The Quantum Threat to Cyber Security

anada’s cyber security strategy, National Cyber Security Strategy: Canada’s Vision for Security and Prosperity in the Digital Age (June 2018), stresses the need to prepare for increasingly sophisticated threats to the cyber systems that our critical infrastructure and democratic institutions rely on. The strategy commits the government — in this context, its cyber security efforts — to “focus on emerging areas of Canadian excellence, such as quantum computing” (Public Safety Canada 2018, 24).  

Many people have heard of quantum computing, know that it’s coming and are aware that it will bring an almost unimaginable speed-up in the ability of computers to perform many kinds of calculations. This will allow wonderful advances in, for example, our ability to discover new materials and design new life-saving drugs. Unfortunately, powerful quantum computers will also enable the hacking of today’s “unbreakable” encryption in minutes.  

As things stand, the encryption that underpins the security of society’s critical infrastructure is at serious risk of being undermined by quantum computers within the next eight to 15 years. This is the “quantum threat” — that Canada’s national security and economic prosperity will be jeopardized as government, communications, transportation, banking, energy and other critical systems become vulnerable to hostile actions because our cryptography is no longer strong enough to protect us. Even now, bad actors are able to copy and store encrypted data until a quantum computer is available to decrypt it.

This essay outlines how achieving a quantum-safe Canada is a natural cornerstone of a national strategy to protect Canadians and the economy from cyber attacks while also reaping the economic benefits of those efforts.

There is growing recognition of the need for society to prepare for increasingly sophisticated threats to the cyber systems that our critical infrastructure and democratic institutions rely on. Doing so will require substantial investments in cyber security tools, services and skills, including those necessary to address the quantum threat.  

At the same time, cyber security is not only a means of protection but also an important source of innovation that will help ensure competitiveness. There are calls for governments to focus efforts on supporting emerging areas of local, regional or national excellence. In Canada, these areas clearly include quantum computing.  

Canada must respond proactively to the quantum threat and implement the elements that will enable an orderly and timely transition to cryptography that is designed to resist quantum attacks (i.e., “quantum-safe” cryptography). Otherwise, our security and economic prosperity will be jeopardized as government and other critical infrastructure systems become vulnerable to hostile actions because of weak cryptography.  

The most common forms of cryptography — those used in widely deployed “public-key infrastructure” (PKI)¹  — happen to be based on mathematical problems that are the most vulnerable to ready solution by a full quantum computer. This is a source of great concern, as PKI applications have universal importance by providing assurances such as key agreement (so that only the intended parties have access to a specific communication or transaction) and authentication (so that each party to a transaction knows that the other parties are who they say they are and that messages are legitimate). Without such assurances, there will be no trust and few transactions online, whether they involve humans or the devices that make up the Internet of Things.  

The challenge is that a replacement suite of mature, tested quantum-safe cryptographic algorithms are not yet available. Nor are the tools based on them. Nor are the cyber security experts with quantum-safe skills who will use the tools to diagnose and fix each system separately. Without a strong impetus to focus efforts on a long-term campaign to meet the quantum threat, Canada will lose ground as vulnerabilities are exploited and the potential for global leadership is undermined. 

An effective response to the quantum threat will necessarily involve a range of stakeholders working together to identify opportunities to translate cutting-edge research into innovative quantum-safe products. An infusion of targeted financial support for infrastructure and personnel is needed to accelerate work on the discovery, testing and deployment of quantum-safe solutions in two areas: post-quantum cryptography and quantum key distribution.  

Post-Quantum Cryptography
Quantum readiness demands that new quantum-safe algorithms and cryptographic tools be discovered and developed to replace those now in place. In 2016, the US National Institute for Standards and Technology (NIST) began a multi-year project to identify a standardized suite of viable quantum-resistant cryptographic systems by 2024. The announcement of NIST standards for post-quantum cryptography is expected to result in a retooling of the information and communications technology infrastructure worldwide.  

Canadian researchers are active in the NIST effort and have contributed a number of the systems now under consideration. It will be to Canada’s long-term economic advantage if its researchers participate centrally at every stage of the NIST process and beyond, so their efforts should be encouraged and supported. Canada’s researchers and technologists are also at the forefront in developing software and services for post-quantum cryptography, including open-source software, commercial software and professional services. In response to advances in quantum computing, researchers will need to continue their work as successive generations of increasingly efficient and effective quantum-safe cryptography are deployed.

Quantum Key Distribution
The goal in quantum key distribution (QKD) initiatives is a scalable, tamper-proof tool for the important key-agreement mechanisms that protect digital transactions. The properties of quantum physics enable two parties to exchange signals that cannot be viewed, copied or tampered with by any third party without being detected immediately. This fundamental ability to detect an eavesdropper can be leveraged to achieve key agreement through untrusted communication channels. Since QKD does not rely on assumptions about the computational difficulty of mathematical problems, the keys cannot be mathematically cryptanalyzed (i.e., broken). This eliminates the risk of an unexpected mathematical advance leading to the systemic compromise of critical infrastructures, or the decryption of past messages that were protected with quantum-vulnerable keys. Research and development related to practical QKD requires substantial investment in essential physical components — such as satellites and ground stations — as well as software, related applications and skilled personnel. 

There is a clear need for QKD to be integrated into a real-world network in three to five years. This would enable the testing of QKD with a national satellite-based network linking individual collaboration centres. Preliminary work is already under way at universities across Canada. Not only are some of the critical physical elements in place, but leading researchers have also already coalesced and can mobilize quickly.  

These researchers will continue innovating to make QKD more effective and less expensive. Fully reaping the benefits for Canada and Canadians requires additional targeted financial investments to accelerate this work and integrate it into a broader effort to address the impending threat. This would likely first entail the completion of several collaboration centres on separate networks in cities across Canada, the most likely being:

• Calgary (near energy sector, to be enhanced);
• Waterloo/Toronto (near financial sector and government, to be developed);
• Ottawa (near government, to be completed); and
• Montreal (for example, tied to aerospace or the artificial intelligence sector, to be developed).  

The separate networks would subsequently be integrated into a single functioning Canadian QKD network, which may eventually be linked into a global QKD network. 

The National Cyber Security Strategy recognizes the need to expand Canada’s capacity to undertake the requisite research and commercialization activities. Significant steps must be taken to strengthen Canada’s skills base, without which the desired facets of cyber security — protection and economic development — cannot be achieved. 

Programs and courses offering professional training will need to be established if Canada is to have the necessary cadre of cyber security experts with superior quantum-safe skills. These experts would perform tasks such as cyber risk assessment and systems integration to ensure that the appropriate quantum-safe solutions have been properly installed and integrated into complex legacy systems.  

Development of a large pool of systems integrators and cyber security professionals with strong quantum-safe skills will take several years. A number of Canadian post-secondary institutions have indicated interest in augmenting their cyber security programs with courses focusing on the migration to post-quantum cryptography. Ideally, they will collaborate on a standard quantum-safe module for incorporation into existing cyber security programs.  

In addition, possibilities around outreach to industry should be explored. There is likely to be an appetite for training courses to familiarize technical staff with quantum-safe technologies and how best to work with external quantum-safe experts. There will also be a need for certification schemes to allow the quality of the training and the expertise of the trainees to be evaluated on an ongoing basis.

While education is a provincial responsibility, there is a need for the federal government to play strategic and funding roles to ensure that the provinces and territories, and the agencies and regulatory bodies they control, move with a sense of urgency.  

Governments have access to numerous policy powers that may be useful in encouraging and even ensuring that digitally enabled infrastructure — such as smart roads, smart bridges and smart cities — is designed, built and installed to be quantum-safe. These levers include approval, planning, procurement and funding powers, none of which need to be costly.  

A simple example would be a federal policy that any proposal for federal support for an infrastructure project must be accompanied by a cyber security strategy. This would necessarily include a quantum-safe strategy for infrastructure expected to be in service for decades.

As noted above, the National Cyber Security Strategy stresses the need to prepare for increasingly sophisticated threats to Canada’s cyber systems. At the same time, it points out that cyber security is not just a means of protection but also an important source of innovation that will help ensure Canada’s competitiveness. Both sides of the coin are in play when it comes to the quantum threat.  

Working in our favour is the fact that Canada is in the vanguard globally in both cryptography and quantum information science, and strong in cyber security applications and services. There is a significant history of collaboration among these realms, so Canada should be able to get its house in order ahead of other countries and then export its quantum-safe products and expertise abroad. Taking advantage of this opportunity would enhance both Canada’s national security and its economic prospects.

Implementation of the key elements discussed above will enable Canada to take advantage of the opportunities for innovation, prosperity and competitiveness that are inherent in moving quickly to address the quantum threat. A number of complementary actions should also be taken in support of the core elements:

• Name an advisory committee of top scientists in cryptography and cyber security to provide expert advice on research priorities and parameters for projects and proposals.  
• Identify the technical expertise needed to monitor relevant international standards development work and participate as necessary.  
• Identify the program management expertise needed to advance innovation and commercialization activities, the market research exercises needed to quantify the national and global requirements for quantum-safe expertise, and the necessary export-development initiatives related to quantum-safe technology, expertise and training.

A version of this essay was first delivered to the Standing Committee on Public Safety and National Security on February 22, 2019.