A quantum of menace
Quantum computers have opened up vistas of new drugs, innovative materials and artificial intelligence, but if they were harnessed to crack established encryption methods, all computers would be vulnerable. German cryptographer Johannes Buchmann explains what may lie ahead.
brandeins: If a group of criminal hackers were to secretly develop a quantum computer, what would happen if they used it in an attack?
Johannes Buchmann: Quantum computers can find secret keys and forge security certificates. The gang might start by forging the signatures of software programs and penetrating the operating systems, software and apps of all computers and smartphones that rely on similar protection mechanisms and are connected to the internet. After that, it could either shut down the devices and demand a ransom, or it could secretly monitor and control them. As a next step, the criminals could crack all cryptographically secured internet communications – such as to your bank, or encrypted emails. A hacker could also pretend to be someone else. And thirdly, the owner of a quantum computer could decipher and read information encrypted in the past. That could do a lot of harm.
Could the attackers redirect payments to their own accounts?
Of course. Wherever payments are authorised using passwords, for example with online payment services like PayPal, this would be very simple. If the hackers wanted to do it repeatedly, they would only need to prevent the account holder from being informed of the payments by email, but that should not be a problem. After all, they would also have access to the mail servers and the user’s email program. Things are a little more complicated when money is transferred from a conventional bank account using a TAN [transaction authentication number]. But as the gang would be able to listen in on and redirect all its victim’s communications, it should manage to do this, too, with a little effort. The security of the rapidly evolving “internet of things” is also at risk, incidentally. Take self-driving vehicles: communication between them is currently being standardised and it is safeguarded using so-called elliptic-curve cryptography. Quantum computers would have no problems cracking this, allowing the hackers to control the cars remotely.
Is this like the scenario for a thriller? Or could it actually happen one day?
The underlying question is: could technology like this conceivably be developed in secret? The Swiss dramatist Friedrich Dürrenmatt examined that very question in his play The Physicists, written in 1961. The drama rejects the possibility, but the history of encryption technologies does contain some counterexamples. We now know that one of the British intelligence services was familiar with the basic principles of public-key cryptography in the late 1960s. Yet the technique was only officially developed in the late 1970s.
However, the scientific and commercial interest in such methods was nothing like as pronounced then as it is in quantum computers today. Research into the latter is being carried out all over the world, in government laboratories and by major IT manufacturers. A global network of experts is involved in research and development. In that sense, I think it extremely unlikely that a key step in the development of this technology could remain completely secret. This is made even more difficult by the fact that developing quantum computers requires large investments, which a criminal organisation, and even a major intelligence service, would scarcely be able to manage on its own.
What would be a more realistic scenario?
We can expect quantum computers with significant computing power to become available in the foreseeable future, and they will be offered by respectable commercial companies. Google, IBM, Microsoft and Intel have all declared that developing such machines is a strategic corporate goal. For a long time, experts were unsure whether they were chasing a theoretical phantom and whether building an actual quantum computer would prove impossible in practice. However, advances made over the past two years are impressive.
I should point out that the IT manufacturers are not doing this to compromise cryptography but to develop new drugs, new materials and artificial intelligence. That is the real strength of quantum computers: being able to simulate the interactions between atoms and molecules on a microscopically small scale, because the principles of quantum mechanics are built into them. The fact that quantum computers are able to crack conventional cryptographic techniques is an unfortunate side effect, which will cause a headache to those same manufacturers as soon as the technology gets into the wrong hands. What is certain is that if quantum computers exist, hackers will have access to them. A realistic scenario is that the machines will get better year by year and that we will come under pressure to develop and introduce secure procedures.
What are quantum computers?
A classical computer encodes data into bits, which have only two states: 0 or 1. Quantum computers use quantum bits or qubits, which go beyond binary – either/or – states to shades of grey or ‘superpositions’ in between and take on several different intermediate states simultaneously. This is a key principle of quantum mechanics, which describes how tiny particles such as electrons behave when interacting with each other. Particles in a state of superposition have a seemingly magical property that is exploited by quantum computers: they are connected, even when thousands of kilometres apart. Thanks to this phenomenon, known as entanglement, and intermediate states, qubits can speed up certain calculations tremendously. This is true especially when quantum effects themselves are involved, such as when calculating or simulating events on a molecular level, for example when developing new vaccines.
Do they exist yet?
The basic framework of quantum mechanics was developed in the mid-1920s by scientists such as Werner Heisenberg, Erwin Schrödinger, Niels Bohr and John von Neumann. Their findings served as the scientific basis for the development of technologies such as X-ray machines, lasers, satellite communications and navigational devices.
Scientists have been seriously pursuing quantum computers for about two decades. So far, progress has been slower than hoped, and the prototypes are much more limited than conventional computers.
One problem among many is that in order to use a quantum computer effectively, the developers need to string together as many qubits as possible. However, even when a single qubit is involved, the state of superposition is a delicate matter. If several qubits are connected, the system often breaks down before the calculation can be completed. The German-Austrian quantum physicist Rainer Blatt compares the available quantum computers to the vacuum-tube computers of the 1940s. It is not even clear what the qubits of the future may be made of.
Nevertheless, some progress has been made in recent years. Almost all the major IT corporations are working on the problem and outdoing each other with press releases on the number of qubits featured in their latest models. Late last year, IBM made a 20-qubit quantum computer available to the public on the internet. In January, Intel presented a 49-qubit processor at the international Consumer Electronics Show (CES) in Las Vegas. China has announced it intends to open a huge research centre for quantum technologies within two years. No one knows when or whether high-performance quantum computers that can solve problems that defeat present-day supercomputers will become commercially available. On the other hand, no one knows what problems those might bring either. For now, the main thing that can be said of quantum computers is that they are an aspiration.
IBM recently presented a quantum processor with 50 quantum bits [qubits]. The Canadian D-Wave Systems has even presented a complex system of more than 2,000 qubits.
When do these start to become a threat?
The computers would need millions of qubits [see panel]. However, that is not to say this may not be possible in the foreseeable future. The Canadian mathematician and quantum scientist Michele Mosca has extrapolated available data and predicted that the risk of quantum computers compromising key methods by the year 2026 is one in seven. By 2031 the risk will have risen to 50%. Many scientists consider his study to be plausible.
How far have cryptographers got towards developing methods that cannot be cracked by such computers?
The first international conference on post-quantum cryptography was held 12 years ago. Since then, research institutes all over the world have been working on the problem. At the moment, the US National Institute of Standards and Technology (NIST) is working on a standardisation procedure for quantum-secure cryptography. By last November, researchers had submitted 70 procedures they considered to be quantum-secure. My colleagues and I in Darmstadt also made two proposals. So there are a number of promising candidates that could in principle solve the problem.
But there are two obstacles that need to be overcome – by cryptographers, standardisers and IT manufacturers. The first is time: can we develop the methods and incorporate them in the programs more quickly than the developers of quantum computers make advances with their machines? Our past experience has always been that it takes longer than one would like, but I remain optimistic, especially as the developers of quantum computers face bigger technical challenges than we do.
The second obstacle is more fundamental. When you develop a cryptographic method, you can never be 100% certain that it really is secure. Some clever brain somewhere in the world could come up with a mathematical or technical loophole we have overlooked. That, too, has happened in the past, but it was not as serious then, because the world did not rely on computers to the extent that it does today.
That means that if you are wrong about quantum computers, the result could be something like a nuclear-core meltdown?
That is true, though I think the nuclear power station analogy is slightly misleading. I would prefer to use an aviation image: like in aircraft, we need surplus in the safety system, in other words multiple safeguards. If one safeguard fails, the second must come into effect – and maybe even a third. On top of this, the security architecture used in programs must be modular, so that when we realise that an encryption technique or a signature is no longer safe, we can replace that software module with another one relatively simply.
The advantage with software is that computers do not need to be brought into a hangar to replace a part. Nowadays that can be done remotely by means of an update. In that sense, quantum computers are a major threat to IT security, but if we work on safe procedures swiftly now, it is very likely that the threat will not result in a major catastrophe. The retrospective situation, however, is rather different.
These days, intelligence services are storing securely encrypted data they have intercepted or recorded. They do so hoping to be able to decrypt that data some day in the future. Quantum computers are one of their huge hopes in this respect. That data will definitely become decipherable eventually, all of it. And it won’t only be of interest to historians. There is probably a lot of stored data that will continue to be relevant; corporate secrets, for example.
How secure are new cryptocurrencies and payment systems such as bitcoin in this regard?
At the moment they are very secure, in purely technical terms. Attacking the bitcoin protection system would require a level of computing power that is difficult to imagine. If quantum computers sprang up overnight, however, all the safety offered by cryptocurrencies would be gone. The signatures would be no problem to crack either. For our hypothetical hackers, cryptomoney would perhaps be the most interesting target of all. But here, too, systems based on blockchains will remain secure if they are upgraded using quantum-secure cryptographic procedures. So they are involved in the same race against time as all other security systems.
Does a form of cryptography exist that will be safe for all time?
It is mathematically possible. And you can also use quantum communications technologies to exchange keys in ways that are 100% secure. We are in the middle of researching this, to provide long-term protection for hospital data in Japan, but it is very long-winded and for the moment it is just a niche market.