How quantum computing could threaten IT security
“What could cause a digital Armageddon?” That is a popular question to pose to information and cyber security professionals, and when asked, I don’t hesitate: Quantum computing.
While the principles of quantum computing are certainly complex, at a high level, the risk from quantum computing can be understood fairly quickly. Unlike a digital computer bit, which can only be a zero or one, a quantum bit, or qubit, can be a zero, one, and everything in between—all at the same time.
For those who are not quantum physicists, this can be mind-blowing, but the result is that a quantum computer can solve certain problems so much faster that some previously thought to be nearly impossible to solve may soon be solved.
That may be good news for medical research, as investigators face a growing amount of complex data that must be manipulated to achieve breakthrough findings. However, such immense computing power is bad news for security.
For instance, it isn’t a question of if, but when, today’s cryptography that protects the Internet will be broken. Some experts have said that this is likely to occur in the next three to seven years—it’s just a matter of having enough qubits. It will likely take 100 to 300 qubits to fuel a quantum computer powerful enough to break the security. Working quantum computers with fewer qubits already have been developed.
In addition to governments like the United States and China, major companies such as IBM, Google and D-Wave are pursuing quantum computing. D-Wave already has quantum computers available for purchase commercially (including one with 2,000 qubits), but its systems are primarily useful for solving optimization problems, rather than for general purposes, and are not suitable for breaking cryptography.
IBM is working on a general-purpose quantum computer that likely would be suitable. Earlier this year, IBM announced that it had built a working prototype with a real quantum processor and 16 qubits. Google indicated that it had a prototype with 22 qubits.
Money plays a role, as quantum computers must be cooled to almost absolute zero (the temperature of outer space) to operate, making them very expensive and something that only large corporations and governments would be able to afford.
The underlying security of the Internet today is primarily based on the complexity of factoring large semi-prime numbers. Peter Shor’s quantum-factoring algorithm, which factors semi-prime numbers, has been around for 20 years, but it requires a quantum computer to implement. With today’s computers, it would take thousands and thousands of years to factor a large semi-prime, but with quantum computing, that timeframe is potentially slashed to minutes, and even seconds.
Not long ago, Shor’s algorithm was implemented on a small quantum computer with four qubits to quickly factor small semi-prime numbers (like the number 15), and it was able to do so in a matter of seconds. If replicated with a future, more powerful quantum computer to handle larger semi-primes like the ones that form the foundation used to encrypt the Internet, the security of the Internet would essentially be broken. This will occur as soon as a quantum computer is available with sufficient qubits.
Post-quantum cryptographic solutions have been proposed. NIST considers quantum crypto breaking a serious enough risk that it has issued a call for papers on the subject, with the deadline upcoming later this month. Experts and scientists have been working to find solutions that can be implemented into the Internet to replace the method we’re using now—hopefully before powerful enough quantum computers come out and disrupt the Internet’s security.
Likely because of the complexity of the scientific principles—you need to be a quantum physicist to have a true appreciation for Shor’s algorithm—this topic does not generate nearly as much attention as it should. At this stage, the risk from quantum computing is well-understood by top cryptographers, but by few others.
However, that will certainly change. Information security and information technology professionals, executives and boards should closely monitor the situation, follow how things progress with NIST, and begin giving thought to what could unfold in the coming years.
Ultimately, quantum computing could have staggering implications on our professions and society as a whole, transforming everything from space exploration to the financial markets.
In the meantime, the next time someone asks you what could cause digital Armageddon, you should not need to hesitate to come up with your response.
This post originally appeared on the ISACA blog.