Q-Day
Before quantum hacking becomes a reality.
by 
By Angela SP Yap
Can you stop a hack that’s faster than you?
That is the cybersecurity threat that will confront every system in the world once quantum computing is a reality, which experts predict will occur within the next two to 10 years.
In the December 2021 issue of Banking Insight, our feature Quantum Computing: Finance’s Next Frontier explored the concept of quantum computing and how these breakthroughs are opening new (and profitable) possibilities in financial markets. Its current use cases include Goldman Sachs’ lightning-speed pricing of complex derivatives to the accurate simulation of market behaviour. We recommend that our readers revisit the article, which succinctly explains concepts such as ‘qubits’ and ‘superpositioning’, as an accompaniment to this piece.
Quantum Day, or Q-Day in cybersecurity circles, refers to the day when the power of quantum computers will be harnessed to ‘crack’ secure codes that transmit sensitive information, such as digital signatures or trading data. Luckily for us, time is on our side. Code breaking on a quantum machine requires qubits (quantum bits) in the thousands, and most quantum computers currently work around 50 qubits. This is changing rapidly as technology companies and governments race to the finish line.
IBM, whose current capacity is reportedly a 127-qubit processor, has announced a roadmap to produce a 4,158-qubit quantum processor called Kookaburra by 2025. Google’s Sycamore machine was in pole position until October 2021 when a team from the University of Science and Technology in China developed two machines, Jiuzhang 2 and Zuchongzhi 2.1, the former of which could compute calculations at least 100 trillion times faster than Sycamore.
China’s national research and development spend increased by 7% in 2021 with a reported USD10 billion already invested in the field. It also holds more quantum technology patents than even the US, which trails with a dismal USD1.2 billion budget earmarked over a five-year period under the National Quantum Initiative Act 2018 and has spent only USD900 million thus far for the fiscal year 2022.
Private sector players are also getting into the game albeit, with smaller budgets. Zapata Computing, a Massachusetts-based quantum software company, reports that in 2021 the sector is pulling in serious private-sector dollars with 28% of global enterprises allocating seven-figure budgets, a turning point from the USD100,000 research and development budgets of the past. Its First Annual Report on Enterprise Quantum Computing Adoption, comprised of 300 leaders (chief investments officers, chief technology officers, other vice-president-level and above executives) from companies with turnover exceeding USD250 million and USD1 million computing budgets.
Hacking, but on Steroids
Flush with investment dollars and with such grandiose machines already in the works, it is a bit surprising then that there hasn’t been more discussion on countering the havoc that will ensue once cybercriminals get their hands on such machines and quantum hacking begins.
What takes conventional supercomputers hundreds of years to compute could be accomplished in a matter of seconds once quantum computing is fully realised. Think of it as the digital-day version of the code-breaking Bombe machine created in the 1940s by mathematical genius Alan Turing, which did the impossible by decrypting the German’s Enigma code, securing vital intelligence for the British government. With quantum capabilities, the ability to crack existing codes will be in the milliseconds.
Already, 2022 is set to become the most lucrative ever for hackers who amassed USD3 billion in 125 hacks as at October, based on a tweet by blockchain intelligence firm Chainalysis. One of China’s top cryptographers, Prof Jintai Ding of Tsinghua University, predicted at a forum in December 2021 that USD3 trillion worth of cryptocurrency assets will soon be vulnerable to hacking by quantum computers.
There are two ways through which that will happen:
+ ‘Collect now, decrypt later’ strategies.
Although hackers have yet to acquire the know-how or tech infrastructure to decipher information that is currently encrypted, this does not prevent them from acquiring and storing such information in preparation for a time when quantum computers can reliably break these security algorithms.
+ Outdated cryptography.
Much of the sensitive data exchange over the internet by banks are based on public-key cryptography. The idea is that information can be securely transmitted through the internet using a public key (comprising numbers, alphabets, symbols) to encrypt and securely transmit the message, and a second private key (a different set of numbers, alphabets, symbols) that is known only by the intended recipient is used to ‘unlock’ the message and read it. There are numerous types of public-key-exchange algorithms – RSA, elliptic-curve, Digital Signature Standard – some of which the world is slowly transitioning away from as these encryptions become more easily deciphered by classical computers. However, the looming threat of quantum hacking means that these keys, public and private, can be cracked faster and en masse.
Cracking Stuff
In quantum-resistant encryption, researchers often refer to Shor’s Algorithm, named after Peter Shor, Professor of Applied Mathematics at Massachusetts Institute of Technology. It shows how a quantum computer should theoretically be able to break RSA (in use since the 1970s) and elliptic-curve keys, rendering current cryptographic systems vulnerable.
In his opinion piece, Q-Day Is Coming Sooner Than We Think, Arthur Herman, Senior Fellow at the Hudson Institute and Director of the Quantum Alliance Initiative, writes: “There’s a growing consensus that this quantum threat is real; there’s no agreement how long it will take before a quantum computer has the 4,000 or so stable qubits it will need to meet the requirements of Shor’s algorithm for cracking those encryption systems.
“The fact that the [US] National Institute of Standards and Technology (NIST) won’t have its quantum-resistant algorithm standards ready until 2024, and expects the rollout to space out for another five to 15 years, has helped to encourage complacency disguised as confidence. But new developments in quantum science suggest that this complacency is misplaced…it’s probably going to be here sooner than even experts thought.”
Indeed, the NIST’s track record in this respect has been dismal. In August 2022, one of the four encryption algorithms it considered to be ‘quantum resistant’ – or safe from decryption by quantum computers – was embarrassingly decrypted by researchers using a good ol’ Intel-chip laptop. The Belgians who cracked the code, Wouter Castryck and Thomas Decru, researchers at KU Leuven, made their code public together with details of the 2013 off-the-shelf laptop, and collected a nifty USD50,000 bounty from Microsoft, the company that developed the original encryption algorithm.
Pants Up
What measures can leaders take to pre-empt quantum hackers from targeting their companies? Boston Consulting Group, in its article Quantum Hacking is the Next Big Cybersecurity Threat. Here’s How Companies Should Prepare for ‘Y2Q’, recommend that companies should already cultivate what it calls ‘crypto agility’ in these four ways:
+ Escalate this to the board and top management. Companies must make cybersecurity a business priority. They must assign the responsibility for tracking developments in quantum computing to a team, led by a senior leader, such as the chief information officer or chief information security officer, that reports regularly to the board and top management. This will ensure that the focus is on corrective, not organisational, issues when quantum computing arrives. Doing this will be critical in sectors such as finance, where the risks are higher due to the nature of the business and its dependence on data. Some banks are already working with quantum computing companies on risk mitigation methods or have created a global organisation structure to deal with security in a post-quantum world.
+ Identify priorities and create roadmaps. Every company must map its years-to-quantum (Y2Q) risks by developing an inventory of connected assets, periodically evaluating the value of its data pools, and evaluating its exposure to new crypto standards. It must maintain a balance between the value of the data it has accumulated and the cost of protecting them, and develop a roadmap of its priorities.
+ Plan, pilot, and test crypto agility. Organisations must simulate Y2Q scenarios, such as the impact on their profit and loss, and develop countermeasures. They must conduct these exercises in coordination with their business units to ensure that the entire organisation has visibility into the challenge ab initio. In addition to developing pilots, executives must stress-test them to learn more about the problem, and gauge their crypto agility.
+ Collaborate with rivals and the ecosystem. Y2Q will not discriminate among companies, so leaders should adopt a collaborative approach to developing crypto agility, working with peers, and involving stakeholders such as academia, government, and digital start-ups. This approach will allow companies to share development costs; come to grips with the changing landscape faster; develop better Y2Q plans; and make credible policy recommendations. For example, in September 2021, 24 Japanese companies came together to form an industry council, Q Star, to understand, influence, and help businesses tackle the Y2Q problem.
The world is still some years away from a real advent in quantum computing, but when it arrives, it will be fast and it will be furious.
Just promise the world you won’t get caught with your pants down.
Angela SP Yap is a multi-award-winning social entrepreneur, author, and financial columnist. She is Director and Founder of Akasaa, a boutique content development and consulting firm. An ex-strategist with Deloitte and former corporate banker, she has also worked in international development with the UNDP and as an elected governor for Amnesty International Malaysia. Angela holds a BSc (Hons) Economics.