Last year’s news of Google achieving quantum supremacy, together with the growing early-stage offering of cloud quantum computing services, has put this new computing paradigm under the spotlight. Quantum computing is still far from mainstream adoption and is currently used mainly for research. Once it becomes commercially available at sufficient scale, it could break the public-key algorithms that protect most of today’s communications and stored data, threatening information security and privacy.
The paradigm of quantum computing stems from quantum mechanics, the field of physics that scientists began to explore at the dawn of the 20th century to study the behaviour of matter and light at the atomic and sub-atomic level.
In order to understand how a quantum computer works, it is helpful to see how it differs from a classical one. A classical computer, one that can be modelled by a deterministic Turing machine, uses the bit as its basic unit of data. Programs and data are encoded in binary, as strings of 0s and 1s, which the hardware represents as voltage levels that switch the transistors making up the CPU: 0 for “off” and 1 for “on.” A bit is therefore always in exactly one of two definite states, and every operation acts on definite values of 0 and 1.
A quantum computer, on the other hand, uses quantum bits, or qubits, as its basic unit of data. A qubit is not limited to |0⟩ or |1⟩: it can be in a superposition of the two, a state α|0⟩ + β|1⟩ in which each basis state carries a complex amplitude, and it resolves to a definite 0 or 1 only when measured, with probabilities |α|² and |β|². Superposition, together with entanglement between qubits, is what the laws of quantum mechanics make available to the programmer. For certain problems, algorithms that exploit these effects (Shor’s algorithm for factoring and discrete logarithms, Grover’s algorithm for unstructured search) achieve exponential or quadratic speed-ups over the best known classical algorithms, which makes some tasks feasible only through quantum computation; for most everyday computation there is no such advantage.
What are the implications for information security?
When it comes to information security, the advantage that matters is a specific one: Shor’s algorithm, run on a sufficiently large and error-corrected quantum computer, solves the integer factoring and discrete logarithm problems efficiently, and those problems are exactly what today’s public-key cryptography, and with it much of the internet’s security infrastructure, relies on.
Currently, most sensitive data transmitted over the internet is protected by a combination of public-key (asymmetric) and symmetric algorithms. In a public-key scheme each party holds a key pair: the public key is shared openly and the private key is kept secret. Anyone can encrypt a message under the public key that only the private-key holder can read, and the private-key holder can produce digital signatures that anyone can verify, which is how confidentiality, integrity, and authenticity are established between parties that have never met. Such algorithms are used, among other things, to secure online banking transactions, to sign and verify documents and software, and, in conjunction with symmetric encryption, to secure web browsing (HTTPS). Their security rests on the assumption that the private key cannot be derived from the public key. A sufficiently powerful quantum computer breaks that assumption: it recovers the private key from the public one, and with it every message and signature that key protected.
For instance, the Rivest-Shamir-Adleman (RSA) algorithm, the most widely deployed asymmetric scheme, is commonly used today with 2048-bit keys. According to an estimate reported by the MIT Technology Review, a 20 million-qubit quantum computer could factor such a key, and thus recover the private key, in just 8 hours [1].
Symmetric encryption is affected as well, though in a different way. A quantum computer running Grover’s algorithm can search a key space in roughly the square root of the classical time, which halves the effective key length: AES-128 would offer about 64 bits of security and AES-256 about 128, so the cipher itself survives if keys are long enough. The more serious problem is how symmetric keys are established. HTTPS (HTTP over TLS, the successor to the Secure Sockets Layer, SSL) uses public-key algorithms such as RSA or Diffie-Hellman in the handshake so that client and server can agree on the session keys that the Advanced Encryption Standard (AES) then uses to encrypt the traffic between them. If that key exchange can be broken, the session keys, and with them everything AES encrypted, can be recovered without attacking AES at all. This is exactly what Shor’s algorithm does to current key-exchange mechanisms. Because the capability does not need to exist at the time of capture, traffic recorded today can be decrypted once such a machine is available (“harvest now, decrypt later”), so long-lived secrets are already at risk.
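The following is an added example, not code from the original article, that makes the point of the last three paragraphs concrete: an eavesdropper records an RSA-protected handshake and the symmetric traffic that follows, and later, once the modulus can be factored, recovers the session key and reads the traffic without ever attacking the symmetric cipher. It assumes a toy 63-bit RSA modulus built from two primes, 2^32-5 and 2^31-1, so that Pollard’s rho (a classical factoring method) can stand in for Shor’s algorithm; a SHA-256 counter-mode keystream stands in for AES; and the session-key derivation only loosely mirrors the TLS 1.2 RSA handshake. The function names and the sample message are made up for the example.

```python
import hashlib
import hmac
import math
import secrets

# Toy RSA parameters: 2^32-5 and 2^31-1 are prime but far too small to be
# secure. Real keys use 2048-bit moduli; the tiny modulus is what lets a
# classical factoring routine stand in for Shor's algorithm below.
P, Q, E = 4294967291, 2147483647, 65537


def rsa_keygen(p=P, q=Q, e=E):
    """Return ((n, e), (n, d)): the public key and the private key."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), (n, pow(e, -1, phi))


def rsa_encrypt(pub, m):
    n, e = pub
    assert 0 < m < n, "message must be smaller than the modulus"
    return pow(m, e, n)


def rsa_decrypt(priv, c):
    n, d = priv
    return pow(c, d, n)


def stream_xor(key, nonce, data):
    """Stand-in symmetric cipher: a SHA-256 counter-mode keystream XORed into
    the data. It is not AES, but like AES it is never attacked here; only its
    key is. Encryption and decryption are the same operation."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + nonce + i.to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)


def derive_session_key(premaster):
    """Loosely models the TLS 1.2 RSA handshake: a random premaster secret
    carried under RSA is expanded by a PRF into the symmetric session key."""
    return hmac.new(premaster.to_bytes(8, "big"), b"session key", hashlib.sha256).digest()


def client_session(pub, plaintext, premaster=None):
    """Client side of the exchange. Returns everything that crosses the wire,
    which is exactly what an eavesdropper can record today."""
    n, _ = pub
    if premaster is None:
        premaster = secrets.randbelow(n - 1) + 1
    nonce = secrets.token_bytes(8)
    return {
        "enc_premaster": rsa_encrypt(pub, premaster),
        "nonce": nonce,
        "ciphertext": stream_xor(derive_session_key(premaster), nonce, plaintext),
    }


def pollard_rho(n):
    """Classical factoring (Pollard's rho). Fine for a 63-bit modulus, hopeless
    for 2048 bits; Shor's algorithm is what removes that limit."""
    if n % 2 == 0:
        return 2
    for c in range(1, 50):
        x = y = 2
        d = 1
        while d == 1:
            x = (x * x + c) % n
            y = (y * y + c) % n
            y = (y * y + c) % n
            d = math.gcd(abs(x - y), n)
        if d != n:
            return d
    raise ValueError("no factor found")


def recover_private_key(pub):
    """Given only the public key, factor n and rebuild the private exponent."""
    n, e = pub
    p = pollard_rho(n)
    q = n // p
    return (n, pow(e, -1, (p - 1) * (q - 1)))


def harvest_now_decrypt_later(pub, recording):
    """Attacker, at some later date: recover the private key, open the
    premaster secret, rederive the session key, decrypt the recorded traffic."""
    priv = recover_private_key(pub)
    premaster = rsa_decrypt(priv, recording["enc_premaster"])
    key = derive_session_key(premaster)
    return stream_xor(key, recording["nonce"], recording["ciphertext"])


if __name__ == "__main__":
    pub, _priv = rsa_keygen()
    # Constructed sample traffic; nothing here comes from a real session.
    recording = client_session(pub, b"POST /transfer amount=1000 to=IBAN...")
    print(harvest_now_decrypt_later(pub, recording))
```

Nothing in the attack touches the symmetric cipher: its key is simply handed over once the public-key layer falls. That is why the remedy is to replace the key exchange with a quantum-resistant one rather than to lengthen AES keys, and why data recorded under today’s handshakes stays exposed for as long as it remains sensitive.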
Additionally, this has regulatory implications, since organizations could fall out of compliance with data protection and privacy regulations. For example, Article 32 of the EU General Data Protection Regulation (GDPR) requires controllers and processors to implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, and explicitly lists encryption as one such measure [2]. Encryption that a quantum computer can break may therefore no longer count as “appropriate” in the eyes of the law.
The state of post-quantum cryptography
Mathematicians have…