In the second in his series of collaboration blogs, Senetas CTO Julian Fay explores the emergence of the quantum computer and the implications for data security.
If you believe some of the more excitable media coverage of late, you might think that the entire internet (and our digital economy) is facing an imminent extinction event; one posed by the dawn of quantum computers.
Quantum computers, unlike classical computers, are based on the properties of quantum mechanics and behave very differently to the computers that we all have at home.
In a classical computer a binary digit (bit) is the basic unit of information and can be either a ‘0’ or a ‘1’ at any time. The equivalent in a quantum computer, a qubit, can be both a ‘0’ AND a ‘1’ at the same time. This mind-boggling concept is known as superposition and allows quantum computers to do some amazing things that classical computers can’t.
It’s unlikely that any of us will have quantum computers in our homes to send emails or play video games. However, at some point in the future there will be many large-scale quantum computers in existence that will be used for optimisation tasks, such as predicting the weather or searching quickly through huge data sets. This is where the trouble may lie.
It turns out that some of the optimisations that quantum computers are best suited to can drastically reduce the security of common encryption algorithms that are used today.
An example of this is clever bit of maths called Shor’s algorithm. If run on a sufficiently powerful quantum computer, it would effectively render all asymmetric cryptography useless overnight.
Shor’s algorithm has already been practically demonstrated on a small scale, but is unlikely to pose a practical threat for many years until a powerful enough quantum computer can be built. Opinions differ as to when this is likely to happen. Many experts think there’s a better than even chance of it happening in the next fifteen years and one thing is for sure, large companies such as Google are throwing hundreds of millions of dollars into research in this area.
So, while there’s probably no need to panic just yet, it’s prudent to start thinking now about possible risks to your organisation. One suggestion is to consider doing a Quantum Risk Assessment: https://globalriskinstitute.org/publications/3423-2/
The purpose of a QRA is to provide an organisation with an understanding of the extent of its quantum-related cybersecurity risk; plus, a timeframe within which quantum-enabled threats are likely to emerge.
Professor Michele Mosca from the Institute of Quantum Computing in Waterloo has put together a six-phase process for addressing the quantum threat. It starts with identifying the most important assets that need protection through encryption, defining their digital shelf life (how long they need to remain secure under encryption) and developing a risk profile for the organisation.
Even if you’re a cynic and think that a viable device is still many decades away, the exercise of going through a QRA is still worthwhile; because identifying your crown jewels and understanding their exposure is always useful.
It’s a brave person who bets against the tide of progress. When Google’s GO playing AI DeepMind beat the human world champion last year, it was seen as a major breakthrough that happened years ahead of expectations. When it comes to our digital security hope is not a strategy.