Quantinuum's Duncan Jones on quantum-safe encryption

Last year’s merger of Honeywell Quantum Solutions and Cambridge Quantum Computing resulted in a new pure-play quantum technology firm called Quantinuum. The deal came at a time of rising concerns about the security threat posed by quantum computers. Duncan Jones, Head of Cybersecurity at Quantinuum, recently spoke with Fierce Electronics about how the company’s first product addresses those concerns, and the future of quantum-safe encryption.

What follows is an edited portion of that interview:

Fierce Electronics: Tell us more about Quantinuum’s Quantum Origin product. It uses quantum computing to address the quantum threat, right?

Duncan Jones: Quantum Origin’s purpose is to help companies today strengthen their cybersecurity systems by generating for them cryptographic keys that are as close as possible to being the strongest cryptographic keys in the world. You don't have to look around the world too much right now to reel in horror at the growing sense of doom in cybersecurity, and the fact that sophisticated, state-funded attacks are just commonplace. We're in a position where the world has never been more in need of a foundation for protection. There was also the element that this is a product derived from a quantum computer, and while quantum computers are rapidly advancing, and we're very pleased with the trajectory we're on, obviously, to be able to deliver something that can only be done in the quantum realm today, you are limited with your options. There are many interesting use cases that are going to be coming online in the coming months. We're very close on a number of fronts, but it just happens that with cybersecurity we don't need quantum computers to get any better to be able to do this. In fact, if they get better, our products get better. So it was partly just a matter of readiness as well. We can bring a tangible quantum product to market.

FE: Are cyber threats emerging in the midst of the Russia-Ukraine War adding to this “sense of doom” you described?

DJ: I think if you look at what the U.S. government is saying, for example, its advice on cybersecurity over the past 12 plus months has been a flurry of advisory notices and memos that are really drawing attention to the need to take cybersecurity more seriously. And we've seen some high profile incidents in the last couple of years [like] what happened with SolarWinds or the Colonial Pipeline, as early evidence that we will see genuine disruption to our daily lives as a result of cyber warfare in the years to come. And I think the situation that's unfolding now is simply another reminder that threats need to be taken seriously. It's been commented in a number of places that wars are not just physical affairs anymore; they are cyber affairs as well. What's interesting about the events of the moment is that it's hard to separate what is directly state-sponsored and instigated versus what is also just being instigated by people on both sides of this equation who have the skills to potentially disrupt business operations around the world. I think this is one of the reasons why products like Quantum Origin have quite a broad appeal is because you never know if you're going to be impacted by some of these threats. You may perceive for some reason that your company is not typically a victim of these sorts of things, but the nature of cyber warfare can be quite indiscriminate.

FE: At the same time as we think about current threats, like potentially those from Russia and China, we have to think about the role of quantum technology as an emerging threat as well, right?

DJ: Most people we speak to are thinking about the threat of quantum [being used to break encryption], and beginning to make plans to be quantum-safe in some respect. I think most of those plans are in their infancy. I think there is potentially a need for more people to act faster on this topic. I have a lot of sympathy for CISOs and others because they have a lot of burning fires to deal with. But this particular threat is quite existential. Even though most people would argue it's five or 10 years away, it will be a big deal when it arrives if you're not ready. Quantum Origin is to some extent the other side of the coin. Quantum is a boogeyman for cyber, but it's also going to help us as well. Quantum Origin is not directly a response to the quantum threat. But it's something you can add into existing systems to make them resistant [and that can be used] to generate new quantum-safe keys if you want. We support those algorithms, or candidate algorithms that NIST [National Institute of Standards and Technology] is standardizing.

FE: NIST is close to unveiling a final group of encryption algorithm standards, possibly within days or weeks. How important will those be?

DJ: This particular standardization process has been running since 2016, and there has already been quite a lot of evaluation. We are down now to seven – it's debatable whether one of the most of them in the race [a reference to the recently-hacked Rainbow signature, which Jones wrote about in February] – but about seven algorithms. And we're expecting a number of those algorithms to be selected so there won't be ‘one ring to rule them all’. We’re expecting to hear some more news on that this year, but I think the standardization is really important because right now, companies may say one of the reasons not to explore this topic is because there are not standards in place. Now I don't think that is a valid reason to not explore the topic, but it's an easy get-out clause. So I'm excited for the moment when they arrive because suddenly that excuse is taken off the table. A lot of attention is going to be thrown on CISOs and similar roles to ask ‘Well, what do you do about it?’ Day one after those standards arrive there's going to be a knock on the door from the CEO asking, ‘I've just heard that this thing has happened. You know, where are we at with that?’ So I think it's a good idea for people to be exploring things way ahead of standardization.

FE: You made a reference there to Rainbow, I believe. Do you think that algorithm will make the final cut?

DJ: I would be surprised if Rainbow is selected as one of the preferred candidates in the NIST process. The recent attack has meant Rainbow is even less desirable than before, with larger key sizes needed to meet the same required security levels. One must also consider whether incremental improvements in the attack would require yet another change in parameters in the next few years, with even larger key requirements.

FE: When we have standards and more quantum-safe protection implemented, will we still need programs like Zero Trust and other cybersecurity measures?

DJ: Cybersecurity is all about having all these layers that stop people from attacking you. So, just because we have solved one of those layers, doesn't mean the other layers aren't so important. You've always got other things to be thinking about. But at least if you can take some risks off the table. 

FE: And how will things be for users and for developers of products that need to be secured?

DJ: For 99% of the world population nothing apparently changes because we'll just carry on using the products and services that we do today, as much of what we're talking about is invisible under the covers. You and I are not particularly aware of encryption protecting this Zoom call. For the people who build these products, they will have to go through a transitional phase that will not be straightforward. These algorithms are not necessarily drop-in replacements. So they're part of the reason why we need to experiment–in order to understand the impact of shifting from something we've used for many years to something different. We have to really kind of tear out the guts of what we're doing today and change it for something else. But in another sense, it's just business as usual. 

FE: So how will quantum-safe encryption really demonstrate its value?

DJ: We are always learning about how some advanced new attack could make something obsolete that was previously considered secure. A large scale example of that is we all felt that the encryption systems we use today were fine, and actually we decided they're not going to be when quantum computers become large enough to break them. Where products like Quantum Origin will start to really show their values and one of the reasons why encryption algorithms come and go is because they are based on assumptions of how efficient attacks are. There was a very popular hash algorithm called MD5 that was publicly broken about 10 years ago as the attacks against it got more and more sophisticated to the point where that thing is basically worthless. People’s ability to attack it just got better. Products like Quantum Origin are fundamentally different because the keys we generate are unpredictable regardless of what you throw at it. It's just unpredictable because it's unpredictable, because that's the way quantum physics works. And so I think we'll start to see more adoption of these sorts of solutions. Nothing is perfectly secure, but we remove a lot of the bits that could be broken by advances in attacks and computing power, and replace them with things that are secure because the laws of physics say that's how it works.

FE: And how will quantum computing evolve into a bigger, more viable market? Will there be a moment of sudden breakthrough?

DJ: We're going to see over the next decade incremental improvements in what quantum computers can deliver and how they will begin to genuinely deliver value you cannot achieve classically or perhaps you can achieve more efficiently on a quantum computer. For example, machine learning is an area where we're expecting this in the very near future, that parts of these problems will be more effectively solved with quantum computing. There also will be a hybrid of some classical computing stuff where a critical nugget of a solution is provided by tapping into the power of a quantum computer. That is likely to be the way that a lot of quantum markets will come to life.