As quantum computing advances, experts work to develop encryption methods that can withstand future cyber threats and secure digital assets.Getty Images
Advancements in quantum computing promise to solve problems too complex for today’s systems. The technology also threatens the underlying architecture for sharing and protecting online data.
According to a KPMG survey, 60 per cent of large corporations in Canada believe it’s only a matter of time before cybercriminals use the power of quantum to decrypt and disrupt current cybersecurity protocols. These concerns are fuelling quantum-safe cryptography, a form of cybersecurity that math experts say may be too difficult even for quantum computers to solve.
Mattia Montagna, CEO of Quantum Bridge Technologies – a Toronto-based software company developing quantum-safe decryption – says harvest-now, decrypt-later (HNDL) attacks, where cybercriminals collect data now for future exploitation, poses a clear threat to encrypted data.
“We know that the tools will come in the future to break the cryptography,” Mr. Montagna says.
Quantum computing differs from current computing in how information is exchanged. Rather than “bits,” a single piece of information which can be expressed as either on or off to help create codes of information, quantum computers use “qubits,” which use the principles of quantum mechanics to exist in multiple states at once (for example: open and closed). With qubits, quantum computers can deliver information and solve problems faster than today’s computers. Based on conversations with tech executives, investors and academics, McKinsey predicted that we’ll see our first fault-tolerant quantum computer by 2035.
Industry and policy makers are responding. Canada’s National Quantum Strategy has prioritized developing a secure quantum communications network and a postquantum cryptography (PQC) initiative.
On the private-sector side, organizations are also making changes, Mr. Montagna says. “[A network] costs millions, maybe hundreds of millions of dollars, and takes years to build, so you probably want to keep it in place for five to 10 years. You enter into the overlap periods where you need to be quantum-safe.”
Mr. Montagna says it’s on the radars of some businesses as they build future architecture.
Lisa Lambert, CEO of Quantum Industry Canada – a non-profit consortium committed to advancing Canada’s quantum technology sector – says the nature of the quantum threat also depends on the relevance and sensitivity of data organizations collect. Ms. Lambert says for the government and banking system, transitioning to PQC is non-negotiable for critical infrastructure.
“We’re waiting for a new update [on transition timelines] from Canada right now,” she says, adding that we’re likely mirroring the U.S. approach. The U.S. Department of Commerce’s National Institute of Standards and Technology (NIST) in August, 2024, finalized its principal set of encryption algorithms designed to withstand quantum cyberattacks.
“With cybersecurity, you don’t necessarily always have a market driver in putting that forward … it’s more of a cost than a money maker,” Ms. Lambert says. “Having that government direction around this is really important [for] businesses to come in.”
Zoom, Apple and Signal Messenger have all been early adopters of PQC. But it’s early days for warding off the quantum threat.
Quantum Bridge Technologies has developed a protocol called Distributed Symmetric Key Establishment (DSKE) to automate the creation and distribution of symmetric keys – a system that uses the same key to encrypt and decrypt information – without relying on computational complexity or asymmetric encryption.
“Then we have a PQC solution as well in our system, [which gives you] agility,” Mr. Montagna says.
This solution is a central point where users can change or upgrade their cryptography on the fly, moving from DSKE to PQC encryptions as needed or combining them for added security. It’s almost like having 10 different locks on your door – one’s biometric, one’s an old-school skeleton key, one’s a riddle, and so on. They’re all continually generated so they can’t be memorized.
Michele Mosca, CEO and co-founder of evolutionQ, a quantum-safe cybersecurity company, has been working on the challenges of postquantum cryptography since 1996. Like Mr. Montagna, Mr. Mosca says the current solution lies in cryptographic diversity – a series of complementary approaches to protect critical digital platforms and assets. “So that if there is an unexpected advance due to quantum or AI or something else, it’s not a catastrophic event, it’s just a problem we have to deal with,” Mr. Mosca says.
He points to the public-key method of cryptography, also known as asymmetric cryptography. It uses a pair of keys – one public, one private – generated by a cryptographic algorithm. Public-key cryptography requires the private key to remain secret. Then there’s the symmetric keys method, where the key is shared manually between two parties via secure USB key or something similar.
“There’s a number of us, including me and my company and others around the world saying, ‘Okay, how can we use those old-school methods [with] 21st-century know-how [to] provide additional resilience?’” Mr. Mosca asks.
Quantum computing also promises solutions. With Quantum Key Distribution (QKD), keys can be distributed through an optical wire and photons with some quantum mechanical properties. QKD is already in use. But the industry is still in its early days even as the quantum threat rapidly approaches.
“The idea that you could have a major algorithmic advance break all of your algorithmic methods is not speculative … it has happened,” Mr. Mosca says. “Let’s not hide under a rock, [let’s] prepare and then boldly move forward and leverage quantum and AI and anything else that comes along.”