Quantum expert: 'Hack now, decrypt later' is here today

The Biden administration recently held a White House forum drawing leaders from many companies in the quantum computing sector to discuss the opportunities and potential societal impact posed by the rapid advance of quantum innovations.

The event was widely seen as a much-needed expression of awareness on the part of the U.S. regarding the vast potential of the technology, how the U.S. can maintain leadership in the sector, the technology’s broad applications and societal implications, and the concern that advancement in quantum-based attack methods eventually could wreak havoc by out-pacing current encryption schemes. (The same week as the forum, the U.S. Department of Homeland Security issued guidance about reducing risks amid the threat of quantum-based attacks.)

At the recent Sensors Converge event, Christian Bauer of Lawrence Berkeley National Lab eased some of the concern around that last point, saying that encryption technology is likely to continue to improve and stay ahead of the ability of emerging quantum techniques that could be used to break it.

Bauer’s forecast, while soothing, leaves room for the possibility that quantum-based attack already could be occurring now in the form of “hack now, decrypt later” attacks whose impacts are yet to be fully understood.

Fierce Electronics this week conducted an interview via email with Duncan Jones, head of quantum security for U.K.-based software and cybersecurity company Cambridge Quantum, in which Jones discussed the “hack now, decrypt later” threat and what governments worldwide need to do about it. A lightly edited version of that exchange follows:

FE: Regarding the White House forum, how does the U.S. government rate in understanding both the potential opportunities and threats posed by quantum technology?

DJ: The U.S. government has shown great awareness of the threats and opportunities presented by quantum computing, as evidenced by a swathe of announcements and activities in the last few years. The recent quantum forum is further evidence of this.

China and Russia are not so open about their intentions. However, we regularly see China demonstrating prowess in the field of quantum communications and cybersecurity, so it is clear they are approaching this as a strategic concern. The U.S. will need to continue to invest and explore the quantum space if they are to remain in a competitive position.

FE: In the long run, can quantum encryption stay ahead of quantum-based security attacks?

DJ: The danger facing companies and governments today is the risk of a "hack now, decrypt later" attack. This occurs when an attacker records encrypted data sent today, which is later decrypted on a quantum computer in the future. In this sense, quantum attacks have already begun. This is why it's important for companies to explore quantum-safe technology as soon as possible.

FE: What can governments do right now to better protect their citizens from the effects of quantum threats? 

DJ: Governments need to acknowledge the risk of "hack-now, decrypt-later" attacks and stop giving blanket advice that companies should wait before transitioning to quantum-safe algorithms. There are many ways to adopt quantum-safe algorithms today that will add value to existing systems.

Similarly, governments should be highlighting how quantum technology can enhance existing solutions. For instance, the generation of keys seeded from provably perfect entropy is possible today, and enhances existing solutions. This is the only approach to generating keys that is resistant to attack from a quantum adversary.

FE: Which sectors, data and devices will become most vulnerable to attack if not made quantum-safe today? What should individual companies be doing about this today?

DJ: Any company that transmits long-term sensitive data (such as health records) must seriously consider the threat of "hack now, decrypt later.” Companies running these systems should be exploring quantum-safe algorithms and key generation today.

Similarly, IoT devices should be transitioning to quantum-safe technology as soon as possible. This is because IoT devices will be deployed in the field for many years, and likely beyond the point where quantum computers can break their encryption. This applies to many critical sectors, like heavy industry and utilities.


RELATED: Cambridge Quantum open sources SDK