New firm launches to provide the Easy Button for implementing quantum secure encryption
The pressure to implement quantum secure encryption is increasing. This isn’t because functioning quantum computers able to crack asymmetric encryption are expected tomorrow, but because of the growing belief they could become available in five or ten years’ time.
Communications are being stolen by adversaries today, containing secrets with a shelf-life of decades, under the ‘harvest now, decrypt later’ principle. These communications need to be protected against future quantum decryption now.
On April 18, 2022, Khanna, Connolly and Mace introduced the bipartisan Quantum Computing Cybersecurity Preparedness Act. The introduction states, “To protect our country’s data, critical government systems must be secured with algorithms and encryption so difficult to crack that even a future quantum computer won’t be able to break the code. This can be done through post-quantum cryptography.”
On May 4, 2022, the White House issued a memorandum with the dual purpose of promoting quantum research and development, and implementing quantum-proof encryption. Talking about ‘a cryptanalytically relevant quantum computer (CRQC)’, it warns, “When it becomes available, a CRQC could jeopardize civilian and military communications, undermine supervisory and control systems for critical infrastructure, and defeat security protocols for most Internet-based financial transactions.”
NIST has been running a competition to develop new standard encryptions for the quantum age – in much the same way its work led to the development of AES for the classical computer age. The new cryptography, however, must be able to replace the asymmetric cryptography used in communications.
The process started in 2017, and the result was originally intended for 2026. The number of entrants has been successively reduced to just a few finalists. This month, NIST said that its final choices will be announced imminently.
However, having post-quantum encryption available is a separate problem to implementing the new encryption across entire existing infrastructures. QuSecure has been launched with a system designed to provide an ‘easy button’ for the infrastructure-wide rapid implementation of NIST recognized quantum resilient encryption.
Current state of quantum
We should consider the current state of quantum computer development to understand the extent of the quantum threat to cybersecurity. SecurityWeek spoke to Skip Sanzeri, co-founder and COO at QuSecure.
“Everywhere I go,” he said, “people ask me, ‘how many qubits does it take to crack RSA using Shor’s algorithm?’ Well, it’s two times the key size plus three, so two n plus three.” In short, that’s around 4,100 qubits. You could increase the required number of qubits by simply doubling the size of the RSA key, but that would increase latency for classical computers which would struggle with the necessary processing, and would still not be a long-term solution.
The requirement for 4,100 qubits may seem reassuring given that Google announced the success of its Quantum Supremacy project in Fall 2019 using a computer with just 54 qubits. However, in May 2022 IBM announced it expects to have a quantum computer of 4,000 qubits, partially error-corrected, by 2025. (Qubits are inherently unstable and currently require around 1,000 physical error-correcting qubits for every logical processing qubit. This is expected to come down dramatically as error-correction algorithms improve; and it seems likely that IBM has or is expecting to succeed at least somewhat in this requirement.)
It is also worth noting that the US Endless Frontier Act is expected to be signed by President Biden at any time. This will provide $100 billion over the next five years for quantum development. But China is already spending at least a similar amount. The quantum era is approaching fast and could be here within 5 to 20 years.
When this happens, asymmetric encryption will be the first to fall. That means that all sensitive data already collected by adversaries will be readable. And it puts under threat every currently secure communication we use: emails, online commerce, blockchains, certificates, IoT connections, remote workers, web browsing, internal network processes and more.
As these computers get more powerful, which they will, all bets are off. “To give you a quick analogy,” said Sanzeri, “2 to the 300s, which is just 300 qubits, encompasses a number larger than all of the atoms in the known universe.” Now consider the processing power of 10,000 qubits (2 to the 10,000s) and more. It is impossible to predict the full capabilities of large-scale quantum computing – but we can be certain the power will be used for both beneficial and nefarious purposes.
QuSecure’s QuProtect product is designed to solve the quantum resilient encryption implementation problem right now. It provides end-to-end quantum resilient communications, with the addition of zero trust protection at each end. It is software based and suffers none of the scalability problems encountered with hardware solutions, such as quantum key distribution (QKD) over dark fiber cables.
The secret sauce is a method of applying quantum resilience to the communications without requiring agents on each node. Because of the complexity of corporate infrastructures, it comes with orchestration. “If you’re going quantum resilient, you want it across everything,” said Sanzeri. “So, we have a policy manager and orchestration that allows someone to put post quantum resilience across the enterprise.”
The product is compliant with standards and backward compatible. “No one is going to upgrade everything at once,” he said. “You’re first going to start with one part of the network – but you still need to talk to TLS. So, we created a layer that translates back and forth between quantum resilience and TLS.”
Compliance with quantum resilient encryption standards has been achieved even though the standards have not yet been announced by NIST. Sanzeri doesn’t expect these standards to be static. “They’re going to get changed out again, they’re going to find issues with them or change them – but it doesn’t matter. We’ve baked all the finalists into our solution.”
QuSecure, based in Silicon Valley, was founded in 2019 by Dave Krauthamer (CEO), Konstantin Vilk, Rebecca Krauthamer (CPO), and Skip Sanzeri (COO, CMO, and CFO). It currently has just over 50 employees from around the US. It grew up during the Covid era and was able to take advantage of remote working to hire the best people from anywhere.
The company has gathered top level staff and advisors – from Pete Ford (SVP of federal operations, but formerly a director at Raytheon and an employee at the Lawrence Livermore National Laboratory) to Laura Thomas (advisor, VP of corporate strategy at ColdQuanta and a former CIA station chief) and Rear Adm. Mike Brown (advisor, formerly Director, Cybersecurity Coordination at the DHS).