Quantum Disruption for Defensive and Offensive Cybersecurity

Author: Balaji Swaminathan M., CISA, AWS, AZURE CERTIFIED, CISSP
Date Published: 6 July 2022

Since the idea of applying the principles of quantum physics to classical computing originated in the early 1980s,¹ many prototypes, simulations and research efforts have been carried out in attempts to put the idea into practice. Solving complex problems in the most efficient and optimized ways has always been the primary focus of computing. Classical computers, for the most part, take more time and power to solve complex problems. Enter quantum computing, which addresses complex problems in a short amount of time using specialized algorithms that are specifically designed to utilize the potential of a quantum computing infrastructure.

It is worth exploring the core principles and necessity of quantum computing, its impact on and applications for emerging technologies focusing on cybersecurity, and the considerations and approaches toward adopting quantum computing as a paradigm shift.

The Quantum Factor in Computing

Classical computers are based on the operations of binary bits, whereas a quantum computing environment is based on the operation of quantum bits (qubits). Qubits are the physical representation and the basic unit of quantum information, and they are usually composed of electrons or photons. In short, a quantum computing infrastructure works by controlling the state and behavior of such quantum information (i.e., atomic particles) and, in such an infrastructure, the classic binary bits are represented and analyzed with their quantum version.

But in what ways are qubits different and superior to classical bits in terms of computing? The answer lies in the special properties that the qubits possess as they operate in the quantum space.

A classical or regular computing bit exists in a dual state (e.g., on or off, 1 or 0, open or closed) at any point in time.

A qubit is much more flexible because it possesses unique properties such as:

Superposition—A property by which a qubit possesses the probability of being in more than one state or a combination of states at any point in time. For example, a 5-bit classical datum can be in one of 32 states (2^5) or a combination of them at any point in time, while an equivalent qubit can be in all 32 states at once during the computation as long as it is unobserved and not measured. This probability allows for uncertainty in a qubit’s state, which leads to many combinations of states it can possess at any one time. For example:
- Classical 2 bits—Either 00 or 01 or 10 or 11 for both bits (i.e., one possible combination at a time)
- Quantum 2 bits—00 and 01 and 10 and 11 (i.e., four possible combinations at all times)
Entanglement—The property by which a connection or link between qubits can be established to operate on one or more common logic or use case, either by making them a pair (think of a pair of eyes processing light from objects and providing a unified three-dimensional view) or a connected ecosystem (think of neurons transmitting signals to each other to detect and respond to the senses). With the qubits coupled or linked, a state change in one affects the other. In other words, every entangled qubit will be impacted by a change in the other paired qubit. This cause-and-effect relationship means that by measuring the state of one entangled qubit, the state of its peers can be enumerated (figure 1).

The How of Quantum Computing

As its name implies, a quantum computing ecosystem begins by initializing and setting up qubits. These qubits are put into superpositions, which are then connected or entangled by the quantum gates (the quantum equivalent of classical logic gates).

But how does the superposition and entanglement of the qubits help with the actual computing? The answer lies in the manner by which such superpositioned and entangled qubits are controlled by interference.

The position and state of qubits are represented by wave functions, which are mathematical descriptions of the qubits. The representation of all entangled and superpositioned qubits is the sum of the individual wave function of each qubit, which amounts to an overall wavefunction, which describes the state of the quantum computer as a whole. As these qubits are entangled, their waves can interfere with each other (either amplifying or degrading each other), which is considered the interference phenomenon. By defining the required quantum algorithms, the states of the superpositioned and entangled qubits and their signals can be amplified or degraded based on certain requirements.

The Need for Quantum Computing

Because the quantum mode of computing uses the properties of qubits, a quantum computing environment sets up qubits and applies logic operations to entangle the superpositioned bits and control them through interference.

This type of computing ecosystem manipulates the signals (the signals are the wave functions [i.e., the qubits]), which, in turn, manipulates the probabilities of obtaining the right and wrong answers. In other words, by amplifying the required signals or by degrading the unwanted signals, the probability of getting the correct answer can be increased and the probability of getting the incorrect answer can be decreased or reduced to zero.

The answers represent the required states of the qubits and because the qubits are the quantum version of the classical binary bits, they will be measured in the output. There may appear to be many combinations and superpositions during run time or processing, but only one answer or result will be available at the end. When the output is measured after processing, the likelihood of measuring the correct answer should be maximized.

By cleverly manipulating the superposition and entanglement of the qubits using the quantum algorithms via interference, the probability of getting the right answer is increased in an optimized, effective manner in much less time than the same exercise can be performed by a classical computer, because all possible solutions are worked out in parallel. This is the core benefit that calls for a quantum computing ecosystem.

A simplified depiction of quantum properties and working modes is illustrated in figure 2.

The Attack and Defense Approach in Quantum Cybersecurity

The security of every data transfer depends on the transit encryption (i.e., encryption of the data in transit), which, in turn, is dependent on asymmetric cryptography to create a secure tunnel using algorithms such as RSA.²

The core of such algorithms relies on the fact that the prime factors of a larger number (used to generate the private and public keys) cannot be obtained easily. In other words, because the prime numbers are divisible only by themselves and one, it is difficult to factorize the product of two prime numbers. Using this core concept, a quantum computing solution can be implemented both to attack and defend any cryptographic material via quantum cryptography.

Quantum cryptography uses the principles and properties of qubits to:

Encrypt data and transmit them securely to prevent compromise
Decrypt the information that was encrypted either with quantum or classical cryptography
Detect the presence of an intruder attempting to obtain the key or decrypt the data in transit

Offensive Cryptography as a Quantum Attack Approach

Enumerating the prime factors of the large number, represented by n, will break the encryption and is the most difficult part as well as the single point of failure for secure communication.

Running such factor derivation even on a supercomputer is not an impossibility, but to do so would be time consuming and likely unsuccessful. Using a quantum computer would be a faster approach and have a greater likelihood of success. This poses a great and immediate threat to security as the prime factors of the large number are enumerated.

Using this core concept, a quantum computing solution can be implemented both to attack and defend any cryptographic material via quantum cryptography.

This possibility emerges from Shor’s algorithm, which is a quantum algorithm designed specifically to find the prime factors of n using the superposition property of the qubits.³ In a quantum computing environment, Shor’s algorithm could break the encryption provided by the RSA algorithm.

The standard method or algorithm is to guess a number (one of the two prime factors), check for correctness and repeat until the correct factors are obtained. This process is nonscalable and time consuming because as the number of bits increases, the processing time increases exponentially.

Shor’s algorithm guesses a number that could share a factor with the target number and continues to transform its guess until it moves closer to the actual factor. The algorithm is much faster and more effective when run on a quantum computer. In a classical computing environment, this may be more attainable using simple numbers, but for large numbers it can be challenging to find a shared factor with n.

The objective of Shor’s algorithm is to compute the quantum factorization of n and find the prime factors represented by x and y. As these two prime factors (x, y) do not share common factors, the Shor’s algorithm uses the following formula:

A^p = m.N+1, where A represents the sample guess for one of the prime factors that needs to be transformed, P represents the power value guess that needs to be transformed, M represents the number of times that N needs to be multiplied by itself and N represents the larger number.

The formula can also be written as:

(A^P/2+1) X (A^P/2-1) = m.N, where A^P/2+1 represents x and A^P/2-1 represents y (x and y are the two prime factors that are multiplied to obtain n with a variable m).

For example, assume the initial guess (A) is 7 and compute m.N:

Guess 1: 7² = 3X15+4 = 49

Guess 2: 7³ = 22X15+13 = 343

Guess 3: 7⁴ = 160X15+1 = 2401 (this satisfies the m.N +1 condition)

Rearranging this results in:

(7^(4/2) + 1) * (7^(4/2)) -1) = 160 * 15 = 2400

50 * 49 = 2400 (The factors of the larger number are 50 [x] and 49 [y])

Note that x and y may be the factors of n or, in most cases, the multiples of the factors of n (m multiplied by n), rather than the actual factors themselves. X and y are the final and improved guesses that Shor’s algorithm enumerates, and the calculation works for any pair of numbers that do not share a common factor.

Finding p for large numbers is time consuming and not scalable using a classical computer. This is where quantum operations can be beneficial. In the case of the quantum algorithms, all guess calculations are performed at once via superpositions of all the guessed values (i.e., qubits), while interference is used to degrade the qubit waves to reduce the probability of wrong answers. In most cases, the output will be the right answer.

So, to find the p in A^p = m.N+1, a quantum computer:

Computes A^p and determines whether it is larger or smaller than m.N
Stores p as a superposition and the difference from m.N (bigger or smaller)
Repeats for all values of superposition (with a period of p) and determines by how much each superposition is greater than m.N

Due to the nature of quantum particles and qubits, a superposition state cannot be measured. But by this way, all non-p answers (i.e., qubit waves) must be negatively interfered (i.e., degradation of the non-p qubit waves) and cancelled out, leaving the only possible answer, p.

In the case of the quantum algorithms, all guess calculations are performed at once via superpositions of all the guessed values.

Though such a quantum computer is not available as of the time of this writing, at least for higher numbers, future quantum computers will compute complex problems with ease, which poses a serious threat to the entire cryptographic landscape.

To be proactive and to counter threats using quantum computing, quantum principles can be leveraged to defend against quantum-level attacks.

Defensive Cryptography, a Quantum Preventive Approach

The three important factors that constitute a cryptographic operation are a key, a key exchange method and an algorithm. Although the algorithm cannot be directly attacked in real time, the key and key exchange method can be, as explained:

Keys–The key material is typically generated out of pseudo-random numbers. The lesser the entropy or randomization in churning out the keys, the greater the probability to predict the random numbers (i.e., prime factors) more quickly. To address this, quantum random number generators, which produce nearly a billion random numbers per second, are required.
These are typically constructed as a Payment Card Industry (PCI) card or network device⁴^,⁵ that is plugged into a quantum computer and uses quantum optics (where photons are used to simulate qubits) to generate quantum-level randomness. The idea is to scale up a quantum-level computing infrastructure to counter attacks by or from another quantum ecosystem that attempts to break the encryption through factorization.
Key exchange–The existing key exchange mechanisms, through wired or wireless mediums, will be severely threatened by quantum computers. Based on the packet captures, man-in-the-middle (MitM) attacks or sniffing off the line, the obtained data can be superpositioned and have a higher probability of being cracked by the aforementioned techniques. To counter this, the same quantum principles are applied to transmit the keys or key material by what is referred to as quantum key distribution (QKD). It uses the quantum optic particles (i.e., photons) to transmit the data over fiber optic links. The random number generated by the quantum random generators will be encoded into a string of separate but entangled photons and sent via the optical channels for secure key communication. This process is extremely secure because any sniffing (detecting and observing packet data flowing across a network) or intrusion (intercepting and modifying the data in transit) during the QKD transmission can be detected. Due to the special and delicate nature of photons, any eavesdropper attempting to read or copy them will change the photons’ state because they are entangled—reading activity within one qubit photon is reflected onto the other connected qubit photon. This change in the state of the photons will be detected by the receiver, alerting them that the key exchange has been captured, sniffed or tampered with and must be discarded. However, there is a limitation for QKD in terms of the distance the photons can travel. The current QKD over fiber channels has been tested within 100 kilometers, and additional tests are being carried out via satellite to expand this to 1,000 kilometers or more. Such a QKD-bound ecosystem, referred to as a quantum communication network, has already been launched in the United States.⁶

These methods of protecting the keys and key exchange are collectively termed as postquantum cryptography, which is more resistant to quantum computers. Such methods typically involve creating a problem or puzzle that even a powerful quantum computer would find difficult to solve. The US National Institute of Standards and Technology (NIST) is expected to release postquantum cryptography standards by the end of 2024 when the postquantum algorithms are available.⁷

The security community must be proactive and practice adopting quantum defensive cryptography via post-quantum encryption to defend against offensive cryptography via quantum attacks.

Today’s quantum computers may not be able to run Shor’s algorithm for larger numbers, but it is worth noting that all the cryptographic material being used and stored now will be compromised and broken in the next five to 10 years when such sophisticated quantum computers are expected to be available. Therefore, the security community must be proactive and practice adopting quantum defensive cryptography via post-quantum encryption to defend against offensive cryptography via quantum attacks.

Applying Quantum Computing for Advanced Security Technologies and Trends

Armed with the aforementioned principles and methodologies, practitioners may be able to use quantum computing for other niche security applications in the near future, including:

Security analytics and anomaly detection—Security analytics help identify suspicious patterns within a system’s network and related user activity to detect potential threats. Suspicious patterns are considered anything that could indicate a possible security threat, such as increased data transfer from a particular user device, logon during irregular hours, and continuous or widespread sensitive data access. While machine learning (ML) technologies are already in place to construct learning models to create a baseline to determine whether activities and behavior are benign or malicious, quantum computing properties can be applied for greater enhancement. Quantum computers are able to analyze extremely large data sets and simulate complex models using the qubits’ properties, optimizing problem solving and enhancing machine learning. This could provide an advantage for analyzing real-time event data and security logs across the computing environment, with a reduction in false positives (i.e., an alarm is raised, but there is no real threat). All event data could be superpositioned, and quantum algorithms could be developed to leverage the interference property to maximize the probability of obtaining the correct answer.
Internet of Things (IoT) security—With all the existing smart technologies, many physical, real-world objects (e.g., connected vehicles, medical devices, power equipment) are embedded with sensors, and the computing happens on either a centralized platform (e.g., cloud computing) for unified management or at the edge of the device itself (e.g., fog computing) to reduce overhead in the data transfer and offload certain tasks from centralized computing. The interconnectivity with an IoT ecosystem is so vast and decentralized that it requires tamper-proof communication of the signals for controlled and timely security management. A secure quantum network leveraging QKD and quantum optics for data transfer with the entangled qubits (as photons) to connect separate IoT components physically and geographically can be used to achieve this objective.
Blockchain security—The primary security objective of the distributed and decentralized architecture of storing transactions or information by blockchain is to ensure that data tampering or compromise are extremely difficult, if not impossible. Blockchain, in turn, uses public key cryptography, which leverages the key pairs and, therefore, is vulnerable to quantum attacks. Postquantum cryptographic techniques could aid in generating quantum randomness for the key material in authenticating, signing, encrypting and decrypting the ledger transactions to withstand quantum-level attacks.
Artificial intelligence (AI) and ML-powered purple teaming—A combination of blue team (an engineering and defensive approach) and red team (a validation and offensive approach), purple teaming activities are being adopted by organizations to continuously build and test security controls and infrastructure. Both sets of activities feed into each other for continuous and improved defense. Deep learning models are already being used in advanced cases to continuously improve the red team’s ability to learn about and create new models to simulate attack adversaries (i.e., test cases) and the blue team’s ability to learn and adapt to the new models to parse and segregate malicious requests or events from normal events. Current AI and ML algorithms can be highly optimized with great speed by running them on quantum computers. This reduces the time taken to analyze large-scale data sets; hence, the learning curve for the AI models can be reduced, which effectively improves and transforms overall AI capabilities.

Challenges and Considerations for Adopting Quantum Computing

It is vital to understand the challenges in implementing a quantum computing ecosystem and the requirements and controls needed to adopt quantum computing as a technology disruptor. Some of the key challenges and considerations include:

State isolation—Qubits are typically represented and controlled as microwave signals via logic gates to modify their state and entangle them. Disturbing or removing a qubit’s state impacts the quantum states required for computation. Hence, they are very sensitive to disturbances and, therefore, the quantum computing system as a whole requires careful isolation from its surroundings.
Randomness—The maximum number of possible qubits is required to analyze all possible answer options, which would then be leveraged by interference for removing errors and increasing the probability of getting the correct answer. This calls for extreme randomness as a core prerequisite, which cannot be offered by the existing random generator solutions or algorithms. True quantum-level randomness is required, which then feeds into the quantum engine for computation. It is similar to using the same technology as a coupler: A generator churns out random numbers in the quantum space and a computer operates on the quantum numbers (qubits) in a quantum space.
Speed vs. optimization—It is true that quantum computers can solve complex problems more quickly than classical or even super computers, but they are not specifically made for and should not be adopted solely for the sake of fast calculations. They are more useful for calculations or operations where all quantum superpositions must be made available to the user at the same time. Hence, the core specialty and advantage of quantum computing lies more in the number, efficiency and effectiveness of the operations being performed than simply speed.
QKD authentication—Though QKD transmission over long-distance fiber optic channels is being tested, QKD by itself does not authenticate the source of the key transmission at this time, which is a major concern. This could be augmented by employing other authentication and antispoofing mechanisms integrated to QKD or by waiting for similar inherent features within the QKD system itself to become capable of achieving this.
Algorithm validation—The quantum algorithms to be used in postquantum cryptography require rigorous testing and validation to ensure that they are resilient to quantum attacks. This requires a large quantum computing setup, and currently there is no setup big enough to test the algorithms. Developments are being made and testing methods would need to be improved to ensure the security of a quantum-resistant algorithm. This does not and should not hinder the development of such algorithms in the meantime as a means of being proactive and to capitalize on such an infrastructure immediately once available.

It is vital to understand the challenges in implementing a quantum computing ecosystem and the requirements and controls needed to adopt quantum computing as a technology disruptor.

Although research into quantum cryptography continues to evolve in an attempt to address these challenges, it is clear that quantum-proof cryptography and quantum-secure networks are the way forward to safeguard vast, diversified and decentralized data and networks.

When such mechanisms are put into practice, all new key pairs will be secured and, more important, data new and old will be reencrypted to defend against threats from quantum attacks.

Conclusion

Organizations must evolve from traditional data analysis and analytics to identify new and optimized ways to solve problems. This will lead to new business models, which, in turn, will have even greater reliance on advanced computing methodologies. Quantum-driven business models and workflows supplemented with traditional computing and AI will revolutionize the technology shift in the decades to come.

As research of and advancements in quantum computing continue, tapping into its potential and preparing for the transition is key for organizations. This will ensure readiness of people, processes and budgets once quantum technology and related products are available for general consumption. Though it will be some time before quantum products are made commercially available and viable on a larger scale, enterprises should prepare to adopt the technology by leveraging quantum simulations and devising algorithms and prototypes that leverage the full potential of a quantum ecosystem.

Quantum-driven business models and workflows supplemented with traditional computing and AI will revolutionize the technology shift in the decades to come.

Endnotes

¹ Feynman, R.; “Simulating Physics With Computers,” International Journal of Theoretical Physics, vol. 21, 7 May 1981, http://physics.whu.edu.cn/dfiles/wenjian/1_00_QIC_Feynman.pdf
² Rivest, R. L.; A. Shamir; L. Adleman; “A Method for Obtaining Digital Signatures and Public-Key Cryptosystems,” Communications of the ACM, vol. 21, iss. 2, February 1978, https://people.csail.mit.edu/rivest/Rsapaper.pdf
³ Shor, P.; “Polynomial-Time Algorithms for Prime Factorization and Discrete Logarithms on a Quantum Computer,” 1996, https://arxiv.org/abs/quant-ph/9508027
⁴ ID Quantique (IDQ), “Quantis QRNG PCIe andUSB Legacy,” https://www.idquantique.com/random-number-generation/products/quantis-random-number-generator
⁵ ID Quantique (IDQ), “Quantis Appliance 2.0,” https://www.idquantique.com/random-number-generation/products/quantis-rng-appliance
⁶ Quantum Xchange, “Quantum Xchange Launches ‘Phio’ the First Commercial QKD Network for Quantum Communications in the U.S.,” https://quantumxc.com/blog/quantum-launches-phio/
⁷ National Institute of Standards and Technology (NIST), “Post-Quantum Cryptography,” USA, https://csrc.nist.gov/Projects/post-quantum-cryptography

BALAJI SWAMINATHAN M. | CISA, AWS, AZURE CERTIFIED, CISSP

Is a principal security architect managing the delivery of cybersecurity services and new service rollouts aligning with customer requirements. He can be reached at https://www.linkedin.com/in/balaji-swaminathan-m-a753416a/.