Cyber security: new skills for the dawn of the quantum era
12:00 Tuesday, 27 July 2021
UK Cyber Security Council
Quantum computing is a term that we hear more and more as both a benefit to technology and a threat to cyber security. Technical articles trumpet the quantum computers that are beginning to be built, and proclaim that they are solving problems faster – in some cases many orders of magnitude faster – than established architectures.
Radical developments in computer architecture happen infrequently, but they do happen. A major breakthrough in the 1980s was the introduction of parallelism – where several processors each took a part of a problem and processed their parts concurrently – which multiplied the speed of processing and reduced execution times to a fraction of what a single processor could achieve.
Quantum computing lifts a legacy restriction too, but in this case it is to move computers away from using transistors (which are basically switches that can either be on or off) to using “qubits”; as Wired describes qubits: “Rather than just being on or off, qubits can also be in what’s called ‘superposition’ – where they’re both on and off at the same time, or somewhere on a spectrum between the two”.
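To make the Wired description concrete, the following is a small state-vector simulator added here as an illustration (it is not code from the article or the Council). It represents qubits as a list of amplitudes, applies the Hadamard gate that puts a qubit "on and off at the same time", and shows two things a classical bit cannot do: interference (Hadamard applied twice returns exactly to "off", because the "on" contributions cancel) and entanglement (a Bell pair, which measures as 00 or 11 but never 01 or 10). Gate names and the bit-ordering convention are this example's own choices; no quantum library is used.

```python
from math import sqrt
import random
from typing import List, Optional, Tuple

# A state of n qubits is a list of 2**n complex amplitudes. Index k is the basis
# state whose binary digits are the qubit values (qubit 0 = least significant bit).
State = List[complex]

def zero_state(n_qubits: int) -> State:
    state = [0j] * (1 << n_qubits)
    state[0] = 1 + 0j                     # every qubit "off": |00...0>
    return state

# Hadamard gate: maps |0> to (|0> + |1>)/sqrt(2), an equal superposition.
HADAMARD = [[1 / sqrt(2), 1 / sqrt(2)],
            [1 / sqrt(2), -1 / sqrt(2)]]

def apply_gate(state: State, gate, target: int) -> State:
    """Apply a 2x2 gate to one qubit by mixing each amplitude with the
    amplitude of the basis state that differs only in the target bit."""
    new = list(state)
    mask = 1 << target
    for i in range(len(state)):
        if i & mask == 0:
            j = i | mask
            a, b = state[i], state[j]
            new[i] = gate[0][0] * a + gate[0][1] * b
            new[j] = gate[1][0] * a + gate[1][1] * b
    return new

def apply_cnot(state: State, control: int, target: int) -> State:
    """Flip the target qubit in every basis state where the control qubit is 1."""
    new = list(state)
    for i in range(len(state)):
        if (i >> control) & 1:
            new[i ^ (1 << target)] = state[i]
    return new

def probabilities(state: State) -> List[float]:
    """Born rule: the chance of observing each basis state is |amplitude|^2."""
    return [abs(a) ** 2 for a in state]

def measure(state: State, rng: Optional[random.Random] = None) -> Tuple[int, State]:
    """Sample one outcome; afterwards the state is collapsed onto it and the
    superposition is gone, which is why a qubit cannot simply be 'read twice'."""
    rng = rng or random.Random()
    outcome = rng.choices(range(len(state)), weights=probabilities(state))[0]
    collapsed = [0j] * len(state)
    collapsed[outcome] = 1 + 0j
    return outcome, collapsed

def superposition_then_undo() -> List[float]:
    """H then H again returns |0> exactly: the |1> amplitudes cancel. A classical
    coin flipped twice does not return to a known face; amplitudes can interfere."""
    s = apply_gate(zero_state(1), HADAMARD, 0)
    return probabilities(apply_gate(s, HADAMARD, 0))

def bell_pair() -> State:
    """Entangle two qubits: H on qubit 0, then CNOT from qubit 0 to qubit 1."""
    s = apply_gate(zero_state(2), HADAMARD, 0)
    return apply_cnot(s, control=0, target=1)

if __name__ == "__main__":
    print("H|0>        ->", probabilities(apply_gate(zero_state(1), HADAMARD, 0)))
    print("H H|0>      ->", superposition_then_undo())
    print("Bell pair   ->", probabilities(bell_pair()))
    print("one measurement of the Bell pair ->", measure(bell_pair())[0])
```

Tracking a state this way costs memory proportional to 2 to the power of the qubit count, which is why classical simulators run out of steam at a few dozen qubits and why the article's "millions of qubits" cannot simply be emulated away.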
As with the move from linear (single-processor) to parallel computing, the predicted speed-up from a move to quantum computing is stratospheric, but the results claimed for the quantum computers produced thus far are far from verifiable. For example, Google has claimed that in an experiment its 54-qubit quantum processor solved, in a little over three minutes, a problem that would take 10,000 years on a one-million-CPU traditional machine; IBM disagrees, claiming that a traditional computer would have produced a more reliable solution in just a couple of days. Even on IBM's figures, though, a speed-up from a couple of days to three minutes is a promising change.
Let's work, then, on the premise that quantum computing will become a reality and that the speed-ups will be significant. The limited evidence so far suggests that this will be the case – although just as conventional computers took years, decades even, to go from circuit boards containing a handful of transistors to microprocessors with (in the case of, say, an Intel i7) three billion, so quantum processors’ qubit counts will take time to grow from today's tens to the millions that a practical quantum processor will require.
It is accepted that traditional encryption algorithms will be relatively straightforward to break using a quantum computer. After all, one of the earliest quantum algorithms was designed to derive the factors of a number, which is precisely the technique required to break algorithms such as the AES family which depend on the difficulty of finding the prime factors of a number. Hence, if a move to a quantum computer takes an intractable problem (deducing the prime factors of a number and hence cracking an encryption algorithm) to one that takes only a few hours or days to solve, encryption algorithms become, effectively, useless.
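The mechanism the paragraph describes, a factoring shortcut turning an intractable problem into a cheap one, is easiest to see on a scheme whose trapdoor really is factoring. The block below is an added illustration, not code from the article or the Council: it builds a textbook RSA keypair from toy primes (RSA is chosen here as the standard factoring-based public-key scheme; that choice, and the constructed primes, are this example's assumptions; a symmetric cipher like AES has no factoring trapdoor and is not modelled). Trial division stands in for the factoring step that Shor's algorithm would perform on a large quantum computer; it is not an implementation of Shor's algorithm.

```python
from math import gcd, isqrt
from typing import Tuple

PublicKey = Tuple[int, int]   # (n, e)

def make_keypair(p: int, q: int, e: int = 65537) -> Tuple[PublicKey, int]:
    """Textbook RSA from two toy-sized primes. Constructed example, never a real key."""
    n = p * q
    phi = (p - 1) * (q - 1)          # Euler's totient; computable only if p and q are known
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    d = pow(e, -1, phi)              # private exponent: e * d == 1 (mod phi)
    return (n, e), d

def encrypt(public_key: PublicKey, m: int) -> int:
    n, e = public_key
    if not 0 <= m < n:
        raise ValueError("message must be an integer below n")
    return pow(m, e, n)

def decrypt(n: int, d: int, c: int) -> int:
    return pow(c, d, n)

def factor_by_trial_division(n: int) -> Tuple[int, int]:
    """Stand-in for a factoring oracle. On this toy modulus it is instant; on a
    real 2048-bit modulus it is hopeless, and that infeasibility is the entire
    security assumption. A quantum factoring algorithm removes the assumption."""
    if n % 2 == 0:
        return 2, n // 2
    for f in range(3, isqrt(n) + 1, 2):
        if n % f == 0:
            return f, n // f
    raise ValueError("no non-trivial factor found")

def recover_private_exponent(public_key: PublicKey) -> int:
    """Given only the public key and cheap factoring, the private exponent follows:
    the key length no longer matters once the factoring step is cheap."""
    n, e = public_key
    p, q = factor_by_trial_division(n)
    return pow(e, -1, (p - 1) * (q - 1))

def demo() -> Tuple[bool, int]:
    """Returns (recovered exponent matches the real one, decrypted plaintext)."""
    public_key, d = make_keypair(10007, 10009)       # constructed toy primes
    c = encrypt(public_key, 42)
    d_recovered = recover_private_exponent(public_key)
    return d_recovered == d, decrypt(public_key[0], d_recovered, c)

if __name__ == "__main__":
    print(demo())   # expected: (True, 42)
```

The practitioner's takeaway is an inventory question rather than a key-length question: wherever a factoring-based key protects data that must stay confidential for years, the cost of reversing it is the cost of the factoring step, so that is the dependency to track and plan to replace.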
We therefore need algorithms that are cheap to compute in the forward direction (encryption that a relatively low-speed processor can perform in a short time) but that demand an extraordinary amount of computation to reverse by force, even with a quantum computer. In reality we may not even have to devise new algorithms, because some that have existed for years are already being considered as so-called “post-quantum” encryption techniques. Examples are the McEliece and Merkle approaches, both of which avoid attacks based on high-speed prime factorisation.
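The Merkle approach the paragraph names rests on nothing but a hash function, which is why fast factoring does not touch it. The block below is an added, simplified implementation of that idea, not code from the article or the Council: a Lamport one-time signature (reveal one of two secrets per message bit) made reusable by committing many one-time public keys into a Merkle tree, so the single tree root serves as the long-term public key. Tree height, the choice of SHA-256 and the message strings are this example's assumptions.

```python
import hashlib
import secrets
from typing import List, Tuple

def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def _bits(digest: bytes) -> List[int]:
    """Bits of a digest, most significant first (256 bits for SHA-256)."""
    return [(digest[i >> 3] >> (7 - (i & 7))) & 1 for i in range(len(digest) * 8)]

def lamport_keygen():
    """256 pairs of random secrets; the public key is their hashes."""
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    pk = [(H(s0), H(s1)) for s0, s1 in sk]
    return sk, pk

def lamport_sign(sk, msg: bytes) -> List[bytes]:
    """For each bit of H(msg) reveal secret 0 or secret 1. Revealing a second
    message's secrets from the same key lets anyone mix and match, hence one-time."""
    return [sk[i][b] for i, b in enumerate(_bits(H(msg)))]

def lamport_verify(pk, msg: bytes, sig: List[bytes]) -> bool:
    if len(sig) != 256:
        return False
    return all(H(sig[i]) == pk[i][b] for i, b in enumerate(_bits(H(msg))))

def _leaf(pk) -> bytes:
    """A one-time public key is committed to the tree as a single hash."""
    return H(b"".join(h0 + h1 for h0, h1 in pk))

def _parents(level: List[bytes]) -> List[bytes]:
    return [H(level[i] + level[i + 1]) for i in range(0, len(level), 2)]

def merkle_tree(leaves: List[bytes]) -> List[List[bytes]]:
    """All tree levels, leaves first and the root last. Leaf count: power of two."""
    if not leaves or len(leaves) & (len(leaves) - 1):
        raise ValueError("leaf count must be a power of two")
    levels = [list(leaves)]
    while len(levels[-1]) > 1:
        levels.append(_parents(levels[-1]))
    return levels

def auth_path(levels: List[List[bytes]], index: int) -> List[bytes]:
    """Sibling hashes from leaf to root; enough to recompute the root from one leaf."""
    path = []
    for level in levels[:-1]:
        path.append(level[index ^ 1])
        index >>= 1
    return path

def root_from_path(leaf: bytes, index: int, path: List[bytes]) -> bytes:
    node = leaf
    for sibling in path:
        node = H(node + sibling) if index & 1 == 0 else H(sibling + node)
        index >>= 1
    return node

class MerkleSigner:
    """Holds 2**height one-time keys and never uses any of them twice."""
    def __init__(self, height: int):
        self.keys = [lamport_keygen() for _ in range(1 << height)]
        self.levels = merkle_tree([_leaf(pk) for _, pk in self.keys])
        self.root = self.levels[-1][0]       # the long-term public key
        self.next_index = 0                  # state that MUST persist across restarts

    def keys_remaining(self) -> int:
        return len(self.keys) - self.next_index

    def sign(self, msg: bytes) -> Tuple[int, List[bytes], list, List[bytes]]:
        if self.next_index >= len(self.keys):
            raise RuntimeError("all one-time keys used; reuse would leak the key")
        i = self.next_index
        self.next_index += 1
        sk, pk = self.keys[i]
        return i, lamport_sign(sk, msg), pk, auth_path(self.levels, i)

def merkle_verify(root: bytes, msg: bytes, signature) -> bool:
    """Accept only if the one-time signature checks AND its public key is in the tree."""
    i, sig, pk, path = signature
    return lamport_verify(pk, msg, sig) and root_from_path(_leaf(pk), i, path) == root
```

Two design points stand out when compared with a factoring-based signature: verification uses only hash evaluations, and the signer's state (which leaf was used last) is part of the secret key. Losing that counter after a restore from backup, and signing again with an already-used leaf, is the failure mode hash-based schemes are known for, so the counter must be persisted as carefully as the secrets themselves.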
Enough talk of algorithms, though. There is an equally important – maybe even more important – new development with a move to quantum computers: the programming languages that we use to write software on these new systems, and the techniques we use to design algorithms.
We mentioned earlier the introduction of parallel processing systems: it was impossible to exploit parallel processing without learning new techniques, because most people had been taught (or had taught themselves) to program in a world where things happened one after the other and in an implied order. Things like race conditions can’t exist on a traditional one-processor system, for example, so we had new things to learn. And the advent of parallel processing also brought with it new languages – such as Occam, a parallel-programming language devised by Inmos, the makers of one of the first microprocessors designed specifically for parallel computing.
And so with quantum computing, we will need new skills. We will need to learn new techniques and languages. We've grown up writing code in the knowledge that something is either 'on' or 'off', so our minds will need to be educated: first, in how to think in a quantum fashion, and then we will have to learn the new languages that will enable us to implement the algorithms we design using that new thought process.
It is worth noting, of course, that practical quantum computers are not yet mainstream, and that estimates of them becoming so vary from 2023 to the late 2020s or sometime in the 2030s. And, as with any new technology, the price will be high in the early years. Just as with any other aspect of computing, we can expect that the emerging quantum computer implementations will become available as everyday cloud services – and in fact the likes of Amazon, IBM and Rigetti are already making quantum tech available for use.
Bear in mind, too, that even if one’s budget doesn’t stretch to renting bleeding-edge quantum services, researchers in quantum computing – and the attackers seeking to break quantum-resistant encryption algorithms – do not need to wait until the technology becomes affordable. Quantum computer simulators are now available and affordable, so the platforms already exist for people to learn quantum design and programming techniques, experiment with them, and prepare for the time when they can run their code on real quantum computers.
As cyber security practitioners, we, in turn, need to learn about quantum computing – how to design in a quantum world and how to implement the code that comes from those designs – not just so we can implement our own quantum systems but also so we can understand what the attackers can write and how they can write it.