Is quantum computing ready to disrupt cybersecurity?

Where is quantum computing currently?

One aspect causing a lot of confusion is that quantum will not replace current silicon computing. Quantum doesn't do traditional tasks any better. Rather, it promises transformation around optimization and solving certain algorithms faster. But when will we get there?

Quantum computing is at least five years away from having an impact on technology. And analysts expect it will be an additional five years until it disrupts cybersecurity.

"Quantum computing is approximately at parity with the classic computer," said Mark Horvath, analyst at Gartner. "We see this improving rapidly."

Gartner's August 2021 emerging technologies report predicted that quantum computing will begin providing better optimization results in 2026. Financial and shipping companies will reap the earliest benefits, with use cases such as stock market simulation and delivery route optimization. And in 2029, quantum supremacy -- when quantum computers can measurably solve problems faster than classic computing -- will be reached.

"The best way to put it is we're beyond a research product, but we're not at a commercial product," said Jack Poller, analyst at Enterprise Strategy Group, a division of TechTarget. "A lot of the work is being done at universities and research think tanks. IBM and other big companies are investing in it. Quantum computing requires tens and hundreds of millions of dollars in investments."

Vendors have started announcing their quantum processors. In 2019, Google said it had a 54-qubit processor. In November 2021, IBM announced it developed a 127-qubit quantum processor. Also in November 2021, QuEra Computing, a Boston startup, claimed to have a 256-qubit quantum computer.

We don't yet know the exact number of qubits needed for quantum supremacy. In 2019, Google researchers claimed to have hit it with its 54-qubit processor, but others predict it may need closer to 300 qubits.

Physics is currently the limiting factor for quantum computing.

"People ask me if government X or state actor Y have a huge quantum computer that can decipher everything. The answer is absolutely not," Horvath said. "The state of physics that you need to build such a machine does not exist yet. It will -- and we're working on it."

How quantum computing threatens cybersecurity

The full extent of how quantum computing affects cybersecurity isn't yet known. There are, however, two areas in which quantum computing can threaten cybersecurity that experts are discussing today.

The biggest worry is that quantum computing can break current RSA cryptography. Quantum computing's efficiency may enable it to solve certain algorithms -- including RSA -- faster.

"It's part of operations of complexity," Poller said. "Maintaining the key so nobody else can decrypt your data is based on the mathematical principles of prime numbers. To extract the key requires a complex math problem. If the key is large enough, it won't happen in our lifetime. Say I give you a big enough key and the world's largest [classic] computer. It would still take over a lifetime to decode, making it worthless to you. With quantum computing, you can take advantage of specific algorithms to shrink that time down because the order of the number of operations becomes less."

Two such quantum algorithms that could crack RSA are Shor's algorithm and Grover's algorithm. These quantum algorithms won't immediately break RSA, but will begin to break it down over time. Stored data using current encryption would be most at risk because it would be secured by older encryption that quantum could eventually break.

"That's kind of a hard conceptual thing for people to get their minds around," said Merritt Maxim, vice president and analyst at Forrester. "That's where the threat from quantum is. It means the risks actually increase over time as quantum gets more mature and relevant."

A second quantum computing cybersecurity issue is hackers using it to masquerade attacks, Poller said. These quantum computing attacks could have different behaviors and signatures that slip past current detection software.

"The first set of attacks will be hard to recognize," Poller said. But similar future attacks will be quickly detected and stopped. "It's always a cat-and-mouse game between attackers and defenders," he added.

How quantum computing could improve cybersecurity

Quantum computing isn't all doom and gloom for cybersecurity. Some industry experts are optimistic about quantum computing and have identified two areas where cybersecurity could get a boost: privacy and stronger encryption methods.

In terms of privacy, privacy-enhancing computing (PEC) techniques keep data encrypted while in use and provide in-transit and at-rest protections. Gartner's "Top Strategic Technology Trends for 2022" report noted that PEC methods have matured due to hyperscalers using trusted execution environments and vendors increasing individual security efforts. With PEC, competitors could potentially work together while keeping all data confidential. Data privacy is a hot-button topic. PEC could help solve privacy issues in use cases such as medical record protection and internal analysis.

Related to PEC is the second benefit of strong encryption methods, namely homomorphic encryption, which Horvath called the most interesting aspect. Homomorphic encryption enables third parties to process encrypted data and provide results without ever having knowledge of either.

Homomorphic encryption can use lattices, or multidimensional algebraic constructs, which quantum computing can't solve easily. Experts believe lattice-based cryptography could be the best replacement option for current algorithms.

"What lattices let you do, for example, is pick a number to be encrypted, let the program run the encrypted number until it gets something back, then use some decryption to unlock that," Horvath said. "It looks to you as though the number we're running through the program was clear. But the people who run the program never saw what the number was; they only saw the encrypted version. Because of the math properties of homomorphic encryption, this allows you to compute things without needing to decrypt or read. This is powerful because now suddenly a bunch of web services that have access to your private data can still be run."

How should companies prepare for quantum computing?

While the technology isn't quite there for true quantum computing, it's fast approaching. Companies don't need to immediately leap to action, but now is the perfect time to learn how quantum will affect businesses.

To get started, take inventory of cryptography currently in use.

"Quantum computers are going to be used to design more quantum computers, and that's going to lead to new types of encryption and security protocols," Horvath said. "We're looking at a world where we may be replacing encryption or hashing algorithms every four to five years. Establish policy around this and get used to learning what quantum computing is capable of doing."

There aren't any approved cryptographic methods to replace RSA yet. NIST is reviewing potential algorithms, with round three finalists announced in July 2020. The European Commission established a consortium in June 2021 to create secure critical infrastructure and government communications with quantum.

For now, companies can start to lengthen current encryption keys. For example, companies using 256-bit should go up to 512-bit keys, thus increasing the time it would take to break encryption. File size restrictions will cause issues eventually, but it's a good stopgap until new cryptography algorithms are ready.

"If you double the length of the existing key, you'll increase its strength for about another 10 years," Horvath said. "The problem with doing that is that it doesn't work forever."

Another step is to start thinking about the shelf life of data to figure out exposure time, Maxim said. "How long do you plan to store this data? Is it driven by regulations or in healthcare where you can't delete it?"

After answering these questions, consider when quantum computing will be available and able to break the encryption used.

"This essentially gives you what your exposure time might be," Maxim said. "For example, if regulations require data storage for 10 years and you think a quantum computer will be out in five years, your exposure time is five years."

From there, determine tolerable exposure times for the data and consider how long it would take to migrate to a newer, safer encryption standard.