Security experts and governments around the world should rightly be concerned about the perils of quantum computing in the future.
A lot of headlines and recent events have driven focus on the risks, as well as opportunities, provided through the innovations of Artificial Intelligence. In the background, however, another form of advancement yields equally worrying data security and privacy risks. This technology — quantum computing — has the ability to forever change our world, through the acceleration of optimisation, machine learning tasks and how we implement integrity of trust in securing communication and data.
Quantum computing represents a profound seismic shift in the current capabilities of supercomputers. It is not bounded by the limitations of current digital computers and uses properties inherent in quantum mechanics — the property of being in multiple states at once rather than binary. This particular distinguisher has the ability to support society through complex problem solving, improvements to material science and artificial intelligence enhancement.
The computational power of quantum computing poses a particular risk in cryptography. The cryptographic protocols used to protect data rely on mathematical operations which are difficult to reverse. The vastly improved powers that quantum computing offers could overcome the computational barriers to breaking typical encryption protocols in use today. Those powers could be deployed to decrypt encrypted data which is already in the hands of bad actors, or to break the encryption protocols protecting data in transit.
Whilst a small number of experimental quantum computers exist today, the technology is still in its embryonic stage and subject to many challenges including the degree of errors it generates. Not to mention that the cost of quantum computers limits access to the technology for both research institutions and commercial entities.
It is therefore surprising that a recent post by Dr Ed Gerck, Founder Planalto Research, Chief Scientist and ZSentry architect, claims to have used quantum computing to break a widely used encryption key, RSA-2048, with low cost and accessible equipment. Those claims have yet to be independently and robustly verified. Whilst there have been some great strides in the overall advancement of quantum computing, driven by academic institutions, technology firms, investors, and government initiatives, breaking an encryption key for RSA-2048 in the way Gerck reports would be a true turning point.
In his post, Gerck speaks to using a system of "simultaneous multiple-state logic" to carry out quantum computations. Gerck further mentions this was all carried out using commercially available cellphone technology and a Linux desktop distribution. Furthermore, Gerck has quoted it only cost $1,000 to overcome the complex hurdles of quantum computing. An amount that seems like a drop in the ocean compared to the hundreds of millions of dollars governments and private industries have invested into bringing quantum computing to fruition.
Whilst this could be a breakthrough if true, many experts have been cautious about the findings and are seeking further details to back up the claim. Currently, only an abstract of the research paper has been published online which claims to have discovered a novel way to deduce prime factors required to break RSA without special equipment.
Without the details of the paper, it is difficult to see how this would be possible at all. It may be that this is a theoretical piece of work. Only an actual demonstration against an RSA-2048 would prove otherwise.
So where does this leave us, and more importantly what are the consequences to data privacy and security from it?
Whether Gerck's claims materialise or not, security experts and governments around the world should rightly be concerned about the perils of quantum computing in the future.
Quantum computing has the potential to unlock and render encrypted communication on a mass scale. This has profound implications on a national security axis but also to everyday individuals. Encrypted data that has been breached in cyberattacks would now be crackable in a matter of moments rather than the near infinite number of years estimated by the very best supercomputer power today.
Given that the 'state of the art' is an important touchstone in the security obligations imposed by both the UK and EU GDPR, the prospect of a significant breakthrough in quantum computing, and its implications for encryption and data security should not be ignored. There are already examples of communications providers enhancing their approach to encryption to stay ahead of the potential developments in quantum computing. For example, users of Signal's messaging service will shortly benefit from a new encryption protocol which combines encryption strategies to protect against both digital and quantum computing. The risk of so called 'harvest now, decrypt later' attacks only serves to illustrate the need to stay ahead of the curve.
Work is currently underway by government and big businesses to switch to quantum-resistant methods. In a timely manner, the UK's National Cyber Security Centre (the "NCSC") has just published (3 November 2023), a white paper on "Next steps in preparing for post-quantum cryptography". This guidance provides details on how operators of Critical National Infrastructure should prepare for post-quantum cryptography. In a not too dissimilar vein, the U.S Government has mandated switch over dates under the Commercial National Security Algorithm Suite (CNSA) 2.0.
It is fully suspected that businesses will follow suit in due course with regulatory and framework standards requiring to account for when mass commercial proliferation of quantum computing comes into effect, particularly when in the hands of a malicious actor.
Irrespective of whether Gerck's claims are true, at CyXcel we believe there is no place for complacency. Cyber security is a continuous endeavour and prevention will remain the best form of protection against the risks posed by advancing technologies. Our unique blend of technical, consulting, and legal expertise all under one roof means we can help you get under the skin of your organization to strengthen your security and reporting mechanisms for the future.
CyXcel — the edge when it matters.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.