Five quantum cybersecurity facts every CTO needs to know

With "Y2Q" approaching, Quantropi's Michael Redding says now is the time to protect against quantum computing-based hacks.

Behind the Scenes at the RSA Conference in San Francisco. Left to right: James Nguyen and Michael Redding. Photo: Quantropi.

By Michael Redding, Chief Technology Officer of Quantropi Inc., an Ottawa-based developer of end-to-end quantum cybersecurity solutions.

On the one hand, quantum computing research is exciting because it paves the way for practical applications ranging from artificial intelligence and computational chemistry to financial modelling and weather forecasting. On the other hand, this very same R&D is dramatically shrinking the amount of time we have until “Y2Q,” the unknown date when hackers will use quantum computers to defeat today’s ubiquitous public-key encryption systems.

Quantum computing harnesses the properties of quantum physics to perform calculations. Unlike conventional computers, which operate using bits, quantum computers use qubits. While bits can be on or off – represented by a one and a zero, respectively, in classical computing – qubits can also be in what’s called “superposition.” This means they’re both on and off at the same time, or somewhere on a spectrum between the two. Ask a conventional computer to find its way out of a maze, and it will try every single branch in turn, ruling them all out individually until it finds the right one. A quantum computer, on the other hand, can go down every path of the maze at once. Qubits allow for uncertainty, and by stringing multiple qubits together, quantum computers can solve problems that conventional computers would take millions of years to solve.

Why should Y2Q and quantum cybersecurity be on every Vancouver CTO’s radar? These five facts answer that question in compelling fashion:

1. Quantum computers will inevitably crack today’s encryption

Today’s public-key cryptosystems use prime numbers to generate cryptographic keys. These keys are secure against brute-force attacks because it would take a classical computer millions of years to compute their prime factors. For a sufficiently powerful quantum computer, however, this factoring problem will be relatively quick and easy to solve. The good news is that quantum computers don’t yet have the power to crack public-key encryption. But make no mistake: It’s just a matter of time until malicious groups get their hands on a quantum computer that can. In fact, hackers are already thought to be preparing for Y2Q by stockpiling identity-related data to decrypt using quantum tech. This nefarious practice is known as “steal now, crack later.”

2. No one knows when the first successful quantum attacks will occur

Y2Q doesn’t have a set date, and hackers aren’t going to be courteous enough to give us a warning before their first quantum attacks. Security experts have tried to estimate when Y2Q will arrive, but their estimates vary so much that they can’t be used to plan ahead. This uncertain timing is a big part of what makes Y2Q more of a threat than the Year 2000 Problem, aka Y2K, which had a set date that IT professionals could work towards.

3. The Y2Q timeline keeps shrinking

In 2016, Professor Michele Mosca from the Institute for Quantum Computing at the University of Waterloo wrote that there was a one-in-seven chance that quantum attacks would break public-key cryptography by 2026, and a 50-percent chance that it would happen by 2031. Similarly, the Cloud Security Alliance estimates that Y2Q will arrive on April 14, 2030, and has even launched a “Y2Q Countdown Clock” to draw attention to the threat.

A February 2022 survey by Dimensional Research and Cambridge Quantum shows a much gloomier picture. Of the 614 security professionals surveyed, 61 percent think quantum attacks will defeat classical encryption methods within just 2 years.

With quantum tech becoming better by the day, shorter timelines are far from far-fetched. IBM, for example, managed to grow its quantum computers from 65 qubits in November 2020 to 127 qubits in November 2021, and plans to unveil a 1,121-qubit machine in 2023.

4. The bar for Y2Q keeps getting lower

Until quite recently, researchers believed that hackers would need as many as one billion qubits to break today’s public-key encryption. But in 2019, a pair of researchers from Google and the KTH Royal Institute of Technology of Sweden described a way to break 2048-bit RSA in eight hours with just 20 million qubits.

Google and IBM plan to build quantum machines with a million qubits by 2030, so we are still far from the number of qubits necessary to break public-key encryption. However, algorithmic optimizations and leaps in quantum research might significantly shrink the computing requirements of this task.

5. Mission-critical organizations are taking action

In cybersecurity contexts where failure is not an option, action is already being taken to prevent and mitigate the effects of Y2Q. From NATO to the White House to the U.S. federal government, many of the world’s most influential organizations are acknowledging that quantum computers will inevitably break encryption methods in place across national and global economies, defence systems, and public and private infrastructure. Multinational companies are doing likewise: Deutsche Telekom, for example, recently announced that it is collaborating with my new employer, Ottawa-based Quantropi, to prepare for cybersecurity threats by benchmarking the performance of the latter’s quantum-secure cryptography tech.

After a long career with Accenture in Silicon Valley, I recently came out of retirement and moved to Canada’s capital to join Quantropi on its mission to make the world secure for the post-quantum era. This mission starts with education and awareness, which I hope this has provided. Should you have any questions, I am happy to continue the conversation. Please feel free to drop me a line here.
