Quantum computing attacks – An increasing threat to business
Given the shockwaves resulting from the leaking of memos from Britain’s ambassador to the USA, the need to protect such information for long periods of time has been starkly brought into focus. Although the suspect for the leak has yet to be formally identified, it seems that the exfiltration method was ‘crude’ and that the leak is likely to have come from an individual with access to historical files.
While the repercussions of this diplomatic incident at the highest level are yet to play out, there is no doubt that this information leakage issue has caused significant problems for the U.K. government and has potential implications for its commercial organisations trading with the USA.
But how much should other government departments and ordinary commercial businesses be concerned about improving the protection of their files to reduce the growing risk of financial damage caused through fines and lost business due to reputational damage?
If you imagine that the potential for such leaks is magnified by technological developments allowing those with malice aforethought to break the confidentiality of data files encrypted using cryptography thought to be unbreakable within a conceivable timeframe, and consider that this could affect not just central government data but data held by commercial organisations of all sizes as well, then there is real cause for concern for all.
Recent research has thrown up some worrying theories that warrant our attention sooner rather than later since they may not remain theoretical for very much longer.
Issues around protecting file confidentiality and the need for encryption
For any organisation, there are a range of possible technical controls available to protect sensitive historical information from being leaked, with access control and data loss prevention being the most obvious and widely deployed front-line defences. However, supporting controls including key management and encryption are also essential for long-term protection of data files, which expand massively where subject to longer retention periods.
Over time, in an information-rich environment it becomes difficult to rely on access control and data loss prevention alone as individuals join and leave, get promoted or move around different departments and vast amounts of data are transferred, referenced, stored and archived across different systems when performing data management.
Even assuming the decryption keys and the physical environment (building etc.) are well secured and the staff are properly vetted and monitored, there remain vast amounts of data files facing the threat of cryptanalysis if attackers gain access to internal files held within or transmitted between government organisations and, increasingly, organisations of all kinds.
Consequently, encryption becomes an essential backstop control: even if a file is available to an unauthorised individual, the data within it is encrypted, so the individual cannot see its contents without access to the appropriate encryption keys, and the material is protected by encryption algorithms robust enough to resist cryptanalysis aimed at obtaining the data without the key.
Quantum computers operate on completely different principles to existing computers, which makes them really well suited to solving particular mathematical problems, like finding very large prime numbers. Since prime numbers are so important in cryptography, it’s likely that quantum computers would quickly be able to crack many of the systems that keep our online information secure. Because of these risks, researchers are already trying to develop technology that is resistant to quantum hacking, and on the flipside of that, it’s possible that quantum-based cryptographic systems would be much more secure than their conventional analogues – Abigail Beall and Matt Reynolds – Wired Magazine.
The origins and application of Quantum Computing applied to data encryption
Quantum physics has remained a hot topic of conversation ever since scientists began recognising, a couple of centuries ago, that matter could not be neatly divided into particle-like and wave-like forms. The term was first used in Johnston’s paper “Planck’s Universe in Light of Modern Physics” (1931), building on Max Planck’s description of quantised energy back in 1900 and Einstein’s later description of ‘energy quanta’ in his seminal paper “On a heuristic viewpoint concerning the emission and transformation of light” (1905). The discussion continues today in papers which further challenge our classical understanding of the world by providing evidence of the existence of concepts fundamental to quantum computing, such as entanglement.
Without quantum algorithms, breaking RSA 2048 codes is considered practically impossible: factoring the resulting 617-digit number would take today’s desktop compute power around 6.4 quadrillion years – beyond the predicted end of the Universe – and even with the most powerful computers on the planet, the range is in the billions of years.
However, re-examining the original ground-breaking 1994 research of American mathematician Peter Shor, Martin Ekera of the KTH Royal Institute of Technology, Sweden, modified the original quantum algorithm to enable the factoring of the products of large prime numbers far more efficiently than classical computing models, which struggle to break ‘trapdoor’ algorithms because it takes them a long time to work in reverse and find out which two numbers were multiplied to arrive at a given number.
Who is at risk from quantum computing attacks and when are they likely to become a reality?
Data files belonging to government and defence organisations are obviously most targeted by actors employing advanced cryptanalysis, such as foreign intelligence services and domestic politically-motivated internal attackers; however, organisations that hold sensitive data files about individuals (such as healthcare, social services departments, criminal justice records, nuclear energy, etc.) are also increasingly at risk.
National cyber defence organisations of the leading global powers monitor developments in cryptanalysis closely, and have assessed the current and future ability of quantum computing to recover data encrypted by current ciphers and key lengths, such as RSA with 2048-bit keys, to ensure these are capable of protecting the information for a suitable length of time (after which disclosure ceases to be embarrassing or dangerous), which needs to be 25 years or more in many cases.
Since 2014 the theory has been that a quantum computer would require a billion ‘qubits’ to break RSA 2048, and reaching that number seemed possible based on the progress of real-world experimental quantum devices built in 2012 (factoring 143 using four qubits) and 2014 (factoring 56,163 using 70 qubits), an average improvement of nearly 20 times per annum.
However, it turned out that this multiple exponential growth rate is not linear due to ‘noise’, and earlier studies anticipated that even with quantum computing being developed at the most optimistic predicted rates, it would still take decades to reach a level of maturity where RSA 2048 could be cracked, using quantum computers on an industrial scale, in a timeframe short enough (e.g. less than 25 years) to be considered a threat.
The latest research indicates that these previous estimates are out by orders of magnitude (requiring only 20 million rather than a billion qubits), identifying efficiencies which can be implemented by cryptanalysts using innovative techniques so that it will be possible to deliver an industrial device which can break RSA 2048 codes in a matter of hours, in a timeframe likely to be significantly less than 25 years.
Why should SMEs worry about the threat of quantum computing attacks to their data?
In the majority of non-government and defence organisations, this is unlikely to cause much concern: finding details of a commercial transaction older than a few years will be of little use to attackers, for example. However, given that the safety estimates have reduced so dramatically in just a few years of research, many commercial organisations should be feeling a lot less comfortable with today’s predictions. As the history of computing has revealed many times over, the rate of technological development in areas of significant interest to business has been hugely underestimated:
“I think there is a world market for maybe five computers.”
— Thomas Watson, chairman of IBM, 1943.
“There is no reason anyone would want a computer in their home.”
— Ken Olsen, president, chairman and founder of Digital Equipment Corp., 1977.
What can be done about the potentially devastating impact of attacks using quantum cryptanalysis becoming feasible more quickly than anticipated?
The good news is that there are quantum-resistant cryptography methods being developed (notably in the NIST Competition to select future quantum algorithms) which will be sufficiently resistant to cryptanalysis to redress the balance. Unfortunately, these are likely to require a significant investment in new technology to introduce and potentially involve high-cost write-downs of ‘non-quantum-ready’ technology purchased over the next few years, giving both government and commercial businesses something of a dilemma, especially since they are struggling to gear up to protecting themselves against today’s emerging cyber threats.
Mitigations could be to improve other areas of security, both technical and administrative (e.g. focus on access controls and carry out better staff vetting etc.)
Optimising IT don’t have quantum physicists among their staff, but we do have Cyber-security professionals who have been involved with the industry for as long as it has been in existence and can advise you on both long-term strategic decisions and short-term planning to ensure protection to the extent required (no more, no less) from the perspective of your business, rather than purely on the technology itself.
Contact the Cyber-security team on 0330 403 0011 to discuss your Cyber risk management needs.
Author: Graham Clements, Certified Information Systems Security Professional (CISSP), Senior Cyber-Security Consultant at Optimising IT.
1. https://theconversation.com/is-quantum-computing-a-cybersecurity-threat-107411 – Dorothy Denning, “Is quantum computing a cybersecurity threat?”, 17/12/2018
2. https://www.mailonsunday.co.uk/wires/ap/article-7245585/Leaked-UK-memo-says-Trump-axed-Iran-deal-spite-Obama.html – Mail Online, Associated Press, July 15th 2019
3. https://www.digicert.com/TimeTravel/math.htm – The Math Behind Estimations to Break a 2048-bit Certificate, Digicert
4. https://www.eurekalert.org/news-releases/698961 – “Where is it, the foundation of quantum reality?”, Dr. Pawel Blasiak, The Institute of Nuclear Physics Polish Academy of Sciences, Cracow, 11 October 2018
5. https://arxiv.org/pdf/1905.09084.pdf – Martin Ekera, “Revisiting Shor’s quantum algorithm for computing general discrete logarithms”, KTH Royal Institute of Technology, Stockholm, 23/5/2019
7. https://www.wired.co.uk/article/quantum-computing-explained – Wired Magazine
8. University of Glasgow (13 July 2019). “Scientists unveil the first-ever image of quantum entanglement”. Phys.org. Retrieved 13 July 2019