Why do we need quantum-resistant encryption?

This next edition of our Quantum Series, which highlights the key issues in the developing world of quantum computing, focuses in on quantum-proof encryption.

Earlier this year, the White House released a memorandum which laid out a goal for government departments to adopt quantum-resistant encryption to mitigate risks associated with the technology by 2035. Other regions also have similar initiatives on their agenda; the EU has a plan for the standardisation of quantum technologies, Canada has produced a quantum readiness strategy, and countries like China and Japan have started investing heavily in the technology.

Quantum strategy is clearly important to these governments, but because use of the technology is still not mainstream and is not yet capable of breaking public encryption methods, questions have been raised regarding why this has to happen now. Additionally, countries that have quantum recommendations in place, do not include advice for the financial services industry and where they should be positioning themselves.

Finextra spoke to experts on their view of why quantum-resistant encryption is important at this stage, and the role the technology can play in financial services.

Is quantum-resistant encryption needed now?

Quantum computing is certainly a sector with growth potential, but we are still a few years away from the technology being commonly used. This has raised questions around why quantum-resistant encryption is required today, to pre-empt the threat.

I spoke with Zygmunt Lozinski, Quantum Safe Networks at IBM Research, who said that in our current system, secure communication can happen through public and private key encryption, which are different, and therefore secure. This is a model the industry has been using for many years, but Lozinski argues that unfortunately, “a quantum computer breaks that model.”

Paddy McGuinness, former UK National Cyber Security Programme lead and Deputy National Security Adviser, further explained that: “Quantum computers represent a real and significant threat to existing encryption technology. They have the potential to break many of the encryption schemes currently in use because they can perform certain types of calculations much faster than classical computers. This is primarily due to two quantum algorithms: Shor's algorithm and Grover's algorithm. It's important to note that not all encryption algorithms are equally vulnerable to quantum attacks.”

Lozinski also mentioned that these risks around quantum encryption have been worked on by cryptographers since the late 1990s, who have been trying to come up with a system which is safe for both quantum computers and traditional computers, at the same time.

McGuinness added: “It's crucial to create a quantum-proof encryption strategy to protect sensitive data. Ensuring secure and robust encryption is deployed today before quantum computing becomes widespread is vital for maintaining privacy and security.”

The main concern here is security and privacy. Many conversations happen over encrypted networks and important information is transferred in this way. There are datasets that exist now and will hold importance in the future, and those sets are currently under standard encryption, which could be broken in the future. While this is a very future looking perspective, it is one that may become important before we realise.

What does quantum encryption look like?

Many countries are using different standards for their quantum-resistant encryption, but there are still some common themes such as using quantum-resistant algorithms, updating existing systems, ensuring interoperability, developing secure key distribution protocols, testing algorithms, and training professionals.

McGuinness pointed to two quantum cryptographic approaches that are being taken: “Some post-quantum cryptographic algorithms are being developed to withstand quantum attacks, including lattice-based cryptography, code-based cryptography, and hash-based cryptography.”

McGuinness also offered nine considerations:

• The ability to understand in detail and in real-time the nature of cryptography and encryption being used by an organisation. Only then will there be visibility to enact change and migration to the required future state
• Switching to quantum-resistant algorithms like lattice-based cryptography.
• Implementing Quantum Key Distribution (QKD) for secure key exchange.
• Updating software and hardware to support new algorithms.
• Ensuring interoperability with existing systems.
• Regular testing to confirm quantum-resistance.
• Ongoing monitoring and updates based on the latest research.
• Training IT professionals in quantum-safe practices.
• Managing higher initial costs for new technology.

He also said that: “As quantum computing evolves, more nations are likely to adopt quantum-safe standards.”

Lozinski added that if they have “personally identifiable information that’s based on public key encryption, you're going to need to update that re-encrypt the data.” He further added that it is likely that financial institutions will prioritise aspects like interbank security before moving to issues like card payments.

The laws and developments show that the fears around quantum-resistant encryption are real, and we are nearing a reality where security measures could be broken in coming years. Regulations are focusing on the securing of data and privacy, but how can banks and the financial services industry take this on board, and is it even possible for them to make changes at this point?

Can financial institutions keep up with quantum-resistant encryption?

Many governments are not looking at these recommendations from a financial services perspective at this point, but that does not mean that the financial service industry should not be taking these developments seriously.

The Canadian government has placed specific emphasis on the role of financial services within their research into quantum readiness. However, it is likely that as all governments' plans around quantum develop, the financial sector will be looking to them for guidance on how to protect their datasets.

McGuinness argued: “Whether financial institutions can keep up with quantum-proofing regulations depends on factors like the speed of quantum computing development, costs, product maturity, and expertise. However, there is a duty of care and a responsibility to both end-users and shareholders to ensure that appropriate measures are taken to protect the institution and its stakeholders from threats to encryption.”

McGuiness laid out further recommendations for the financial services industries:

• Stay updated on quantum computing developments.
• Work with governments, regulators, and industry peers to find solutions.
• Assess their quantum-related risk exposure.
• Create a quantum-proofing plan with a timeline and budget.
• Test quantum-safe products before adoption.
• Collaborate with expert vendors for implementation.

McGuinness added: “It will be a seismic undertaking for global enterprises to keep up with ever-changing regulations as encryption is ubiquitous today across systems within financial institutions. There will be significant opportunities for consulting firms to help these organisations prepare and keep pace with change.”

The uncertain timeline around quantum computing only makes preparation even more essential. Lozinski estimates it may be five to 10 years, which is a common estimate, but other experts are saying it could be sooner or longer. It is imperative that the protections are in place before quantum becomes a daily reality. Not securing databases could result in bad actors taking advantage of weaknesses in dangerous ways, which leaves financial institutions and customers extremely vulnerable.