Here’s a little thought experiment for you. It starts with a question:
When do you think that practical quantum computers will be available?
Please feel free to leave your answer as a comment below. Due to the nature of this publishing medium and the way it works, I won’t get your answer for a few weeks, but I can assure you that your answer will not alter the results of this thought experiment.
Because I can’t see your answer for a while, I’m going to tell you about some relevant information that I have, thanks to IBM Research. IBM has been developing quantum computers for several years now. In 2021, IBM announced the 127-qubit Eagle quantum processor. The company unveiled the 433-qubit Osprey quantum processor last November (2022) and has stated that it plans to put this machine online by the end of this year. The company’s stated goal is to build a quantum processor with more than 4000 qubits by 2025, and the company has a roadmap to get there.
My answer to this first question about the timing for accessible quantum computing is “real soon now;” however, I encourage you to do your own research.
Now for the next part of the thought experiment. When do you think bad actors will start using quantum computers to crack the security of the world’s data? If you read the EEJournal article that I published last November, “Looming Crypto Crisis Rides In With Quantum Computing,” you’ll find a quote from Ray Harishankar, an IBM Fellow and Vice President working on quantum-safe cryptography:
“NIST has put out some reports and you also have national security memorandums that call out 2035 as a date. NSA announced [in September 2022] that 2035 is the date they expect things to be compliant [with yet-to-be-published quantum-safe cryptography standards].”
This 2035 estimate was echoed in a World Economic Forum article written jointly with Deloitte. The US National Security Agency (NSA) has said that all web servers and network devices should be compliant by 2030.
Well, it’s four months later and I have an update that you probably won’t like. According to Dr. Michele Mosca at the Institute of Quantum Computing, University of Waterloo:
“There is a 1 in 7 chance that fundamental public-key crypto will be broken by quantum by 2026, and a 1 in 2 chance of the same by 2031.”
IBM’s Harishankar provided that quote during a recent presentation on quantum-safe cryptography, and, if you believe that quote, you’ll realize that it’s already past time to do something about data security in your designs. Now, that’s a problem because NIST, the US National Institute of Standards and Technology, has yet to publish final standards for quantum-safe cryptography. NIST has a process underway and has selected four quantum-safe algorithms for standardization, one for key establishment (the encryption side) and three for creating and verifying digital signatures, but the standards themselves won’t be finalized for a while. Because key establishment and digital signatures have different requirements, different algorithms are needed; note that the key-establishment algorithm is a key-encapsulation mechanism (KEM) that agrees on a shared secret, not a scheme that encrypts bulk data directly.
Let’s take a step back to scope this data-security problem. Our entire digital world sits on top of a cryptographic foundation. Here are a few examples to remind you of just how pervasive cryptography has become in our everyday lives:
- Internet: Domain Name System (DNS, via DNSSEC), Hypertext Transfer Protocol (HTTP, via TLS), and the secured replacements for Telnet and FTP (SSH, SFTP/FTPS); plain Telnet and FTP carry no cryptography at all, which is why they are being retired
- Digital Signatures: eIDAS – PDF Advanced Electronic Signature (PAdES), Advanced Electronic Signatures (AdES, not to be confused with the AES block cipher), …
- Critical Infrastructure: Code updates, Control systems, Car systems, IoT
- Financial Systems: Payment Systems: (EMV, CHAPS, Fedwire, Target2, EURO1, …), SWIFT, Settlement Systems
- Blockchain: Wallets, Transactions, Authentication
- Enterprise: EMAIL – PGP, Identity Management PKI/LDAP, Virus scanning patterns, PKI Services, Bespoke applications
Every piece of data that flows over the Internet or through private networks relies on cryptographic security, and nearly all of it ultimately rests on public-key algorithms: RSA for most certificates and signatures, and elliptic-curve algorithms for most key exchange. Both depend on problems (integer factoring and discrete logarithms) that Shor’s algorithm solves efficiently on a large enough quantum computer, and those are the algorithms that Dr. Michele Mosca gives a 50/50 chance of being broken by 2031. Symmetric ciphers such as AES are hit far less hard: a quantum computer only halves their effective key length, so AES-256 remains safe and the migration problem is really a public-key problem.
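To make concrete what “broken by quantum” means for RSA, here is an added example (not from the article or from IBM) showing the classical half of Shor’s algorithm, which the article does not name. The quantum computer’s only job is to find the multiplicative order r of a random base a modulo N; everything after that is ordinary arithmetic and is what this script performs. Order finding is brute-forced here, which is fine for the constructed toy modulus 3233 (p=61, q=53, e=17) and hopeless for a real 2048-bit modulus, and that gap is precisely what a large quantum computer closes.

```python
"""Why RSA falls to a quantum computer: the hard part is order finding.

Added example, not from the article. Shor's algorithm finds the order r of a
random base a modulo N in polynomial time on a quantum computer; the reduction
from r to RSA's private key is entirely classical and is shown here. The
order-finding step is brute-forced, which works for a toy modulus only.
"""
from math import gcd
from random import Random


def find_order(a: int, n: int) -> int:
    """Smallest r >= 1 with a**r % n == 1. Stand-in for the quantum period-finding step.

    Cost grows with r, which for a real modulus is on the order of 2**1024 steps.
    """
    if gcd(a, n) != 1:
        raise ValueError("order is only defined for a coprime to n")
    r, x = 1, a % n
    while x != 1:
        x = (x * a) % n
        r += 1
    return r


def factor_with_order_oracle(n: int, seed: int = 0) -> int:
    """Classical half of Shor: turn an order-finding oracle into a factor of n = p*q."""
    rng = Random(seed)  # fixed seed so the run is reproducible
    while True:
        a = rng.randrange(2, n)
        g = gcd(a, n)
        if g != 1:
            return g                      # lucky guess already shares a factor with n
        r = find_order(a, n)
        if r % 2:
            continue                      # odd order: try another base
        y = pow(a, r // 2, n)             # y*y == 1 (mod n) but y != 1 because r is minimal
        if y == n - 1:
            continue                      # y == -1 (mod n): no information, retry
        p = gcd(y - 1, n)                 # (y-1)(y+1) == 0 (mod n), so the gcd splits n
        if 1 < p < n:
            return p


def recover_private_exponent(n: int, e: int, p: int) -> int:
    """Given one factor of n, compute d = e^-1 mod phi(n), i.e. the RSA private key."""
    q = n // p
    phi = (p - 1) * (q - 1)
    return pow(e, -1, phi)


def break_textbook_rsa(n: int, e: int, ciphertext: int) -> int:
    """End to end: factor n, derive d, decrypt a textbook-RSA ciphertext."""
    p = factor_with_order_oracle(n)
    d = recover_private_exponent(n, e, p)
    return pow(ciphertext, d, n)


if __name__ == "__main__":
    # Constructed toy key: p=61, q=53 (n=3233), e=17; textbook RSA, no padding.
    n, e, m = 3233, 17, 65
    c = pow(m, e, n)
    print(f"ciphertext {c} -> recovered plaintext {break_textbook_rsa(n, e, c)}")
```

The same order-finding step breaks elliptic-curve cryptography (there the “order” is the discrete logarithm on the curve), which is why migrating away from RSA to ECC buys nothing against a quantum adversary.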
What happens when quantum computers can break today’s encryption? According to Harishankar, bad actors will be able to undertake activities such as:
- Creating fake identities for websites
- Creating fake software downloads and software updates
- Launching extortion attacks by threatening to disclose harvested data
- Creating indistinguishable fraudulent land records or lease documents
- Manipulating software updates and forging financial transactions through fraudulent authentication
- Manipulating legal history by forging digital signatures
- Decrypting lost or harvested confidential historical data by cracking encryption keys
Now, should you think to yourself, “Whew! I’ve got a good seven years before I need to worry,” please think again. Bad actors are already vacuuming up and storing all of the packets they can find on the expectation that they will be able to decrypt them in a few short years; the attack even has a name, “harvest now, decrypt later.” If you think that old data will be obsolete by then, please reconsider, for two reasons explained by IBM’s Harishankar: data needs to stay secure for a long time, and there’s an inherent multi-year lag when upgrading digital infrastructure.
How long does data need to stay secure? Here are a few international examples provided by Harishankar:
- US Health Insurance Portability and Accountability Act (HIPAA) records: 6 years from last use; Securities Exchange Act records
- Tax records: 7–10 years in most countries; Sarbanes-Oxley records
- Health Canada Guidance for Records Related to Clinical Trials (GUI-0068) – 25 Years
- Medical Records in Japan – 100 years
How long does it take to upgrade digital infrastructure? Here are a few examples, again provided by Harishankar:
- Passports – 10 years from issue
- Road vehicles – 15-20 Years
- Critical infrastructure – 25-30 Years
- Aircraft and trains – 25-30 Years
- Critical Mainframe Applications – 50 Years
These few bullet points underscore the urgent nature of modern cryptography for sensitive data, and today, what data isn’t sensitive? Put the two lists together: if the number of years the data must stay secret, plus the number of years needed to migrate the system that protects it, exceeds the number of years until a capable quantum computer exists, then data protected today is already at risk. Note that the longer equipment stays in service – in applications with the longer life cycles – the more urgent it is for this equipment to adopt quantum-safe algorithms. That’s because the equipment will still be in service as more and more capable quantum computers come online.
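The rule of thumb in the paragraph above is usually written as Mosca’s inequality, X + Y > Z. The following is an added example (not from the article or from IBM) that runs that check over the retention and upgrade figures listed above, using the two dates from the Mosca quote as candidate values of Z. The reference year of 2023, the pairing of particular data types with particular systems, and the 3-year migration time for a web portal are my assumptions; every other number comes from the lists.

```python
"""Mosca's X + Y > Z check, run over the retention and upgrade figures above.

Added example, not from the article. X = years the data must stay secret,
Y = years needed to migrate the system that protects it, Z = years until a
quantum computer can break today's public-key algorithms. When X + Y > Z,
data protected today will still need protecting after the algorithms fall,
so migration has to start now.
"""
from dataclasses import dataclass

REFERENCE_YEAR = 2023  # assumption: the article reads as written in early 2023

# Z candidates from the Mosca quote in the article: 1 in 7 by 2026, 1 in 2 by 2031.
QUANTUM_YEAR_ODDS = {2026: "1 in 7", 2031: "1 in 2"}


@dataclass(frozen=True)
class Asset:
    name: str
    shelf_life_years: int  # X, taken from the retention list above
    migration_years: int   # Y, taken from the upgrade-time list above


def mosca_margin(asset: Asset, quantum_year: int, today: int = REFERENCE_YEAR) -> int:
    """Z - (X + Y). Negative means the asset is already inside the danger zone."""
    z = quantum_year - today
    return z - (asset.shelf_life_years + asset.migration_years)


def max_protectable_shelf_life(migration_years: int, quantum_year: int,
                               today: int = REFERENCE_YEAR) -> int:
    """Longest data lifetime a system can still protect: Z - Y.

    Zero or negative means the system cannot protect *any* data through its own
    migration window, which is the article's point about long-lived equipment
    being the most urgent.
    """
    return (quantum_year - today) - migration_years


def assess(assets, today: int = REFERENCE_YEAR) -> dict:
    """Per asset: the year its data stops mattering and its margin at each Z."""
    report = {}
    for a in assets:
        report[a.name] = {
            "exposed_until": today + a.shelf_life_years + a.migration_years,
            "margin": {y: mosca_margin(a, y, today) for y in QUANTUM_YEAR_ODDS},
        }
    return report


# Constructed pairings of the article's two lists. Which data sits on which
# system, and the 3-year web-portal migration, are my assumptions; the other
# numbers are the ones quoted above.
SAMPLE_ASSETS = [
    Asset("HIPAA records behind a web portal", 6, 3),
    Asset("Tax records in a critical mainframe application", 10, 50),
    Asset("Clinical-trial records held by control systems", 25, 25),
    Asset("Passport chip data", 10, 10),
    Asset("Japanese medical records on hospital infrastructure", 100, 25),
]

if __name__ == "__main__":
    for name, r in assess(SAMPLE_ASSETS).items():
        margins = ", ".join(f"{y} ({QUANTUM_YEAR_ODDS[y]}): {m:+d}y"
                            for y, m in r["margin"].items())
        print(f"{name}: data matters until {r['exposed_until']}; margin at {margins}")
    for y in QUANTUM_YEAR_ODDS:
        print(f"Longest shelf life a 25-year-migration asset can protect if Z={y}: "
              f"{max_protectable_shelf_life(25, y)} years")
```

Every sample asset comes out with a negative margin even at the 50/50 date, and the 25-year-migration systems cannot protect data of any lifetime through their own upgrade window. Replace the sample list with your own inventory of (data, system) pairs; the assets with the most negative margins are the ones to migrate first.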
For its part, IBM has been experimenting with the use of quantum-safe algorithms to encrypt information stored on some of the company’s tape drives and has equipped its z16 mainframes with the Crypto Express 8S Hardware Security Module (HSM), which provides quantum-safe API access to two of NIST’s selected quantum-safe algorithm candidates – CRYSTALS-Kyber and CRYSTALS-Dilithium. In addition, the company has incorporated quantum-safe technology and key management services into LinuxONE 4, its highly secure, enterprise-grade Linux server.
However, only a small fraction of the devices on the Internet are high-end servers like IBM’s z16 mainframes, and the threat is to every device on the Internet. Today’s situation seems dire: the quantum-safe encryption standards won’t be final until 2024, if all goes according to plan. With no final standards in place, there are no certified IP cores implementing the quantum-safe algorithms. Hardware that ships today with fixed-function RSA/ECC acceleration and no way to load new algorithms will be obsolete by 2031 if Mosca’s 50/50 estimate holds.
To me, this situation demands the use of FPGAs to implement the preliminary standards now and to be ready as soon as the final standards are in place. One of the first places where these quantum-safe standards are likely to be implemented is in data centers, and I’m currently placing my bet on FPGA-based IPUs (infrastructure processing units). As far as other Internet-connected hardware is concerned, I think FPGAs are the only way to create hardware implementations of quantum-safe cryptography algorithms that will be fast enough to support line-rate encryption and decryption, until a standard arises, until IP cores can be certified against the standards, and until those IP cores can be implemented in ASIC and SoC silicon.
One thought on “Tick Tock: The Quantum Boogeyman is Coming for Your Most Sensitive Data”
1. Some cryptographic devices, like the IBM HSMs you mention, already have internal FPGAs where new algorithms can be implemented.
2. You talk about what would be “fast enough to support line-rate encryption and decryption”, but the actual encryption of data would not be done using the new, quantum-safe algorithms – it would be done with a symmetric algorithm such as AES. The quantum-safe algorithms might be used as part of key transport or key negotiation, but the actual encryption would be done with other (faster) algorithms.