Understanding Security Threats from Quantum Computing
A main goal in my writing about new technologies is to write about them in the most straightforward and accessible way. Few areas of technology need this as much as quantum computing which has a constant stream of confusing hype and misconceptions.While quantum computing is still quite far away, its implications on the cybersecurity market are worth exploring well in advance of the technology reaching maturity.
Table of Contents
What is quantum computing?
A new computer design that enables much faster processing and calculations that previous computer models.
Quantum computing is considered an enabling technology. The increased speeds with quantum, as opposed to traditional computer systems, enable other uses that we do not yet understand until we have the tools to discover them. We understand the capabilities but not necessarily the uses.
The best analogy for less technical people is like 4G on your phone, until we reached those speeds and started using them, we didn’t really understand what people would do with the technology, even know we know what the technology could do.
For the majority of people, quantum computing isn’t needed at the moment to live the life they currently enjoy. It won’t make their Netflix faster or help them do the grocery shopping. But in 15 years’ time, you might find your grocery shopping done for you via a quantum powered predictive software that suggests foods for you.
However, in the business and security world, the uses and potential of quantum computing are much more understood. That is because security already operates in a specific area, where quantum will protect or attack more effectively.
How will quantum computing impact security?
To understand the impact of quantum computing on cyber security you have to understand that most cyber security is based around the principle of encryption.
Encryption is the process of taking a piece of data and performing a process on it that is irreversible without knowledge of the process.
In practice this means taking a key, or a piece of code, running an encryption program with that key and then sharing the key with the person you want to read the data who can then use the same program and key to read it.
Each stage of this process requires computing power, the size of the key directly affects the time that it takes to encrypt and then decrypt the information. Security processes are chosen with this practicality in mind, I don’t want to wait 1 month to read my emails, so the process needs to be fast enough to match the service being delivered.
Due to this factor, there is a current upward practical limit for key sizes and how much computing power it is allowed to use. However, if we reach a quantum computing situation where the amount of computing power scales massively, then so too will encryption potential and the potential of brute force attacks.
What is a ‘brute force’ attack?
A brute force attack is where a piece of encryption is broken without knowing the encryption key, but instead by trying multiple combinations until the key is found.
Encryption is designed with this in mind, which is why you get the common idea that a certain key size will take say 100 years for a current computer to brute force the access key. The practical limit of encryption is based on a reasonable medium between computing power and time needed to encrypt data and the amount of time it takes to brute force the key.
Of course, this changes when quantum computing comes into play.
How will quantum computing change brute force attacks?
On the surface, quantum computing shouldn’t change the nature of brute force attacks massively. As more computing power is made available to brute force attack, more power is also made available to encrypt and protect against that.
However, there are a few considerations here:
- Malicious actors may develop and gain access to quantum computing power before others. It’s easy to imagine a situation where a malicious entity has a research breakthrough, before their competition and begins to attack them successfully.
- Development of a new technology does not mean broad scale consumer rollout, so while companies might have access to the technology, how do you also protect smartphones/home desktops etc.
- Data that is created now, will still be stored when quantum computing is more widely available. Meaning sensitive information being shared now, can potentially be accessed much more easily in the next 10-20 years. This is called ‘Harvest now, Decrypt’ later.
Will quantum brute force attacks break cyber security encryption?
The short answer is yes, the long answer is yes, but not for a long time. It will be highly dependent on the level of encryption placed on the data and the key length.
Much of the confusion with quantum computing – and many other new technologies – is that people view them as a new level or a transition, someone invents quantum computing and suddenly it is super-fast and everywhere. In reality, it functions like a wave that never breaks, building power and changing over time.
The first quantum computers that make it to the market might be fast but will not be fast enough to break the highest level of encryption.
It all really comes down to processing power and maths. There is a calculation as to how much processing power it would take to perform a brute force attack and there is a key length that makes it impractical to do that attack. Currently available encryption methods would still take the currently forecasted quantum computers centuries to break despite their increased speeds.
Using simple numbers, if a computer was capable of 1 calculation a day, you would set the key length to require 100,000 calculations, so it would take 273 years for the computer to break that encryption, assuming it did nothing else for those 273 years.
However, if the computer suddenly can do 2 calculations a day, then suddenly it would only take 137 years. The industry has been comfortable in this pattern because the increase was linear, computers would grow X% more powerful and encryption could be increased by X%. Quantum is a technology that enables exponential growth, so instead of going 1, 2, 3, 4, 5, instead it might go 10, 20, 40, 80.
But, if you make that original number, the number of calculations required to break the key at a high enough amount, you have a large amount of growth in power needed before it becomes practical to break that key.
It’s hard to accurately predict the level of growth as its hard-to-understand what quantum growth in computing speeds might enable in computer research. However, experts believe they can plot the trajectory of the technology and plan for it.
So, there shouldn’t be an immediate threat to cyber security just because quantum computing is available, and experts and companies are putting practices in place to protect data even in a post-quantum world.
But there are still concerns about ‘Harvest Now, Decrypt Later’.
What is ‘harvest now, decrypt later’?
‘Harvest now, decrypt later’, is the idea that data that is currently being generated can be harvested and stored until it can be decrypted by more powerful computers later.
This is relevant only if the timescales align, for example, if data is generated now, but cannot be decrypted for 50 years, is it still valuable? Some types of data, e.g., personal information or conversations about people still alive might be, but operating information from businesses likely wouldn’t be.
This is a big factor in calculating cyber security risk from quantum encryption, if the technology doesn’t arrive for 10 years, and your company operates in 3-5 year strategies then you might not need to be anxious about the risk from quantum until we get closer to the technology being available.
But many companies and countries do have long-term strategies and documents that are secret, and that need to be protected for the long term, this is where ‘harvest now, decrypt later’ becomes a real consideration.
Companies need to understand a realistic timeline for the development of quantum computing and determine whether their encryption practices will stand the test of time. The goal isn’t to make data that can never be decrypted but just to guarantee that by the time it is decrypted it is no longer relevant.
However, there are some interesting approaches being designed with current technology that could offer protection from brute force threats. One example is security-focused database sharding.
What is database sharding?
Database sharding is the process of splitting a database up into multiple sections that can then be hosted on multiple machines.
Originally its purpose was to allow the management and control of large data sets by breaking them into manageable chunks, or to enable storage of large datasets across multiple machines rather than having to own a huge, centralised piece of storage hardware.
However, with quantum computing it is taking on a new aspect as people look to new methods to secure their data.
How can database sharding protect against quantum cyber security threats?
Database sharding can protect against quantum cyber security threats by creating shards that are independent, contain no whole pieces of data and have no knowledge of other shards.
Looking at groups conducting guerrilla campaigns across the world, and at some criminal organisations, we can see the power of ignorance when applied to the broader structure. What an individual doesn’t know, they cannot tell.
This same principle is being applied to data base shards. Normally, even though a database is sharded it is still closely interconnected to enable maximum functionality and to allow the database to function as a whole. Each part of the database is connected and understands its relationship to the other parts of the database.
However, this is not necessarily the case. It is possible to build a database with shards that do not know they are part of the central whole. Each individual shard of the database would contain no complete information and contain no information about the locations of other shards. Breaking into one of the shards of data would deliver nothing, no information, and no leads.
Somewhere there would be a centralised system that could reassemble the database from the pieces and deliver the data to the end user, but that system could be protected, isolated, and secured more than a whole database.
This is an interesting approach to security, but it is not practical for the majority of users, as we are talking about a complex and potentially slow system. However, there may be certain situations where this is a necessary step.
How should companies prepare for Quantum cyber security threats?
There are some practical steps that companies should consider preparing for quantum cyber security threats, such as:
When it comes to quantum encryption and cybersecurity, there are still unknowns and many things that might happen or could be a threat. However, none of these things will happen overnight, and as much as quantum computing may be used to attack it will also be used to defend.
So, much like any new development in security in the last 10 years, quantum is a risk, but one that can be understood, planned for, and mitigated.
It’s important that companies understand the threats, take them seriously and be prepared to change things if needed, it’s not currently an urgent problem to be responded to, but it should start to be on the agenda at companies of all sizes. Even smaller companies can ask what encryption they use, and how secure they are.
While this is not a threat that requires immediate action, it is one that will require some action, and unfortunately ignorance is not protection. So hopefully this article has helped shed some light on the development of quantum cyber security and its implications for companies.