Is Quantum Computing an Imminent Security Threat?

Welcome to the KuppingerCole Analyst Chat. I'm your host. My name is Matthias Reinwarth. I'm an analyst and advisor at KuppingerCole analysts. My guest today is Alexei Balaganski, he's lead analyst for cyber security at KuppingerCole analysts. And today we will be talking about an interesting topic, which makes lots of noise.

Currently, we will be talking about quantum computing. Hi, Alexei. hello. Thanks for having me again. Great to have you. And you've mentioned that to me before we started that we need to mention that we both are not really quantum theory experts, but nevertheless, we want to cover that topic in a bit more detail. And the main topic today is, is quantum computing an imminent security threat to start out with a first basis. What is quantum theory in general?

As you mentioned, it's a really mighty topic on itself are quantum computing and cyber security, but you're absolutely right before we go into deeper details, you have to address the real basics. So just to remind to our listeners, that altar theory basically describes the way our universe works on a subatomic level. We really don't have to go deep into details of the physics and mathematics involved, but basically, maybe some people even remember something from the school or physics courses about light, which behaves sometimes at the same time, both of the particle and the wave.

And that's actually one of the basic foundations of quantum theory. We don't have to know how it all works in details, but probably one of the most popular examples of explaining how quantum theory works is showing us Kat experiment, where you put a cat into a box and you cannot see in a cat and you cannot predict whether the cat is alive or dead at the moment. All the quantum theory would suggest that it actually both the life and death at the same time and the physics is call it a quantum superposition.

Let's say that a quantum thing cubit can exist, not just in a single state, like a binary, one binary zero. It can exist both of those states simultaneously. There's a certain probability. And the other aspect we have to remind about that a quantum state cannot be safely observed externally. Every time you try to basically touch a cubit to understand what current state of it is, this quantum superposition disappears in the quantum state. It will be fixed to one of those probable states.

And this is in a nutshell, the major, the biggest difference from the quote unquote traditional computing or those traditional computers, we all know and use daily. They work on binary logic. So every tiny electronic gate on a computer chip is either zero or one. Whereas the cubits, the smallest entity in a quantum computer cannot single fearlessly existed multiple states, and when done properly, and when using a specially designed algorithm, those quantum computers can achieve amazing breakthroughs in computing performance. And I'm not talking about being faster than a traditional computer.

That's a given, you're talking about solving a problem, which a traditional computer would require billions of years to calculate in hours and minutes. The one we are talking about the so-called quantum supremacy, it's not really about who will build the biggest quantum computer.

First, it's about designing such a innovative algorithms, which can solve problems, not just faster, but, and solve problems, which were unsolvable before. Okay. If I understand it correctly, the technology allows to formulate these algorithms in a way that they are way superior to existing traditional all grid rhythms in traditional computing, which is really just zero slash one based in the logic. So it is capable, as you said, of being much faster, much more efficient, much more performance than existing technologies.

When, when we're talking about this concept in the security context, what are the greatest risks for traditional security? When we look at quantum computing in relation to traditional security, well, First of all, all right, I'll remind you again that a quantum computer is not just faster than your traditional one. It works on a completely different physical and logical principle, if you will. So you cannot just say, okay, I have this computer program. I want to port it from my laptop to a quantum computer running somewhere in the world.

And the people around let's say million times faster, but it's not easy, right? You actually have to create a completely new and extremely mindbogglingly, complicated computational methods to run directly on quantum computer. And by the way, those quantum computers already exist, but they are still highly experimental and very, they have very few working elements or cubits. And those cubits are usually extremely complicated and sensible. They might be based on laser devices or superconducting elements. So they are extremely expensive and they break like every second.

So at the moment, a quantum computer is in a way exist in both states. It's kind of, it's already here, but it doesn't work that well yet.

But again, if you are able to create an algorithm for a quantum computer, let's say to break an encryption method, you can do it in hours or minutes for them cryption methods, which traditionally would probably take billions of years to crack. So obviously encryption symmetric encryption is like the, it's the foundation of the key stone of modern information technology.

It's used everywhere in cloud computing in our secure communications, in digital signatures for legal documents anywhere, and almost a symmetric encryption methods rely on a very basic mathematical problem, which is called prime factorization, trying to explain it really, really simply you have two key. One is your private key, which you use to encrypt your data. And the other key is your public key, which you give out to your friends or partners and they can decrypt your encrypted data. With that key. Each of those keys is basically a huge prime number.

And to be able to decrypt your data, you have to multiply those two prime numbers and the resulting half prime number. If your semi-private there'll be your key and or to break this encryption, you basically have to do the rewards. You have to take huge long number and find its prime components. This is called prime factorization, and it's an additional computer really long, a prime number. You'll take millions of years to break. When the quantum computer, it will take probably hours in. This is that quote, unquote security threat people are talking about.

So traditional security is relying on the fact that our computers or our traditional computers are not in the situation that they can in a reasonable time do this prime factorization. And that is the basis for our security. And now that we have quantum computing, which is capable of achieving that, as you said, in minutes or hours, that actually breaks the basics of our encryption mechanisms. Right? Exactly. So either a threat, well, I guess it depends on what you are encrypting, but is it a risk?

Yes, absolutely. And like every other risk you have to over think about it's two components, it's probability and its impact. Like if I am talking to you right now over zoom and our chat is encrypted, but if somebody breaks the encryption and steals our orchestra recording before it's published, it's a risk it's even quite probable. I would say, you don't even need a quantum computer for that, but what would be the impact? Would it really kind of demand additional security measures for us to Institute for the maintenance from the future?

Probably not, but if you were a bank in time or your customer, and we were talking about a sensitive financial data in transmission, that risk impact would be totally different. So Usually when we talk about risk management, we have, of course, what you mentioned impacting profitability.

And once we understand impact and probability, we really want to find the right measures to mitigate these risks with adequate controls, with adequate measures, what would be such mitigating measures when it comes to these risks that arise from quantum computing, Or obviously again, those measures can be where a different ranging in costs and or effort to implement and so on. And it all basically boils down to your balance of risk and mitigation, but obviously in the very short-term and easiest solution would be just to increase your key length.

And this has been done already even before or quantum computing, or like 20 years ago, we were using a much shorter RSA encryption keys, for example, 256 bits long nowadays, or 4,096 is already in use. And nothing prevents us from using even longer keys, right? The longer the keys, the harder it is to break it even on a quantum computer. So for some relatively low impact risk scenarios, that alone would be totally fine.

Of course, if you are talking about more sensitive situation, you might want to switch to a different encryption methods, which is not left vulnerable to quantum computing. There are in fact, multiple companies and academic research teams working now, already on developing those quantum resistant methods, if you will. And of course it will take probably a few years to not just develop tests them, but to standardize them, to make them ubiquitous everywhere. All the work is already underway.

So we are already kind of, okay, we have a humankind, we already are getting prepared for that as we speak, or even my, for some experts would say that a quantum computer as a real imminent threat and physical theme, you could use to correct physical encrypted messages somewhere will not be available for another 10 or 15 years. It's not that much of a timeframe actually for some scenarios. So people are already working on that, getting ready.

And of course now we're asked some other interesting quantum related developments as well on all the so-called quantum key distribution is not directly related to quantum computing. In fact, the tests were a little too good with that quantum key distribution utilizers, another imminent feature of physical quantum, the so-called quantum entanglement. The idea again, in very simple words, are that you take to subatomic particles and you don't know almost magical process.

You connect them to each other and any time something changes on one of those entangled particles, the other one will magically change in its state as well, even when they are far away from each other. And if I'm not mistaken, the current record of distances are already around several hundred kilometers. So in fact, nowadays you can already buy a product based on this quantum entanglement method, which would guarantee that these are the temperament between those two particles, with the function of the channel, which is physically impossible to wiretap only you and your partner.

On the other end, you'll be able to exchange information on this channel and any third party attempting to basically ease, throw up on your channel would immediately destroy that connection. So it will be immediately detected. And this is the foundation, which is the basis for quantum key distribution, which are all the technologies for exchange and security keys is guaranteed absence of a middleman, which could steal your keys though.

In fact, a quantum theory actually helps to improve your encryption security, not just to break it Okay. If I understand it correctly. And if you look at risk assessment, as you've mentioned that we have to judge the impact, but the probability of a machine or a quantum computer being around our quantum algorithm, being around that is capable of raking actually really breaking traditional encryption. This probability is as of now still very low, actually it is zero because it has not been yet implemented. Nevertheless, we know what this will look like.

And so we are really in the situation to prepare for the situation while it is still not the case. So actually this from a risk management perspective, this is almost perfect because we can really prepare for the time when this will be the case. But as you've mentioned that there are services already. On the other hand, these real quantum computers are more or less, very, very experimental, very, very in stable as you've described it. But what is already available on the market. If I want to look at quantum computing per today, what can I actually just buy with money on the market?

So first of all, quantum computers do exist already take my vote on it. I've seen one I've touched myself. Okay. If you will.

So yeah, though, those are not just available. There are multiple vendors which are trying multiple different technologies to power on the cubits and then to build a proper quantum computer from those elements of the biggest challenge of this existing quantum computer, they are extremely bulky, expensive, and extremely unreliable. They basically, if they break many, many times per second, on the other hand, they are working to an extent, and there are some algorithm of already available or which address this are permanent interruptions in quantum computation.

They can still work on such a half broken quantum computer with successful results again. So I am not really an expert. So I would not give you an exact numbers so estimates or whether you can already break sort of a key lens of a certain aggression methods, hopefully not, but maybe you will be able to do that next year, who knows.

But the fact that those quantum computers are already working and they are even already available to anyone as a credit card, because all major cloud service providers, Amazon, Google, IBM, Microsoft, they all offer their own managed quantum computers for you to run your applications On. Okay.

So if this is the case, if these platforms are readily available for those who are willing to spend the money, if it's only a matter of time that we can expect that mechanisms that can break traditional encryption algorithms, which are based on this prime factorization, what does that mean when we want to prepare, as I said before, so the situation is clear. We know what is going to happen, or maybe it's just right now happening.

Is there something available in cryptography when we just look at that single aspect of security, is there anything available that is not subject to this vulnerability of encryption so that we can brute force?

So these traditional encryption mechanisms, is there some other mechanism that is resilient towards, Oh, what's the goal I have to reiterate once again, that nothing changes fundamentally with quantum computing to brute force and break and encryption method was already possible earlier with traditional computers just needed lots of computers and lots of time, but again, with the power of the cloud, or if you have enough money, you can rent tens or even hundreds of thousands of computing units and break a reasonably large encryption key in a reasonable amount of time.

There are known cases of this done for academic research or even for some law enforcement reasons. I think there was a report recently that whether it's Australian police or some other police department successful in breaking them iPhone encryption, it took them like three years. But then again, for some use cases, that's not too long, the cost for others that's way too long. And it's all, again, bows down to your risk management. Some are only sensible and useful within minutes or even seconds. The others can still be useful after breaking them in 10 years.

Again, it all boils down to your own risk assessment. And again, as we've already mentioned, there are some short term middle term and long term possibilities to address those risks.

So yes, you have to think about a longer keys. You have to think about new encryption methods, which are already designed to be in vulnerable to quantum brute-force. And if you will, but then again, that will probably be a ongoing battle because sooner or later, there will be new, more powerful quantum computers on you, more efficient algorithms that will break those new methods again. So that's life as usual as it were for decades and maybe hundreds of years before that. Okay.

If I understand that correctly, many, if not all of the usages of this traditional asset metric encryption that we currently use is currently under threat, as you've mentioned already, because you can, can just group together, lots of, lots of computers to do that in a reasonable time and with the upcoming new algorithms or modified algorithms ready for quantum computing, this will be something that can even take place in a very short amount of time. That should mean that we should reconsider each and every incarnation of this traditional encryption within our internet infrastructure.

And are there any initiatives under way to slightly and, and continuously move towards more Supreme, more resilient encryption mechanisms because this is everywhere. Well, first of all, again, let's remind our listeners that everything can be a threat. An asteroid might hit earth next year, and we will all die with all of our clouds and computers. The only problem on that, or rather the brightest luck with it's extremely right. So to an extent at least applies to quantum computing or the threat as well, or for the next few years, it's, I would say still rather improbable to go grow in time.

But then again, with time, we have more opportunities, more leg room to upgrade our infrastructures are and to address all those challenges. Yes, you've mentioned there are initiatives, there are again, multiple or standards bodies and multiple academic research groups working on those new quantum resilient encryption methods.

And again, the internet has survived multiple threads. You probably remember like the open SSL Bach was hugely impactful. Like hundreds of thousands of systems around the world were affected. We have survived it probably some companies have lost some sensitive data because of it because they have underestimated their risks, but as the whole internet survived, the human kind survived. And hopefully it will be just like that with the quantum threshold. Right. I take this as the summary and the resume for today's episode of that podcast.

We just could touch very, very briefly on that really complex and otherwise also interesting topic. I think we can pick up again in an upcoming episode on that again, I think there's much more to look at, but first of all, we need to watch this technology. We need to watch what's going on there. We need to embrace it. We need to understand it, and we need to make sure that we prepare for it, especially also for post quantum cryptography and be ready for what's happening. Could you agree on that? Absolutely.

Okay, perfect. Thank You very much, Alex, for being with me today, we will catch up on this. I'm really sure. Thanks for today. Thanks to the audience for listening and yeah. Thank you for giving me that great insight into that great topic. Thank you very much. Aleksei Well, thank you, materials and goodbye. Bye-bye