At UK FinTech Week 2019, Secure Chorus brought to the stage a powerhouse of thought leaders in the field of post-quantum cryptography from UK government, industry and academia. The speakers discussed the quantum threats considered to be the next undefended frontier of cybersecurity and the significance of the problem for the finance industry.
Quantum-related technologies have the potential to massively disrupt the finance industry in algorithmic trading, fraud detection, encryption and transaction security. And yet, with these opportunities also come information security threats, as current encryption methods become simpler to break. Because organisations within the finance industry process and archive sensitive data over long time-frames (up to a decade or more), it is becoming clear that this industry needs to start upgrading all critical infrastructure to be quantum safe.
This was the theme of our recent Thought Leadership Platform addressing the finance industry at the UK FinTech Week 2019. Entitled “Quantum-Safe Finance: Preparing for the Storm”, the event was joined by government, industry and academic experts to discuss quantum threats for the financial sector. Speakers included experts from the UK National Cyber Security Centre (NCSC), ISARA Corporation, Post-Quantum and the Centre for Secure Information Technologies (CSIT).
The massive processing power that will be unlocked by quantum computers will make the public key cryptography we are using today vulnerable. This could bring on-line e-commerce and banking fraud to a systemic breach-type scenario. Blockchain-based technologies that rely on the Elliptic Curve Digital Signature Algorithm (ECDSA) would also not be ‘quantum safe’, exposing the burgeoning cryptocurrency markets to cyber risks.
The vision statement for our Thought Leadership Platform was to raise awareness on the need for greater cooperation between governments, industry and academia to develop successful quantum-safe initiatives.
The market has seen rising investment and excitement surrounding transformational opportunities created by quantum computing. However, the significant threat to our global information infrastructure posed by large-scale quantum computing has greatly overshadowed by it.
Our panel spoke about the design of quantum computers drawing upon very different scientific concepts from those used in today’s conventional or ‘classic’ computers. This could eventually enable them to factor large numbers relatively quickly, which means that they will potentially be able to significantly weaken the public key cryptography that has protected the majority of data to date.
Popular cryptographic schemes based on these hard problems – including RSA and Elliptic Curve Cryptography – will be easily broken by a quantum computer. This will rapidly accelerate the obsolescence of our currently deployed security systems, creating an unprecedented scale of the threat that will require a significant amount of time and resources to mitigate.
Without quantum-safe cryptography and security, all electronic information will become vulnerable to cyber attacks. It will no longer be possible to guarantee the integrity and authenticity of transmitted information. Importantly, encrypted data that is currently safe from cyber attacks can be stored for later decryption once quantum computers become available. From a legal perspective, these scenarios would mean a violation of regulatory requirements for data privacy and security that organisations are required to comply with.
This means there is now a pressing need to develop public key cryptography capable of resisting such quantum attacks. This can be achieved by developing post-quantum algorithms based on different mathematical tools that are resistant to both quantum and conventional cyber attacks.
Standards-setting bodies, including the US-based National Institute of Standards and Technology (NIST) as well as the European Telecommunications Standards Institute (ETSI), are currently in the processes of selecting the strongest cryptographic algorithms in a step towards standardising the relevant algorithms, primitives, and risk management practices as needed to seamlessly preserve our global information security infrastructure.
Of the various post-quantum cryptographic scheme candidates, lattice-based cryptographic schemes (LBC) have emerged as one of the most promising classes for standardisation. For three reasons: first, due to their efficiency and simplicity; second, due to their good security properties; and third, due to their manifestation into more complex security functions.
In order to make the transition from the security we use in the digital space today to a fully quantum-safe one, we need to fundamentally change the way we build our digital systems. We need technology solutions that bridge the gap between current cryptography and quantum-safe cryptography without causing a complete breakdown of systems because of one algorithm not being able to communicate with the other.
Standards help technologies speak the same language. However, the required standards won’t be ready for several more years. In the meantime, we need a path to quantum-safe security. One method of developing quantum-safe public key cryptography is the deployment of a new set of public key cryptosystems for classic computers that can resist quantum attack. These cryptosystems are called ‘quantum-safe’ or ‘post-quantum cryptography’. The principle behind them is the use of mathematical problems of a complexity beyond quantum computing’s ability to solve them. The key takeaway message from our Thought Leadership Platform was that there is a pressing need to start planning for the transition to quantum-safe systems. This is especially relevant in industries such as finance, due to the complexity of their systems that will require several years to be updated.
By Elisabetta Zaccaria, Chairman Secure Chorus