Quantum Technology is a Blessing for Information Security

Martijn Dekker
Apr 1, 2022

The rise of quantum technology is a blessing for information security as it will force us to replace current security controls with inherently secure ones, but only if we embrace this technology now.

Security by complexity

Information security is concerned with protecting the confidentiality, integrity and availability of data. In the current age of digitalization, it is clearly a topic of great interest to many. If, for instance, hackers can compromise the integrity of a payment transaction by changing the beneficiary account, they can commit fraud. Information security professionals have used cryptographic methods to make sure hackers cannot read or change payment transactions. Many systems in the world rely on cryptography for their security.

It is good to realize that cryptography is not inherently secure. It is only secure in the sense that it would probably take so much time for anyone to decrypt an encrypted text (without knowing the key) that by that time (say, after the heat death of the universe) the information obtained is no longer confidential or valuable. Of course, decrypting with the key is very easy, so hackers also try to steal or guess keys. Securing the keys is therefore crucial, as is secure key generation. I will say more about this later.

I can say in general that many security measures currently in use have a similar characteristic: they are designed to make sure that breaking the measure (say by decrypting without knowing the key) is a hard problem. And the hardness is determined by the complexity of the reverse computation required. Often that complexity is also determined by the amount of randomness included in the algorithm (for example the randomness used in key generation).

How hard a problem is depends on the tools that you have available. Currently we use classical computers and their computing capabilities. But we know that some problems that are hard for classical computers today will be easy for a quantum computer. In particular, Shor’s algorithm reduces many cryptographic methods to not-so-hard problems for any actor able to use a quantum computer. Therefore, many security professionals, including myself, used to consider a quantum computer a kind of nuclear bomb: it would destroy security as we know it.

A Quantum Computer is not a Nuclear Bomb

Forward-thinking information security professionals started reviewing all their security controls, looking for the hard classical mathematical problem each derives its security from, and replacing that problem with one that is also hard for quantum computers.

In the case of cryptography, researchers have been looking for new cryptographic methods that would be resilient against a quantum computer. And such candidate methods have been found.

Having such quantum resilient methods does not solve the issue in itself. Replacing a cryptographic scheme is not an easy task in practice. In larger IT estates, such as those operated by large organisations like banks, this is a huge effort and in general it takes years. IT professionals have experience with replacing cryptography in their machines. I have experience doing that, and we all know that crypto agility, the ability to quickly adapt or replace cryptographic systems, is extremely low in larger IT systems and even lower in embedded systems like the Internet of Things.

So we are seeing a shift in thinking by security professionals about quantum technology: no longer should they see quantum computing as a nuclear bomb, but as a curable disease, and the cure is quantum resilient crypto. But then security professionals started to worry about time: how long until a viable quantum computer will be there, and do we have enough time, given our low crypto agility, to replace all our crypto? A good example that illustrates this worry is the replacement of the Secure Hash Algorithm SHA1 by SHA256. SHA1 was demonstrated to be weak in 2005, but only in 2017, 12 years later, did web browsers stop accepting it.

So I think that even if such a viable quantum computer is still at least 10 years away (which is in my opinion likely), the time to act is now. Companies and organizations must start to replace their cryptography with quantum resilient cryptography now. This is very urgent. There is no law, or external factor such as popular web browsers no longer working, that forces you to start re-encrypting, so it is important that companies develop an internal sense of urgency. And you can replace those cyphers without incurring (too much) extra cost by embedding the replacement into the lifecycle management of your assets. You should also re-encrypt your archives, by the way. In fact, quantum computing is not the biggest threat to cryptography, regardless of all the current hype. Cyphers are being compromised or demonstrated to be weak all the time. Improving crypto agility is a must regardless of quantum technology.

From Approximate Security to Inherent Security

And while this shift took place, I also noticed another shift in my own thinking: a realization that the security controls that we are so proud of today are in fact compromises. They do not provide real security; they only provide an approximation of security, or they only delay a breach until the asset that needs to be protected is probably no longer critical. A security control that derives its effectiveness from a problem being hard is bound to be broken over time. For example, by Moore’s law, which simply states that classical computers become twice as fast every 18 months. Or by the discovery of new classical algorithms that show that the problem was not so hard after all.

We have seen hackers, over and over again, not shying away from doing the hard and complex work and finding ways of cracking a hard problem, even on classical computers.

For example, hackers have been able to avoid the problem of decryption without knowing the key by finding ways either to steal the key or to guess it. Remember that I said earlier that randomness is used to generate random keys. But to be honest, we only have pseudo random generators currently. And hackers have sometimes been able to guess keys by understanding the bias in these pseudo random number generators. Defenders tend to think this is too difficult and assume security, and this attitude must change.

We talk a lot about quantum computing, but quantum technology provides a wide range of applications of which computing is, in my mind, only the endgame. Other applications are quantum communication and quantum sensing. Both are also relevant for information security, and therefore for our digital society as a whole.

Quantum communication is the technology that enables one to set up inherently secure communication channels. Inherently means that the receiver of information from this channel will know, always, whether anyone else has been able to eavesdrop on the communication. So, it is an inherently secure channel in the sense that it is tamper proof. Of course, as soon as the receiver detects someone is eavesdropping, he can close the channel and set up a new one. While quantum computing is still at least a decade in the future, practical quantum communication will be here in only a few years.
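An added illustration, not part of the original speech: a toy simulation of BB84, one well-known quantum key distribution protocol (the text above names no protocol, so that choice is an assumption). It shows why measuring photons in transit leaves an error rate the receiver can see; the 5% abort threshold and all function names are hypothetical.

```python
import random

ABORT_THRESHOLD = 0.05  # assumed tolerance for ordinary channel noise (illustrative)

def measure(bit, prepared_basis, measured_basis, rng):
    """Same basis returns the encoded bit; a different basis yields a coin flip."""
    return bit if prepared_basis == measured_basis else rng.getrandbits(1)

def sifted_error_rate(n_photons, eavesdropper, seed=1):
    """Error fraction among photons where sender and receiver used the same basis."""
    rng = random.Random(seed)  # drives the simulation only; never use for real keys
    kept = errors = 0
    for _ in range(n_photons):
        bit, send_basis = rng.getrandbits(1), rng.getrandbits(1)
        flying_bit, flying_basis = bit, send_basis
        if eavesdropper:
            # Measuring forces the photon into whichever basis the listener chose.
            tap_basis = rng.getrandbits(1)
            flying_bit = measure(flying_bit, flying_basis, tap_basis, rng)
            flying_basis = tap_basis
        recv_basis = rng.getrandbits(1)
        recv_bit = measure(flying_bit, flying_basis, recv_basis, rng)
        if recv_basis == send_basis:  # bases are compared publicly, the rest discarded
            kept += 1
            errors += recv_bit != bit
    return errors / kept if kept else 0.0

def channel_accepted(n_photons, eavesdropper):
    """Receiver's decision: keep the key only if the sampled error rate is low."""
    return sifted_error_rate(n_photons, eavesdropper) <= ABORT_THRESHOLD

if __name__ == "__main__":
    print("quiet channel error rate: ", sifted_error_rate(4000, False))
    print("tapped channel error rate:", round(sifted_error_rate(4000, True), 3))
    print("tapped channel accepted:  ", channel_accepted(4000, True))
```

In this model an untouched channel gives no errors at all, while a listener who measures every photon pushes the error rate to roughly one in four, which is the signal for the receiver to close the channel.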

But there is more. Next to quantum computation and communication, quantum technology provides new ways to sense position and time. Quantum sensing provides ways of actually sensing movement and the passing of time. Now why is this relevant for security? There is a clear use case in military security. All modern armies have weaponry, like guided missiles and drones, that relies on GPS signals for its proper functioning, while at the same time any modern army has GPS jammers to try to deflect incoming missiles. So it is clear that any army that can build autonomous weaponry that can navigate GPS-challenged battlefields will have an advantage. This is why the USA Department of Defence invests billions of dollars every year in quantum sensing. This technology is actually here.

But next to the military use case, just think of companies, such as oil companies, that rely on robotics and the Internet of Things in their plants and oil pipelines. All these technologies that protect and monitor their operations rely on GPS. Another example is the dependency of GSM networks on accurate time measurement for their correct working. So those Chief Information Security Officers should be looking at quantum sensing technology.

Quantum technology also provides true randomness. Remember that current cryptography relies on random key generation but we are only able to create pseudo random keys and hackers have been able to guess the key by understanding the bias in our generators. No matter how hard or complex it is to decrypt without the key, once you can guess the key, there is no security.
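An added example (not from the original speech) of the point made here and in the earlier paragraph on guessable keys. It assumes a hypothetical generator that seeds Python's non-cryptographic `random` module with the Unix time in seconds and compares it with the operating system's generator via `secrets`; the function names and timestamp are constructed.

```python
import math
import random
import secrets

def weak_key(seed: int) -> bytes:
    """128-bit key from Mersenne Twister; fully determined by the seed (weak by design)."""
    return random.Random(seed).getrandbits(128).to_bytes(16, "big")

def strong_key() -> bytes:
    """128-bit key drawn from the operating system's entropy source."""
    return secrets.token_bytes(16)

def effective_bits(candidate_seeds: int) -> float:
    """Real strength of a seeded key: log2 of the number of seeds that could have been used."""
    return math.log2(candidate_seeds)

def find_seed(key: bytes, window: range):
    """Audit check: does any seed in the window reproduce this key?"""
    for seed in window:
        if weak_key(seed) == key:
            return seed
    return None

# Constructed scenario: the key was created at some second within a known hour.
HOUR_START = 1_648_771_200
WINDOW = range(HOUR_START, HOUR_START + 3600)

if __name__ == "__main__":
    key = weak_key(HOUR_START + 1234)
    print("nominal bits: 128, effective bits:", round(effective_bits(len(WINDOW)), 1))
    print("seed that reproduces the key:", find_seed(key, WINDOW))
    print("OS-generated key reproduced: ", find_seed(strong_key(), WINDOW))
```

The key is 128 bits long either way; what differs is how many possibilities stand behind it, which for the time-seeded generator is fewer than 12 bits' worth.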

Quantum technology provides ways of building true random generators. As with all quantum technology, this is not easy, but we should not shy away from doing the hard and complex work, as it will provide truly secure cryptographic key generation.

Quantum is a Blessing

Although information security professionals should be proud of the controls they have built and the level of security we have brought to our society, the rise of quantum technology highlights that those controls provide only approximations of security that suffice in the classical space, but not in the quantum space. At the same time, those very quantum technologies provide new controls that provide inherent security, not approximate security.

To leverage this inherent security, information security professionals, the defenders, need to do what our attackers have been doing for years. Information security professionals should not shy away from doing the hard and the complex work. They should start to learn about quantum information, quantum communication, quantum computation. They should learn quantum technology.

This is urgent, because quantum technology is the final technological revolution. Once humans learn how to use the very fabric of spacetime for computations, there is no technology beyond that. There is no technology beyond quantum technology that will allow security professionals to repair the security of the quantum internet. So, we have to get it right the first time. We have to embrace quantum security now.

“there is no technology beyond quantum, so we have to get security right the first time”

The rise of quantum technology is a blessing for information security as it will force us to replace current security controls with inherently secure ones, but only if we embrace this technology now.

This blog is based on a speech given by the author at the Barleaus Diner, November 2019, of the Amsterdam Institute of Advanced Study, Amsterdam.

Martijn Dekker

Martijn has a PhD in pure mathematics and is a top executive, scientist and CISO with more than 25 years of experience pushing the limits of information security.