“Quantum Particulars” is an editorial guest column featuring exclusive insights and interviews with quantum researchers, developers, and experts looking at key challenges and processes in this field. This article, which focuses on quantum-secure encryption, was written by Denis Mandich, CTO and Co-Founder of Qrypt.
While 2023 was an unprecedented year for generative artificial intelligence (AI) – from the widespread public use of AI with ChatGPT to the rise of malicious large language model (LLM) engines like WormGPT and FraudGPT for cybercriminal activity – the impact is limited compared to the threat quantum poses to our collective privacy.
I believe that quantum computers will come online within the next five years just as Google CEO, Sundar Pichai predicted. Qubit counts have doubled nearly every year since 2020. IBM has been following this trajectory with a recent announcement of the largest transmon-based quantum processor yet with 1,121 functioning qubits. A team from QuEra, Harvard and MIT has also produced a 48 logical-qubit error-corrected quantum computer capable of reliable operations. We are in the era of true quantum computation. These advances have paths that promise to scale to much larger devices that can fill a data center. But these aren’t happening in a silo. I expect this pace of quantum advancement to continue, making it possible for quantum computers to run more and more complex calculations than ever previously possible.
But it’s a double-edged sword. Time and time again we see that as technology advances – much like with AI, or even the transition to cloud – cybersecurity threats also advance and become more complex forcing security leaders to rethink their cyber protocols and priorities.
The Harvest Now, Decrypt Later Attack Method
This is why security and business leaders need to take quantum computing advancements seriously. Quantum risk is not a future problem but a now problem. The reality is that our data is vulnerable to “Harvest Now, Decrypt Later” (HNDL) attacks now. Today, sensitive data is secured through Public Key Infrastructure (PKI), RSA, and Elliptic Curve Cryptography (ECC) methods for secure key exchange. But as quantum computing advances these encryption methods will soon become obsolete as the symmetric keys used to encrypt data and the data encrypted with those keys become exposed to quantum risk.
Cybercriminals are already collecting and storing encrypted data with the intention of decrypting it later for actionable insights and financial gain. In September, there were revelations that Chinese government-backed hackers, a group called BlackTech, have been infiltrating routers to gain undetectable backdoor access to the networks of companies in the U.S. and Japan.
The HNDL attack method is and will remain one of the highest potential payout attacks in 2024 as the cost for malicious actors to store stolen data is minimal, and the possible financial value is very high. Why wouldn’t cybercriminals prioritize attacks of this nature? Targeting low-level access points will pay dividends as the entry operation to more high-value assets like over time. Data like DNA or other genetic data, weapons data, corporate secrets and intellectual property have long-lasting value that is worth the wait of quantum computing advancements to gain access to.
So, what’s the answer? True post-quantum cryptographic solutions. The transition to post-quantum cryptography will be much more complex, however, than the past cryptographic transitions – many of which are still in process and began when digital networks infrastructure was tiny by comparison. It took over twenty years for the advanced encryption standard (AES) to replace data encryption standard (DES) and 3DES, which was previously the gold standard but has since been compromised and recognized as an insecure encryption algorithm and was depreciated in December. I anticipate the move to PQC will take at least a decade, but more likely twenty years, so this transition needs to start now.
The Public Sector Shift to Post-Quantum Cryptography
Since the transition will take decades, there’s heightened urgency to address quantum security risks now. I anticipate that this year, we will see more standardization of and transition to post-quantum cryptography across critical sectors and governments. NIST will issue new Post-Quantum Cryptography (PQC) Standards following its initial draft published in August. The National Quantum Initiative Act reauthorization will also continue making its way to the House floor for a vote in the coming months, with a goal to transition the U.S. from quantum R&D to actual application.
The Impact of SEC Disclosure Rule on Quantum Security
On the private sector side, security leaders and CISOs will be held to an even higher standard given the new Securities and Exchange Commission’s cybersecurity reporting rules, which states that if and when a cyber breach occurs, organizations are mandated to publicly report cyber incidents within four business days after determining the incident was material.
To avoid not only the security and operational repercussions, but also potential reputational damage, this means that CISOs and cybersecurity leaders will need to monitor systems more closely for HNDL attacks. Organizations should conduct an audit of their cryptographic systems to understand what encryption methods are in use across their businesses today, know where the encryption keys are stored, evaluate the risk with each cryptographic system and ultimately begin the transition to quantum-secure encryption methods as soon as possible. This will be an ongoing effort to make this adjustment, but an important one to ensure the security of critical data now before quantum computers are exploited by bad actors to decrypt sensitive information.
The rapid advancements in quantum computing present great opportunity, but also pose an imminent and profound threat to our collective data privacy and security. This year is poised to bring regulatory measures and a heightened awareness of the quantum threat, but malicious actors are already getting their hands on sensitive data. The transition to quantum-secure encryption needs to begin now.
Qrypt CTO and co-founder, Denis Mandich, focuses on quantum security, R&D, post-quantum encryption (PQC) algorithms, and standards bodies. He holds several patents in cryptography, cyber technologies, and information processing. Denis is a founding member of the Quantum Economic Development Consortium (QED-C), a founding member of the NSF-funded Mid-Atlantic Quantum Alliance (MQA), an industry advisor to the first NSF-IUCRC-funded Center for Quantum Technologies (CQT), advisor to the Quantum Startup Foundry and former board member of quantum chip manufacturer Quside. Before joining Qrypt, Denis served 20 years in the US Intelligence Community working on national security projects, cyberinfrastructure, and advanced technology development. He has degrees in Physics from Rutgers University and speaks native-level Croatian and Russian. He publishes extensively on the quantum threat to national economic security.