Quantpocalyse Now: Preparing For Y2Q

Is China’s quantum-computing success a national-security threat?

David Braue

Melbourne, Australia – Sep. 26, 2022

Encryption is our strongest defense for data that needs to be kept away from prying eyes, but advances in quantum computers mean a simple math problem could compromise data encryption as we know it — and, if China parlays its recent progress into a quantum advantage, precipitate a massive power shift as long-held secrets are exposed to the world.

Cybersecurity specialists have been warning about the dangers of what is being called Q-Day or Y2Q — the point when still-evolving quantum computers become powerful enough to brute-force today’s encryption algorithms — but what was once a long-term blip has become a near-term threat after China debuted a usable quantum computer in August.

The promise of usable quantum computers has propelled a new quantum race between China, the United States, and European Union, where scientists are capitalizing upon recent advancements in quantum techniques to advance the state-of-the-art at a dizzying pace.

For all the promise of quantum computers to make short work of immensely complex challenges in drug design, natural-resources exploration, engineering, and other tasks, quantum computing is “a blessing and a curse,” Alissa “Dr Jay” Abdullah, PhD, deputy chief security officer & SVP of Emerging Corporate Security Solutions at Mastercard and a long-time math enthusiast and educator, recently told Cybercrime Magazine.

The curse? Modern encryption’s reliance on a math concept you probably learned in the fourth grade: factoring, in which you find two numbers that can be multiplied to produce a third number (the factors of 24, for example, are 1, 2, 4, 6, 12, and 24).

Contemporary public/private key systems like RSA use random, extremely large prime numbers to generate cryptographic “keys’’ for encrypting and decrypting emails, websites, messaging traffic, video calls, and more.

Today’s 256-bit encryption offers 115,792,089,237,316,195,423,570,985,008,687,907,853,269,984,665,640,564,039,457,584,007,913,129,639,936 possible combinations.

That’s 115,792 trillion trillion trillion trillion trillion trillion possible combinations — and even the world’s current fastest computer, which can perform 1,102 trillion calculations per second, would take trillions of trillions of years to guess the decryption key.

“Cryptography relies on the difficulty of factoring, and the time-consuming nature of factoring for classical computers,” Abdullah explained. “From a mathematical perspective, we thought that we’ve been able to encrypt data and it’s going to be lasting us for perpetuity — but actually, perpetuity is coming to an end.”

That end is now worryingly close: due to the strange and promising power of quantum physics, once Q-Day is upon us quantum computers will be able to accomplish the same task within seconds or minutes — leaving any encrypted data theoretically vulnerable.

There are even concerns that nation-state and private-sector cyber criminals may be stockpiling encrypted data for the day they can crack it open and sell or utilize its secrets.

Heading off the quantpocalypse

The doomsday scenarios around quantum have driven concerns that the technology has become the subject of a new arms race, with The White House announcing two presidential directives in May to accelerate quantum-computing research.

The implications of losing the race are “frightening to consider,” noted Theresa Payton, former CIO at The White House, who recently penned a Newsweek editorial warning that the U.S. is losing the quantum race to China.

“The cybercrime we have today is not even anywhere near the type of cybercrime we could potentially be facing tomorrow, depending on quantum computing only being in the hands of a few and not being commercially available.”

If countries like China provide nation-state groups with access to quantum computers, Payton added, “their ability to crack pre-quantum computing encryption, take information, then put it into PQC and run away with it — and even our ability to detect and even know what they took — will be greatly hindered.”

“It is possible that [quantum computers’] capability could be somewhat exaggerated, but until everything is allowed to be opened to academic peer review, which it hasn’t been, we don’t really know for sure.”

The potential worst-case scenarios are concerning indeed.

If quantum computing gives China access to state secrets and encrypted military communications, “we’ve got real problems,” warned longtime security expert Gordon Lawson, a former Navy officer who is now CEO and founder of security-by-obscurity firm Conceal.

“Our [military] forces have to be able to communicate securely and in an encrypted fashion,” he said — and with growing fears of a potential conflict with China already tainting that relationship, losing that secure capability would have “real disadvantage on the geopolitical front in terms of a potential conflict.”

Non-military businesses faced their own challenges if encrypted intellectual property, customer records, employee information or other sensitive material were ever rendered decryptable by quantum computers — but with post-quantum cryptography (PQC) still in early days, Lawson said, “there has to be continued help from the government side to ensure that we’re keeping up and maintaining the standards.”

That burden is particularly important in the context of cloud-based computing environments, Lawson added, since they are fast becoming the repositories of the secrets of the world’s business and government communities.

Developing a defense for encrypted data “has to be at the forefront for those commercial cloud providers and how we as a vendor community interact with them,” he said, “because if encryption gets affected at that layer, we’ve got real problems.”

Has China got our number?

In planning for the worst-case scenario, the National Institute of Science and Technology (NIST) has been working for years to test and approve quantum-proof postquantum cryptography (PQC) algorithms that can be retrofitted onto existing encryption tools — yet despite announcing four final candidates in July, the final standards aren’t due until next year at the earliest.

After that, it will be up to businesses and governments to upgrade every part of their data infrastructure that touches encryption — and in today’s day and age, that means nearly everything.

In the shorter term, Lawson said, businesses need to “be clear about assets and intellectual property that we need to do a better job of safeguarding…. A lot of CEOs aren’t going to be able to directly influence the United States’ ability to develop quantum faster, but they can take a stronger stance towards protecting their own data, and making sure that the right controls are in place.”

“They need to not be naïve about the threat from particular nations when it comes to stealing data.”

Ultimately, as nations continue racing towards Q-Day, their success or failure around quantum computing will shape the nature of information warfare moving forward — and that alone, Payton said, is enough to justify a centralized government response.

“The countries that win the war in quantum technology and corner the market,” Payton said, “are going to be the countries with both economic prosperity but also will hold the keys to ensuring that privacy and security of data is in place.”

David Braue is an award-winning technology writer based in Melbourne, Australia.

Go here to read all of David’s Cybercrime Magazine articles.

About Conceal

Conceal provides a capability that protects people and critical assets against the most advanced threat actors in the world. We are fundamentally changing the approach to cybersecurity by creating a platform where security practitioners can see the latest threat vectors and implement enterprise-wide solutions that comprehensively protect their organization.

With our Conceal platform, we take those core capabilities and evolve them into a commercially available product that incorporates intelligence-grade, Zero Trust technology to protect global companies — of all sizes — from malware and ransomware.

Conceal is leading the fight to protect enterprises from cyber threats — if there is malware, we detect, defend and isolate it from users and the network.