There’s a paradox at the heart of cyber security. It relates to the trade-off between keeping our secrets safe and protecting the communications of bad actors.
Most people are blissfully unaware of it, but an uneasy balance was struck in the early 2000s following the conclusion of the Crypto Wars. After many years of fighting the ability to export secure encryption, US officials finally capitulated on restrictions in 2000, opening the door to a much larger share of the world being able to benefit from secure encryption protocols. While many saw this as too much of a concession to terrorists and criminal organisations, privacy advocates argued the benefits of secure communications for all outweighed the risks.
With quantum computing around the corner, however, some believe the power balance struck in the 2000s could be on the verge of breakdown due to the technology’s potential to break current encryption standards. This time, they say, the consequences could be far graver than anything in the past because of the scale of economic value and infrastructure that has been linked in the interim to secure encryption.
But others think the threat may be being overhyped by those who wish to profit from selling quantum security or by those who have an interest in getting institutions to migrate to platforms they control and can exploit.
In the latest issue of the European Cybersecurity Journal, Jaya Baloo, the vice chair of the Quantum Flagship, an EU-funded research initiative, argued that the impact of quantum computing has the potential to be bigger than the computing revolution. This is why, she says, quantum secure encryption must be rolled out well in advance to fend off any adverse effects.
But rather than focus on building more secure systems, Baloo also noted there are still many officials lobbying to weaken existing encryption regimes via backdoors and system overrides in the name of national security and fighting crime.
Baloo compared this to the arguments made during the Vietnam war that the best way to save a village was to burn it down:
We’re looking at the same absurd situation when it comes to encryption. People with noble ends — stopping crime, terrorism, child pornography, and human trafficking — are proposing means to those ends — weakening encryption with backdoors — that would in fact destroy the very end goal of security and privacy for everyone.
As it stands, banks are probably the most ahead when it comes to fending off quantum decryption risk. Many have discreetly begun assembling teams to think hard about moving — if not already moving — their systems to quantum secure levels. Much of this activity is being done in the shadows because of the downside of accidentally signalling to would-be attackers (especially state-level ones) how insecure one’s system currently is. Nobody wants to let the proverbial quantum security cat out of the bag since doing so would invite a perpetual arms-race between attackers and defenders, with encryption having to be continuously adapted to new threats.
Even so, this scenario may eventually become unavoidable. Amit Katwala, the author of Quantum Computing, how it works and why it could change the world, told FT Alphaville that while quantum is likely to break certain types of encryption eventually, there’s a good chance it will be contained in counter-encryption upgrades. “By the time these devices are ready to break those types of encryption, there will be new types of encryption in place that will be harder for them to break.”
A digital asset nightmare?
Not all in the crypto security world are convinced by the urgency of the matter. In some quarters, an active debate is being had about whether quantum computing will ever be strong enough to break standard encryption protocols. The question is of particular relevance to those active in the cryptocurrency sphere, since so much of the sector depends on secure cryptography to retain its value. Opinions, however, remain hugely divided.
Among those who see it as a big problem are the founders of Arqit, a British network security company that claims to have solved some key problems in the quantum security field.
Stephen Holmes, Arqit’s chief product officer, argues in a new paper co-authored with Liqun Chen from the University of Surrey that quantum computers could in theory use Shor’s algorithm, a number crunching technique, to break Elliptic Curve Digital Signature Algorithm (ECDSA) signatures, which many cryptocurrencies depend on.
To fend off quantum attacks, the paper outlines, cryptocurrencies like bitcoin will have to adapt in ways that would make usability increasingly cumbersome for users. Keeping on top of the threat, they say, “requires a significant change in user behaviour and a cryptocurrency becomes increasingly less usable as each additional protection is added.”
To achieve user-friendly security, the authors add, cryptocurrencies would have to migrate to quantum safe digital signature schemes. But doing so would require a hard fork, which is a notoriously complex process that involves high levels of community consensus to ensure successful implementation.
One other option, Holmes and Chen note, is migrating one cryptocurrency to a new cryptocurrency platform designed specifically to be quantum resistant. “This could be achieved relatively easily through an exchange process as a cryptocurrency is becoming more at risk to the ever increasing performance of quantum computers,” they say.
But many top-level bitcoin developers and experts remain sceptical. Some argue there’s no clear indication that quantum computing will ever be strong enough to break either ECDSA or the SHA-256 secure hashing algorithm that underpins bitcoin.
Stepan Snigirev, a former quantum physicist now involved in the crypto space, told FT Alphaville that it is unlikely that quantum computers will become a threat to bitcoin in the next 20 years. As he noted:
In order to break elliptic curve cryptography, one needs ~10 thousand physical qubits and their quantum state should survive several million operations.
The current state of the art Quantum Computers are tiny and very noisy – 20 qubits with ~100 operations is what you can expect today.
Optimistically one can expect ~10x improvement in both parameters every 5 years. Or maybe in 3 years if you have unlimited funding.
So these simple estimates give us about 15-20 years to develop and deploy quantum-safe cryptography.
Others in the community go further than that. They claim the true agenda of those circulating fear, uncertainty and doubt (FUD) about bitcoin’s resilience to quantum is to sabotage trust in the novel financial system, since it poses such a threat to incumbent powers. A counter-narrative that might best be described as “quantum denial” has thus appeared in some quarters too.
The views of those developing quantum computers sit somewhere in the middle.
“Certainly quantum computing is not a hoax,” Dr Kuan Yen Tan, chief technology officer of IQM Quantum Computers, told FT Alphaville. “There is of course lots of hype around, but some of that is very good because quantum has great potential. We think it is going to eventually change everything because it is like a new force of nature that we are taking into use.”
His colleague Prof. Mikko Möttönen of Aalto University and chief scientist at IQM, however, caveated that “for quantum computers to become a security threat, in the sense that you define, you would need something called quantum error correction. So you would need a machine that makes almost no errors at all . . . and that kind of machine is beyond 10 years from now.”
A quantum security solution for the quantum threat?
Irrespective of how great the quantum threat really is, efforts to provide the market with pre-emptive solutions are coming.
Holmes’ company, Arqit, is among those looking to cash in. In recent months Arqit has come to market claiming it has figured out how to commercialise symmetric key encryption, a much stronger method of encryption that has until now been viewed as impossible to scale.
It works on the basis that if two counterparts can access the same genuinely random number that only they share, they can encrypt their communications in a way that is most likely to be quantum secure. The method is most famous for protecting high security assets like the US nuclear codes, using the nuclear football. But it also comes with a big disadvantage: in most circumstances it calls for the physical exchange of passwords between two parties, meaning it is no good for encryption between distant parties that never have the chance to meet in person.
But Arqit’s CEO David Williams says the company — which consists of a plethora of former GCHQ code crackers and former British and US military types — has solved the trickiest part of the problem by using another quantum process known as quantum key distribution (QKD).
At the heart of the solution is a mechanism that draws on the spooky properties of quantum states to help distribute the keys securely over distance. The quantum properties ensure that if a message is intercepted it disappears before it can be read.
“If you try and read quantum information, you break it, and it doesn’t get used,” says Williams, while pointing out that the downside of quantum key distribution is that its resistance to hacking is also what makes it highly sensitive to more benign forms of interference in the real world. “It unfortunately only lasts a few dozens of kilometres because the quantum information bumps into glass molecules and dies,” says Williams.
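The two properties described above, a shared genuinely random key that only two parties hold, and a quantum channel on which any attempt to read the key in transit disturbs it, can be made concrete with a small simulation. The following is an added example, not code from the article or from Arqit: it models the BB84 key-distribution protocol over an ideal, lossless channel, with an optional intercept-and-measure adversary on the fibre, and then uses the surviving key as a one-time pad. The error threshold, the message text and the 50 per cent sampling rate are constructed values for this toy; a real deployment takes its abort threshold from the protocol’s security proof and must also cope with channel noise and loss, which this model omits.

```python
import random


def bb84_exchange(n_qubits, eavesdrop, rng):
    """Simulate BB84 over an ideal channel.

    Alice encodes random bits in random bases (0 = rectilinear, 1 = diagonal);
    Bob measures in random bases. After publicly comparing bases (not bits),
    both keep only the positions where the bases matched ("sifting").
    Returns (alice_sifted, bob_sifted). With no interference the lists are
    identical; an intercept-and-resend adversary who must guess the basis
    corrupts about a quarter of the sifted bits, which is what the defender
    later detects.
    """
    alice_bits = [rng.randrange(2) for _ in range(n_qubits)]
    alice_bases = [rng.randrange(2) for _ in range(n_qubits)]
    bob_bases = [rng.randrange(2) for _ in range(n_qubits)]

    def measure(bit, prep_basis, meas_basis):
        # Same basis as preparation: the encoded bit is recovered exactly.
        # Conjugate basis: the outcome is uniformly random and the original
        # state is destroyed, so the photon now carries the measured value.
        return bit if prep_basis == meas_basis else rng.randrange(2)

    alice_sifted, bob_sifted = [], []
    for bit, a_basis, b_basis in zip(alice_bits, alice_bases, bob_bases):
        photon_bit, photon_basis = bit, a_basis
        if eavesdrop:
            # Eve cannot read without measuring; she guesses a basis and
            # re-sends a fresh photon carrying her result in her basis.
            eve_basis = rng.randrange(2)
            photon_bit = measure(photon_bit, photon_basis, eve_basis)
            photon_basis = eve_basis
        bob_bit = measure(photon_bit, photon_basis, b_basis)
        if a_basis == b_basis:
            alice_sifted.append(bit)
            bob_sifted.append(bob_bit)
    return alice_sifted, bob_sifted


def estimate_qber(alice_sifted, bob_sifted, sample_fraction, rng):
    """Sacrifice a random sample of sifted bits (revealed over the public
    channel) to estimate the quantum bit error rate. The sampled bits are
    discarded from the key. Returns (qber, remaining_alice, remaining_bob)."""
    n = len(alice_sifted)
    sample_idx = set(rng.sample(range(n), int(n * sample_fraction)))
    errors = sum(1 for i in sample_idx if alice_sifted[i] != bob_sifted[i])
    qber = errors / len(sample_idx) if sample_idx else 0.0
    rest_a = [b for i, b in enumerate(alice_sifted) if i not in sample_idx]
    rest_b = [b for i, b in enumerate(bob_sifted) if i not in sample_idx]
    return qber, rest_a, rest_b


# Constructed abort threshold for this toy (real protocols derive theirs
# from a security proof). Intercept-and-resend pushes the rate to ~25%.
QBER_ABORT_THRESHOLD = 0.11


def run_session(n_qubits, eavesdrop, seed):
    """One key-agreement session; the seed makes the run reproducible.
    Returns a dict with 'accepted', 'qber' and, if accepted, both keys."""
    rng = random.Random(seed)
    a, b = bb84_exchange(n_qubits, eavesdrop, rng)
    qber, key_a, key_b = estimate_qber(a, b, 0.5, rng)
    if qber > QBER_ABORT_THRESHOLD:
        return {"accepted": False, "qber": qber}  # abort: key is not trusted
    return {"accepted": True, "qber": qber, "key_a": key_a, "key_b": key_b}


def bits_to_bytes(bits):
    """Pack a list of 0/1 ints into bytes, dropping any trailing partial byte."""
    usable = len(bits) - len(bits) % 8
    return bytes(int("".join(str(b) for b in bits[i:i + 8]), 2)
                 for i in range(0, usable, 8))


def otp_xor(data, key_bits):
    """One-time pad: XOR with a key at least as long as the data. XOR is its
    own inverse, so the same call both encrypts and decrypts. The key must
    never be reused, which is exactly why key distribution is the hard part."""
    key = bits_to_bytes(key_bits)
    if len(key) < len(data):
        raise ValueError("one-time pad key must be at least as long as the data")
    return bytes(m ^ k for m, k in zip(data, key))


if __name__ == "__main__":
    clean = run_session(4096, eavesdrop=False, seed=1)
    ct = otp_xor(b"nuclear football", clean["key_a"])  # constructed message
    print("no attacker: qber=%.3f accepted=%s roundtrip=%s"
          % (clean["qber"], clean["accepted"],
             otp_xor(ct, clean["key_b"]) == b"nuclear football"))
    tapped = run_session(4096, eavesdrop=True, seed=1)
    print("intercept-resend: qber=%.3f accepted=%s"
          % (tapped["qber"], tapped["accepted"]))
```

Two things the simulation makes visible that the prose does not. First, the eavesdropper is not stopped from touching the channel; she is caught afterwards, because the sampled error rate jumps from zero to roughly a quarter and the session aborts before any key is used. Second, everything the code trusts sits at the two endpoints: the `rng` object stands in for each party’s random number generator and measurement hardware, and nothing in the protocol lets one side verify the other’s. That is the gap the cryptographer quoted later in the article points at when asking how one audits the independence of the random number generator.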
Arqit solves this problem by using satellites to distribute the keys to terrestrial receivers, a process which extends the transmissibility of the codes by many hundreds of kilometres. It also claims to have found a way to branch off that security and offer it as a service to mass-market telecoms providers, ensuring everyone’s personal computers and mobiles can benefit from QKD.
Arqit, however, is not the only venture to claim to have solved QKD using satellites. In 2016, China launched a quantum communications satellite known as Micius, which was also set to transmit encrypted keys from space.
Xinhua reported at the time that the satellite was “designed to distribute keys between relay stations on two different continents using high-speed coherent lasers” and that “as a quantum photon cannot be separated or duplicated, it becomes ‘impossible to wiretap, intercept or crack the information transmitted through it.’”
But Williams claims Arqit, which fetched a $1.4bn valuation on Nasdaq in early May via a merger with a Spac, is far ahead of the Chinese effort. He says Micius, unlike Arqit, has not yet solved the “global versus trustless” conundrum, which allows for the quantum encryption to be distributed beyond its end point on the ground.
Solving this means the technology can be applied not just to direct communications but much more broadly, including to protect new blockchain-based financial systems from quantum attack.
“Our customer announcement will be about a central bank digital currency, which we think is the best legitimate regulated use of blockchain technology, but only works if it is quantum safe,” he told FT Alphaville.
The idea central banks may be inclined to draw on quantum properties to secure their currencies is certainly intriguing. One of the big challenges facing CBDC issuance, after all, is how they will be able to maintain users’ privacy while simultaneously complying with their own Know-Your-Customer and Anti-Money-Laundering rules, which require active supervision and monitoring of all transactions.
As it stands the two requirements are paradoxical. From a user’s perspective, siding more firmly with one or the other requirement also risks alienating users either way, whether that’s on privacy grounds or on stability and risk grounds. In that context, being able to say “we’ve solved this impossible problem with quantum” seems an awfully convenient thing to be able to promote.
Such assurances, however, are unlikely to satisfy the eternally distrustful crypto community. One high-level cryptographer source told FT Alphaville that even if QKD has been achieved at scale, it doesn’t mean the wider system is necessarily unhackable. If the attacker controls the endpoint in a QKD pair, they said, it is possible they could see the key being generated and that would then give them access.
“That’s how governments will backdoor it,” they noted. “They will be using a keyed random number generator, so the question is: how do you audit the independence of the random number generator? And the answer is you can’t.”
For now at least we guess that means the paranoia in the sector is unlikely to be abated.