The future of encryption: Getting ready for the quantum computer attack

PQShield, a spin-out from the UK's Oxford University, is developing advanced cryptographic solutions for hardware, software and communications to protect businesses' data from the quantum threat.

The development of quantum computers poses a cybersecurity problem such as the IT industry has never seen before. All stored data currently deemed secure by modern standards – whether that's health records, financial data, customer databases or even critical government infrastructure – could, in theory, be cracked by quantum computers, which are capable of effectively short-circuiting the encryption we've used to protect that data until now.

Efforts to protect our data from the quantum threat are underway, though whether the issue is being looked at with the urgency it deserves is up for debate. PQShield, a post-quantum cryptography startup spun out of Oxford University, perceives a disconnect between the scale of the threat and the current cyber-readiness of most businesses in 2020, which it is now trying to address.

"The scale of the quantum attack is just too big to imagine," Dr. Ali Kaafarani, research fellow at Oxford's Mathematical Institute and founder of PQShield, tells TechRepublic.

"The most important part of what we're doing is to educate the market."

Kaafarani is a former engineer at Hewlett-Packard Labs and leads a team of 10 full-time quantum cryptographers, from what he estimates to be a worldwide pool of just a hundred or so. The company is busy working on the development of quantum-secure cryptography – encryption solutions for hardware, software and communications that will secure information from future risk, yet can be implemented using today's technology.

This comprises a system on chip (SoC) and software development kit that allow companies to create secure messaging applications, protected by a "post-quantum" variant of the Signal cryptographic protocol. Central to PQShield's technology is that it is designed to work with both legacy systems and those expected in the years to come, meaning it could offer protection for everything from keyless cars and other connected devices to data moving to and from cloud servers.

This, Kaafarani explains, matters because post-quantum cryptography cannot be applied retrospectively: data already encrypted under today's standards remains exposed to post-quantum threats. "What we're using right now as end-to-end encryption...is secure now, but people can intercept them and steal encrypted data," he says.

"Once they have access to a quantum computer, they can decrypt them, so confidentiality is threatened in retrospect, because whatever is considered confidential now can be decrypted later on."

Kaafarani also perceives an issue with current attitudes to remediating cyberattacks, which he likens to applying a band-aid to a recurring problem.

"That's why we started PQShield – to fill in this gap, to lead the way to a smooth and secure transition to the quantum era. There is a real opportunity here to get things right from the beginning."

The startup recently completed a £5.5m funding round led by VC firm Kindred Capital and has now secured German engineering company Bosch as its first OEM customer. While the exact details of the deal are still under wraps, Kaafarani says it is indicative of the threats businesses are beginning to identify as the age of quantum computing approaches.

"Their hardware may be built to last, but right now, their security isn't," he says.

"If you're designing a car that's going to go on the roads in the next three years, if you're doing security by design, you should be thinking of the next security standards: not the standards that are valid now, but the standards that will be valid in the next five, 10, 15 years," he says.

"Future-proofing is an imperative, just as it is for the banks and agencies that hold so much of our sensitive data."