What is the roadmap to a quantum-safe future?

Representation of a quantum chip
(Image credit: Shutterstock)

In recent months there have been flurries of activity surrounding the development of quantum computers and our push towards supremacy – from Google’s ‘time crystal’, to a breakthrough from Sydney researchers that will help us control millions of qubits as quantum computers scale.

Yet despite the almost constant updates and breakthroughs, the roadmap to a quantum future is still based on what is, at best, a “loose” timeline. Last September IBM took a stance and stamped a date on it. It claimed that quantum computing is set to go mainstream by as soon as 2025, and it even laid out a roadmap for how it intends to get there.

About the author

Duncan Jones is Head of the quantum cybersecurity division at Cambridge Quantum.

But what is the roadmap for not only getting to a quantum future, but a quantum-safe future? A future in which the advancements being made in quantum computing don’t surpass, or come at the expense of the security that underpins our very way of life. A scenario which is being dubbed the “quantum cryptography apocalypse” and which is currently a matter of when, not if.

Apocalypse now?

It’s widely known that quantum computing challenges traditional cybersecurity. So many of the encryption methods we use today, even the most advanced and complex, rely on the fact that classical computing is unlikely to ever have the capacity or power to crack them. Yet quantum computing has the potential to, and at some point in the future likely will.

The issue is that because we don’t know when this threat will become an immediate concern, many organizations, including those which make the very technologies that are at risk, aren’t taking this threat as seriously as they ought to be. The key to getting them to take it more seriously is to highlight just how much time they have left to sort it, and the way to do that lies in Mosca’s Theorem.

Proposed by quantum expert Michele Mosca, the theorem effectively says that if the time we want our data to remain secure for (X), added to the time it takes to update algorithms and processes to be quantum secure (Y) is greater than the time it takes to develop powerful quantum computers (Z), it’s time to panic. Or: “If X+Y > Z, then worry.”

Although this seems simple, it’s a complex equation to evaluate and depends on each organization's current position. Plus, notably, it relies on knowing the value of Z. If we take the example given by Google’s CEO back in February, then we have five to ten years. Other estimates place it closer to 20.

If we err on the side of the latter, is it really going to be possible to upgrade and prepare entire countries, organizations, businesses in time? The answer lies in taking a deeper look at Mosca’s Theorem and how we use quantum technology itself today to unlock quantum-safe cryptography tomorrow.

X: The amount of time we want our data to remain secret for

While individual organizations will be at different stages in the Mosca equation, and while most people are obsessing over the figure of Z, it’s much more helpful to take a broad look at where we are in regards to the X+Y.

Generally, the data that organizations own and handle, from financial records to intellectual property, needs to remain sensitive for years, and there is some information, for example health data, that we would want to be private forever.

Organizations need to be evaluating now both how long their existing solutions can keep this data secure for and how long will it take to upgrade these systems, to make sure the data remains secure and secret long into the future.

Y: How long will it take to change?

The solution to the quantum threat takes two forms: a change to quantum-safe algorithms, plus a change to quantum-proof key generation methods. The former has been the main focus for a number of years because there is still some debate about what form these new quantum-safe algorithms should take. Not only to protect current systems from the quantum threat, but to protect future systems.

Since 2012, for example, academics, experts from governments, and industry giants, including Intel, Microsoft and Cisco, have been meeting annually to discuss these solutions, as part of ESTI’s Workshop on Quantum-Safe Cryptography.

More recently, the National Institute of Standards and Technology (NIST) launched its post-quantum cryptography “competition”. It called on experts to submit algorithms that are “capable of protecting sensitive information well into the foreseeable future, including the advent of quantum computers.” A total of 82 initial proposals were received and as of July 2020, this has been narrowed down to seven finalists. It is expected that the final standard will be refined and announced by 2024 at the latest.

For many companies, the “Y” period will not begin until this standardization is complete and even then, NIST has warned that changing algorithms may take decades. This is because the new algorithms are not necessarily drop-in replacements. The new algorithms may not have the same performance or reliability as legacy algorithms due to differences in key size, signature size, error handling properties, number of execution steps required to perform the algorithm, key establishment complexity, and so on.

It’s also because many information systems lack what NIST calls “crypto agility.” That is, they haven’t been designed to support rapid changes or adaptations of new cryptographic algorithms without making significant changes to the system's infrastructure. This is especially problematic in scenarios such as industrial IoT, where devices are deployed for decades and their hardware security cannot be upgraded in the field. 

Quantum-proof key generation

Fortunately, the second part of the solution – quantum-proof key generation – has taken huge leaps forward in recent years. We’re even at the stage where such quantum-proof key generation is commercially available, using the phenomenon of quantum entanglement to produce random numbers and create keys that are not only provably unpredictable but provably unobserved and unsimulated. The protocol is inherently self-testing, meaning that it can only generate keys that are truly random. The keys are so perfectly random, even the most advanced quantum computers in the future will be incapable of predicting or simulating them.

Other firms, including Amazon, are similarly putting resources behind this concept. Although their work isn’t yet suitable for cryptography – due to the fact it’s not private, and doesn’t currently perform self-testing to check for errors – it demonstrates that if such a behemoth like Amazon believes in the importance of quantum randomness, it’s time for businesses of all sizes to take notice. Which leads us back to Mosca’s Theorem and the very real need for businesses to start considering when, and how they’re going to prepare for the inevitable.

There are very few ways of looking at Mosca’s Theorem where the equation isn’t screaming at us to panic. This is why the most forward-thinking, switched-on companies are already working on building quantum-safe solutions before any algorithms are standardized, and is why those companies will likely survive the quantum cryptography apocalypse and their rivals could be left in the dust.

At TechRadar, we've featured the best business VPN.

Duncan Jones is Head of the quantum cybersecurity division at Cambridge Quantum.