Cambridge Quantum (CQ) today unveiled Quantum Origin, a cloud-based service that uses a quantum computer to generate stronger cryptographic keys at a lower cost than a classical computer.
CQ is a wholly owned subsidiary of Quantinuum, which was formed from the merger of Honeywell Quantum Solutions (HQS) and Cambridge Quantum (CQ), bringing together two entities that previously focused separately on quantum computing hardware and software.
Duncan Jones, head of cybersecurity at CQ, said Quantum Origin is the first commercial service based on a quantum computer that can’t be replicated using traditional classical computers. The service makes it possible to create a long string of random numbers that are less predictable via a call to an application programming interface (API), said Jones.
Existing approaches to generating random numbers using the RSA or AES encryption specifications have been found to be more predictable than initially thought, noted Jones. Quantum computers make it possible to create cryptographic keys based on a more random set of numbers that are more difficult to crack at a fraction of the cost of an existing service, he added.
IT organizations can employ Quantum Origin to generate cryptographic keys that adhere to existing encryption standards or they can use it to create keys that can’t be cracked by another quantum computer, said Jones.
The Quantum-Safe Security (QSS) working group of the Cloud Security Alliance (CSA) recently advised organizations to determine now which encryption schemes they will need to replace once the National Institute of Standards and Technology (NIST) next year formally endorses standards that are more resistant to being cracked by quantum computers.
While quantum computers are not yet powerful enough to crack existing schemes, it is a question of when, rather than if, that will be achievable. One or more nation-states that are investing in quantum computers could theoretically begin cracking those schemes within the next few years. In fact, the CSA warned that many nation-states may already be aggregating encrypted data that they can’t decipher in anticipation of having that capability in the future.
There are basically two types of encryption widely used today. Symmetric cryptography uses the same key to encrypt and decrypt data within a platform or application. Because symmetric key strength is doubled by every bit added, the CSA is advising organizations that employ these tools to double the size of the symmetric keys they use, with a baseline of 256 bits or longer. A quantum computer is also expected to be able to employ Grover’s algorithm to weaken the protective strength of existing symmetric keys by half. Also known as the quantum search algorithm, Grover’s algorithm performs an unstructured search that determines, with high probability, the unique input to a black box function that produces a particular output value.
The threat to asymmetric cryptography is more serious. Asymmetric cryptography uses two mathematically related keys that form a pair. It is used for both encryption and digital signatures. The most widely used form of asymmetric cryptography is the public key infrastructure (PKI) platform employed by certificate authority (CA) services to issue digital certificates. Asymmetric algorithms are also employed by HTTPS to secure website communications, digital signatures, Wi-Fi networks, smartcards, hardware authentication tokens, banking networks, cryptocurrencies and most virtual private networks (VPNs). The asymmetric keys are typically used to securely transport the symmetric keys that actually encrypt data between source and destination. Many applications using symmetric encryption may still be susceptible to quantum computers if they employ asymmetric cryptography or digital signatures as part of this process. Most asymmetric schemes will need to be replaced with quantum-resistant cryptography when NIST defines a new set of standards.
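The following Python example, added here and not part of the article or of any CSA or CQ tooling, applies the two rules above to a crypto inventory: symmetric key strength is halved under Grover's algorithm and measured against the 256-bit baseline, and any asymmetric key transport or signature marks a system for replacement even when its bulk cipher is strong. The inventory format, the system names and the algorithm family labels are assumptions made for this example.

```python
from __future__ import annotations
from dataclasses import dataclass

ASYMMETRIC = {"RSA", "DH", "ECDH", "ECDSA", "DSA"}  # illustrative family labels (assumption)
BASELINE_BITS = 256                                  # CSA symmetric minimum cited above

# Constructed inventory: system, key establishment, signature, bulk cipher ("-" = none)
INVENTORY = """\
web-frontend,ECDH-256,RSA-2048,AES-128
backup-vault,RSA-3072,-,AES-256
disk-encryption,-,-,AES-256
legacy-link,-,-,AES-128
"""

@dataclass
class Finding:
    system: str
    effective_symmetric_bits: int     # key bits halved, per Grover's algorithm
    double_symmetric_key: bool        # key is below the 256-bit baseline
    asymmetric_to_replace: list[str]  # schemes awaiting quantum-resistant standards

    @property
    def quantum_exposed(self) -> bool:
        return self.double_symmetric_key or bool(self.asymmetric_to_replace)

def family(alg: str) -> str:
    """'RSA-2048' -> 'RSA'."""
    return alg.split("-", 1)[0].upper()

def assess(line: str) -> Finding:
    system, kex, sig, cipher = (field.strip() for field in line.split(","))
    bits = int(cipher.rsplit("-", 1)[1])
    # A strong bulk cipher does not help if its key travels under an asymmetric scheme.
    asym = [a for a in (kex, sig) if a != "-" and family(a) in ASYMMETRIC]
    return Finding(system, bits // 2, bits < BASELINE_BITS, asym)

def triage(text: str) -> list[Finding]:
    findings = [assess(line) for line in text.splitlines() if line.strip()]
    # Asymmetric exposure first (the more serious threat), then short symmetric keys.
    return sorted(findings, key=lambda f: (-len(f.asymmetric_to_replace),
                                           not f.double_symmetric_key))

if __name__ == "__main__":
    for finding in triage(INVENTORY):
        print(finding, "exposed" if finding.quantum_exposed else "ok")
```
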
It’s not clear to what degree organizations will, in effect, become dependent on quantum computing services, such as Quantum Origin, to defend their secrets from other quantum computers. However, it is clear that the threat quantum computers represent to cybersecurity is becoming more real with each passing day.