What is the quantum threat and what has simple maths got to do with protecting global security?

There may come a day known as Q-Day, which will shatter global security as we know it.

It could be in a few years from now, or in 10 years or more. But scientists, mathematicians, and governments are not waiting idly by for the quantum threat to happen.

Q-Day is when a quantum computer so powerful is built, it could break the public encryption systems that protect our online conversations, bank accounts, and most vital infrastructure, wreaking havoc on governments and businesses.

How this digital doomsday would happen comes down to simple maths.

How it started

Since the beginning of the Internet, cryptography has protected our online data and conversations by hiding or coding information that only the person receiving the message can read on traditional computers.

In the 1970s, mathematicians built encryption methods that consisted of numbers hundreds of digits long. The difficulty of mathematical problems was such that it could take at hundreds of years to solve if using the right parameter size and numbers.

To break the encryption, the numbers need to be split into their prime factors, but this could take hundreds if not thousands of years with traditional computers.

The threat of codes being cracked was therefore not a big worry.

That was until 1994 when the American mathematician Peter Shor showed how it could be done with an algorithm using a then hypothetical quantum computer that could split large numbers into their factors much quicker than a traditional computer.

The rise of quantum

The quantum threat was still not a significant concern back then but it started to become an issue four years later when the first quantum computer was built.

Though that quantum computer – and those currently being built – are still not powerful enough to use Shor’s algorithm to decrypt the numbers, in 2015, intelligence agencies determined that the advancement in quantum computing is happening at such a speed that it poses a threat to cyber security.

At the moment, qubits, the processing units of quantum computers, are not stable for long enough to decrypt large amounts of data.

But tech companies such as IBM and Google have slowly but steadily started making progress in building machines strong enough to deliver the benefits of quantum, which include pharmaceutical research, subatomic physics, and logistics.

“It’s a matter of time and it’s a matter of how long does it take until we have a large quantum computer to go,” Dr Jan Goetz, CEO and co-founder of IQM Quantum Computers, a start-up that builds quantum computers, told Euronews Next.

If it takes 30 years to build a strong enough computer, there would be less reason to panic as most of the encrypted data might no longer be relevant.

But “if someone comes up with a very clever idea and can already, do the code-breaking in 3 to 5 years, the whole situation also looks different,” Goetz said.

Who should be worried?

Individuals should not be concerned by Q-Day as there are probably few people who have data that is very sensitive and will still be relevant in years to come.

Goetz said once the new technology comes, encryption codes will be updated on all computers and phones and “you should not be too concerned about this because the industry will take care of this”.

If it takes 30 years to build a strong enough computer, there would be less reason to panic as most of the encrypted data might no longer be relevant. Canva

But governments, organisations, and businesses should be concerned by the quantum threat.

There is a concept called “store now, decrypt later”. It means someone could be storing the data and waiting for a quantum computer strong enough to come along and decrypt it.

“Governments in particular are harvesting data from the Internet,” said Dr Ali El Kaafarani, founder and CEO of quantum-safe cryptography company PQShield.

“They are storing data that they can’t access or read at the moment, but they can keep them there until the cryptography layer becomes weaker until they know of a way to attack it and then they break it and they read those communications,” he told Euronews Next.

A post-quantum cryptography world

Governments are not standing by for that to happen and the cryptographic community are building encryption methods that can withstand the quantum threat, known as post-quantum cryptography (PQC).

This year, sometime between May and June, the final standardisation of PQC will be released by the US National Institute of Standards and Technology.

This will be a game-changer as it will be on the market for all industries.

The US legislation has mandated that the timeline to change to PQC will be from 2025 until 2033, by which time the cyber secure supply chain will have to have transitioned to using PQC by default.

In 2025, web browsers and software updates will have to become post-quantum secure by default if they are sold to the US, said El Kaafarani.

This is why some companies, such as Google Chrome and Cloudflare, have already started using PQC.

The US’s PQC standards are international standards, but every country has their own guidelines governments do collaborate.

The US, UK, French government, German, and Dutch governments, among others, have all weighed in and produced whitepapers and guidelines for the industry to push them to start the transition phase to post-quantum cryptography as they understand that it is a process that will take time.

“Governments take care of standardising the algorithms so that we all speak the same language,” said El Kaafarani, but it is the cryptographic community that comes up with the new encryption methods that are not vulnerable against quantum computers.

Most of the cryptographic standards are developed in Europe by European cryptographers, he added, whose UK-based company had four encryption methods selected to be in the US’s PQC standards.

Once developed, the encryption methods are ruthlessly scrutinised by the wider cryptographic community, governments, and everyone else who is interested in cracking the encryption methods.

“Some get broken along the way. And that’s the whole point of the process, is to root out the weak ones and keep them the strong ones,” said El Kaafarani.

But there is no perfect encryption method or security method that can ensure that everything will stay secure forever.

“Therefore cryptography is naturally an evolving field and that’s why we need to keep ahead and keep an eye on how things are evolving,” he said.