China has announced its intent to achieve quantum supremacy and recently unveiled its fastest quantum computer yet, which, when applied to specific tasks, can compute ten billion times faster than the quantum computer developed by Google. But does it pose a threat to the security of the personal data of billions?
Earlier this month, Chinese state-run papers claimed that a group of scientists at the University of Science and Technology of China in Hefei had achieved 'quantum computational advantage' or quantum supremacy by using a prototype quantum computer, dubbed Jiuzhang, to perform a Gaussian boson sampling (GBS) computation in just 200 seconds.
According to Xinhuanet, Jiuzhang's quantum computing system can implement large-scale GBS 100 trillion times faster than the world's fastest existing supercomputer and is capable of processing 10 billion times faster than Google's quantum computer that was unveiled last year.
Roger Grimes, a data-driven defense evangelist at KnowBe4, told TEISS that China becoming the first nation to achieve quantum supremacy should hardly be surprising, considering that China pours tens of billions of dollars into quantum technologies, most of it spent on quantum networking improvements and quantum satellite experiments.
It is not about the billions of dollars being spent on quantum technologies as much as it is about the culture. "Quantum scientists are treated like pseudo-celebrities and rock stars in China. They make national and international magazine covers. Compare that to here in the US where the average citizen can’t really tell you what quantum is or means for our future. Sadly, the vast majority of companies aren’t preparing appropriately right now for what needs to be done," said Grimes.
What if state-sponsored actors try to leverage China's quantum supremacy to break encryption controls in banking services, critical infrastructure systems, and messaging platforms?
Grimes fears that if the West does not quickly wake up to the possibilities of quantum technologies, China could leave it far behind in technological advancement. "Besides the daunting technological hurdles that need to be addressed, the foremost challenge is simply increasing general awareness about not only the advances in quantum computing but also the coming threats, like when quantum computers break most traditional public-key crypto, which breaks 90% of existing Internet and online banking security."
The possibility of quantum computing enabling malicious actors to break public-key cryptography and compromise the integrity of Internet protocols like HTTPS (TLS) required for secure browsing, online banking, and online shopping was recently echoed by the European Data Protection Supervisor.
Earlier this year, a report published by the Technology and Privacy Unit of the European Data Protection Supervisor (EDPS) highlighted concerns about malicious actors and entities using superior computing capabilities afforded by quantum computing to break public-key cryptography systems as well as symmetric cryptography systems such as AES, thereby compromising the integrity of HTTPS that uses asymmetric and symmetric cryptography together.
"Quantum computing can break many of today’s classical cryptography and as such harm severely IT security. The risk extends to the core internet security protocols. Nearly all of today’s systems that demand security, privacy or trust, would be affected," the report warned.
While public-key cryptography relies on cryptographic protocols based on algorithms such as RSA that require two separate keys, a private key and a public key, a sufficiently powerful quantum computer can enable adversaries to carry out the decryption without prior knowledge of the private key, thereby defeating the very purpose of encryption.
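An added illustration of the point above (not part of the original article): RSA's private key follows directly from the factors of the public modulus, so anyone who can factor that modulus can decrypt without ever holding the private key. The primes here are small, constructed values, classical trial division stands in for the factoring step that a sufficiently large quantum computer running Shor's algorithm would perform on real key sizes, and all function names are this example's own.

```python
from math import gcd


def make_keypair(p, q, e=65537):
    """Textbook RSA key generation from two primes (no padding, toy sizes)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to (p-1)(q-1)")
    d = pow(e, -1, phi)          # private exponent: inverse of e mod phi
    return (n, e), (n, d)


def factor(n):
    """Trial division. Feasible only because n is tiny; a 2048-bit modulus
    is far out of classical reach, which is what RSA relies on."""
    if n % 2 == 0:
        return 2, n // 2
    f = 3
    while f * f <= n:
        if n % f == 0:
            return f, n // f
        f += 2
    raise ValueError("n has no non-trivial factors")


def recover_private_exponent(public_key):
    """Rebuild d from the public key alone, given the ability to factor n."""
    n, e = public_key
    p, q = factor(n)
    return pow(e, -1, (p - 1) * (q - 1))


def demo():
    # Constructed toy primes: the 10,000th and 100,000th primes.
    public, private = make_keypair(104729, 1299709)
    n, e = public
    message = 42424242                      # constructed plaintext, < n
    ciphertext = pow(message, e, n)         # encrypt with the public key
    d_recovered = recover_private_exponent(public)
    decrypted = pow(ciphertext, d_recovered, n)
    return message, decrypted, private[1], d_recovered


if __name__ == "__main__":
    m, out, d, d_rec = demo()
    print("plaintext recovered without the private key:", m == out)
    print("recovered exponent matches the real one:", d == d_rec)
```

The same arithmetic applies to real key sizes; only the cost of `factor` changes, which is why the factoring speed-up promised by quantum computers is the concern.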
Malicious actors could also use the increasing computing power afforded by quantum computing to retrospectively decrypt data from the past, exploiting the short key lengths currently used to encrypt data on today's classical computers.
"Security experts regularly call out for an increase of key lengths to keep data secure for a given period. Some governments’ secret services are reported to collect data purposefully for future retrospective decryption. Quantum computers though follow different laws and would allow retrospective decryption in many cases much earlier," the report said.
The European Data Protection Supervisor also said in the report that, to prevent adversaries from decrypting sensitive data using the power of quantum computing, organisations must start work on the development of post-quantum cryptography, whose security will be unaffected by quantum computers.
However, according to Tom Van de Wiele, principal consultant at F-Secure, quantum computers are part of the next technological arms race, in which many nations will vie for quantum supremacy, but when it comes to cryptography, the bigger milestones and use cases are still far from actual multipurpose implementations able to crack or decrypt anything on the market today that uses encryption.
Even if countries start using quantum computers for offensive purposes (e.g. to steal credentials and information from encrypted communication, create custom cryptographic certificates, or inject or tamper with information in transit), algorithms and ways of securing information are being designed and tested as part of what is called post-quantum cryptography: methods of encrypting information that are resilient to, or less affected by, quantum computers.
"Whether quantum computers can be leveraged for pure offense rather than passive surveillance and cipher cracking remains to be seen. The technology and cryptography we have in use today can hopefully buy us enough time to come up with a viable and long-term defense strategy against whatever will come out of the world of quantum computers. That also means leveraging quantum mechanics on the defensive side for information integrity and detecting surveillance as part of this brave new quantum world," he added.