Quantum Computers: What Is Q-Day? And What’s the Solution?

Quantum computers hold the promise of amazing advances in numerous fields. So why are cybersecurity experts so worried about Q-Day? What must be done now to prepare?  

As I was scrolling through my LinkedIn feed a few weeks back, I became captivated by a post from Michael McLaughlin, a cybersecurity expert who has been interviewed several times for this blog on various topics. Michael was highlighting an excellent article by Chuck Brooks in Forbes on the impact that Q-Day — the day that quantum computers will have the power to “break the Internet” — will have on the global cybersecurity industry.

Michael’s post began this way: “Think of China’s spy balloon as a giant vacuum sucking up all communications in its path. Encryption protects us, right? Wrong. The Chinese government is collecting as much data as possible — both encrypted and unencrypted — because of the coming era of quantum computing.”

Obviously, the spy balloon has been top of mind in the U.S. over the past few weeks for many people, and there are numerous stories popping up all over the world on the wider implications, which go well beyond the scope of this blog.

But Michael goes on to highlight one dark side of the coming age of quantum computing: that encryption as we know it today will become obsolete. This of course will lead to many security issues, as Brooks points out very well in his Forbes article entitled “Quantum Tech Needed To Secure Critical Data From Quantum Decryption.”

The reactions, comments and shares that this topic received can be seen here, and I encourage you to take some time to read through Chuck Brooks’ article and the many comments on LinkedIn.



MORE QUESTIONS FOR MICHAEL MCLAUGHLIN


I reached out to Mr. McLaughlin again to ask a few more questions on the quantum computer topic:

Dan Lohrmann: When do you think Q-Day will actually arrive? Why? 

Michael McLaughlin: That is, quite literally, the trillion-dollar question. Q-Day is the point at which large quantum computers will be able to break encryption algorithms using multi-state qubits (quantum bits) to perform Shor’s algorithm. Most experts put the timeline between 5 and 20 years due to the challenge of factoring a 2048-bit key, which would render virtually all public key infrastructure vulnerable. Using traditional quantum factoring models, this would require several million qubits. To put the timeframe into perspective, late last year, IBM unveiled its latest quantum processor with its largest qubit count yet: 433. While this is triple the 127-qubit processor IBM unveiled in 2021, it is still a very long way off from being able to factor a 2048-bit integer.

However, earlier this year, Chinese researchers published a paper claiming to have developed a method that can break a 2048-bit key using only 372 qubits. Though untested at that scale, the researchers were able to factor a 48-bit integer using only a 10-qubit quantum computer by combining classic lattice reduction factoring with a quantum approximate optimization algorithm.

There are a lot of unanswered questions surrounding the Chinese research paper, not the least of which being why would the Chinese government ever allow it to be published? However, if scalable (which is a very big “if” when dealing with quantum mechanics), this method could bring Q-Day to within one to two years.

DL: What are some practical steps that the public and private sectors should be taking now?

MM: Q-Day will give the owner of the large quantum computer the ability to break PKI (public key infrastructure) and other types of asymmetric encryption. Whether it is in one year or 10, companies need to understand two very important things.

First, on Q-Day, networks secured using traditional encryption methods will be vulnerable to compromise by a nation-state. Given the recent breaches attributed to Chinese cyber actors, such as Marriott-Starwood, Equifax and the Office of Personnel Management, it is clear that there exists a capable nation-state that is currently developing a quantum computer and motivated to steal massive amounts of data from private companies.

Second — and this is critically important — any data that has been compromised at any point leading up to Q-Day, whether encrypted or not, will become readable. Unless companies are securing their networks and data using quantum-resistant cryptography, they will be opening themselves and their customers up to compromise. This is everything from the blueprints for next-generation fighter jets to protected health information to financial information — each of which can carry significant penalties in the event of a breach.

To mitigate both of these eventualities, companies should be migrating their network architecture to quantum-resistant cryptography and methods. Fortunately, there are several commercial solutions that exist on the market today available for adoption. The best I have seen so far is SelectiveTRUST by KnectIQ. SelectiveTRUST prevents quantum decryption by using single-use symmetric encryption to secure data in motion and at rest.

Rather than a cost, companies need to look at these types of tools as an investment in their future without which they could be opening themselves up to untold liability.

FINAL THOUGHTS


On Sept. 13, 2022, the World Economic Forum (WEF) proclaimed:
  • Quantum computing will enable great innovations in the future, but it will be accompanied by risks.
  • The potential of quantum computing to break the security of common activities in our daily lives could have severe consequences.
  • Organizations should acknowledge the significant risks quantum computing poses and take steps to protect against them now.

And the article just reiterates (and explains) that same point. The time to act is 2023, but sadly most public- and private-sector organizations do not have this topic on their top 10 cybersecurity “to do” lists.

Has your organization begun this process?
Daniel J. Lohrmann is an internationally recognized cybersecurity leader, technologist, keynote speaker and author.