How are governments reacting to the threat of quantum computers?
MICHAEL BIRD
Hey Aubrey. Happy Thursday. Quick question. What are your feelings on puzzles?
AUBREY LOVELL
Ooh, puzzles, okay. I feel like I'm gonna sound really ancient when I see this, but I really do enjoy puzzles. Like when there is a puzzle around, I would love to do puzzles, but I never, I don't have any around, so maybe I should get some.
MICHAEL BIRD
Now, I feel like you might think less of me when I say what I'm about to say, which is my wife and I often gift each other a 1000 piece puzzle for Christmas
AUBREY LOVELL
that's cute.
MICHAEL BIRD
Okay, Aubrey, how about a puzzle that would make you lots of money if you complete it? But, It's a crime if you completed said puzzle.
AUBREY LOVELL
Oh, well. Probably wouldn't do it if it was a crime. But why are you offering me one?
MICHAEL BIRD
Sadly no, Aubrey, but today we are once again exploring post quantum cryptography and how governments are planning for the day when a quantum computer breaks modern-day encryption. Very exciting.
I'm Michael Bird.
AUBREY LOVELL
I'm Aubrey Lovell
MICHAEL BIRD
And welcome to Technology Now from HPE.
MICHAEL BIRD
Yeah. So Aubrey, we've talked quite a bit about quantum cryptography on this show, including our recent episode, How Do You Create Quantum Resistant Encryption, which will of course be linked to in the show notes. But this is of course a known threat and governments around the world are preparing for so-called Q-Day. What do think Q-Day stands for, Aubrey?
AUBREY LOVELL
Quantum Day? I don't know.
MICHAEL BIRD
Yeah, yeah, yeah, yeah. You'll be pleased to know it's not an annual holiday in the UK where we, you know, do our British pastime of queuing. It is, of course, the day that a cryptographically relevant quantum computer exists with institutions like the US National Institute for Standards and Technology, also known as NIST, and the European Telecommunications Standards Institute.
AUBREY LOVELL
Well done, Bird. All those names just really roll off the tongue. Now I want to see you do it 10 times over.
MICHAEL BIRD
Yeah, they are they are quite a mouthful, but they're also doing good work because These institutions are the ones helping to counter the threat posed by quantum computers and to tell us more about this, I met up with Ken Rich, Federal CTO at HPE, to find out more about how governments are proactively defending themselves against a potential quantum threat.
AUBREY LOVELL
But before we get into your conversation with Ken, Michael, are you ready for a whistle stop tour of the history of quantum computing?
MICHAEL BIRD
my goodness Aubrey, I am so ready for it. Let's go.
AUBREY LOVELL
I know it's right up your alley, we're going to say it's time for Technology Then.
AUBREY LOVELL
once again, we are jumping back to the 50s and an old friend of the podcast who seems to appear semi-regularly at this point, Richard Feynman.
In 59, as computer components shrank to microscopic scales, Feynman predicted that the effects of quantum mechanics would start to occur and suggested that designers could harness these phenomena to create more powerful computers . over the next decade a few scientists would start to consider the topic seriously including American physicist Paul Benioff who published the first ever description of a quantum computer.
In 1981, Feynman and Bunnyoff gave talks at the first ever Physics of Computation Conference, a conference which is viewed as where widespread interest in quantum computing began.
Okay, so the real threat to modern-day encryption appeared in the mid-90s when, and this is one heck of a title, theoretical computer scientist Peter Shor published an algorithm. So, Shor's algorithm to be more specific . This algorithm required a quantum computer to run it, which, as far as we know, does not yet exist.
But that's not a bad thing. One common method our modern day computers use to encrypt information uses incredibly large numbers created by multiplying two giant prime numbers together. So multiplying them is easy, but starting with the product and breaking it down is almost impossible. And that's why we use them. But Shor's algorithm would be the blueprint to undo all of that. Now, so far, no one has been able to build a computer capable of running this sort of algorithm, at least No one has admitted to being capable of building a computer like this. More basic ones though, those that have been around for decades
So way back in 1998, the first quantum computer was built and it only had two qubits, which is the quantum version of a bit. And nowadays quantum computers allegedly have over a thousand. So big difference there. While the 1998 computer only worked for a few nanoseconds before the system broke down, it did prove the concept and showed that quantum computing was indeed possible.
MICHAEL BIRD
possible, probable and at the forefront of some people's minds, including our guests this week, because it's not just the everyday person at threat from this sort of quantum breakthrough.
So I spoke to Ken Rich, Federal CTO at HPE, to find out more about how governments are preparing for Q Day. It partially comes down to who is able to make that first quantum computer.
KEN RICH
you look at the type of organizations that will have that type of computer, it's going to be nation states and maybe some very large high tech companies, but primarily nation states. All nation states have adversaries and so it's kind of a race to see who gets there first essentially.
MICHAEL BIRD
And so what in particular worries governments about a quantum computer just suddenly appearing?
KEN RICH
Well, so there's a couple of things. The primary one, and actually this is the engine that's driving the change into new cryptographic schemes and things like that, is what they call Harvest Now Decrypt later, which is a concern that an adversary may be able to record or collect data today and then at some point in the future be able to decrypt it and find out secrets. But there are other things as well. And you have to understand that governments are there to not only serve themselves, of course, but to serve their constituents. And so the governments are actually working towards these new...
cryptographic schemes so that they can secure their constituents as well, not just their own data.
MICHAEL BIRD
Yeah. And, you know, aside from Harvest Now Decrypt later, are there other things which they believe are more of a threat?
KEN RICH
There are a couple of more, what I would say, critical threats once the quantum computer is there and it's able to decrypt the data and that is being able to compromise the trust that we have in certain entities. And then once that trust is broken, then the second order effects come in, is human behavior. For example to pull all your money out of the banks that have been compromised, or no longer being able to international transfers of financial data and things like that. So it's a pretty big deal.
MICHAEL BIRD
Okay, so a cryptographically relevant computer appears suddenly. Are we saying that this could destroy all trust in modern day technology overnight?
KEN RICH
Well, could if we don't do anything, but the good news is that we are doing something. you know, it's a little bit of a controversial topic, to be honest with you, because there's some people that think that, you know, this is not going to happen for many years. There's some that think this is not going to happen ever. To be quite honest, if one of these quantum computers did exist, we likely would not know for years. The adversary is not going to publish that on the internet. So they're going to be trying to use it to their advantage for as long as possible before it becomes public knowledge.
MICHAEL BIRD
okay, so, all right, what can we do? mean,
Do we need a quantum computer to be able to solve this problem or can actually even without a cryptographically relevant quantum computer we can start to do something
KEN RICH
we are already doing things now and so if you look at some of the governments, they've already published a policy on post-quantum cryptography and moving to the kind of the next generation of cryptography. The U.S., back in about 2015 I believe, the U.S. government tasked NIST with organizing a an effort to find the next generation of quantum resistant cryptography. And so they've been doing that. And, you know, there's a number of algorithms that they've come up with that they've standardized. And so now, you know, there is a path forward. And so companies, you high tech companies like us, we're looking at those, we're integrating those into our products. And, you know, we'll be doing a migration for quite a long time, but, you know, it's already started.
MICHAEL BIRD
So what can goverments and out organisations do? I mean without having a quantum computer what can they do to protect themselves against a cryptographically relevant quantum computer?
KEN RICH
I mean, that's the thing. It's like, you we can go ahead and begin to implement these new algorithms. The algorithms themselves are not quantum. They're just quantum resistance, which means that, you know, they use methods inside the encryption that are resistant to being broken by a quantum computer, unlike the current cryptosystems that we have. So we don't need a quantum computer to get started and so that's the guidance is you we recommend, even in the government, we recommend that you start developing a team and then you start inventorying your IT infrastructure, prioritize what things that you need to make sure that are safe and begin to do the migrations and plan the migration.
MICHAEL BIRD
And this post quantum cryptography, or post quantum encryption is basically just really really really hard maths to solve versus current encryption which is just really hard maths to solve
KEN RICH
Yeah, yeah, exactly, yeah. You know, it's just a different kind of encryption. In our current crypto systems, we rely on things like factoring into prime components of a large number, which is incredibly difficult with a very large number. And other things like discrete logarithm algorithms and things like that. They're asymmetric algorithms, so it's easy to go one way, but it's hard to go back. And so we relied on that since probably in the early 90s with RSA and elliptic curve. The new ones are based on different algorithms, lattice, cryptography, and things like that. those are...
MICHAEL BIRD
OK so the government’s role is, to some extent, to serve it’s citizens. So what are governments doing to think about this from a citizen perspective. Because as citizens we have devices which are accessing the internet that are using current encryption methods to just interact with the world so are governments also thinking about that?
KEN RICH
I think a great example of that is this program that NIST put together starting in, it started in 2016, they were tasked with it in 2015, but, and that is to find some new quantum resistant algorithms, and at the time there were some, they weren't exactly what we needed. Every cryptographic algorithm has certain attributes that may or may not be good, so for certain tasks. So, yeah, they put this together and they worked with industry, they worked with academia, they work internationally with anybody across the world could submit an algorithm to be tested and to be approved. so they are definitely supporting it. They are also publishing documentation and training guides and things like that so that... that people that are in an enterprise or in an EDU, can begin to start that migration process. it's not a quick thing. So there's a lot of planning up front and a lot of working with vendors and things like that in order to get a plan and then the migration will happen. So I don't expect that many...
of these types of customers to migrate fully until beyond 2030, to be honest with you. It's going to be a monumental task.
MICHAEL BIRD
Sounds like it’s going to be quite a big job. So is there anything that we as citizens ourselves should be doing or should be thinking about
KEN RICH
the average internet user, no, they're not going to really understand. They don't understand what's in place today. And so they're not going really understand the relevance.
MICHAEL BIRD
And you think it’ll be a case of we don’t actually want them to think about it. We want it to be seamless for them.
KEN RICH
It's kind of like your electricity, you take it for granted and then when it's out, then it's a really big issue. It's kind of like that. They understand that you get the lock in the browser and so your communication's safe and all that stuff. So it's really up to, I think, the service providers and the... cloud application providers and things like that to shore up their own thing. companies that provide the certificates for websites and things like that are already migrating there. certain browsers are already supporting the new post-quantum algorithms. I think for the general...
I think it would be good for them to know. I don't think it would be necessary for them to know.
MICHAEL BIRD
And do you think you know, governments will need to impose some sort of regulation over time to encourage the companies that are manufacturing the devices and softwares that we are using. Do you think that’s going to happen and if so, when will that happen. Or do you think this changeover will happen organically?
KEN RICH
it's almost like the carrot and the stick right my father always told me when I'd go out at night with my buddies Just don't make the 10 o'clock news and that's kind of like the the industry right you know Nobody wants to be on the news for having a breach related to anything and so these you the service providers the and these companies that provide banking and financial and legal and healthcare and all that stuff, they're going to do their due diligence. So that's kind of the carrot. They want to make sure that they protect their own interests. But then the government will likely, in regulated industries, at least here in the US, start making requirements for companies to kind of upgrade their infrastructure to support this.
MICHAEL BIRD
How long do you think we have? Like what are your current estimates what are current estimates for Q-day?
KEN RICH
, I'll give you two answers. the first answer that I always say is it doesn't matter. The industry is migrating now. by the time we know this quantum computer exists, it's already going to be way too late. And if that quantum computer never exists... It's fine, we've just moved to a better, a more secure crypto system. But when do I think that we're going to see something? I would bet between 2030 and 2035, that's kind of where I'm falling. I've done some analysis of the rate of qubits being developed, the number of qubits being developed every year keeps growing and growing and seems like it's on an upward curve.
MICHAEL BIRD
I mean, publicly at least, like the development of quantum technologies does seem to be accelerating. There seems to be a bit of a who can get there first, because I suppose from a commercial perspective, the first person to do it, they sort of, they get all the spoils of war to some extent.
KEN RICH
yeah, it's very highly competitive in there to, know, who's going to get the breakthrough, who's going to get the patents, right, and things like that. But, yeah, it's interesting because, you know, there's several, there's several things that these quantum scientists are working on that actually affect the timeline. So the number of qubits is one of them, that's all anybody ever talks about, but the error rate of a qubit is another one. And so that affects how many qubits you need to get what's called a stable qubit, which is what you need to do, actually do the work without a whole bunch of errors. And then the algorithms and the circuitry around it and the... and the interconnects between the qubits, things like that. There's just a lot of stuff going on in that realm.
MICHAEL BIRD
Are you worried? Or are excited?
KEN RICH
I'll be retired, so...
MICHAEL BIRD
Somebody else's problem.
KEN RICH
I think it's exciting. I'm waiting for AI and quantum to converge in a true sense. We talk about it theoretically, but yeah, I'm excited about this stuff. And I just gave a talk yesterday on this very topic and my last slide said, enjoy the ride. It's going to be fun. We've never done anything like this before as an industry, so it'll be fun.
AUBREY LOVELL
I think it's such a fascinating topic, right? Because we think about, we've talked about this before in previous episodes about how things like the pandemic, et cetera, has accelerated innovation. Think about where we are today with AI because of certain events and just how quick that sped up to get us where we are today. And so to hear him say, like,
we could have this in 10 years. Maybe a few years ago we'd be like, nah, no way. But now it's very feasible that that could happen and that the technology is getting to a place where this could actually work.
MICHAEL BIRD
And 2030 to 2035, which is what was Ken's, , guesstimation. It really isn't that far away.
I mean, we talked in previous episodes and Ken talked about this, like the harvest now, steel now, decrypt later. And that concept of causing distrust or compromising trust in our entities, know, compromising trust in banks and financial transactions.
AUBREY LOVELL
It's something that you always see in like TV shows, et cetera. But I think the amount of research and development that's gone into it, it's just making it more real. And to your point, I mean, we talk about these things all the time. You have to fight fire with fire. So the more that we can do and be proactive, if it's a thought, it can happen, right?
And it kind of got me thinking too about hybrid systems, right? Like, you know, obviously quantum computers, they're not meant to replace our traditional computing or classical computers, but they can work alongside them and solve specific problems. So how do you factor that into the equation of what hybrid world does that look like with quantum computing and what we can do together.
MICHAEL BIRD
Yeah, I think it'll be quite fascinating. I also really loved what Ken said, I think when I asked him about time scales and he basically said, I can give you some time scales, here they are. But also the sense of actually, even if a quantum computer, a cryptographically relevant quantum computer never ever gets made. Worst case scenario, we just upgrade our encryption and our cryptography to something that is even harder to break, something that's even more secure. So it's sort of like the downside is that we get better encryption.
AUBREY LOVELL
Yeah, absolutely. I think there's a lot to be learned from it and whatever we can do to continue to improve and get ahead of all of these really, you know, nefarious and scary, you know, cyber security issues, I think is a great win for sure.
MICHAEL BIRD
It made me think about AI. Like we were talking about AI, you know, for as long as I can think we've been making podcasts, you know, five, 10, 15 years, AI has sort of been bubbling under the surface, but it's not really had that sort of public consciousness.
And then, what, 2022, 2023, it sort of just exploded and came onto the scene and people started caring about it and it was everywhere in it and in everything. Do you think we'll ever get that with quantum cryptography?
AUBREY LOVELL
I think so. And the reason I think that is because we're entering a world where we have this massive flow of free information. Like think about social media, think about AI, right? you can get a full on report and like end to end details about a specific subject with one click of a button. So we've kind of put that on ourselves by creating that technology that anybody can access as information and have that education and like you know, kind of learn about that subject.
MICHAEL BIRD
I think as soon as it starts to impact people's lives, if that is the case, then people will probably start to learn about it quite quickly.
Now, Aubrey, Ken lives and breathes post quantum cryptography. And while we haven't touched on it, he has some really interesting insights on how PQC could affect cryptocurrency.
MICHAEL BIRD
Now Ken lives and breathes post quantum cryptography and while we haven’t touched on it, he had some really interesting insights on how PQC could affect cryptocurrency.
KEN RICH
One of the things is, and I mentioned it a little bit here, is that we may not know if an adversary has a quantum computer, but there may be signs. as I was kind of noodling this, I don't know, maybe six months ago, I came to the realization that maybe cryptocurrency would be like a canary in the coal mine, to speak, kind of an indicator because...
MICHAEL BIRD
course, because cryptocurrency is basically solving problems. So if you can solve the problems faster than anyone else.
KEN RICH
Well, it's even it's actually even worse than that. because prior to 2012 if you look at the at the blockchain, they stored the public key on the blockchain and it's visible. I did a rabbit hole dive on this, like I said, about six months ago.
There are about 6 million bitcoins out there that have been dormant since 2012. So that means about 600 billion in bitcoin is out there on the chain for the taking.
You wouldn't be able to break the entire blockchain, but the way blockchain works is it's consensus based, it's a distributed ledger. And so as long as you have the private key that matches the public key, you own the Bitcoin.
AUBREY LOVELL
Okay, well that brings us to the end of Technology Now for this week. Thank you to our guest, Ken Rich thank you so much. And of course, to our listeners, thank you so much for joining us.
MICHAEL BIRD
and if you've enjoyed this episode, please do let us know, rate and review wherever you listen to podcasts. And if you want to get in contact with us, please send us an email to technology now at hpe.com. And don't forget to subscribe so you can listen first every single week.
Technology Now is hosted by Aubrey Lovell and myself, Michael Bird.
This episode was produced by Harry Lampert and Izzy Clark with production support from Alysha Kempson-Taylor, Beckie Bird, Allison Gaito, Alyssa Mitry and Renee Edwards. And our music was composed by Greg Hooper.
AUBREY LOVELL
Our social editorial team is Rebecca Wissinger, Judy-Anne Goldman and Jacqueline Green and our social media designers are Alejandra Garcia, and Ambar Maldonado.
MICHAEL BIRD
Technology Now is a Fresh Air Production for Hewlett Packard Enterprise.
(and) we’ll see you next week. Cheers!
AUBREY LOVELL
Cheers.