sign in sign up
<<
Home , Computation, Cryptography, Quantum computing, Quantum cryptography, Quantum information, Quantum supremacy

Issue 2 | 2020

Quantum and can be highly beneficial to scientific developments due to the new, speedy way of performing computing. Once available, they however could break currently used cryptography and undermine the protection of (personal) data.

I. What is ? z 0 The physical laws of quantum allow for an alternative method to how today’s computers pro- ψ cess . Whereas traditional computers θ use (0 or 1) as a building block, quantum com- puters employ quantum bits, or , that can be at the same moment a combination of |0⟩ and |1⟩. φ y The possible spectrum of values one can ad- opt is best depicted by the surface of the x in Figure 1. While bits allow for two discrete values, qubits can store a point in a two-dimensional con- tinuum, a surface of a sphere. Quantum computing 1 can take of those more powerful qubits and carry out operations not only for a determined Figure 1: The Bloch sphere is a geometrical repres- value |0⟩ or |1⟩, but also for all possible superpos- entation of a qubit. Qubits can take as value each itions at the same time. Consequently, quantum point on the surface described by the two angles computing attains an efficiency advantage over bin- 휑 and 휃. The pole points are |0⟩ or |1⟩. ary computing for selected tasks. Some tasks would be rendered only feasible due to this efficiency boost, tion in terms of data security and confidential- if the appropriate quantum hardware were ity of . One reason is the ability available. to break cryptography. Quantum computing can In sum, quantum computers have a speed advant- break many of today’s classical cryptography and age over classical computers for selected problems as such harm severely IT security. The risk extends and could therefore perform types of to the core security protocols. Nearly all not available to current classical computers. of today’s systems that demand security, or trust, would be affected. II. What are the data protection issues? II.1. Impact on public- cryptography

There are many reasons why quantum computing Public-key cryptography, also known as asymmetric could have significant implications for data protec- , is a method of encrypting data with the

EDPS TechDispatch on Quantum Computing and Cryptography 1 II.3. Retrospective decryption The technological progress in binary computing hard- ware, meaning today’s widespread classic computers, is also a threat to IT security. With increasing com- puting power at decreasing costs, the retrospective decryption of data from the past becomes of use if the employed key lengths used at the time were suf- ficiently short. Security experts regularly call out for an increase of key lengths to keep data secure for a given period. Some governments’ secret services are reported to collect data purposefully for future ret- rospective decryption. Quantum computers though follow different laws and would allow retrospective Figure 2: Quantum Computer IBM . Source: Pierre decryption in many cases much earlier. Metivier (detail, licensed under cc-by-nc 2.0) II.4. Practical quantum computers use of cryptographic protocols based on . To be able to execute quantum algorithms with prac- It requires two separate keys, a private and a public tical impacts, quantum computers would need to key. The Rivest-Sharmir-Adleman (RSA) have thousands or millions of qubits with error is a cryptographic system that is used for public-key rates. This is something which is beyond the reach cryptography, and is commonly used when sending of in the foreseeable future. sensitive data over the internet. The RSA algorithm In 2019, claimed to have demonstrated allows for both public and private keys to encrypt with its 54-qubit quantum messages so their and authenticity computer (Oliver 2019). The claim was that it took remain intact. their quantum computer hundreds of seconds to Quantum computers would allow for public-key perform computation that would take thousands of cryptography systems to be jeopardised by adversar- years for a powerful non-quantum . ies in possession of a sufficiently powerful quantum While the solved task has no practical significance, computer, that could carry out the decryption it served as a proof of concept. It is likely that more without prior knowledge of the private key. Ef- similar results may be announced in this decade, but fected could be for instance digital signatures, essen- in the foreseeable future they will unlikely have a tial Internet protocols like HTTPS (TLS) required for practical impact. secure browsing, online banking, online shopping, According to current understanding, to execute etc. useful algorithms of practical relevance there is a need to build a quantum computer with more qubits II.2. Impact on symmetric cryptography and smaller error rates than what is possible today. The creation of a large and usable quantum com- Quantum computing can also bring negative con- puter within the next ten years is highly unlikely, sequences for security guarantees of symmetric cryp- but difficult to predict. It is this unpredictability tography systems such as the Advanced Encryption that eventually leads to risks for IT security today. Standard (AES). Asymmetric (e.g. RSA) and symmet- ric (e.g. AES) cryptography are often used together II.5. Post- such as with the use of HTTPS. Symmetric crypto- graphy needs practical ways of exchanging private Post-quantum cryptography or quantum-safe cryp- keys in a confidential manner. To guarantee data se- tography refers to cryptography whose security is curity, the private must remain secure. believed to be unaffected by quantum computers. But the key exchange methods used in practice This is achieved by the use of very different math- today are based on problems that quantum comput- ematical building blocks, which incorporate math- ing may put at risk. To guarantee data confidentiality, ematical operations that quantum computers cannot the whole key exchange must remain secure. solve more efficiently than other computers.

EDPS TechDispatch on Quantum Computing and Cryptography 2 Post-quantum cryptography however will likely III. Recommended Reading come with performance drawbacks and require lar- ger computing resources to e.g. encrypt and decrypt German Federal Office for data or sign and verify signatures and more network- (2020). Post-Quantum Cryptography. ing resources to exchange lengthier keys and certi- Giles, Martin (2019). Explainer: What is post-quantum ficates. Post-quantum cryptography is not yet stand- cryptography? In: MIT Technology Review. ardised. Sufficient and convincing knowledge must Montanaro, Ashley (2016). Quantum algorithms: an be available to conclude in a so-called overview. In: npj 2.1. doi: that such a solution is safe for both quantum and 10.1038/npjqi.2015.23. binary computing. The US National Institute of National Academies of Sciences, , and Standards and Technology (NIST) is working to- Medicine (2019). Quantum Computing: Progress wards a Post-quantum cryptography standard and and Prospects. The National Academies Press. doi: estimates to publish a draft with a first algorithm 10.17226/25196. in 2022 or 2024. Once standardised, algorithms will Oliver, William D. (2019). Quantum computing takes need to be integrated with standard internet proto- flight. In: 574.7779, . 487–488. doi: 10 . cols like HTTPS. 1038/d41586-019-03173-4. As of 2020, prototypes of (non-standardised) Preskill, John (2018). Quantum Computing in the postquantum cryptography are available for test- NISQ era and beyond. In: Quantum 2, p. 79. doi: ing in the form of source , software libraries 10.22331/q-2018-08-06-79. (e.g. for OpenSSL), cloud services (e.g. Amazon AWS Shankland, Stephen (2019). IBM’s new 53-qubit and Cloudflare) and consumer software (e.g. Google quantum computer is its biggest yet. In: CNET. Chrome). It is estimated that a full transition could even take as long as 15-20 years in practice. Organisations should consider for how long they This publication is a brief report produced by the Techno- need to guarantee absolute confidentiality of data logy and Privacy Unit of the European Data Protection and protection from retrospective decryption. Based Supervisor (EDPS). It aims to provide a factual description of an emerging technology and discuss its possible impacts on what we know today there is no immediate on privacy and the protection of personal data. The con- threat posed by a quantum computer in the tents of this publication do not imply a policy position of foreseeable future. It may likely take decades to the EDPS. build a usable quantum computer that can execute Issue Author: Lukasz OLEJNIK, known algorithms. But for data that needs to remain Robert RIEMANN safe for very long, this uncertainty poses an issue Editor: Thomas ZERDICK that may require an early transition to post-quantum Contact: [email protected] cryptography. To subscribe or unsubscribe to the EDPS Tech- For this reason, some organisations may be in- Dispatch publications, please send a mail to terested in preparing appropriate risk assessment [email protected]. The data protection as well as contingency and migration plans. Such notice is online on the EDPS website. plans should always prioritise guaranteeing data se- © European Union, 2020. Except otherwise noted, the curity with respect to today’s non-quantum security. reuse of this document is authorised under a Creative When transitioning to post-quantum systems, Commons Attribution 4.0 International License (CC BY organisations should consider existing risks and the 4.0). This means that reuse is allowed provided appropriate usual considerations during migration of data that credit is given and any changes made are indicated. For any use or reproduction of photos or other material that would guarantee data security (i.e. reliability, avail- is not owned by the European Union, permission must be ability) as well as confidentiality (e.g. when the data sought directly from the holders. is re-encrypted with post-quantum cryptography). The German Federal Office for Information Security ISSN 2599-932X HTML: ISBN 978-92-9242-431-2 (2020) has developed initial recommendations for the QT-AD-20-002-EN-Q migration to post-quantum cryptography. https://data.europa.eu/doi/10.2804/603798 PDF: ISBN 978-92-9242-432-9 QT-AD-20-002-EN-N https://data.europa.eu/doi/10.2804/36404

EDPS TechDispatch on Quantum Computing and Cryptography 3