The wonderous expansion of quantum computing battles its dark side

Quantum computing is the single most transformational technology in a generation, arguably far more than AI, the cloud and even the internet. It has the potential to solve entire classes of important and lucrative market problems that are otherwise technologically impossible. Quantum computing power is almost incomprehensible – just a few hundred logical qubits can outperform any classical computer, even if every atom in the universe was used for computation. The common fallacy is comparing them to fusion energy, which is always five to 10 years away. The difference is fundamental because electricity generation is a long-solved problem, and there is no market reason for fusion energy; it will be cheaper and easier to burn the black stuff from the ground for the next few hundred years. (Sorry, green energy friends.) Companies with access to large quantum computers have an insurmountable market advantage. Without them, there will be no competitors because those companies will cease to exist.

Flaws in the Equation

On the dark side, quantum computers are capable of breaking modern communications security by brute-force-attack on the underlying algorithms. The basis for virtually all global data networks relies on Public Key Infrastructure (PKI) using the same 1970s cryptographic architecture. In a very real sense, our digital lives are built on a house of cards because all our cybersecurity tools also rely on the same algorithms to monitor and manage our networks. The core problem is that we’ve been using this quantum-broken math for everything for decades that performs only a single action: distribute encryption keys, point-to-point, with no margin for error as the single point of failure for our collective security.

Any flaw in the chain is tantamount to no security at all. There is no redundancy, resiliency, or leveraging of modern networks and technologies like the cloud and globally distributed data centers. Sure, it is easy in principle, but complex to deploy and manage, often done poorly and thus continuously exploited. This dated infrastructure was designed for a bygone era; before the internet and anyone could remotely access data from anywhere in the world. The bill has come due.

Post-Quantum Cryptography

That being the case, NIST organized a process to replace these now archaic and obsolete key distribution algorithms with post-quantum cryptography (PQC). This was meant to address the “harvest now, decrypt later” problem, where encrypted data is collected and stored for later decryption. This tried-and-true powerful method was successfully used throughout the Cold War by all sides. While PQC is believed to be quantum-safe, there is again no mathematical proof, which NIST overtly acknowledges. Consequently, it recommends “crypto-agility” – the ability to replace the new PQC algorithms easily and quickly if they fail or a weakness is discovered. It is essential everyone transition to PQC, despite the unknowns, because the current algorithms are provably known to be broken and insecure. However, the central problem remains – any PQC encrypted data today could be exploited tomorrow because keys are being distributed like electronic mail.

In the 1980 and 1990s, physicists came up with a solution called Quantum Key Distribution (QKD) to use the properties of quantum mechanics to get keys to multiple endpoints without relying on unproven mathematical assumptions. While the design has inviolable guarantees not based on a vote of confidence from a quorum of acolytes, there are numerous physical limitations based on distance and deployment architecture. While an excellent solution, it is an impractical basis for a global quantum-secure internet because the quantum channel still relies on the classical internet to get key agreements between any two users. However, it does achieve two important goals: keys are truly random because they are made from quantum entropy sources, and they are generated separately from the data. These points solve the “harvest now, decrypt later” problem plaguing the internet today.

The Migration to Quantum-Safe Encryption

Today, more powerful tools leverage these technologies to eliminate key transmission altogether. First, encryption keys must be provably random, and the only known source in science is quantum entropy. Quantum Random Number Generators (QRNGs) are now available as Entropy-as-a-Service (EaaS) via the cloud. This is essential because predictable and duplicate keys reduce the security of any algorithm, often to nil. It is remarkable how common this simple flaw is discovered and exploited without going through the trouble and risk of hacking a network. Second, the quantum random downloaded from the cloud must not be used directly for keys, nor should a single source be trusted – it must be used as the raw materials at the endpoint to generate a key, eliminating key distribution entirely. The process must also be reproducible at multiple endpoints so many users can replicate the same key to communicate in secret. Leveraging existing commercial global fiber infrastructure and data centers instead of building new dedicated systems like those essential for QKD is the final requirement. This will ensure widespread rapid adoption, vice expensive investment, and time-consuming construction.

In 2023, the U.S. government issued multiple mandates and legislation to transition from classical to quantum-safe encryption. This step is a national economic security imperative when so much intellectual property is already on foreign servers, awaiting exploitation, operationalization, and ultimately monetization. Protecting the U.S. from foreign attacks will be a colossal effort but essential to restoring order to global data and business networks and preventing further damage to privacy and the economy.