As scientists across the world express their excitement about the development of quantum technology, others are worried about the dangers it poses to today’s encryption and the potential benefits it could offer to cybercriminals.
Quantum computers have been widely discussed as they can essentially “simulate the quantum world,” from atoms to molecules. They utilize the principles of quantum mechanics to solve complex problems – ones too sophisticated for modern computers. In some way, they can even imitate the human brain, specifically certain functions, such as memory and decision-making.
However, sophisticated quantum technology – still likely decades away – also poses a variety of risks. As such, it might be able to break the encryption algorithms commonly used today, as well as cryptocurrencies, such as Bitcoin. In theory, quantum computers would be able to break 2048-bit RSA encryption in just under eight hours – a task that would take a supercomputer 300 trillion years.
It’s then not surprising that nation-states are all racing towards creating their own quantum computers, lured by the promises of technology that is only comparable to digital nuclear weapons. In order to understand how quantum computers work, we reached out to Denis Mandich, Co-Founder and CTO of Qrypt. Mandich drives the technology roadmap and secures the global expertise to protect against quantum computing threats. Previously, he served 20 years in the US Intelligence Community, working on singular, innovative technology essential to National Security.
We sat down together to discuss the future of quantum computing, the latest developments, as well as dangers and potentials promised by this new technology.
Let’s start off by discussing the state of today’s quantum computers. Are there any new developments in the industry?
Yeah, there are almost daily developments, different research groups that are focused on different techniques for creating qubits, which are the fundamental units of quantum computing, and also different ways of assembling them into larger quantum computers.
IBM's leading the charge on the biggest collection of qubits in a single computer, but there are other companies that are using many different techniques, including PSI Quantum, which didn't start with the premise of scaling from a smaller leader to a bigger one. They started with a million cubic machines in order to get that to work first and then scale from there. There is a lot of very exciting research. A lot of money is going into it, a lot of potential large market value for many people.
Talk us through the differences between classical and quantum encryption.
Classical encryption means you're just using a single algorithm, usually a hard math problem to encrypt data in the quantum version of it. We need to have that same mathematical problem or a physics problem that's associated with it, be incapable of being decrypted by a quantum computer.
A quantum computer works very differently than a classical computer, as it can solve certain classes of problems that are impossible for classical computers to ever tackle. One of the problems that they're really good at is the type of encryption that we use today. Post-quantum cryptography replaces one of those algorithms with a slightly harder math problem that we believe is quantum-safe or quantum secure. We don't really know because there's no proof of it. And then quantum cryptography takes that to the next level and goes from quantum-safe to something that's truly quantum secure.
There are different ways of doing that. The foundational piece of it is the ability to generate a random number from quantum sources, which is really hard for computers to achieve. Dice rolling and coin flips are not really random. They appear that way because you can't measure it closely enough to determine what the outcomes will be. But they're not random at all. So quantum measurement is really the only way to produce a random number that's good enough for cryptography. So those are called quantum number generators. Those are sources of random numbers only. They're the raw materials that you need for all crypto systems.
How do you then differentiate between quantum cryptography and post-quantum cryptography?
Post-quantum cryptography only has to deal with one thing, and that has to do with how I get the keys to the endpoints – asymmetric cryptography. All the public and private key pairs do is connect to people and then distribute the symmetric key. That symmetric key is called AES or advanced encryption standard. So if you can get an AES key to those endpoints that was generated from a quantum random number generator, then you’re quantum safe. That's an older technology, but it's proven to be absolutely secure between two endpoints, meaning a quantum computer cannot break it, provably. Whereas with a yes, this other symmetric key version, we only believe that it's secure against quantum computers, but we don't really know.
That leads to my next question. We talk a lot about quantum cryptography being seemingly unhackable, but how unhackable is it really?
Depends on how it's done. There's always a way to hack at the endpoint. At some point, you have to use those keys, that data on a cell phone or a computer. So there's nothing that's truly unhackable.
If you're only looking at the question of the key system itself, meaning the keys that you have received at those endpoints, then that's not hackable because you got them to the endpoint. You assume that those endpoints are who they say they are. That's authentication. And then you believe that they're not compromised either. So we're only talking about the data that's going over the wire in between. Is that hackable or unhackable? You've heard of “Harvest now decrypt later” [attacks where threat actors collect encrypted data from companies for later decryption with more sophisticated quantum computers.] If I capture that data as a man in the middle of the data center or a service provider, can I decrypt that data without having any access to the endpoints? That's really the question here.
Will quantum cryptography break classical encryption (for example, RSA encryption) and the cryptocurrencies as we know them?
Yeah, that's a really big question. So for all classical encryption, it is provably broken by large enough quantum computers, which makes it an engineering problem. The systems that we use, say the classical encryption systems that we use today, if we knew about Shor's algorithm, which is a technique that quantum computers use to break them, we wouldn't be using them today. We wouldn't be talking about that today.
We have to get off of these older systems because we know that one day quantum computers will be big enough. They'll be a cloud service. All of us will be able to use them at any time and decrypt anything we want. The algorithms are out there, they'll be on GitHub.
And then what does that really mean for lots of huge applications, especially cryptocurrencies? A great example is that all the cryptocurrency wallets are secured with, that asymmetric encryption system. And that's exactly the type of system that quantum computers are really good at breaking. So if I can guess what your private key is, and this has happened many times for lots of different reasons, then I can transfer all of your cryptocurrency to myself, and that's a valid transaction on the blockchain.
It's immutable, it can't be undone. I am effectively you if I can guess what your private key is, and that's what quantum computers can do. I always like to give the example of the Etherium band. All they did was guess private keys to see if there was any money in those wallets to simply transfer all of it to themselves. And as soon as the quantum computer comes online, I can use it to cure cancer, but they're going to use it to go steal Bitcoin. That's where the money is.
How can nation-states take advantage of or exploit quantum computers?
Nation-states have always been the largest first users of any new computing system. They had all the supercomputers. They did a lot of the fundamental operations research, studying the algorithms that are used for all of these encryption-breaking schemes.
That's not a secret here in the United States. We pay the government to do that, right? Our taxes go to fund the NSA and the CIA. So we expect that the first groups of users will be NSA or Chinese or Russian intelligence. But they'll just buy those cloud services, and they'll run their algorithms in the cloud. They don't even have to own these devices anymore. The NSA will probably buy a few dozen, which are then used to break the diplomatic channels. The difference with countries like China is that China uses that to make companies like Huawei and ZTE richer. In the United States, that's illegal. You can't steal information and data and give it to Google or Verizon to make them more wealthy. But it's not the same way in other countries, and that's how quantum computers will actually get used.
I recently heard this comparison between quantum computers and nuclear weapons, suggesting that although there are so many dangers associated with quantum computers, the advantages outshine the risks posed by them. What is your take on that?
Yeah, quantum computers are essential to many fields. Think about how much faster drug discovery and vaccines can be developed with a quantum computer compared to the amount of time it takes with a classical computer. Modeling atoms and molecules is almost impossible for classical computers without vast resources. Now you can develop things like new pharmaceuticals for curing cancer extremely quickly because you can model whole molecules and see if they work before actually building anything in the lab.
Nuclear weapons, the technology behind them, was created years, almost a generation before a nuclear weapon was actually built. But that's what the foundations of nuclear power are today. It's the most efficient power system that we have in the world. Sure, we don't know what to do with the nuclear waste and all that, but it's super safe, It's very efficient, and it doesn't pollute the atmosphere. It doesn't add greenhouse gases. So I think we're going to see a change in people's perceptions about this. It's not just going to be all the bad things that happen. They read all of our emails and all of our chats and all the data that they've been sitting on that they're eventually going to monetize and operationalize one day. That's all going to happen for sure. But there are a lot of huge advantages to a world with quantum computers where everyone has access to them. With all the discoveries, all the technologies, material science, more efficient financial networks, and logistics of moving vehicles around in a highly congested area like New York City, all these huge advantages will happen. That's why they're being built. That's why so much money is going into it.
And in this case, what are some of the developments that you are most excited about in the quantum sphere?
There're so many. It's just the potential to solve all these huge problems. In fundamental physics, I see a lot of modeling that can go on for really big quantum field theory problems that you just couldn't do with classical computers. There are only so many simulations you can do with bits. The quantum qubits outnumber them very quickly.
If you think about the power of a quantum computer, it grows exponentially. It's like every computing device we've ever made since the history of mankind and an abacus have about the same amount of power compared to a small, very small quantum computer. This is a very exciting time for not just computer science but for physics and chemistry and financial networks and infrastructure and all kinds of discovery fields. You saw the uptick in the adoption of GPT: how many people jumped on that? Millions at once and the fun that they can have with it, but also the problems that they could solve. And you saw other nefarious things happen, right? There were people that used it to ask questions like build me a hacking tool that is useful against this type of banking infrastructure and also provide me a list of all the banks in the world that have that vulnerability right now. It can do that very quickly. Of course, quantum computers can do the same thing. If I have the data, the network connections, a little bit of information about these systems. I can use a quantum computer to decrypt that traffic and immediately start transferring money from your bank to mine. There's nothing you can do about it.
Do we have to actively protect ourselves from the aftermath of the evolution of quantum computing?
You have to. Consider the Venona Project ran by the US government during the Cold War. They collected that data, knowing that they would find a flaw in the encryption systems one day. Not for decrypting it. Flaws in the key material lost in the software that implemented it, and lots of different techniques. And that's been extremely effective going back half a century. The difference today is that it's not just the US that's doing that for strategic weapons purposes or diplomatic negotiations and treaties purposes. It's the Chinese government that's doing it on an industrial scale that we've never seen before.
It's a national economic security issue for us today and a privacy issue that most people don't realize. The Chinese government would like a file, a personnel file on every single person in the United States. The way they do that is by collecting so much of that private data to find out what makes you tick, how they can target you, and see where you end up. All those things are super important in this collection scenario, and they're doing that today. When they operationalize that, it won't be good for any individual. So we really need to start thinking about it today because the data is being collected, and if they know that it's going to be useful to them even a tiny bit, it will be used.
So we really need to start transitioning to quantum security today long before the biggest quantum computers start coming online. It's a national security imperative for us. Major legislation passed last year, multiple executive orders, and national security memorandums. So indirectly, they kind of push the industry to help themselves and secure their own infrastructure by forcing anyone doing business with them to do the same. I think it's a positive development. It's just not happening fast enough for a lot of people. People don't realize that all the messages that you've ever sent are stored out there. And what did you put in there? Is it just cat pictures, or is it something sensitive about your medical condition or your relationship with other people, or your aspirations for a job? All these things are extremely important in the intelligence business. And I spent 20 years at the CIA. I know how that information is used, especially against terrorists. We've never seen it before on the scale used against individuals by a foreign adversary like China that has the resources and the knowledge to exploit it.
Qrypt is different from other quantum cryptography companies because most of them use that technology. I mentioned earlier quantum key distribution, which requires a sender and a receiver, a physical appliance on two endpoints to get that key material there. That key material still needs to go out to some kind of software package server or an endpoint, a client, what have you. In contrast, Qrypt has taken that model and flipped it on its head to make those quantum random number generators and natural resources available as a cloud service so they can reach any endpoint in the world. You could go down to your cell phone, it can go down to your data center connecting a data center across the world where you don't trust any of the traffic in between those data centers because it's routed through China. Let them collect all of it. It won't matter anymore. So what we do, what CRP does is simultaneously generate those keys, those quantum entropy-based keys at those endpoints, and then make the issue of who's listening in between irrelevant. We don't have to trust them anymore.
We're saying no one else should have access to your key material. You should be able to communicate the way you did 50 years ago with a simple phone call or chat in your room without having to think about anyone listening in on that phone call. And the only way to do that is by having a service like Qrypt provides.
The internet has now evolved into a gigantic data collection and surveillance entity, super useful for social media and for selling you stuff on Amazon, but not good for our privacy. And again, people don't understand how data is used today. We need our privacy back. And the only way to do that is by guaranteeing end-to-end encryption between any two endpoints and making that really easy to consume.
More from Cybernews:
Subscribe to our newsletter