Most of us remember Y2K. The global Y2K project aimed to replace the two-digit year codes with four-digit codes by December 31, 1999, to ensure that computers didn’t think the year was 1900 and bring the world to a halt. We successfully navigated the problem. At the tick of 00:00:01 on January 1, 2000, the world functioned as usual.
The anticlimactic outcome of the “millennium bug” was in part due to pre-emptive measures fuelled by government spending to avoid calamity. According to BlackBerry, the U.S. spent upwards of $100 billion in the preface of Y2K.
Why should we reminisce about Y2K?
With the advent and rapid developments of quantum computers, the world is staring at a problem of similar magnitude. It is called Y2Q (Years to Quantum). It is the year when quantum computers will break public-key encryption and completely expose our internet.
In fact, the Cloud Security Alliance has created a Y2Q countdown clock, arbitrarily specifying April 14, 2030, as the deadline by which the world must upgrade its IT infrastructure to meet the Y2Q threat.
Y2K and Y2Q differ, of course: Y2Q’s timing is unknown, but its impact imaginable, while Y2K’s timing was known although its impact wasn’t.
What is the expected impact of Y2Q?
Many large corporations such as Yahoo! And LinkedIn have been the victims of the biggest data breaches in the 21st century, with the number of those affected ranging from 117 million executives (LinkedIn in 2012) to as many as 3 billion users (Yahoo in 2013). If such mega virtual break-ins sound scary, they are merely the prologue.
Since the 1970s, the RSA cryptosystem, which uses very large prime numbers to create public keys that serve as the basis of the security protocol for data communicated on the internet, has proven to be relatively effective. Although Peter Shor of Bell Labs published a paper in 1994 showing that a quantum algorithm could crack the RSA cryptosystem, machines that can run such an algorithm are yet to be developed. It has therefore been possible to deploy bigger public keys faster than computers have speeded up, ensuring that the RSA cryptosystem continues to work.
However, who said that Shor’s algorithm is the way to crack encryption algorithms?
In 2019, Chinese researchers turned the integer factorization problem into an optimization task. They used the D-Wave 2000Q quantum annealer, a quantum machine specialised in optimization problems, to factor the integer 376289 with just 94 qubits. Further optimizations allowed the researchers to factorise the much larger number 1005973 with only 89 qubits. A very recent global survey of security professionals carried out by Dimensional Research shows that of the surveyed 614 security professionals, 61 percent think that the quantum attacks will neutralise current encryption technology within just 2 years. 28 percent think that current encryption technologies will be compromised within 3-5 years.
Y2Q will arrive sooner than you think. If you aren’t ready to ride it, get ready to be swept away!
Preparing for Y2Q
One cannot technically wait for the day when quantum computers break encryption algorithms that enable e-commerce, data security, and secure communications. Adversaries are already preparing for Y2Q by employing ‘harvest now, decrypt later’ strategies.
It is time that organisations implement a strong quantum security strategy to protect themselves and their customers from quantum attacks.
Three kinds of defences are available against quantum attacks:
Today’s cryptographic systems and algorithms use software-based random number generators called pseudo-random number generators. PRNGs are typically used to generate a sequence of random numbers to support cryptographic operations such as generating seeds or encryption keys. Given the deterministic nature of algorithmic PRNGs, random numbers generated by a PRNG are technically not random. It makes cryptographic systems or services that rely on PRNGs vulnerable to quantum attacks.
To address this vulnerability, organisations should start replacing all PRNGs with Quantum Random Number Generators as soon as possible. Instead of using a deterministic algorithm, a QRNG can generate truly random numbers by measuring and digitising a quantum process, which, by nature, is non-deterministic.
QRNG solutions are already commercially available from several vendors in various form factors, such as rack-mounted appliances, PCI cards, and chips.
Post-quantum cryptography will likely be the most feasible option for businesses; it will require fewer changes in the computing infrastructure while replacing existing encryption algorithms. However, the transition will be difficult for businesses that have to learn to navigate a heterogeneous protocol landscape. The process takes time and requires frequent software upgrades.
The best way to tackle the Y2Q problem is to develop ‘crypto-agility’, the ability to switch rapidly between cryptographic standards, implement the best solutions available at any point, and be prepared for more changes in the future. Only crypto-agility can help companies ease the transition by protecting against quantum attacks, minimising their impact, and helping faster recovery. It will also enable companies to minimise the costs of tackling the problem, which will extend from the operational losses caused by cybersecurity issues to investments in the replacement of vulnerable equipment and protocol upgrades, which could all add up to hundreds of billions of dollars across industries.
It will not be easy to deal with cybersecurity once quantum computers see the light of day. You have no choice but to start thinking about how to take on an inevitable threat. If you act decisively and early, you will find ways to survive the Y2Q problem. However, remember that the quantum clock is already ticking.
QNu Labs has a range of quantum-secured products to dodge the Y2Q scenario.