In recent years, we have experienced numerous examples of the inability of our cybersecurity to resist hacker attacks. This includes successful attacks against both large companies and key national functions. The attack on the payment systems in the Danish 7-Eleven stores in August is the latest example, and—a few years ago—the English healthcare system was exposed to attacks that prevented access to patient records, calendars, etc. This led to the cancellation of all planned activities, and only patients with acute injuries were treated.
The threat to cybersecurity will not diminish in the coming years and will become even more relevant in connection with the imminent emergence of the supercomputer of the future: the quantum computer.
“Our current encryption and data security will not be sufficient at all when the first quantum computer becomes a reality. At present, the quantum computer is only at the prototype stage, but if the development continues as expected, usable quantum computers will become a reality within the next decades," says Assistant Professor Christian Majenz, DTU, who is one of Denmark’s leading experts in quantum cryptography.
New standards and protocols needed
The development means that virtually all our current encryption and IT security must be improved and secured against attacks from quantum computers. With a quantum computer, both individuals and foreign powers could do great damage to critical infrastructure in connection with a conflict or be able to access and make unauthorized use of highly personal data.
Improvement of IT security is a major task, not least in relation to the security connected with our use of the Internet. We know the current encryption as ‘https’, which is used in front of the website address and secures the connection between your PC and a website. This encryption—called TLS—consists of two parts. The first part is a so-called ‘handshake’, where your device and the server on the Internet exchange a cryptographic key so that a communication process can be initiated—for example that you are granted access to the content of the website.
“We would like to maintain this part of the encryption as unbreakable. Otherwise, it will be possible for a quantum computer to access sensitive data we don’t want published. For you as a private person, this may, for example, be data about your health which you find by visiting sundhed.dk. Or it could be classified state or military data,” says Christian Majenz.
Two important areas selected as the first
The US National Institute for Standards and Technology (NIST) is responsible for the standardization of cryptography to protect IT security in the United States and thus—in practice—also worldwide. The standardization ensures that all types of devices worldwide use the same algorithms and protocols when accessing the Internet. This applies regardless of whether the device is your doorbell or a giant server, and no matter where in the world the device is physically located. In other words, the standardization ensures a practical uniformity comparable to, for example, the size and design of screws, so that the same types of screwdrivers can be used in both Asia and South America. But standardization also ensures a much greater extent of testing for faults and errors than a single company could afford to perform.
NIST has just announced which quantum-proof cryptographic protocols will be the first to be standardized.
“Unsurprisingly, these are algorithms in two fundamental areas. The first is key exchange, which is used to secure a joint secret key for two parties which they can use for their communication and which a third party cannot calculate and thus break into. The second is digital signature. Using a digital signature protocol, a person can generate a key pair consisting of a private key and a public key. The person can then sign a document using the private key. This signature can be verified by others using the public key, which secures the identity of the signer,” says Christian Majenz.
“When the two cryptographic areas—key exchange and digital signature—are secured against quantum attacks, we’re already in a relatively good position.”
The work to standardize the quantum-proof cryptographic protocols means that researchers from all over the world are now starting to test and characterize the published algorithms. Some of the researchers will work to prove the security of the algorithms, while others will try to find vulnerabilities before the hackers do and thus gain access to data.
Christian Majenz belongs to the first group of researchers who—with the help of mathematical calculations—will theoretically prove the security. This requires not only a great deal of insight into and experience with the mathematical models to be used, but also with quantum theory as a whole.
“Our work to prove and hack the published algorithms will also enable us to reveal any holes. But this is precisely an additional purpose of our work, so that we can patch these and incorporate them in new algorithms and thus further increase security,” explains Christian Majenz.
Quantum attacks real threat
Although we have known about the work with the development of quantum computers for a number of years at this point, it is only now that the work to secure protection against attacks from these computers has really begun. Because even though we already know about threats to cybersecurity, they are multiplied many times with the advent of quantum computing.
The reason for this is that the calculation methods of the quantum computer differ significantly from a conventional PC. Where a conventional PC makes calculations individually and thus, for example, has to spend an unreasonably long time on finding the identical values in a very large volume of data connected with the encryption, a quantum computer can adopt a more ‘global’ approach and very quickly find such repetitions and thus be able to hack into data.
Cryptographic algorithms being developed in race against time.
“We want to spend the necessary time developing new cryptographic solutions that are completely secure and can protect our sensitive data. But—at the same time—the quantum computer is breathing down our necks, and we therefore have to act here and now. This means that we will experience a period with hybrid encryption—where we both continue with the current cryptographic algorithms and concurrently use the newly-developed algorithms against attacks from quantum computers—so that both codes must be broken to access data,” says Christian Majenz.
The next step will be to protect the quantum computers of the future from unwanted attacks. The first slender experiments have already been conducted in this field, but the work will probably only really reach a large scale once the quantum computer is being used to a greater extent.
