This blog was written by an independent guest blogger.
Just as cybersecurity professionals are getting used to the possible implications of quantum computers, a new front opens in the quantum arms race: using quantum computers for encryption.
Though quantum computers remain a largely theoretical threat, some researchers are already working on ways to protect systems against the exponential increase in computing power they represent. If cybersecurity is at a tipping point, they argue, and photonic computers are already being deployed to break PGP encryption, it is now time to arm ourselves with systems that match those being deployed against us.
In this article, we'll look at the emerging field of quantum cryptography, and at quantum key distribution (QKD) in particular. We'll then explain what the emergence of these technologies means for the average cybersecurity analyst.
The threat of quantum computers
By now, most of us are aware of the fundamental details of quantum computing, and what it could mean for the safety of commonly used public-key cryptographic protocols. In short, quantum computers can factorize large integers much, much more quickly than traditional computing architectures, and this means that decrypting the 1024-bit keys used by the RSA encryption protocol (for instance) will take a quantum computer a few hours, rather than the years the same process would take on today’s computers.
At the moment, no such decryption attacks have been seen in the wild, and the perceived reality is that it may take decades before quantum computers have the necessary computing power to be used in this way. Nevertheless, given the reliance of many modern systems on such algorithms, researchers are already looking at ways to protect against this kind of attack.
What is quantum cryptography?
Some of the proposed solutions are essentially extensions of existing cryptographic schemes. NIST, for instance, is already recommending that organizations use 2048-bit RSA encryption as a minimum, and that this standard be used for everything from encrypted cloud storage to encrypted email services. Similarly, some analysts argue that extant protocols like TLS can be improved to combat the threat of quantum decryption algorithms. Others are exploring the concept of lattice cryptography, which appears to be uncrackable even by quantum computers.
The most exciting area of present research, however, relies on using the power of quantum computers to encrypt data, and therefore protect it against even quantum-enabled attacks.
This is where the idea of quantum key distribution (QKD) comes in. QKD is built on the system of public key exchange that underpins familiar public-key cryptographic systems, but also makes use of the strange properties of individual photons. The systems being explored at the moment are deployed on standard fiber optic cables, but instead of using them to send a data signal, individual photons are sent.
Because these individual photons are entangled with photons being held in the sender’s system, any interception of them will cause a collapse of the wave function (in the nomenclature used in quantum physics), and the sender will be instantly alerted that their communications have been hacked.
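An added example, not from the original article: a toy simulation of how interception surfaces as measurable errors in a QKD exchange. It uses the BB84 prepare-and-measure protocol rather than the entangled-photon scheme described above, and the function names, the seed, and the 11% abort threshold are assumptions of this example.

```python
import random

def bb84_run(n_photons, eavesdrop, seed):
    """Simulate one BB84 session; return (sifted_key_length, error_rate)."""
    rng = random.Random(seed)            # seeded so the run is repeatable
    sifted = errors = 0
    for _ in range(n_photons):
        bit = rng.randint(0, 1)          # sender's raw key bit
        send_basis = rng.randint(0, 1)   # 0 = rectilinear, 1 = diagonal
        state_bit, state_basis = bit, send_basis

        if eavesdrop:
            # Intercept-resend: the tap must measure to learn anything, and a
            # wrong-basis measurement replaces the bit with a random outcome.
            tap_basis = rng.randint(0, 1)
            if tap_basis != state_basis:
                state_bit = rng.randint(0, 1)
            state_basis = tap_basis      # photon is re-emitted in the tap's basis

        recv_basis = rng.randint(0, 1)
        if recv_basis == state_basis:
            measured = state_bit         # matching basis: deterministic result
        else:
            measured = rng.randint(0, 1) # mismatched basis: coin flip

        # Sifting: both sides publicly compare bases (never bits) and keep
        # only the positions where they happened to choose the same one.
        if recv_basis == send_basis:
            sifted += 1
            errors += (measured != bit)
    # Simplification: errors are counted over the whole sifted key; a real
    # system sacrifices only a random sample of it for the comparison.
    return sifted, (errors / sifted if sifted else 0.0)

def channel_is_trusted(error_rate, threshold=0.11):
    """Abort rule: discard the key if the error rate exceeds the threshold.
    The 0.11 default is an assumed value for this example."""
    return error_rate <= threshold

if __name__ == "__main__":
    for tapped in (False, True):
        n, qber = bb84_run(20000, tapped, seed=1)
        print(f"tapped={tapped} sifted={n} error_rate={qber:.3f} "
              f"trusted={channel_is_trusted(qber)}")
```

On a clean channel the sifted key has no errors; with an intercept-resend tap roughly a quarter of the sifted bits disagree, which is the signal the two endpoints use to throw the key away.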
This might sound like science fiction, but such systems are already in use, albeit in a limited scope. China has pushed ahead with QKD, and already has dedicated pipes connecting Beijing, Shanghai, and other cities. Europe is also exploring the technology, and in the United States the first commercial QKD network went live this past fall. The Quantum Xchange is a system that connects New York City’s financial firms with its data centers in New Jersey, and exchanges quantum keys over existing fiber optic networks. The company plans to expand to Boston and Washington, D.C.
At the moment, the applications of QKD remain fairly niche. However, it’s likely that this form of cryptography will rise rapidly in popularity over the next decade. This means, first and foremost, that organizations holding valuable data will have to invest significant sums in QKD equipment. Currently, an organization wanting to make use of QKD would have to buy a transmitter and a receiver, each of which costs approximately $100,000. However, this cost is likely to drop significantly in the next few years.
On the other hand, it’s important to recognize the limitations of this type of system. Because QKD relies on exchanging individual, entangled photons, it cannot be feasibly used as a communication system. Instead, it will be limited to exchanging encryption keys. This, in turn, means that the system, in itself, is unable to protect organizations against what is still the most common form of cyberattack: phishing.
It might sound strange to raise phishing attacks in the context of quantum computing, but in reality the ongoing prevalence of this type of attack points to one of the central contradictions contained in the hype surrounding everything quantum: that the vast majority of threats do not rely on direct decryption of private messages, and so are likely to continue unabated, even in a world where everyone has a quantum computer.
This does not mean we shouldn’t be prepared, however. As William Hurley, IEEE senior member, founder and CEO of Austin-based quantum computing company Strangeworks, told CSO recently, “the theories have advanced farther than the hardware … [but] we shouldn’t wait for the hardware to motivate the switch to post-quantum cryptography.”
In other words, quantum cryptography is already disrupting the cybersecurity landscape, even if the threat remains largely theoretical. In this situation, it pays to be aware of the research being done into how to protect systems over the coming decades, even if an immediate investment in a QKD transmission system seems like an overreaction.