Quantum computers aren’t some futuristic fantasy that you can couple with hoverboards and interstellar space travel, they’re being developed right now. Tech industry giants, including the likes of Google, Microsoft and IBM, believe quantum computing will become a reality in the next decade. In fact, it was only last year that a team of Chinese scientists developed the most powerful quantum computer in the world, capable of performing at least one task 100 trillion times faster than the world’s fastest supercomputers. Pretty impressive.
But, as with any new technology that has the potential to benefit society and improve existing systems, there’ll always be opportunistic cybercriminals primed to take advantage. With access to quantum technology, hackers could successfully breach even the toughest cybersecurity barriers in place today.
In other words, this spells a big problem for modern encryption standards. Public Key Infrastructure encryptions are literally everywhere – just think, your bank card, internet connection, car key right through to IoT devices. At the moment, classic computers can’t break PKI encryption, but a quantum computer will and it’s only a matter of time before they do! This could spell disaster for those that rely on blockchain networks, as it only takes one block to be compromised before the whole chain unravels.
What Are The Tech Experts Doing?
Although quantum technology is very much in its infancy, tech companies are already turning their hands to coming up with effective solutions to get cybersecurity quantum-ready – preparing to face the threat now to avoid being compromised in the future is the type of smart thinking we need. However, as with any breakthroughs, there’s understandably going to be some solutions that don’t get it quite right. And it’s these that I want to discuss here so that when the quantum threat does arrive, you’re not caught off guard with a solution that isn’t going to cut it.
In theory, quantum cryptography is one of the best ways to make a network unhackable. However, a big problem quantum cryptography faces is that it only works over short distances rendering it practically unusable. To send a secure quantum key a long distance you’d need to put multiple repeaters into a fibre line to boost the signal. Each one of these repeaters becomes a potential point of vulnerability, where the signal can be intercepted. So quantum cryptography developers like Terra Quantum have been trying to find a solution – and they recently published a breakthrough. Or, did they?
Terra Quantum claims its solution can run inside a standard optical fibre line, already in use today in telecoms networks, but the technical proposal is not quantum, it’s not secure and truly it’s not practical. Let me explain why…
First, we have to address that Terra Quantum’s proposal is technically not even QKD due to the amplifiers, it’s just photonics that need to be switched through regular digital devices. Secondly, the proposal notes that any losses noted in the transmission above the calculated losses are assumed to be from an eavesdropper, but there is in fact no way to determine the difference between an eavesdropper and any physical reason for attenuation (e.g. fibre imperfection, cable pressure, temperature changes etc). Thirdly, the architecture proposed cannot be quantum-safe because there’s no mention of encoding information in a quantum protocol which leaves it vulnerable to several very obvious methods of attack.
Then we also have to look at the practicalities of it. Keeping a stable QBER over short fibre distances is incredibly difficult when errors depend on physical interferences to the fibre, and whilst Terra Quantum seems to have given it a good go, they’re not there yet. Trying to separate environmentally-generated noise from an interceptor-generated noise is practically impossible, especially since the interceptor needs only a photon or two.
Whilst Terra Quantum’s claims might seem legitimate on the surface, I feel it’s important to share that none of the company’s papers or claims have been peer reviewed, none of its information verified and it’s been impossible to find any customer contracts to show that experts have reviewed the proposal. Then another thing, the solution was proposed by a group of Russian government employees that are now hiding their status. Make of that what you will, but I know I’ll be steering clear.
Okay, so back to the drawing board…
Elsewhere, another recent paper I came across was from Cambridge Quantum Computing (CQC), which discussed the implementation of a quantum-safe blockchain that was successfully demonstrated on the LACChain network and secured using CQC’s IronBridge quantum key generation platform. So far so good, right? Well, a problem I have with this paper is that it describes a system using mathematical so-called “Post Quantum Algorithms” as “Quantum-Safe” which is misleading. Anyone in the industry knows that no mathematical algorithm can ever be described as permanently secure against unlimited computational power. In fact, the only cryptosystems meeting that standard are AES-256, One Time Pad and Hashes.
The approach presented by CQC suggests defending the blockchain against the threat of quantum computing with two enhancements. Firstly, by updating it to use quantum-safe cryptographic algorithms, and secondly by using CQC’s IronBridge quantum key generation platform which it claims is the only source of unpredictable cryptographic keys in the world… The funny thing is, this approach is by no means new. Most modern blockchain can already add new signature schemes. Just think of Bitcoin and the Taproot upgrade that shifted the technology from ECDSA to a new non-quantum safe signature scheme known as Schnorr signatures to reduce multi-signatures to one signature and space within each block. And we also saw Corda introduce a new blockchain post-quantum signature algorithm back in 2018.
The inescapable conclusion is that using PQA signatures on a blockchain or DLT makes it completely unusable. The number of transactions in a block is significantly reduced and negatively impacted throughout, the processing power required for the PQA is substantially higher than symmetric alternatives, support for multi-signatures in PQA signature solutions is not currently supported and the entire endeavour is undermined in any case by the lack of provable medium term security.
Also, using post quantum algorithms for signatures as proposed by CQC would make key sizes HUGE and the additional processing power required to execute a post quantum signature algorithm would also be significant which is by no means sustainable.
What we’re left with from CQC is a hybrid approach that tries to solve the problem of PQA signature bloat and retro-fit, but falls back on both the security of PQA signatures and the PQC encryption to securely transmit data to and from blockchain nodes. It’s a shame as there could have been real promise here, but it’s just not going to work as it is.
What Can You Do?
Thankfully there are some companies that are developing practical solutions to get us quantum-ready and keep us protected now and in the future that I recommend you look into sooner rather than later. The quantum shift is coming, so you better be ready.