The rise of quantum computing may soon enable us to solve complex real-world issues like the climate crisis and drug discovery more quickly. By harnessing the laws of quantum mechanics to process information in a fundamentally new way, quantum computers can solve certain business problems beyond the reach and speed of conventional and classical computers.
However, quantum computers could also cause havoc as they can compromise existing cryptographic systems, putting secure communications and data protection at risk.
The RSA algorithm is one of the common cryptographic systems used to encrypt and decrypt messages over the Internet with public and private keys. It uses the product of two selected large prime numbers as the encryption key, and only the person who knows the prime factors of the key can decrypt it. What makes this challenging is that the key size is recommended to be at least 2,048 bits or 617 digits long, so it would take a classical computer trillion of years to find the prime factors from the key and break the RSA encryption.
Given their superior computational power, quantum computers are expected to break the RSA encryption easily. “A number of encryption schemes widely used on the Internet are today based on the assumed difficulty of certain computational problems, such as factoring a number into its constituent primes, which turn out to be relatively easy for quantum computers to solve. The net result of this is that many of the protocols used to encrypt data, securely establish encryption keys, or digitally sign documents today, are vulnerable to attack by quantum computers,” says Joe Fitzsimons, CEO of Singapore-based Horizon Quantum Computing.
Tech research and advisory firm Forrester estimates that quantum computing will render existing cryptographic systems ineffective for protecting sensitive information in the next five to 30 years. But organisations should take steps to be resilient to quantum threats now.
Armando Dacal, group vice president for Asia Pacific and Japan at the digital security company Digicert, explains: “It is critical to act now to minimise the risk of ‘harvest now, decrypt later’ attacks, where attackers collect confidential encrypted data to store until they can decrypt it using quantum computers.
See also: 80% of AI projects are projected to fail. Here's how it doesn't have to be this way
“Businesses failing to address this threat risk exposing sensitive information, financial data, and customer details to exploitation. This could lead to data breaches, financial losses, damage to reputation, and legal repercussions. Moreover, failure to adapt to post-quantum cryptography could result in a competitive disadvantage.”
Encouraging the shift to quantum-safe
Several countries globally have taken steps to encourage the development and adoption of quantum-safe technologies.
See also: Responsible AI starts with transparency
In the US, President Biden has signed a National Security Memorandum to mitigate the risks of quantum computing to national security. Meanwhile, the European Commission is working with all 27 EU member states and the European Space Agency to design, develop and deploy a secure quantum communication infrastructure spanning the European Union, including its overseas territories.
As for Singapore, it has been conducting nationwide trials of quantum-safe communications technologies to enhance network security through its National Quantum-Safe Network (NQSN) initiative since 2022. NQSN builds on more than 10 years of quantum research efforts from the Centre for Quantum Technologies (CQT) and is hosted by the National University of Singapore (NUS). Under the initiative, universities, companies and government agencies work together to demonstrate the technical feasibility of deploying quantum-safe technologies, such as Quantum Key Distribution (QKD), to protect against quantum computing risks.
Researchers at the NQSN. Photo: Centre for Quantum Technologies, NUS
To further realise the vision of a quantum-safe Singapore, the Infocomm Media Development Authority (IMDA) has appointed Singtel, SPTel and SpeQtral to develop nationwide, interoperable quantum-resistant networks under the National Quantum-Safe Network Plus (NQSN+) programme.
Scheduled for a mid-2024 launch, Singtel’s NQSN+ will employ modern quantum-safe technologies such as QKD, which is a secure method for distributing encryption keys only known between shared parties, and post-quantum cryptography, a new, advanced form of encryption algorithms that are protected against attacks from quantum computers.
To stay ahead of the latest tech trends, click here for DigitalEdge Section
We are securing our data networks from advanced quantum threats for our [business] customers and giving them easy access to solutions to safeguard their critical data in the quantum age.
Ng Tian Chong, CEO, Singtel Singapore
He continues: The quantum-safe network will leverage Singtel’s managed network services and fibre network with selected exchanges stipulated as trusted nodes to establish a reliable, secure and resilient nationwide quantum key distribution network. This enables enterprises to secure their communications across the island and extends quantum-safe security to new use cases and applications such as identity, mobility and authentication services."
Who’s at risk?
Organisations operating and storing large volumes of data with long shelf lives are at higher risk of quantum attacks, especially the ‘harvest now, decrypt later’ attacks.
Industries such as healthcare, financial services, governments and critical infrastructure are some of the most vulnerable to this threat due to their reliance on sensitive data and long-term security requirements.
Armando Dacal, group vice president for Asia Pacific and Japan, Digicert
He also shares that the Internet of Things (IoT) and financial services sectors are most eager to embrace quantum-safe solutions. “Those are the right verticals to be active right now because of the high assurance requirements for financial institutions, and the long trust lifetimes of IoT. It would be great to see more interest from the healthcare space, but that space is very much driven by minimal compliance and the relevant regulatory standards haven’t been updated yet.”
Miles Upton, regional general manager for Asia at Cambridge Consultants (part of Capgemini Invent), also observes that the financial services sector is among the first to look at quantum-safe solutions. He says: “Having recognised the industry-wide challenge of transitioning to quantum-resistant security, financial institutions and industry players are fostering cross-company cooperation in association with the regulators to build a resilient and secure ecosystem for the quantum age.”
To encourage more financial institutions to embrace quantum-safe solutions, the Monetary Authority of Singapore (MAS) released an advisory cautioning financial institutions on the cybersecurity risks associated with quantum computing last month. It also highlighted some of the measures financial institutions should consider in their journey towards quantum-resilience.
Quantum-resilient algorithms
There are currently two approaches to mitigating quantum security threats, according to Associate Professor Alexander Ling from NUS’s Department of Physics. He is also a principal investigator at the Centre for Quantum Technologies and lead principal investigator for Singapore’s NQSN.
The first approach is to find new mathematical problems that quantum computers cannot solve or find a one-for-one replacement for the mathematical problem we use in encryption today. Such problems can be used for post-quantum (or quantum-resistant) cryptographic algorithms (PQC). While there has been progress in this area led by some government agencies globally, Ling notes that bad actors will find flaws with those algorithms as soon as they are announced, so there will be an ongoing effort to find and develop quantum-resistant algorithms.
Horizon Computing’s Fitzsimons believes this “mathematical/algorithm” approach will require a long time. He says: “A number of quantum-resistant encryption algorithms have been proposed that can be implemented on conventional computers without modification. But these derive their security from computational assumptions, and we do not know for sure that there are no quantum algorithms that might break these schemes.
There are also quantum cryptography schemes, which derive their security from the laws of physics and are not vulnerable to computational attacks. However, such schemes do not yet provide a full replacement for the existing cryptographic infrastructure that we have become reliant on.
Joe Fitzsimons, CEO, Horizon Quantum Computing
The current lack of standards also hinders the mass adoption of quantum-safe algorithms. Cambridge Consultants’s Upton says: “Quantum-resistant encryption algorithms that utilise alternative mathematical problems have already been developed. However, the lack of an industry standard has prevented their proliferation till now. The National Institute of Standards and Technology [NIST] in the US is driving the standardisation process of these encryption algorithms, and it is expected to publish its initial standards in Q2 this year. Once published, we expect to see more compliant PQC technology to help mitigate the immediate quantum risks.”
The hardware approach
The second approach is hardware-based and looks at QKD, which uses fundamental quantum mechanics principles to facilitate secure communication without interception.
So, if two data centres want to exchange data between them, they can install a quantum transmitter and quantum receiver to generate encryption keys to encrypt the data transferring back and forth. This is quite viable over relatively short distances like that in Singapore when [those devices are] linked by an optical fibre.
Associate Professor Alexander Ling, NUS’s Department of Physics
In line with this, Ling and his team at NUS and CQT are building up a testbed for quantum transmitters and receivers to show that they can work reliably in Singapore. However, he notes that quantum hardware is not the final solution to becoming quantum-safe; the hardware must be used in conjunction with complex mathematical problems as part of the network to help organisations improve their cyber defence capabilities in a cost-effective manner.
Organisations, adds Ling, should also embrace a multi-layered defence-in-depth strategy to fortify their data protection against future advances in decryption methods and tools. One way of doing so is to gain cryptographic agility or crypto-agility, which is the ability to adapt and switch cryptographic algorithms seamlessly and efficiently.
Cambridge Consultants’s Upton agrees that crypto-agility will be vital in a post-quantum world. “Having an upgradable security design architecture [will help] mitigate quantum computing risks. Building systems with ‘sell-by dates’ will enable timelier updates to new, more robust algorithms as threats evolve.”
Sharing the same sentiment, Digicert’s Dacal says: “As businesses transition their algorithms, it is crucial to incorporate crypto-agility, or reduce the time necessary to replace current cryptographic algorithms with quantum-safe algorithms. This can be achieved by maintaining visibility into cryptographic keys and assets and adopting centralised crypto-management strategies consistently across the enterprise with accountability and ownership.”
Moreover, Dacal believes crypto-agility could help reduce outages and operational costs, and with strategic changes like mergers and acquisitions. “Forward-thinking organisations that have invested in crypto-agility will also be better positioned to manage the transition to quantum-safe algorithms when the US NIST releases the final standards in 2024.”
Getting started
Since early quantum-safe solutions are available today, what should organisations do to become quantum-resilient?
Upton believes organisations should set a clear and realistic roadmap in their transition towards quantum computing to avoid merely buying into the hype.
They can do so by:
- Auditing existing security infrastructure and paying special attention to areas relying on asymmetric cryptographic schemes, given their heightened susceptibility to quantum attacks;
- Understanding the potential consequences of why these cryptographic schemes may fail (such as loss of confidentiality), and how it might affect the business, and subsequently prioritise vulnerability fixes;
- Identifying where ready-made PQC tech could be applied to mitigate any imminent risks before committing to developing a custom solution to solve specific vulnerabilities;
- Taking advantage of readily available solutions, implementing ‘quick wins’ to address immediate vulnerabilities, and developing detailed roadmaps for deploying more complex custom solutions and long-term strategies.
Organisations with large numbers of embedded systems utilising public key infrastructure are bound to face a tougher challenge in transitioning towards quantum-safe measures
Miles Upton, regional general manager for Asia, Cambridge Consultants (part of Capgemini Invent)
He continues: Quantum applications are mostly implemented by third-party partners, such as Capgemini, which helps to smoothen the process by providing businesses with tried-and-tested quantum systems, strategic roadmap and domain knowledge. This also enables overall cost and time savings by ensuring that employees can continue to focus on safeguarding existing infrastructure.”
Enterprise customers in Singapore can consider subscribing to Singtel NQSN+ as a complement to their existing data network or as a new quantum-safe data network that Singtel fully manages.
“Singtel NQSN+ enables customers to integrate the service into their existing networks seamlessly. Using compatible encryptors, we will help customers implement quantum-resistant encryption and monitor its status and operations. With our experience in managing large, complex networks, customers can expect minimal disruption to existing business operations when migrating to the quantum-safe data network,” says Singtel’s Ng.
Becoming quantum-safe involves a complex transition process likely to last several years. Given the availability of quantum-resilient solutions/services today and that governments are expected to release final PQC standards soon, organisations must act now to gain crypto-agility and proactively fortify their cyber defences. That way, they will be ahead of malicious actors exploiting quantum computers to supercharge hacking.
