What is quantum computing and why does it matter?
In a classical computer, the basic unit of information is the bit, which has a binary value of either 0 or 1. In a quantum computer, the basic unit of information is the qubit, which can exist in a superposition of 0 and 1 at the same time. This property, together with entanglement and interference, allows a quantum computer to take advantage of quantum mechanics and explore certain problem areas exponentially faster than any classical computer.
One such problem is factoring very large numbers into their prime divisors. These kinds of factoring problems are the basis of modern cryptography. For example, say Alice wants to use public-key cryptography. Anyone should be able to send her information securely. She can choose two very large prime numbers p and q and publish the product n = p*q online; n is the public key, and p and q are the secret keys. Anyone who wishes to send her a message can encrypt their message using n and encode it in such a way that only someone with knowledge of p or q can decrypt it. In this situation, the cryptographic protocol’s security relies on the assumption that no third party can factor n into its prime divisors and thus decode the message themselves. With a quantum algorithm like Shor’s, anyone with a powerful quantum computer can break this encryption.
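The dependence on factoring described above, as an added example that is not code from the original article: textbook RSA with toy-sized primes, where the public exponent e, the function names and the trial-division helper are assumptions made for illustration. It shows that whoever can factor n rebuilds the private key from published values alone, which is the step Shor’s algorithm would make feasible at real key sizes.

```python
from math import gcd

def make_keypair(p, q, e=65537):
    """Alice: build public key (n, e) and private exponent d from secret primes."""
    n, phi = p * q, (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to (p-1)(q-1)")
    return (n, e), pow(e, -1, phi)      # d = e^-1 mod phi (Python 3.8+)

def encrypt(m, public):
    """Sender: needs only the published values."""
    n, e = public
    if not 0 <= m < n:
        raise ValueError("message must be an integer in [0, n)")
    return pow(m, e, n)

def decrypt(c, n, d):
    return pow(c, d, n)

def factor(n):
    """Trial division; feasible only because this n is tiny."""
    if n % 2 == 0:
        return 2, n // 2
    f = 3
    while f * f <= n:
        if n % f == 0:
            return f, n // f
        f += 2
    raise ValueError("n has no nontrivial factor")

def rebuild_private_exponent(public):
    """Third party: factoring n is all it takes to recompute d."""
    n, e = public
    p, q = factor(n)
    return pow(e, -1, (p - 1) * (q - 1))

def demo(message=20240826):
    # Constructed toy key: two Mersenne primes, 2^17-1 and 2^19-1.
    public, d = make_keypair(2**17 - 1, 2**19 - 1)
    ciphertext = encrypt(message, public)
    d_recovered = rebuild_private_exponent(public)
    return {
        "alice_decrypts": decrypt(ciphertext, public[0], d) == message,
        "d_recovered_matches": d_recovered == d,
        "third_party_decrypts": decrypt(ciphertext, public[0], d_recovered) == message,
    }

if __name__ == "__main__":
    print(demo())
```

Real deployments use primes of 1024 bits or more together with a padding scheme, so trial division is hopeless there; the structure of the dependency on factoring is the same.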
NIST introduces three new standardized protocols for post-quantum encryption
With the increasing prevalence of quantum computing, it is necessary to develop secure cryptographic methods to prevent quantum attacks. At present, there is no quantum computer powerful enough to break modern encryption, but the algorithms for doing so exist and the hardware is expected to catch up in the coming years. Experts estimate that quantum computers will have this capability within five to 30 years.
Today, malicious parties can intercept and store encrypted information under the assumption that they can eventually decrypt it. This strategy is called “harvest now, decrypt later.” Even information that is several years old could represent a serious security breach if it is decrypted by a malicious third party. Therefore, it is critical to implement quantum-safe cryptographic methods now that cannot be broken even by quantum computers in the future. Two accepted methods for achieving this are quantum key distribution (QKD) and post-quantum cryptography (PQC). QKD relies on incorporating quantum effects into the cryptographic protocols themselves, while PQC relies on using classical problems that are exceedingly difficult for both classical and quantum computers to solve.
The National Institute of Standards and Technology (NIST) has released a new set of standards that defines the best-known methods for quantum-safe cryptography using PQC methods. These are the standards that will replace modern encryption and ensure quantum computing does not threaten the many industries that rely on the secure transmission of information. It is critical to start this process as soon as possible as the transition will be long and costly, and experts suggest it could take between 10 and 15 years. One way to illustrate the urgency is to use Mosca’s risk determination theorem. If Y is the time it takes to migrate to secure PQC protocols, X is the time that data must remain secure, and Z is the time it will take for quantum computers to break cryptography, data can only be expected to remain secure as long as X + Y < Z. If X + Y > Z, data that was harvested before the transition can be exploited and leveraged even if the industry has already transitioned away from vulnerable encryption methods.
Federal Information Processing Standards (FIPS) 203, 204, and 205
Three new standards define protocols intended to replace the current gold-standard encryption algorithms. Rather than relying on quantum effects, these algorithms work by encrypting data using problems that are difficult for any computer to solve, quantum or classical. They were selected because PQC methods are available today and can be expected to provide a level of resistance to quantum attacks, but ideally the standards of the future will be based on QKD methods.
FIPS 203 is a key-encapsulation mechanism and a public-key cryptosystem that allows senders to generate their own private key for their messages. This prevents bad actors from learning about the secret key from observing multiple encrypted messages.
FIPS 204 and 205 are also public-key cryptosystems but without key encapsulation. There are two algorithms because they accomplish the same thing by using completely different mathematical frameworks. This provides redundancy — if researchers break one of them in the future, the other will not be compromised. Phasing out old standards in favor of quantum-resistant ones will provide protection against the kinds of attacks we expect quantum computers to make possible.
What this means for the finance industry
A 2023 report by 200 experts and stakeholders in the field emphasizes that quantum computing represents both an opportunity and a threat to the industry as it stands today [1]. There is the obvious threat to encryption that the new NIST standards seek to address, but there may also be an advantage to early adoption by building up experience with quantum-computing technology. This report demonstrates that approximately 87% of respondents’ institutions did not have a budget for quantum initiatives, showing that the industry may be underprepared to adapt to rapid advancements in the field. There is also the fear that quantum computing may be overhyped.
Pure quantum algorithms like Shor’s may take time before they are viable, and there could be limited practical cases in which pure quantum computing provides an advantage over classical solvers and optimizers. Nonetheless, hybrid approaches combining the strengths of classical and quantum computing are more achievable in the short term and could provide tangible benefits in the fields of risk analysis, stress testing, cybersecurity, synthetic data, and fraud modeling.
Quantum-inspired algorithms leveraging research developed for quantum simulation may also provide shorter-term benefits outside their original use case for companies with the expertise to leverage them. Companies that are insufficiently prepared may find themselves falling behind compared with the rest of the industry.
How companies can prepare
In past years, we faced a talent shortage in the industry. The number of open job listings had substantially outpaced the number of master’s or higher-level graduate students in the field; however, this gap is narrowing. Most of the new graduates, who are excited about pushing the bounds of quantum technology, reside in the European Union and can fill these openings [2].
Companies seeking to contribute to the future of quantum technology can participate in the Quantum Safe Financial Forum, a consortium of financial institutions working together to determine how best to respond to advancements in the industry [3]. The three primary areas of concern are planning, which seeks to determine use cases, provide timelines, and identify priorities; stakeholders, which seeks to provide vendor roadmaps, work with regulators, and create certifications; and discovery, which seeks to conduct inventory of current tools and examine research to discover new technologies to explore.
Companies can ensure they are taking appropriate steps by contributing to one of these three groups and by following NIST’s recommendations as well as those from other national security agencies and regulators. By doing so, they will remain at the forefront of the field and stay prepared to react to the latest advancements.
References:
[1] Moody’s, “200 data, analytics, and innovation leaders reveal how quantum computing is set to transform financial services,” April 2023. Available: https://www.moodys.com/web/en/us/about/what-we-do/quantum-computing/quantum-survey-report.html [Accessed August 26, 2024]
[2] McKinsey & Company, “Quantum technology sees record investments, progress on talent gap,” April 24, 2023. Available: https://www.mckinsey.com/capabilities/mckinsey-digital/our-insights/quantum-technology-sees-record-investments-progress-on-talent-gap#/ [Accessed August 26, 2024]
[3] Europol, “Quantum Safe Financial Forum,” May 7, 2024. Available: https://www.europol.europa.eu/about-europol/european-cybercrime-centre-ec3/qsff [Accessed August 26, 2024]