Alan Turing, the father of modern computer science, is perhaps best known for his work at Bletchley Park during World War II. Building on earlier Polish work, Turing designed the Bombe, an electromechanical machine that could search through the possible daily settings of the German Enigma cipher machine fast enough to recover them routinely. What made the Bombe decisive was not that it was cleverer than a human codebreaker but that it carried out the search so much more efficiently. This leap in capability has been credited as an integral part of the Allied victory in World War II. Since then, the world has been in an encryption arms race, a cycle in which new encryption technologies are met by the increased capabilities of hackers. As quantum computers become a reality, they will be today’s Bombe, slingshotting the capability of hackers beyond current encryption technologies.
Computer science has come a long way since Turing’s time at Bletchley Park, but the basic process of encrypting and decrypting remains much the same. We participate in it every day with services like iMessage and WhatsApp. When you send a text message, your phone uses an encryption key, a secret value that steers a publicly known algorithm, to scramble your message. While the message travels through servers or over Wi-Fi connections, no one who intercepts it can read what you’re sending. Only the recipient, whose device holds the corresponding decryption key, can turn it back into readable text. This basic process is used in everything from text messages to healthcare data and financial transactions. With such widespread use comes a sustained effort by malicious actors to “crack” encryption keys and get access to sensitive information. US policymakers, cybersecurity experts, and the general public must take this threat very seriously.
Like the Bombe, hackers rely on increasingly fast computers to recover encryption keys. In response, keys and algorithms become stronger, leading to a cybersecurity arms race. But what would happen if hackers suddenly had access to a fundamentally different kind of computer? While that may seem like a hypothetical question, we will soon have the answer as quantum computers become a reality. Today’s computers operate on bits that are either zero or one. Quantum computers operate on qubits, which can be placed in a superposition of zero and one and entangled with one another. That does not make them faster at everything; it lets them run particular algorithms that exploit mathematical structure a classical machine can only attack by brute force. Two such algorithms matter for cryptography. Shor’s algorithm factors large integers and computes discrete logarithms efficiently, which would break the public-key systems (RSA, Diffie-Hellman, and elliptic-curve cryptography) that protect key exchange and digital signatures on the internet today, no matter how long the keys are. Grover’s algorithm speeds up brute-force key search, roughly halving the effective key length of a symmetric cipher such as AES, so a 128-bit key offers only about 64 bits of work to a quantum attacker while a 256-bit key remains comfortably out of reach. As is the nature of an arms race, encryption methods will eventually catch up to meet this challenge. However, there will be a time when hackers have an asymmetric advantage. We must take steps to prepare for this limbo period in which the world’s cyber infrastructure will be tested.
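To make concrete why Shor’s algorithm breaks RSA, here is an added illustration (not code from the original article): the classical reduction from factoring to order finding. Everything except the `order` step is cheap on an ordinary computer; `order` is done by brute force here, which takes time exponential in the size of the modulus, and it is exactly this step that a quantum computer replaces with an efficient period-finding routine. The toy RSA parameters (n = 3233, e = 17, the ciphertext 2790 of the message 65) are the usual textbook example and are assumed for illustration only.

```python
import math
import random


def order(a, n):
    """Smallest r > 0 with a**r == 1 (mod n), by brute force.

    This is the step Shor's algorithm performs efficiently on a quantum
    computer; classically it takes up to n multiplications, i.e. time
    exponential in the bit length of n. Requires gcd(a, n) == 1.
    """
    r, x = 1, a % n
    while x != 1:
        x = (x * a) % n
        r += 1
    return r


def factor_via_order(n, max_tries=50, seed=None):
    """Return a non-trivial factor of n = p*q (two distinct odd primes).

    Classical post-processing used by Shor's algorithm: pick a random base a,
    find its order r, and if r is even and a**(r/2) != -1 (mod n) then
    gcd(a**(r/2) - 1, n) is a proper factor. Each try succeeds with
    probability at least 1/2 for such n.
    """
    if n % 2 == 0:
        return 2
    rng = random.Random(seed)
    for _ in range(max_tries):
        a = rng.randrange(2, n)
        g = math.gcd(a, n)
        if g > 1:
            return g  # lucky guess: a already shares a factor with n
        r = order(a, n)
        if r % 2:
            continue  # odd order yields no useful square root of 1
        y = pow(a, r // 2, n)
        if y == n - 1:
            continue  # trivial square root of 1, try another base
        # y*y == 1 (mod n) with y != +-1, so gcd(y - 1, n) splits n
        return math.gcd(y - 1, n)
    raise ValueError("no factor found; n may be prime or a prime power")


def recover_private_exponent(n, e, seed=None):
    """Derive the RSA private exponent d from the public key (n, e).

    Once n is factored the private key follows from Euler's totient,
    which is why efficient factoring ends RSA's security.
    """
    p = factor_via_order(n, seed=seed)
    q = n // p
    phi = (p - 1) * (q - 1)
    return pow(e, -1, phi)  # modular inverse (Python 3.8+)


if __name__ == "__main__":
    # Constructed textbook-sized RSA key: n = 61 * 53, e = 17 (assumed values).
    n, e = 3233, 17
    ciphertext = pow(65, e, n)  # encryption of the message 65
    d = recover_private_exponent(n, e, seed=1)
    print("recovered d =", d, "decrypts to", pow(ciphertext, d, n))
```

With a 2048-bit modulus the `order` loop would never finish on any classical machine, which is the whole point: Shor’s algorithm finds r in polynomial time, and the rest of the attack is the same few lines of arithmetic shown here.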
While the theory behind quantum computers is not new, they are transitioning from a theoretical possibility to a burgeoning reality. Recently, companies like IBM, Microsoft, and Google have made significant investments in quantum computing, and they hope to bring large-scale machines to market in 10 to 20 years. This short timeline puts a unique burden on cybersecurity experts, because data encrypted today can be recorded now and decrypted once a capable machine exists: anything that must stay secret for longer than that window is already at risk.
Developing a quantum computer requires immense scientific and financial resources. Fortunately, this means that criminal groups and other non-state actors are unlikely to have the resources to exploit the transition period on their own. Instead, the main threat comes from nation states, and being first to a cryptographically useful quantum computer would give a country a massive advantage.
China is the largest state investor in quantum computing, putting an estimated $15 billion into its development and building a 90-acre quantum research facility, the largest in the world. With EU and US public spending at $7 billion and $2 billion respectively, it’s clear that China wants to win the race. The United States has already seen the effects of China’s cyber warfare. In the past few years alone, China has infiltrated government servers, meddled in US elections, and stolen trade secrets. China developing the first quantum computers would present an untold security risk for the United States.
In recognition of this threat, governments and researchers have poured effort into post-quantum cryptography (PQC): the development of algorithms that run on ordinary computers but are designed to withstand attacks by quantum computers. According to the National Institute of Standards and Technology (NIST), quantum computers could “break many of the public-key cryptosystems currently in use,” compromising our cyber infrastructure. In 2016, NIST responded by asking researchers to develop and submit candidate algorithms. In July 2022, after three rounds of public evaluation, it announced that four of them (CRYSTALS-Kyber for key establishment, and CRYSTALS-Dilithium, FALCON, and SPHINCS+ for digital signatures) will be standardized so that cybersecurity administrators can start implementing them in their systems.
While NIST is certainly taking proactive steps, the security of a new algorithm is never settled: it rests on the public cryptanalysis it has survived, not on a proof that no attack exists. The Rainbow signature scheme, proposed in 2005 and a finalist in NIST’s third round, was “believed to resist attacks from quantum adversaries.” In February 2022, Ward Beullens showed that a Rainbow private key at its lowest security level could be recovered on a single laptop over a weekend. The attack was entirely classical: Rainbow’s resistance to quantum computers was beside the point, because the conventional computers we use today could already break it.
In any arms race, there is a period when one side needs to play catch-up, and this period is where the greatest risk lies. In response to the breaking of Rainbow, the RAND Corporation noted, “If a deployed PQC algorithm contained a security flaw, an enormous amount of sensitive information could be left vulnerable.” The commentary suggested that NIST offer bug “bounties” as a potential solution. For years, some of the largest companies have offered rewards to people who find and report flaws in their systems. These bounties let companies fix vulnerabilities and give hackers a legal avenue to earn money. While several companies have had success with such programs, they would be harder to run for PQC algorithms. A bounty program may help surface weaknesses exploitable with conventional technology, as was the case with Rainbow, but the larger hacking community does not have access to quantum computing hardware and cannot test quantum attacks directly. Quantum attacks on a candidate are instead assessed by analyzing the cost of known quantum algorithms against it, which takes specialist expertise that a general bounty pool is unlikely to supply.
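The practical answer to the risk RAND describes, a flaw in a deployed PQC algorithm, is not to bet everything on the new algorithm. Hybrid key exchange, as already deployed in some TLS stacks, combines the shared secret from a well-studied classical exchange with the shared secret from a post-quantum one, so an attacker must break both. The following is an added example, not code from the article or from any standards body, of such a combiner: an HKDF (RFC 5869, implemented here on top of Python’s `hmac`) that binds both secrets and the handshake transcript into one session key. The two shared secrets, the salt label and the transcript bytes are constructed placeholders standing in for the outputs of real key-exchange algorithms.

```python
import hashlib
import hmac


def hkdf_extract(salt, ikm):
    """HKDF-Extract (RFC 5869 section 2.2): PRK = HMAC-SHA256(salt, IKM)."""
    return hmac.new(salt, ikm, hashlib.sha256).digest()


def hkdf_expand(prk, info, length):
    """HKDF-Expand (RFC 5869 section 2.3) producing `length` bytes of output."""
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        out += block
        counter += 1
    return out[:length]


def _length_prefixed(*parts):
    """Unambiguous encoding so different (a, b) pairs can never collide."""
    return b"".join(len(p).to_bytes(2, "big") + p for p in parts)


def combine_shared_secrets(ss_classical, ss_pq, transcript, length=32):
    """Derive a session key from a classical and a post-quantum shared secret.

    Both secrets enter HKDF-Extract as input keying material, so the output
    stays unpredictable as long as at least one of them is unknown to the
    attacker: a break of the PQ scheme leaves the classical security intact,
    and vice versa. The handshake transcript goes into the info field so the
    key is bound to this particular exchange.
    """
    ikm = _length_prefixed(ss_classical, ss_pq)
    prk = hkdf_extract(b"hybrid-kex-demo-salt", ikm)  # assumed label
    info = _length_prefixed(b"hybrid session key v1", transcript)  # assumed label
    return hkdf_expand(prk, info, length)


if __name__ == "__main__":
    # Constructed placeholders for the outputs of a real X25519 exchange and a
    # real post-quantum KEM; in a deployment they come from those algorithms.
    ss_classical = bytes.fromhex("aa" * 32)
    ss_pq = bytes.fromhex("bb" * 32)
    transcript = b"client_hello|server_hello"
    print(combine_shared_secrets(ss_classical, ss_pq, transcript).hex())
```

Because both secrets are fed through the extract step rather than merely XORed, an attacker who learns one of them gains nothing about the key, and the length-prefixed encoding prevents two different pairs of secrets from producing the same input keying material.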
It’s clear that the winner of this quantum arms race will, at least for some time, have a massive cyber advantage over the rest of the world. The race to build the first widely usable quantum computers is still ongoing, and while the United States will certainly try to win it, we must be prepared to come in second. Knowing the risks and investing heavily in post-quantum cryptography will be vital, as will migrating long-lived secrets before a capable machine exists rather than after. Furthermore, cyber administrators will have to work quickly to patch vulnerabilities as they come to light. We don’t yet know what the post-quantum world will look like, but we do know that the transition period will be a time when some of our most sensitive information could be at risk.