'Quantum supremacy' demands prioritization of crypto protections
Connecting state and local government leaders
A combination of quantum key distribution and quantum resistant algorithms offers a defense-in-depth approach to the problems we face from quantum computers.
Finally, the U.S. government should encourage companies to manufacture QKD hardware domestically to minimize the supply chain risk. We must be able to trust that there are no backdoors or other vulnerabilities injected into products that U.S. companies rely on to secure data. That means keeping all the manufacture of the quantum components inside our country.
Last month, Google claimed it had built a quantum computer that took only 200 seconds to run a computation that would have taken today’s fastest supercomputer 10,000 years, thus reaching an important milestone known as “quantum supremacy.”
Researchers are predicting that quantum processing power will expand at “double exponential rate” compared to that of Moore’s Law, meaning quantum computers will likely be available before the five- to10-year range previously predicted. This is significant because quantum computers will easily be able to decrypt our strongest encryption algorithms, putting all of today’s most sensitive data at risk -- unless we have data protections in place that can withstand those quantum attacks.
To date, most of the security efforts have focused on creating stronger mathematical algorithms designed to be resistant to quantum attacks -- a field dubbed post-quantum cryptography. In the United States, the National Institute of Standards and Technology is spearheading much of the quantum defense efforts and supporting those efforts.
But there’s another technology -- one that doesn't depend on increasingly stronger algorithms -- quantum key distribution. QKD uses photon-based keys that cannot be intercepted or manipulated to enable unbreakable encryption. It can be deployed today and is in use in Europe, China and other countries. Because QKD is based on quantum mechanics, it’s not vulnerable to quantum computers like traditional cryptography is. The U.S. should develop and deploy both quantum-resistant algorithms (QRA) and QKD in tandem, given the serious risks we face with hastening advances in quantum computing.
Today’s data is at risk -- now
There is a misconception that because quantum computers aren’t yet available, there’s no real threat to our data. That’s just not true. China has been harvesting and stockpiling troves of data it has stolen from U.S. agencies and businesses for years. The hoard includes highly sensitive data about more than 21 million government workers and contractors that was stolen in the Office of Personnel Management breach four years ago. While that data was encrypted, once China has a quantum computer it will be child’s play for it to unlock the data and learn secrets that can be used to further compromise the U.S. government.
That data is a lost cause, but new and future data can be protected against quantum attacks with QKD. I’m not arguing for one post-quantum defense over the other; I’m saying there’s a purpose and place for both QKD and QRA. From a national security standpoint, the U.S. must support the strongest data protection available. Only a defense-in-depth approach, or a combination of both QKD and QRA, can adequately address the problems we face from quantum computers.
Defense efforts and attacks are ramping globally
Other countries aren’t wasting time developing their quantum crypto firepower. The E.U. is funding four Swiss organizations to test quantum communication infrastructure as part of an OPENQKD project. More pointedly, China is building a $10 billion quantum research lab scheduled to open next year, investing much more than the $1.2 billion allocated for quantum science and computing efforts in the U.S. under the National Quantum Initiative Act. China also is testing free-space laser QKD over satellite. Meanwhile, a consortium dubbed “AQuaSeC,” which includes British Telecom, Toshiba and the University of Cambridge among a dozen or so other organizations, has formed specifically to develop systems that integrate QKD and QRA. Other combined development efforts are happening in Europe, Japan and South Korea as well.
It’s in our best interest to act with urgency to protect our critical infrastructure against quantum attacks. A recent report showed Russian efforts to build out large-scale espionage capabilities, potentially targeting the 2020 U.S. presidential election. The nation’s electric grid is more at risk than ever to cyberattack, the Government Accountability Office warned recently. Concerns about China in particular have reached a critical point with the U.S. banning Huawei 5G equipment over supply chain security concerns.
More funding, domestic manufacturing
To help the U.S. gain the edge in quantum defense, Congress should increase the funding allocated for quantum research under the Quantum Initiative Act. The current allocation is $1.2 billion, which is not much considering clean-up costs for the OPM breach are expected to exceed $1 billion for identity management, credit monitoring and other remediation. Then there’s the immeasurable price of putting U.S. personnel in harm’s way.
Secondly, NIST should support QKD development and commercialization, like other governments are doing. Cryptographers within universities and major tech companies are working on QRA leaving startups to develop and deploy QKD, which means the U.S. will roll out at scale later than other countries.
Historically, the U.S. has been a world leader in research and development in aerospace, aviation, computing, encryption and security technologies, among others. Today, information is our most critical resource. We must prioritize technologies that will keep our sensitive data out of the hands of foreign powers that can weaponize it to cripple our government and industries and do irreparable harm to our economy.
Editor's note: This article was changed Nov. 25.