Quantum safe cryptography – waiting to save the world

Future quantum computers will one day bring us many great benefits. Unfortunately they will also break many of the cryptographic protocols on which current Internet security depends. Google’s quantum supremacy breakthrough notwithstanding, this is still most likely many years off. However, sensitive data intercepted and stored today, or long lifecycle infrastructure could already be at risk. Businesses should review their cyber security exposure to understand how this changing environment affects them.

In the modern economy we face many cyber security threats from forgetful users to corrupt employees, from poorly patched systems to malicious malware. However the threat posed by future quantum computers is of a different order of magnitude. With a quantum computer of sufficient size we know how to systematically break key elements of our underlying security infrastructure, including the digital signature and public key cryptographic protocols upon which the Internet and almost all corporate networks depend for basic security. Unaddressed, this threat would destroy the modern digital economy.

The world needs quantum safe cryptography. Fortunately many groups around the world are already working hard on solutions to this challenge. The new tools being developed include the new maths-based algorithms of PQC, supplemented by new physics-based approaches such as QRNG and QKD. Unfortunately how businesses should respond is complicated by a number of factors.

A growing threat

Uncertain time horizons

Google’s prototype quantum supremacy device is much too small and limited in its capabilities to pose a threat today. Experts routinely agree that the road to creating a large scale universal quantum computer remains a long one. When might a quantum computer large enough to mount an attack on existing security protocols be built? Estimated timescales vary wildly:

  • Some continue to doubt that such devices will ever be built [52], though this is now clearly a minority view in the community [1, 6, 39, 40, 53, 68].
  • A more general expert group assessment on behalf of the US NASEM concludes ‘not within the next decade’, implying 2029+ [53].
  • An expert group assessment for the German government has conclusions broadly in line with NASEM, though it points to current publically published data being inadequate for a robust extrapolation of a timeline [41].
  • One academic study (focussing on cryptocurrency security) indicates an earliest date of 2027+ [51].
  • The Global Risk Institute and evolutionQ have recently published a Quantum Threat Timeline report [68] based on a targeted survey of leading international experts. This flags a majority view of a small but non-negligible chance within 5 years (c.1-5%), but significant risk within 10 years (c.5-30%).
  • Most assessments include caveats on the potential impact of “a program where an industrialized nation pours a large part of its research and development activities into a single project comparable to the Apollo program and the Manhattan project” [4, 41, 68].
  • Some point to the possibility that advances in quantum error correction technology could change this timeline [59].
  • To further complicate the picture, the potential of analogue quantum simulators and specialist devices such as D-Wave or Fujitsu‘s annealing based processors is less well quantified and devices of this type retain the potential to further disrupt timelines [33].

Care must be taken in interpreting the dates above. Most experts would agree that the likely timescale for any such large scale quantum computers is probably much further off. Simple projections of ‘numbers of qubits’ are likely to mislead the lay-reader due to the different technologies being discussed and the continuing innovation going on around the whole quantum software stack. Google’s quantum supremacy announcement is actually slightly behind the schedule most of the above authors would have assumed. However relatively early dates cannot be ignored in the context of prudent risk management.

Current threat

What greatly complicates the challenge that many companies face is that data that is intercepted and stored today will be vulnerable to decrypt when a sufficiently powerful quantum computer is built in the future. Boards must be aware that sensitive data with a long shelf life is already at risk.

Many businesses will also be planning investment in assets that they expect to have a long lifecycle. Ensuring these assets will remain safe from future threats is itself a challenge. This is further complicated by the scope of the other great technologies transforming our communication networks.

5G

5G networking is itself a transformational technology, promising a new Internet engineered from the bottom up as an ‘Internet of Things’ and not simply around the needs of human connections and the limitations of fixed infrastructure. However core features of 5G itself introduce significant new security challenges:

  • Network Slicing – a core 5G concept is the ability of the physical network infrastructure to be ‘sliced’ to simultaneously support multiple logical networks, each offering differing service levels to different customers or use cases.
  • Wireless Edge – intrinsic to delivering the promise of high network performance; flexibly caching and processing data right at the edge of the core network introduces significant new security challenges.

The incipient state of 5G rollout notwithstanding, many lay adopters would be surprised at the relatively weak theoretical underpinning of formal 5G security even before the challenge of future quantum computers is taken into account [61]. As Mark Pecen of ISARA speaking at Communitech recently remarked “This stuff just isn’t all worked out yet, as we’re still awaiting the results of the NIST post-quantum evaluation process” [62].

Internet of Things

The IoT devices connected by our new networks will often be smaller and more autonomous than the gadgets we are already used to today. This will put a pressure on processor and memory size and a premium on power performance and battery life.

We have grown used to the rapid obsolescence of PCs, laptops and mobile handsets. However, as the range of network connected device mushrooms, it seems improbable that we will want to continue such a throw-away culture.

  • Smart Vehicles – the automotive sector is in the early stages of a major technological revolution, but few assume that we will want to change our car more frequently in the future.
  • Industrial IoT – as companies adopt networked technologies for the operation and maintenance of industrial plants, refineries and network infrastructure, few will want the business case to be based on frequent hardware replacement.

To meet this challenge a key consideration will be how often security upgrades are required and how easily they can be implemented. It’s pertinent to remember that controlling the authenticity and integrity of software upgrades is itself a key part of our current security infrastructure that is vulnerable to attack by future quantum computers.

Blockchain

Distributed ledger technology is another area of rapid development that many see as potentially transformational. Beyond its digital currency roots, it promises to find application where shared record keeping offers to disintermediate and streamline traditional processes [65].

Blockchain technology is itself built on cryptography. In the majority of cases this includes digital signature protocols that will be compromised by future quantum computers. However, quantum technology promises to offer both a challenge and potential benefits to the blockchain sector.

What progress is the world making towards quantum safe cryptography?

Post-Quantum Cryptography

NIST PQC 2nd Round CandidatesWork to refine quantum-resistant maths based cryptographic algorithms is not new and has been gathering pace since around 2006. Starting in 2016 NIST has formalised a process with multi-national participation to evaluate and standardise PQC protocols with a focus on digital signatures and public key encryption.

Of 82 original submissions, 69 candidates were accepted for ‘round 1’ evaluation during 2018. Of these, 21 were broken or significantly attacked. 26 candidates were then selected for continued ‘round 2’ evaluation during 2019-20.

On Track

The NIST 2nd PQC Standardisation Conference held recently in Santa Barbara [63] was an opportunity to judge progress. Overall the process is very much on track, though challenges remain.

It remains a strength of the NIST process that a diversity of candidates remain. A further ‘round 3’ evaluation is expected for 2020-21 followed by draft standards in 2022 and formal approval by NIST potentially by 2024.

The candidate protocols each have their own pros and cons. They offer subtly different security guarantees and vary in computational performance (the degree of optimisation in current implementations also varies). Importantly, typical key and signature sizes are likely to be significantly increased compared to present day solutions.

Unstructured Lattice-Based – These algorithms offer a high security promise due to their connection to known hard computational problems in lattices (though the formal proof of the security for an actual implementation often remains challenging). However these approaches typically require significantly higher ciphertext/key sizes than conventional crypto systems and don’t yet seem to offer a ‘drop in’ replacement for existing Internet use-cases.

Structured Lattice-Based – These algorithms simplify the lattice by introducing some additional mathematical ‘structure’. This allows for shorter ciphertext/key sizes, and test implementations have indicated potential ‘drop in’ compatibility with key Internet protocols such as TLS 1.3. However, the ‘structure’ is a potential weakness in their security and a potential point of attack.

Code-Based – The ‘Classic McEliece’ submission stands out due to the long (40+ year) experience of the community analysing this system. This makes the discovery of a new conventional vulnerability much less likely. However it suffers from having very long key sizes and long processing times. Other code-based candidates have a less venerable pedigree, but typically have more competitive resource requirements (often sitting between unstructured and structured lattices).

Isogeny-Based – The sole remaining isogeny-based candidate SIKE is notable for its very low key sizes. However processing performance seems to be a concern for its drop-in deployability, or use in power-limited IoT systems.

Several factors complicate the evaluation of the competing protocols:

  • Rollout must ultimately be undertaken across the large, disparate and often anarchic installed base that is the current Internet. In describing work testing PQC deployments, Adam Langley of Google emphasises the lessons learnt from the ongoing process of trying to deploy the conventional TLS 1.3 protocol, “The Internet is very large and it’s not getting any easier to steer”.
  • Small IoT devices will put memory, processing power and the associated battery drain at a premium. Such devices will need sufficient capacity to be easily upgraded as new protocols are introduced.
  • Adversaries may seek to deliberately exploit the extra resource requirements of post-quantum algorithms to make denial-of-service attacks, e.g. by saturating the available memory of a device as it tries to process large PQC keys.
  • 8 of the continuing candidates are known to have patents associated with some part of their implementation. In addition, Daniel Bernstein has drawn attention to one patent with priority date 18 Feb 2010 that appears to potentially affect a range of code-based and Lattice-based schemes with smaller key sizes.
  • By definition PQC protocols are ones expected to protect against known quantum attacks (e.g. via Shor or Grover’s algorithm). However new – as yet undiscovered – quantum attacks may be discovered in the future. New conventional attacks may also be discovered, particularly for those schemes which are relatively new by cryptographic community standards. While it remains possible that any individual protocol, or even a family of protocols could be undermined, you have to be much more pessimistic to think that all would be.

Some would like NIST to move more quickly, perhaps streaming candidates into groups for potential early adoption versus those needing further research. However many are more cautious, “Don’t rush and do this thing right. There is significant need for more analysis; many candidates have received relatively little substantive cryptanalysis” being a representative comment.

In one parallel area, ‘stateful’ digital signatures, NIST does plan to approve the LMS and XMSS hash-based signature schemes right away. These quantum-resistance schemes are ‘stateful’ which means implementations need to avoid key re-use and are thus more challenging and prone to misuse. NIST intends to recommend these schemes only for “a limited range of signature applications, such as code signing”. Mainstream digital signatures remain on the 2022-24 track.

Some sceptics will always have an issue of trust with respect to processes of this nature. In 2006 NIST promoted Dual_EC_DRBG, a standard for supposedly cryptographically secure pseudo-random number generation. However, following the memos leaked by Edward Snowden many see strong circumstantial evidence that the NSA deliberately introduced a backdoor into this algorithm.

While the NIST process was originally envisioned as a global initiative and has successfully secured multi-national involvement from 25 countries and 6 continents, a parallel initiative has now been launched by the Chinese Association for Cryptologic Research (CACR). The competition was announced in Jun 2018. 60 private and public key algorithms have entered the evaluation stage, with the selection process touted to complete by end 2019. This is a much more aggressive timeline than the NIST process, but many will see the goal as more limited.

Quantum Cryptography

A complementary approach to communications security is provided by the physics-based techniques of quantum cryptography. These include QRNG for producing true random numbers (a potential benefit even in existing crypto systems) and QKD for secure key exchange immune to the computational threat posed by future quantum computers. Quantum cryptography can also offer some more subtle benefits, for example potential eavesdropping attacks can be detected in real-time allowing a quantum alarm function to be added to our cyber security armoury.

Gathering pace

Following early test networks in the US and Europe in 2003 and 2004, QKD has for years seemed to be on a slow burn in the West (mainly due to the practical limitations of early systems and the high cost of hardware and infrastructure). However, following the dramatic demonstration of QKD from space made by China’s Micius satellite in 2017, work on quantum networks has now accelerated around the world.

China – The undisputed leader in quantum cryptography deployment with a 2000km QKD backbone in operational use between Beijing and Shanghai and plans to extend this into a wide-area national network. Chinese satellite technology has been used to demonstrate space based QKD between Beijing and Vienna. China has major visions across quantum technology (see below).

Korea – SK Telecoms has acquired a strategic stake in leading commercial QKD equipment provider IDQ and has already deployed QKD within its backbone network (initially the major Seoul-Daejeon section) and QRNG in its 5G and LTE authentication centres. Quantum Communications is now a pillar in the Korean government’s Quantum ICT Roadmap.

UK – The Quantum Communications Hub is one of the four key pillars of the pioneering UKNQT programme, a key goal of which has been the development of the UK Quantum Network. A test network connecting Cambridge, London and the BT-led tech cluster at Adastral Park has been operational since Q1 2019. Later this year this will be connected to the metropolitan QKD network and quantum cluster in Bristol. Through RAL Space, the UK is collaborating with Singapore’s CQT on satellite based QKD. This and more advanced forms of quantum communication are set to be a focus in phase 2 of the UK’s quantum technology programme.

EU – Quantum communications is also a key pillar of the EU’s Quantum Technology Flagship. In addition the OPENQKD and QCI projects will prepare the way for the development of QKD in Europe at continental scale. In addition to a central QKD testbed in Geneva, links will be commissioned to other testbed networks, including in Cambridge (UK) , Madrid (Spain) and Poznan (Poland) using over 1000km of fibre links. This builds on network trials in Cambridge and Madrid last year and the long tradition of QKD in Europe dating back to the influential SECOQC network in Vienna. It will promote standardisation and the interoperability of equipment, including testing compatibility with satellite based schemes. Over 10 countries have also now signed up to support the QCI initiative to study the operational deployment of QKD in Europe.

US – The US DARPA Quantum Network in Cambridge Massachusetts in 2004 was the world’s first. US QKD activity has more recently been reinvigorated by commercial startups such as Quantum Xchange piloting commercial QKD installations. The evolving US NQI is likely to further increase the pace of development in this area.

Japan – Tokyo has boasted a QKD testbed network since 2010. Japan also has a satellite QKD project MIAC. Photonic and quantum technologies are seen as enablers for the realisation of the government’s major ‘Society 5.0’ programme. NICT, Toshiba, NEC, Zenmtech and leading Japanese universities are collaborating on a Quantum secure cloud (with medical and personal genome data being a particular target application).

Australia – Melbourne-based Telstra was involved in early quantum network tests. The Australian Department of Defence is investing through QuintessenceLabs to develop a sovereign QKD capability. This initiative sits alongside Australia’s strong presence across all areas of quantum technology.

Canada – Through the IQC, Canada is developing the Open QKD Network project. This is developing a layered framework for the incorporation of QKD into conventional communications systems. It is also actively pursuing satellite based QKD research.

Russia – Since 2014 a metropolitan QKD testbed has been operated in St Petersburg by ITMO Univ. This year a 160km Intercity link is due to be completed to KRNTU-KAI. Quantum communications is a pillar within the Quantum Technologies roadmap of the Russian Federation’s Digital Economy Program.

What is striking is the breadth and scale of the activity now going on worldwide. In 2016 the UK’s NCSC published advice cautioning business against QKD. Many will feel that things have moved on and it now looks embarrassing that the unamended advice is still listed on the NCSC website.

QKD still faces many limitations. The range of first generation commercial equipment struggles to reach 100km. This can be extended using trusted nodes though these are themselves both an overhead and a potential security vulnerability. In the end quantum repeaters are set to remove this constraint, but their development is still perhaps 10+ years away. This is one reason why satellite QKD is seen as an attractive way to extend the reach of such networks. Users adopting this technology also want to be reassured that the theoretical security of these devices is not undermined by side channel attacks on weaknesses in their implementation. Standard setting by recognised international bodies is therefore of particular importance.

Early movers

In reality neither PQC nor QKD are yet fully ready to meet all the world’s future requirements. Early movers in this market typically emphasise the need to understand specific needs and to adopt intermediate solutions accordingly. Future flexibility and agility can be just as important as the immediate strengthening of cyber defences.

Canadian academic Michael Mosca is perhaps the individual most prominently associated with the call to action for businesses and institutions to plan now for the future quantum threat. Together with fellow quantum cryptography expert Norbert Lütkenhaus he has founded evolutionQ, which specialises in risk assessment and quantum-safe policy development. The senior team includes David Jao an expert in maths-based cryptography, emphasising the balance of the advice they are able to offer.

ISARA, Post-Quantum and Qrypt are leading examples of companies active in helping businesses and institutions prepare for the early implementation of PQC solutions. ISARA have developed ‘agile’ digital certificates that aim to smooth migration to future quantum safe algorithms. It has partnered with Utimaco to produce a quantum-safe hardware security module aimed at the IoT market. More recently, ISARA alongside IDQ were recently selected to work with the leading defence group Thales. ISARA will provide quantum-safe algorithms while IDQ will provide QRNG technology. Traditional tech majors such as Microsoft and Atos are also active in this field, in parallel with their wider quantum technology involvement.

In terms of installed QKD equipment, QuantumCTek has a significant lead due to its close involvement with the large Chinese programme. Huawei has also been active in supporting research. In the West, Swiss-based IDQ is the longest established and leading commercial equipment provider. The rollout of its equipment in the core network of its strategic partner, SK Telecom, is set to be a major breakthrough for the business.

Quantum Xchange has an exclusive distribution agreement with IDQ in the US. This, combined with trusted node technology acquired from Battelle is at the heart of the point-to-multipoint QKD service it has been piloting over the Zayo dark fibre network on the US east coast (the initial target market has been linking Wall Street trading floors to New Jersey back offices). More recently Quantum Xchange has augmented their product suite with Phio TX. This is a great example of a hybrid solution that aims to lower the barrier to entry for clients with differing levels of security requirement. Phio TX uses out-of-band key delivery to provide a base level of security enhancement, while offering a seamless path for upgrade to full QKD security.

Leading encryption product vendors such as Adva and Senetas are already keen to emphasise the flexibility of their equipment to work as part of an agile environment. QuintessenceLabs emphasise the flexibility its key and policy management servers offer, together with the practical security enhancement that their QRNG products offer now, even when combined with conventional crypto solutions. QuintessenceLabs also plan to offer customers the future flexibility to move to QKD within their security stack.

Toshiba benefit from their long involvement with the Tokyo QKD network and more recently their equipment has been demonstrated on the UK Quantum Networks. The advanced twin field QKD demonstrated by Toshiba Research Europe has set new records for the range of conventional fibre based QKD.

One time pioneers MagicQ Technologies, who had for some time been quiet about quantum cryptography, are now again actively marketing a QKD solution called MagiQ QPN. Qubitekk has been targeting QKD applications in industrial control systems via its DataLoc key server.

Startups such as ArQit, InfiniQuant and SpeQtral are active in the fledgling quantum satellite market.

QRL , IOTA, HyperCash, StarkWare are early examples of blockchain projects that emphasise their quantum-safe credentials.

QKD and 5G

The recent demonstration of QKD on the UK’s 5G test network in Bristol [64] was as an opportunity to take stock of progress in this area within one of the world’s most advanced quantum technology programmes, the pioneering UKNQT.

Reza Nejabati (left), Rodrigo Tessinari, Emilio Hugues Salas, Anderson Bravalheri - High Performance Networks group, Univ. of Bristol

Reza Nejabati (left), Rodrigo Tessinari, Emilio Hugues Salas, Anderson Bravalheri – High Performance Networks group, Univ. of Bristol

The demonstration featured QKD working in an advanced 5G context – not just in the core network backbone, but also to secure data cached at edge locations in the logical network. It also featured the demonstrated fully meshed dynamic network switching. A QKD compatible ‘quantum’ ROADM is used to flexibly route channels under software control. This is particularly impressive as the underlying technology is DV QKD (from an IDQ system). This is arguably the most mature form of QKD currently available. In the absence of demonstrations such as this it has often been thought of as not possible to deploy in switched network environments. A feature normally thought of as an advantage for CV QKD.

The Bristol QET Labs team also demonstrated their latest steps towards realising one of their long term goals – practical handheld QKD. Their approach involves the use of pre-shared keys loaded onto a handheld device. Currently this is done by use of QR codes at a secure terminal. Their plans are to use the same software stack to support key transfer via optical docking.

John Rarity, Director of QET Labs, Univ. of Bristol

John Rarity, Director of QET Labs, Univ. of Bristol

Case Study: The Bristol quantum tech cluster is a great example of how very modest amounts of academic seed funding can, carefully steered, secure advantage for a targeted region [66]. The initial 5-year Engineering Photonic Quantum Technologies programme grant awarded to Univ. of Bristol in 2014 was just £5m. Crucially this allowed a cross-disciplinary group of academics to form around a common vision of where this technology was going. Supported by the wider UKNQT, this group was able to secure not just additional EU funding and wider academic collaboration but also involvement from business and investors. With a growing portfolio, QET Labs has been able to secure a world-class position in the quantum photonics, playing a major role within the UKNQT Quantum Communications Hub and with ambitious contributions in photonics based quantum simulation. One notable spinout, PsiQ, has now moved to the US, but many more remain, powered by a string of entrepreneurs coming out of its quantum engineering CDT and ground breaking QTEC programme. Many countries around the world are now seeking to emulate this type of development as part of their own quantum technology programmes. Success will mean finding the right niche. Early mover advantage will be key.

KETS Quantum Security, is a Bristol based startup that continues to make progress that promises to transform the sector. A key barrier to the commercial adoption of QKD has been the expensive kit required to implement practical protocols. KETS vision is to deliver a complete quantum encryption solution on a chip. Ultimately this promises to radically reduce size, cost and power requirements. Immediate applications are QRNG and QKD. KETS has demonstrated its technology in the lab and in trials with initial partners such as Airbus, BT and now Thales. KETS is targeting the availability of OEM modules in 2020 and commercial deployment in 2021.

Quantum standards

In such a complex field, recognised product and service standards are set to play an important part in reassuring enterprise customers that they are adopting safe and robust practices.

ETSI together with some ITU and ISO groups, and with input from the IETF have for some time been working on international standards in the area of quantum communication.

Side Channel Attacks – a crucial issues for QKD networks is engineering the system to reduce the risk that attacks on imperfections in its physical implementation will undermine the notional promise of perfect security. The difficulty of excluding such attacks in principle has led to the vision of certifying the security by common criteria, involving expert opinion and extensive testing. These efforts are being pursued in ISO and in ETSI (in the latter case in cooperation with the German BSI).

On a more general level, the TSAG of ITU has just approved a focus group dedicated to quantum information technology. This represents a consensus across China and major western participants. Momtchil Peev, a quantum expert working with Huawei comments “The ambition is to synchronize future-oriented standardization in the field of quantum information technology. Naturally the agendas are not very clearly harmonized yet and political friction is not to be neglected. Still it was impressive to see in a political, UN like environment, a high degree of agreement from countries as diverse as China, US, UK, Canada, Germany, France, Japan, Korea, Russia, Brazil and a multitude of developing nations from Africa and the Middle East on the importance of Quantum technology”. Presently each of China, US and Russia want to co-chair the group. It remains to be seen how effective this process can be.

China’s big vision

The recent ITU Workshop in Shanghai on Quantum Information Technology for Networks was a great opportunity to review progress from around the world [67]. However, what really stole the show was China’s continuing progress and aspirations in this field.

USTC built its first quantum test network in 2005 followed by a metro-network in 2016. It grabbed the attention of the world with the demonstration of QKD using the Micius satellite in 2017. This is not an accident, but the result of China’s now long established and growing investment in quantum technology. Startups are beginning to spin-out from these efforts notably QuantumQTek, China’s leading QKD equipment provider.

A 2000km QKD backbone link has been operational between Beijing-Heifei-Shanghai since 2018. Banks such as ICBC and CMBC have been early commercial adopters with applications in use including regulatory data transfer, main & backup datacentre transfers and secure email. The Xinhua news agency is also a user. Trials are also underway for use in the court system and between Chinese customs and the ERP systems of import/export companies. Research adapting QKD for power-grid control use is also progressing.

Jian-Wei Pan, USTC - China's 'Father of Quantum'

Jian-Wei Pan, USTC – China’s ‘Father of Quantum’

China plans to buildout the existing backbone into a true national wide-area quantum network by 2025. A Wuhan-Heifei link is already under construction and a Beijing-Guanzhuo link is in planning. Further links will connect all Chinese provinces for a total network length of 35,000km. Satellite integration is intended to extend coverage globally to embassies, companies and foreign institutions.

QuantumCTek have also partnered with ZTE in launching the AXON 7S, which they describe as the world’s first commercial mobile phone with ‘quantum security encryption’ (Fact Based Insight understands that this is based on pre-shared keys downloaded onto a microSD card).

Presenting the keynote address to the ITU Shanghai workshop, Jian-Wei Pan (USTC) demonstrated why he has earned the title of China’s ‘Father of Quantum’. Pan traces the history of quantum mechanics from its inception and the philosophical challenge it presents. He explains the many experimental tests of the theory, which have incidentally evolved closely alongside the techniques underpinning quantum cryptography. For those in the West who might be slow to trust China as an equipment supplier he points out that the basic science means that for techniques such as MDI QKD and advanced entanglement based QKD we don’t need to trust the manufacturer (we can test the security at the time of use).

The breadth of the vision that Pan paints is jaw dropping. He would like to crown China’s programme by testing entanglement distribution between the earth and the moon. As a technology driver, this neatly combines the efforts of both China’s space programme and quantum technology. It is also great science, promising to test quantum mechanics in a new domain. Intriguingly the moon is 1.28 light seconds from the earth, opening up the possibility that for the first time we could test superposition and entanglement with a conscious human observer in the loop. No other quantum programme worldwide has been able to settle on a mission with such potential to capture the public’s imagination.

Avoiding rival camps

Faced with this complex and rapidly evolving landscape, what should businesses concerned about their cyber security roadmap do? With which of these technologies and on what timescales should they be engaging? Investors in the sector face a similar challenge in terms of which projects they should back.

These questions have often been further complicated by the sometimes inadvertent bias of existing expert groups.

Groups tending to favour maths-based PQC

  • Mathematicians
  • Big tech companies run by computer scientists
  • Western intelligence agencies with traditionally strong cryptanalysis capabilities

Groups tending to see the merits of physics-based QKD

  • Physicists
  • Telco companies run by engineers
  • Governments more often on the receiving end of other’s maths-based cryptanalysis strength

Fact Based Insight believes a more balanced understanding of pros and cons is emerging.

Short term

Companies should already understand the security time horizons of their business data and key infrastructure investments and the spectrum of vulnerabilities they face. Businesses with long shelf life sensitive data or with plans for extensive investment in 5G or IoT technology should seek specialist support now. Likewise, investors in blockchain should understand the challenges and opportunities quantum technology brings.

Medium term

In the medium term PQC is set to provide a good solution for most users and to be available on a reasonable timeline to meet general requirements. However users with advanced needs will want to plan in advance how they smooth the cost of adopting and maintaining this technology. Some will have an opportunity to turn an accelerated transition into an advantage versus their competitors.

QRNG is a good addition to virtually any security stack and is set to be an increasingly cost effective addition.

There will also be situations where the sensitive nature of the data or infrastructure being protected justifies the cost of QKD as an additional and fully complementary layer of protection. Dustin Moody of NIST says “There are certainly use cases for QKD, but mostly for very high security areas (government and big companies in sensitive sectors). We don’t see QKD being widely deployed”. Others expect the number of applications of QKD to increase markedly as suppliers bring down costs and make the ease of deployment routine.

Fact Based Insight believes we are at last moving beyond the point of rival ideological camps talking past each other, to one where what matters is ‘does the business case add–up’.

Long term

For the long term, a central question is how pervasive will natively quantum communication networks become. This rests on a question about the future of quantum computing.

Some point to the relatively specific problems where we already know quantum computers will offer an advantage. For these a limited number of cloud-connected supercomputers with adjunct quantum processors would seem to serve the need. Fact Based Insight tends to see a pattern in such pronouncements

“I think there is a world market for maybe five computers.” Thomas Watson, IBM, 1943

“There is no reason for any individual to have a computer in his home.” Ken Olsen, DEC, 1977

“640K ought to be enough for anybody.” Bill Gates, Microsoft, 1981

“Breaking a 2048-bit certificate would take longer than the life of the universe” Internet, 2013

“Quantum computers won’t replace classical computers” 2019

There is an alternative view, that in the long term we will see a natively quantum internet connecting a vast global network of quantum processors, quantum sensors and quantum data stores. This is the vision to which the EU’s Quantum Flagship, through groups such as the Quantum Internet Alliance, is now working. Such a network would be the work of decades and would come with quantum security built-in. By then, Jian-Wei Pan will no doubt have an interesting proposal regarding Mars.

Actions for Business

Fact Based Insight believes that for most common applications, businesses should be happy to observe the NIST PQC process and be ready to adopt solutions from the suite of protocols it will recommend.

  • However for sensitive applications, some will need to move sooner. Businesses need to assess their exposure, particularly relative to others operating in their sector.
  • Is there an accepted standard in our industry for how long sensitive data must remain confidential, including where it is intercepted and stored by a third party for later decrypt?
  • Are competitors engaged in trials of quantum safe encryptions technologies? Are they making marketing claims on security?
  • How do these threats overlay with regulatory standards? Financial Services will be affected by this, and especially the Fintech segment. Healthcare is also a sector with sensitive issues to explore.
  • Are investments underway in long lived physical devices with a long expected lifecycle, such as Internet of Things deployments or smart vehicles? Oil & Gas, Automotive & Logistics and Aerospace & Defence are all sectors where businesses will find themselves impacted.

Businesses need to understand and assess their high level transition plans.

  • How long will it take for our organisation to transition to quantum safe security arrangements?
  • Are these matters being raised with key suppliers during procurement processes, particularly in terms of the availability of future upgrade paths (RFIs & RFPs)?
  • Where remote systems or embedded devices are being deployed, has consideration been given to their future upgrade to quantum safe operation, and
  • Is our business vulnerable to a ‘shock’ to public confidence in conventional e-commerce or data security and how would we respond? Even where our own plans are strong, could key employees respond quickly with the right messages to reassure customers and investors? Fintech companies and in particular companies with blockchain involvement should be prepared to offer ‘fire drill’ responses.
  • Do we understand any inadvertent bias provided by our advisers and expert teams across the ‘maths’ and ‘physics’ approaches to security?

Existing service providers and equipment manufacturers need to be ready for the threat of new entrants.

  • What new entrants are preparing products or services that might disrupt our existing value chain position?
  • Do our teams and our technology partners have access to the right balance of expertise across these new areas?
  • Are we ready to engage with our customers to ensure that we are seen as a reliable and value adding partner during this transition?

Investors should seek opportunities in this now rapidly developing field.

  • Large companies should consider establishing quantum-dedicated groups. Others may seek to buy-in expertise from established midsized quantum businesses to strengthen the leadership to their existing efforts.
  • A steady stream of startup opportunities are emerging as spinoffs from academia. National programmes are increasingly in place to offer a favourable environment for investment and co-working with these opportunities.
  • As leaders are now emerging from the NIST PQC standardisation process, expertise is likely to be scarce in leading protocols. Academic spinoff opportunities are also likely here. In some cases patent rights may apply.
David Shaw

About the Author

David Shaw has worked extensively in consulting, market analysis & advisory businesses across a wide range of sectors including Technology, Healthcare, Energy and Financial Services. He has held a number of senior executive roles in public and private companies. David studied Physics at Balliol College, Oxford and has a PhD in Particle Physics from UCL. He is a member of the Institute of Physics. Follow David on Twitter and LinkedIn