Introduction to Quantum Computing and the Security Implications
5 November 2019
7th ETSI-IQC Quantum-Safe Cryptography Workshop
Michele Mosca
Computation in a quantum paradigm
E. Lucero, D. Mariantoni, and M. Mariantoni
New paradigm brings new possibilities
Designing new materials, drugs, etc.
Optimizing
What else???
Sensing and measuring
Secure communication
Quantum system:
Classical simulation:
Simulating quantum bits with classical bits
• Describing n qubits in a classical computer generally appears to require more than 2^n bits of memory.
# qubits    # classical numbers to store
3           8 = 2^3
4           16 = 2^4
10          1024 = 2^10 (Kilo)
20          1048576 = 2^20 (Mega)
30          1073741824 = 2^30 (Giga)
40          1099511627776 = 2^40 (Tera)
50          1125899906842624 = 2^50 (Peta)
60          1152921504606846976 = 2^60 (Exa)
70          1180591620717411303424 = 2^70 (Zetta)
128         340282366920938463463374607431768211456 = 2^128 ≈ 3.4x10^38
230         1725436586697640946858688965569256363112777243042596638790631055949824 = 2^230 ≈ 1.7x10^69
Applications: studying materials and chemicals
Optimization for businesses, including cyber defence
How can we entrust information and tasks to untrusted systems???
Figure: symmetric encryption. The message M to be encrypted and the shared key k give CipherText(k,M); the receiver, holding the same shared key k, recovers the decrypted message M.
• Symmetric encryption
• Key Establishment
• Authentication
And more!!
• Secure multi-party computations
• Securely outsourcing computations to untrusted parties
• Protect privacy AND retain security
• Protect privacy AND achieve business functions
E.g. use “homomorphic encryption” for Anti-Money-Laundering
New feature: Eavesdropper detection
The ultimate key‐establishment tool
Quantum physics guarantees the mathematical security of the cryptographic key
• A quantum satellite in LEO can interconnect ground networks located anywhere on Earth.
• Together with ground‐based repeaters, we will eventually have a “quantum internet”.
Figure: quantum links QL A and QL B, via the satellite, connect Network A and Network B and deliver a final key.
Quantum communication in space is real
Dedicated quantum hardware in Space:
• China (J.W. Pan)
– Entanglement Distribution over 1200 km! (Science, 2017)
– QKD from space to ground (Nature 549, 43–47 (2017))
– Teleportation (Nature 549, 70–73 (2017))
– QKD between Beijing and Graz
• Japan (NICT) – 50 kg satellite: Nature Photonics 11, 502–508 (2017)
• Singapore (A. Ling)
– Correlated Photon Source onboard CubeSat (Phys. Rev. Applied 5, 054022, 2016)
Proof of concept demonstrations
• Germany (G. Leuchs): Demonstration of quantum limited states sent from GEO satellite to ground (Optica Vol. 4, No. 6, 2017)
• Italy (P. Villoresi): Demonstrating a quantum channel from space to ground (Phys. Rev. Lett. 115, 040502 (2015))
• Canada (T.J.): Airborne demonstration of a quantum communication satellite payload (QST, 2017)
Beijing and Vienna have a quantum conversation
September 2017, www.physicsworld.com
http://english.cas.cn/newsroom/news/201709/t20170928_183577.shtml
Thanks to Thomas Jennewein for these slides.
Quantum Internet – the Long Term Vision
Qubit distribution with moving systems: satellites, aircraft, vehicles, ships, handheld
Figure: nodes shown include buildings in a city centre, satellites, aircraft, ATM, vehicles, service providers, agencies, computers, handheld devices and WLAN; a quantum link QL A delivers a final key to a distant network.
Thanks to Thomas Jennewein for these slides.
But… while in the classical paradigm
Encrypting is easy. Codebreaking is hard.
…in the quantum paradigm
Encrypting is easy. Codebreaking is easy!
Cryptography: RSA, DSA, DH, ECDH, ECDSA, …, SHA, AES
Secure web browsing, Auto-updates, VPN, Secure email, Blockchain, etc…
Cloud computing, payment systems, internet, IoT, eHealth, etc…
• User errors
• Corrupt users
• Admin errors
• Corrupt admin
• Platform implementation errors
• Platform design errors
• Cryptography implementation errors
• Fundamentally vulnerable cryptography
So many different vulnerabilities
Ranked, from bad to worse?
Do we need to worry now?
Depends on*:
• security shelf‐life (x years)
• migration time (y years)
• collapse time (z years)
“Theorem”: If x + y > z, then worry.
Figure: timeline showing x, y and z.
*M. Mosca: e‐Proceedings of 1st ETSI Quantum‐Safe Cryptography Workshop, 2013. Also http://eprint.iacr.org/2015/1075
4 threats
Loss of confidentiality and data integrity. (if x+y>z)
Critical infrastructures fail with no quick fix. (if y>z)
Rushing “Y” is expensive, disruptive, and leads to vulnerable implementations.
Loss of trust in the tools and institutions underpinning our digital economy.
Another milestone will be the achievement of quantum supremacy. It will signal that there has been great progress in our ability to build and operate quantum devices, and it will certainly receive the attention of news outlets. On the other hand, it will only be a relatively small step towards a cryptographically relevant quantum computer, which requires a much higher level of sophistication, specifically in relation to using error correction to achieve fault‐tolerance.
[the] claim will “likely [be] controversial”
https://globalriskinstitute.org/publications/quantum‐threat‐timeline/
Some (future?) milestones
“Quantum supremacy”
Critical Milestone: Scalable fault‐tolerant logical qubits
Figure: a CNOT at the logical layer = a fault-tolerant CNOT built from many qubits at the physical layer.
Estimating ‘z’?
https://www.bsi.bund.de/DE/Publikationen/Studien/Quantencomputer/quantencomputer.html (first draft in 2018; updated version 1.1 in 2019)
https://www.nap.edu/catalog/25196/quantum‐computing‐progress‐and‐prospects (presented in Dec. 2018)
What is ‘z’?
• Michele Mosca [Oxford, 1996]: “20 qubits in 20 years”
• Microsoft Research [October 2015]: ”Recent improvements in control of quantum systems make it seem feasible to finally build a quantum computer within a decade”.
• Michele Mosca ([NIST, April 2015], [ISACA, September 2015]): “1/7 chance of breaking RSA‐2048 by 2026, ½ chance by 2031”
• Michele Mosca [London, September 2017]: “1/6 chance within 10 years”
• Simon Benjamin [London, September 2017]: Speculates that if someone is willing to “go Manhattan project” then “maybe 6‐12 years”
• Michele Mosca [Seattle, November 2019]: 1/5 chance within 10 years
https://globalriskinstitute.org/publications/quantum‐threat‐timeline/
Quantum‐safe cryptography tool‐chest
conventional quantum‐safe cryptography a.k.a. Post‐Quantum Cryptography or Quantum Resistant Algorithms
+ quantum cryptography
Both sets of cryptographic tools can work very well together in a quantum-safe cryptographic ecosystem
http://www.idquantique.com/photon‐counting/clavis3‐qkd‐platform/
Courtesy of Qiang Zhang, USTC
“quantum-safe” = designed to be safe against quantum attacks
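As an added example (not code from the slides or from any vendor), one way the two tool sets can work together: a session key derived from both a QKD-delivered key and a post-quantum KEM shared secret, so it stays secret as long as either source does. The HKDF implementation, the length-prefixed combiner and all sample byte strings are assumptions constructed for this example.

```python
"""Hybrid key combiner: QKD key + post-quantum KEM shared secret.
Added example; HKDF (RFC 5869) is written out with the standard library,
and every input below is a constructed stand-in."""
import hashlib
import hmac

def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    return hmac.new(salt, ikm, hashlib.sha256).digest()

def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]

def _lv(data: bytes) -> bytes:
    """Length-prefix each secret so two different (k1, k2) pairs cannot
    produce the same concatenation by shifting bytes across the boundary."""
    return len(data).to_bytes(2, "big") + data

def combine_keys(qkd_key: bytes, pq_shared_secret: bytes, context: bytes,
                 length: int = 32) -> bytes:
    """Derive a session key that depends on both secrets and on a context
    string binding it to this protocol run (identities, transcript, ...)."""
    if not qkd_key or not pq_shared_secret:
        raise ValueError("both key sources must be present")
    ikm = _lv(qkd_key) + _lv(pq_shared_secret)
    prk = hkdf_extract(b"\x00" * hashlib.sha256().digest_size, ikm)
    return hkdf_expand(prk, b"hybrid-qkd-pqc|" + context, length)

# Constructed stand-ins for what a QKD link and a PQ KEM would deliver.
QKD_KEY = bytes.fromhex("00" * 31 + "01")
PQ_SECRET = hashlib.sha256(b"constructed KEM shared secret").digest()
CONTEXT = b"site-A<->site-B session 7"

if __name__ == "__main__":
    print(combine_keys(QKD_KEY, PQ_SECRET, CONTEXT).hex())
```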
Risk vs convenience
Figure: risk on the vertical axis (very low to very high) against convenience on the horizontal axis (low to high). The chart plots these tool bundles, moving from low risk and low convenience to higher risk and higher convenience:
• ITS signatures, QKD key agreement, OTP encryption
• Post-quantum signatures, QKD key agreement, OTP encryption
• Post-quantum signatures, QKD key agreement, AES encryption
• Post-quantum signatures, Post-quantum key agreement, AES encryption
Security is a choice
“Fault‐tolerant scalable qubit” = starting gun
“Quantum supremacy” = warning shot
We don’t get to call a “time‐out” if we’re not ready!
“Execution is 90% planning and 10% doing”
Quantum Risk Assessment (QRA) Methodology:
Phase 1: Identify and document assets, and their current cryptographic protection.
Phase 2: Research the state of emerging quantum technologies, and the timelines for availability of quantum computers.
Phase 3: Identify and document threat actors, and estimate their time to access quantum technology, “z”.
Phase 4: Identify the lifetime of your assets, “x”, and “y”, the time required to migrate the organization’s technical infrastructure to a quantum-safe state.
Phase 5: Determine quantum risk by calculating whether business assets will become vulnerable before the organization can move to protect them. (x + y > z ?)
Phase 6: Identify and prioritize the activities required to maintain awareness, and to migrate the organization’s technology to a quantum-safe state.
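The x/y/z “theorem”, the two time-based threats (x + y > z and y > z) and Phases 3 to 6 of the QRA, worked through as an added example that is not from the slides. The asset inventory, the discrete distribution over z and the weights are constructed assumptions; the author's own estimates (e.g. “1/5 chance within 10 years”) are only the inspiration for the scenario style.

```python
"""Mosca's x/y/z rule applied to an asset inventory (added example, not
from the slides). Asset values and the z scenarios below are constructed."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Asset:
    name: str
    shelf_life_x: float   # years the data or system must stay secure
    migration_y: float    # years needed to migrate it to quantum-safe crypto

def threat(asset: Asset, collapse_z: float) -> str:
    """Classify one asset against a single collapse-time estimate z.
    y > z is checked first: if migration cannot finish before collapse,
    the infrastructure itself fails, not just past traffic."""
    if asset.migration_y > collapse_z:
        return "infrastructure fails with no quick fix (y > z)"
    if asset.shelf_life_x + asset.migration_y > collapse_z:
        return "loss of confidentiality and integrity (x + y > z)"
    return "no quantum risk under this z (x + y <= z)"

def slack_years(asset: Asset, collapse_z: float) -> float:
    """Margin in years; negative means the 'theorem' says worry."""
    return collapse_z - (asset.shelf_life_x + asset.migration_y)

def worry_probability(asset: Asset, z_scenarios) -> float:
    """z is uncertain, so take (probability, z) pairs and return
    P(x + y > z), the chance that the 'theorem' fires for this asset."""
    total = sum(p for p, _ in z_scenarios)
    return sum(p for p, z in z_scenarios
               if asset.shelf_life_x + asset.migration_y > z) / total

def prioritise(inventory, z_scenarios):
    """Phase 5/6 output: assets by descending worry probability, ties
    broken by least slack under the most pessimistic (smallest) z."""
    z_min = min(z for _, z in z_scenarios)
    return sorted(inventory,
                  key=lambda a: (-worry_probability(a, z_scenarios),
                                 slack_years(a, z_min)))

# Constructed inventory and z distribution; not the author's numbers.
INVENTORY = [
    Asset("archived health records", shelf_life_x=25, migration_y=5),
    Asset("payment switch firmware", shelf_life_x=2, migration_y=12),
    Asset("public web TLS endpoints", shelf_life_x=1, migration_y=3),
]
Z_SCENARIOS = [(0.2, 10.0), (0.5, 20.0), (0.3, 30.0)]

if __name__ == "__main__":
    for a in prioritise(INVENTORY, Z_SCENARIOS):
        print(f"{a.name:26s} P(worry)={worry_probability(a, Z_SCENARIOS):.2f}"
              f"  at z=10: {threat(a, 10.0)}")
```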
Ongoing work to develop standards and certifications for these tools.
https://csrc.nist.gov/CSRC/media/Projects/Post‐Quantum‐Cryptography/documents/asiacrypt‐2017‐moody‐pqc.pdf
openquantumsafe.org
Can test and prototype post‐quantum algorithms now
Other open source implementations:
https://github.com/mupq/pqm4
https://libpqcrypto.org
https://github.com/safecrypto/libsafecrypto
Industry tool‐kits also available.
Can design QKD into systems now
Full protocol stack for QKD (OpenQKDNetwork.com):
• QKD Link Layer (QLL)
• QKD Network Layer (QNL)
• Key Mgmt. Service Layer (KMS)
• Host Layer
Can design QKD into systems today as a key establishment alternative.
Also need to look at future platforms and tools
Historic opportunity
Dual short-term quantum track for business
Thank you! Comments, questions and feedback are very welcome.
Michele Mosca
Professor, Faculty of Mathematics
Co‐Founder, Institute for Quantum Computing, University of Waterloo
www.iqc.ca/ [email protected]
CEO, evolutionQ Inc. @[email protected]
Co‐founder, softwareQ Inc. softwareq.ca