) together, in parallel within one single protocol. To break this very secure solution, an attacker would need to break both the classical and the post-quantum algorithmic cryptography. Thus, the security of this very complete solution is at least as good as the security of each method separately. The objective of this hybrid solution is to reduce the potential security risks that are caused by the relatively low level of maturity of the new post-quantum cryptography, while on the other hand also adding the additional security layer of post-quantum cryptography. This hybrid construction can and should be implemented by all organisations that are likely to become the victim of harvest now, decrypt later attacks today until new effective techniques become available.

The main limitation of this hybrid solution is that it is very time-consuming as organisations now need to implement two cryptographic algorithms for one single encryption protocol. Next to that, as discussed earlier this makes it also a cost-consuming solution. However, we argue that the relatively more costs and time compared to classical cryptography is a reasonable trade-off for more security and protection of data now and in the future. When sensitive data of an organisation is compromised and decrypted in the future, high fines or extortion sums could be expected. It is therefore important that this hybrid solution is presented as an investment rather than as spending or costs.

References

Brattain, Walter, & Bardeen, J. (2022). Quantum and the Cybersecurity Imperative. Digital Debates, 15. https://www.researchgate.net/profile/Tobias-Scholz-14/publication/366213685_Quad_Vadis_A_Risk_Assessment_of_the_Quad's_Emerging_Cybersecurity_Partnerships/links/639804a6095a6a777426d640/Quad-Vadis-A-Risk-Assessment-of-the-Quads-Emerging-Cybersecurity-Partnerships.pdf#page=15

Canada, C. S. E. (2021, February 11). Preparing your organization for the quantum threat to cryptography - ITSAP.00.017) - Canadian Centre for Cyber Security. Canadian Centre for Cyber Security. https://www.cyber.gc.ca/en/guidance/preparing-your-organization-quantum-threat-cryptography-itsap00017

Deloitte. (2022). Quantum Cyber Readiness. Deloitte Development. https://www.deloitte.com/content/dam/assets-shared/legacy/docs/research/2022/gx-risk-deloitte-quantum-cyber-readiness-perspective-2022.pdf

European Union Agency for Cybersecurity. (2021). Post-Quantum Cryptography. https://doi.org/10.2824/92307

French Cybersecurity Agency, Federal Office for Information Security, Netherlands National Communications Security Agency, & Swedish National Communications Security Authority. (2024). Position Paper on Quantum Key Distribution. Open Overheid. https://open.overheid.nl/documenten/797c7e8e-9c70-4a98-bfb4-11cb5f19515f/file

Kaas-Mason, M., Prpic, G., & Suriyasuphapong, S. (2019). Comparison of Pseudo, Chaotic and Quantum Random Number Generators and their use in Cyber Security. Roskilde University. https://rucforsk.ruc.dk/ws/portalfiles/portal/66525767/Comparison_of_Pseudo__Chaotic_and_Quantum_Random_Number_Generators_and_their_use_in_Cyber_Security.pdf

Kaufman, J. (2021). Quantum Random Number Generators. University of Chicago. https://homes.psd.uchicago.edu/~sethi/Teaching/P243-W2021/Final%20Papers/Final_Project.pdf

Lee, M. (2021). Quantum Computing and Cybersecurity. In Harvard  Kennedy School. Belfer Center for Science and International Affairs. https://www.belfercenter.org/sites/default/files/2021-07/QCSecurity.pdf

Ma, X., Yuan, X., Cao, Z., Qi, B., & Zhang, Z. (2016). Quantum random number generation. Npj Quantum Information, 2(1). https://doi.org/10.1038/npjqi.2016.21

Micciancio, D., & Regev, O. (2009). Lattice-based cryptography. In Springer eBooks (pp. 147–191). https://doi.org/10.1007/978-3-540-88702-7_5

Nationaal Cyber Security Centrum. (2023). Post-Quantum Cryptography. Ministerie van Justitie en Veiligheid. https://english.ncsc.nl/publications/factsheets/2019/juni/01/factsheet-post-quantum-cryptography

National Security Agency. (n.d.). Quantum Key Distribution (QKD) and Quantum Cryptography (QC). https://www.nsa.gov/Cybersecurity/Quantum-Key-Distribution-QKD-and-Quantum-Cryptography-QC/

NOREA. (n.d.). Quantum Random Number Generation. Beroepsorganisatie van IT-Auditors. https://www.norea.nl/uploads/bfile/9564d55d-1d2f-420f-915a-cf01d0cba9d3

Suguna, S., Dhanakoti, V., & Manjupriya, R. (2016). A STUDY ON SYMMETRIC AND ASYMMETRIC KEY ENCRYPTION ALGORITHMS. International Research Journal of Engineering and Technology, 03(04).

What is Quantum Computing? | IBM. (n.d.). https://www.ibm.com/topics/quantum-computing

What is quantum key distribution? (n.d.). SURF Communities. https://communities.surf.nl/future-computing-and-networking/artikel/what-is-quantum-key-distribution