Why quantum computing is a security threat and how to defend against it [Q&A]
Quantum computing offers incredible computing power and is set to transform many areas such as research. However, it also represents a threat to current security systems as cracking passwords and encryption keys becomes much easier.
So quantum is a security threat, but is there a way to make systems safer? We spoke to David Williams, CEO of symmetric encryption specialist Arqit, to find out.
BN: Why are current encryption techniques no longer adequate?
DW: First, public key cryptography was not designed for a hyper-connected world, it wasn't designed for an Internet of Things, it's unsuitable for the nature of the world that we're building. The need to constantly refer to certification providers for authentication or verification is fundamentally unsuitable. And of course the mathematical primitives at the heart of that are definitely compromised by quantum attacks, so you have a system which is crumbling and is certainly dead in a few years' time.
A lot of the attacks we've seen result from certifications being compromised, certificates expiring, certificates being stolen and abused.
But with the sort of computational power available from a quantum computer, blockchain is also at risk. If you make a signature bigger to guard against it being cracked, the block size becomes huge and the whole blockchain grinds to a halt.
BN: Where did you start to look for a solution?
DW: The person who solves this will become very successful, so in 2017 we began an innovation journey. The tech that we had back then most definitively did not work, it didn't solve the problem. What we now have is a product which is called Quantum Cloud. It's just a lightweight software agent that's 200 lines of code that can be delivered from the cloud and it can be downloaded into any device. We can put it into an IoT sensor, or a battleship, it doesn't matter, it's the same software for all devices.
What that software does is it creates keys for groups of devices that want to communicate securely, so it could be two or 20 or 2000 devices, and they all undergo a process whereby they create a brand new symmetric encryption key, which they then use to communicate securely. We know that symmetric encryption key is computationally secure. A symmetric encryption key is just a long random number, and even a quantum computer in future will not be able to crack it in less than billions of years. Symmetric encryption keys have been used for decades, delivered by human courier, and therefore the algorithm to use such keys is already built into the world's software systems which means there's no great change required for the world to adopt the use of this technology.
We didn't invent symmetric encryption keys, we invented a way to distribute them securely.
BN: Can you give us an idea of how this works?
DW: Imagine two end points in London and New York who want to create a secure channel. Each device talks to a data center in its city. In each location there are Hardware Security Modules (HSMs) which have identical sets of the encryption key data. That data is put there by 'satellites' which use a quantum protocol to deliver that information in a method that we can demonstrate is provably secure.
Think of the data centers as buckets, three times a day the satellites throw some random numbers into the buckets and all data centers end up with an identical bucket full of identical sets of random information. So, the endpoints talk to the data centers, which have a conversation and they agree on some information or clues to send in common to the end points, without actually knowing what that information is. In a very clever mashup of those clues, and the existing data that they have on their devices, the end points then create simultaneously a brand new random number.
BN: Is this available today?
DW: The satellite technology is still a couple of years away, currently the root source of random numbers is delivered to data centers by a random number generator in a data center, through some terrestrial mechanisms, which is regarded by our customers as secure today. It's not quantum safe yet, but the network gets upgraded in two years' time when the quantum satellites launch and the whole thing becomes quantum safe.
BN: How will it tie in with a zero trust world?
DW: Conventionally with satellite quantum encryption, you can either be zero trust or you can be global, you can't be both. Well that makes the whole thing a bit pointless because the internet's global. Our technology is simultaneously zero trust and global. So, in our protocol the satellite is never trusted with the key, an individual receiver is never trusted with the key. It is a zero trust system. But secondly, the endpoint software adds another layer of zero-trust functionality. The data centers never have the key, the key is never created somewhere else and distributed. The key is created locally on the device, and therefore there is no other device in the network which we're trusting with the key. Therefore, the software protocol is also zero trust.
BN: Will the end user logging into their bank or VPN see any difference?
DW: It's unlikely that a consumer will ever see the operation of our new software, you won't see it sitting on your device called 'Arqit's product', it will be baked into other people's applications and it will be a seamless experience for the average customer.
BN: Are there wider applications for the technology?
DW: One of the things we're most excited about is JADC2 (Joint All-Domain Command and Control), which is basically the military Internet of Things. This involves lots of devices that need to operate in dynamic environments. You can't possibly give every single device that you might feasibly want to communicate with a set of keys to cope with every possible scenario; it's simply impossible. And in JADC2 we have to rely currently on old-fashioned public key cryptography.
But if every device can just download the lightweight Quantum Cloud agents, then as soon as you agree that drone needs to talk to that satellite, which needs to talk to that other commander, they just set up a brand new key dynamically in real time. We can create unbreakable and trustless keys in the moment that they're needed and we can change the access rights.
Of course the same problem is also solved in the enterprise and for consumer devices. So yes, the application of our technology is everything, everywhere. There is no application we've ever thought of where the technology can't make things stronger and simpler.