Quantum Security is National Security
By Andy Manoske, Principal Product Manager of Cryptography and Security Products at HashiCorp
Quantum computers will be one of the defining frontiers in computing over the next century. Utilizing the power of quantum mechanics to provide near-infinite parallelism to “divide and conquer” certain types of problems better than any traditional computer before them, quantum computers will likely herald many breakthroughs in areas such as AI, high finance, medical innovation, and pharmaceutical research due to their unique capabilities.
But they also pose potential threats to national security. The mathematical capabilities that allow quantum computers to search for novel chemical combinations for future cancer drugs and train AI large language models (LLMs) faster than conceivably possible with digital computers will similarly enable unique types of codebreaking attacks against traditional encryption. Such attacks pose grave threats to the cryptography we use to identify parties on the internet and protect national secrets.
In response, the White House’s Office of Science and Technology Policy (OSTP) has worked to support a new version of the National Quantum Initiative Act: H.R.6227. This act, first introduced in 2018, defines the creation of an office to advise lawmakers on critical congressional committees on the impact that quantum computing will have on the United States’ economic, political, and military interests.
In the five years since H.R.6227 was introduced, shifts in computing, such as the rise of AI in LLMs like OpenAI’s GPT-4, have already heralded economic innovation and disruption. The arrival of stable, powerful quantum computing will be orders of magnitude more disruptive. And it is vital that lawmakers understand the risks and benefits that this landmark technology will bring.
What is Quantum Computing?
Quantum Computing (or QC) is a technology that leverages properties of quantum mechanics to dramatically improve a computer’s ability to solve specific types of problems. Like their traditional digital computing counterpart, QC allows for the creation of machines that can investigate and solve problems through logic. But in certain circumstances, QCs can solve problems that would be impossibly difficult for digital computers to solve — so much so that the universe would likely end before a result was found.
In digital computers, electrons move through circuits of gates that instrument logic and programming to compute a result known as a bit. Bits hold two states — either “on” or “off” — that reflect the result of computation. In QC, quantum mechanical processes are used to create quantum logic gates that operate on subatomic particles. The outputs of these quantum logic gates are qubits — the quantum version of a bit.
Unlike bits, qubits can hold multiple states at once thanks to superposition. Superposition is a principle of quantum mechanics that allows for some interactions to hold multiple states at once. Much like pressing some piano keys results in a sound that is a composition of multiple simultaneous notes, qubits can utilize superposition to hold more fundamental states than their digital counterparts.
If computation is modifying a deck of playing cards and drawing a result, digital computers return a single card. Quantum computers instead return a distribution of the probabilities of drawing every possible card in that deck. Programmers can then use statistics to compute some results infinitely faster than they could with a digital computer. Rather than drawing cards from a deck until you hit the Ace of Spades, a programmer can instantly compute when you would be most likely to draw that ace without touching the deck.
But there are drawbacks to quantum computing. The properties that make quantum computers so good at solving some problems also make them extremely difficult to develop and reliably use. While quantum computers already exist and are providing real value (for example: serving as infinite random number generators), they are comparatively slower than digital computers for most interactions and not powerful enough today to compute some of the novel solutions that enable world-changing disruption.
Major advances in physics and materials science are necessary to build stable quantum computers powerful enough to herald breakthroughs in computing. But given the rapid advance of both fields, computer scientists as a whole believe that the next generation of the field will be dominated by quantum computing.
Quantum codebreaking: a major risk to privacy and national security
Promoting the safe research and development of QC in the United States is vital for the country to remain macroeconomically competitive in the next generation of computing. But there are also major risks that this disruption brings, most notably within national security.
Cryptography is the area most imminently impacted by quantum computing. Nearly half of the encryption powering modern identity verification and the protection of secrets online is vulnerable to attacks that leverage quantum computers’ parallelization capabilities.
With a modern computer, a codebreaking attack to search for a 2048-bit RSA private key (such as those used to protect cryptocurrency wallets and encrypt private communication between users and websites) would take longer than the lifetime of our universe. But using a quantum computer and a technique known as Shor’s Algorithm, this attack could take minutes.
Shor’s Algorithm and other QC codebreaking methods are well known in intelligence and national security circles. They were researched decades ago and are still researched intently by government groups and defense contractors. US federal programs such as NIST’s Post-Quantum Cryptography (NIST PQC) program have spent the last decade developing new cryptography resistant to known quantum codebreaking techniques.
While drafts of this new post-quantum cryptography exist and are undergoing review and implementation in code across the public and private sector, no laws or regulations exist to guide when and how they should be broadly deployed.
It is likely that NIST’s FIPS 140, a certification program to verify cryptographic security for military use cases across the US and many NATO countries, will eventually address QC defense. But for the private sector and many non-military government use cases, no such programs or initiatives to migrate to post-quantum cryptography exist.
Lawmakers in the US will likely have to create new rules and regulations to push tech companies (and the internet at large) to migrate quantum-vulnerable cryptography to new post-quantum counterparts.
Failure to do so means that the cryptography used to identify users and protect privacy online is rendered vulnerable to adversaries such as governments and major non-state cybercrime actors.
About the Author
Andrew “Andy” Manoske is the Principal Product Manager of Cryptography and Security Products at HashiCorp. Prior to HashiCorp, he led product management for security and defense technology such as AT&T Cybersecurity Open Threat Exchange (OTX), NetApp Storage Encryption, and Lockheed Martin BlackCloud.