The year is 2027. Quantum computers (QCs) have finally become a reality and are far more powerful than anyone could have imagined. AI-enabled QCs can solve problems that would take classical computers billions of years to solve, and they pose a severe threat to the security of our data. In the previous three years, companies like IBM, Google, and a couple of mischievous nation-state actors have made monumental improvements in qubit count (the measure of processing power for QCs) and vast advances in error correction. The advent of quantum computing makes any password vulnerable to cracking in seconds--no existing encryption system is safe.
This is the “Quantum Apocalypse” - the day QCs break traditional public key cryptography -, and it is a genuine possibility.
Startups and investors that use cloud services and collaboration tools should immediately take steps to mitigate the risk posed by quantum computers. This includes using post-quantum cryptography to resist future quantum computer attacks and migrate to self-hosted solutions. In addition to strong passwords, enterprises should consider implementing multi-factor authentication, software patch management, and network monitoring to protect their systems and data.
I am Jeff Phillips, a corporate development professional at Code Siren, LLC. We are a deep tech startup founded by game developers, white hat hackers, and cryptologists. In this article, I will discuss the threat quantum computers pose to cloud security, the "steal now, decrypt later" (SNDL) tactic, and the steps you can take to protect your data on collaboration apps.
Table of Contents
Part I: The Quantum Apocalypse is Near
1. Quantum Computers Will Crush All Existing Encryption Systems
QCs work fundamentally differently from traditional computers. They use quantum bits, or qubits, in a superposition of two states, 0 and 1. This allows QC to perform specific calculations much faster than classical computers. QCs are not limited by the speed of electrons or light. They are limited by the laws of quantum mechanics. In 2019, Google's Sycamore QC performed a calculation that would have taken IBM's Summit supercomputer 10,000 years, demonstrating the power of existing quantum computing.
As QC process more advanced algorithms, there is a growing concern about the potential threats posed by universal or cryptanalytically relevant quantum computers (CRQCs). A CRQC is a quantum computer powerful enough to break the existing encryption algorithms currently used to secure digital communications and data by executing Shor’s algorithm.
Shor's algorithm, first proposed by Peter Shor in 1994, can factor in large numbers exponentially faster than classical computers. This means that even if a classical computer would take millions of years to factor a large number, a quantum computer could factor it in minutes.
Another algorithm, devised in 1996 by Lov Kumar Grover, can be used to search for patterns in data and break other types of encryption algorithms at quadratic speed. A quadratic speedup means that the time it takes to run Grover's algorithm is proportional to the square root of the time it takes to run the best classical search algorithm. For example, if it takes 100 steps to run the best classical search algorithm on a database of 100 items, then it would take only 10 steps to run Grover's algorithm on the same database.
This matters because current encryption standards are based on the difficulty of factoring large numbers (i.e., RSA, Diffie Hellman, elliptic curve, etc.). With the Quantum Apocalypse, every financial institution, government, cloud-based service, and the internet (at large) is exposed. At first, nation-state actors will use QCs to cyber attack each other. This will lead to a "quantum arms race." Shortly after, cyber-criminals will acquire QCs too, and the attack vectors will shift to corporate and personal data.
Source: Council on Foreign Relations, Cyber Operations Tracker
2. State-Sponsored Cyber-Criminals are on the Lookout
Advanced persistent threats (APTs) are sophisticated, often state-sponsored actors or well-funded criminal organizations that typically carry out skillful cyber attacks. APT objectives range from espionage, data/IP theft, extortion, and network/system disruption or destruction. APTs are characterized by their cyberwarfare capabilities, long-term planning, complex techniques, and targeted attacks.
"APTs and nation-state actors are likely to be the first to obtain access to CRQCs [for nefarious purposes], and they will use these computers to attack critical infrastructure, financial systems, and other sensitive systems,”
- T he National Institute of Standards and Technology (NIST)
Many APT actors have already been involved in large-scale credential phishing (aka credential harvesting), zero-hour/zero-day, man-in-the-middle (MitM), and social engineering attacks. Some of the most notable include:
APTs are becoming increasingly sophisticated in their use of cyber attacks and zero-hour (never before seen) threats. Several high-profile attacks have been attributed to APTs, including the SolarWinds and Microsoft Exchange hacks in recent years. These attacks have shown that APTs are willing to invest significant resources in developing and using sophisticated techniques, usually through credential theft.
Now, the trillion-dollar question: What happens when APTs get their hands on quantum computers?
Source: MIT Technology Review
3. QC Unleashes the Threat of APTs over Collaboration Apps
Collaboration apps are software tools that allow people to work together and share information: Microsoft Teams, Google Workspaces, Zoom, Asana, Slack... Collaboration apps are attractive to APTs because they offer several attack vectors:
Source: Cloudflare, Inc.
The current APT approaches are well known and consist of the following:
Given these factors, one can only imagine the damage that could be done when nation-state sponsors grant APTs access to quantum computers.
Although a functional CRQC is primarily believed to be (at a minimum) several years away (i.e., 2027), there is evidence that quantum operations of "Steal Now, Decrypt Later" (SNDL) are already underway. The U.S. National Security Agency (NSA) has warned that nation-states and criminal organizations are collecting data to decrypt later with CRQCs. Criminal organizations and governments are already actively recording traffic in bulk. In 2022, over $30 billion was spent on quantum technology development.
The timeline for developing CRQCs is uncertain, but some experts believe they could be available as soon as 2025.
SNDL seriously threatens the 97% of enterprises that use cloud-based services to host their intellectual property, financial data, or other sensitive information. Founders, startups, and investors using cloud services to communicate their workflow are at risk.
Source: Booz Allen Hamilton Inc., Code Siren, LLC
Part II: How to Prepare for the Quantum Apocalypse
Post-quantum cryptography (PQC) is a type of cryptography designed to resist attacks by quantum computers. PQC is still nascent, but according to CISA, NIST, and the NSA, it is important for technology startup founders and investors to consider migrating immediately.
Using PQC, we can help protect our data from classical and quantum computer attacks and ensure that our communications, work, and intellectual property remain secure. Incorporating PQC into your communications and storage is essential. Migrating to a PQC collaboration platform like Polynom is a low-cost solution. Polynom offers a free-to-use Community Edition for small enterprises to securely text, file share, and conduct high-quality VoIP via quantum-proof encryption.
1. Lattices and Learning With Errors (LWE)
Lattice-based cryptography is a relatively new field that is PQC and relies on the difficulty of solving vector-related problems in multidimensional lattices. A multidimensional lattice is an infinite set of points in a space of n dimensions such that the distance between any two points is a multiple of a fixed length. These problems are extremely challenging to solve even for quantum computers, which means that lattice-based cryptography is considered to be quantum-proof.
LWE is a promising lattice-based cryptographic scheme that is believed to be too tricky for quantum computers to solve. This makes LWE today’s best candidate for building secure cryptographic schemes resistant to quantum attacks. LWE has been used to construct several secure cryptographic schemes, including encryption schemes, signature schemes, and key exchange protocols. These schemes are all currently secure against quantum computers and offer a promising way to protect communications in the future.
How is lattice-based cryptography/LWE different from traditional cryptography? Here's the explanation - feel free to skip if it's too technical for your liking:
Source: Code Siren, LLC
2. CRYSTALS-Kyber and CRYSTALS-Dilithium
The CRYSTALS lattice cryptography schemes (Kyber and Dilithium) use the LWE problem to generate cryptographic keys. The keys are generated by encrypting the secret vectors using a public key. The public key is used to encrypt messages, and the secret key is used to decrypt messages.
In July 2023, NIST announced that it had selected CRYSTALS-Kyber and CRYSTALS-Dilithium as the first two post-quantum cryptographic algorithms to be standardized. The algorithms were selected from 82 submissions after a rigorous evaluation process. In August 2023, NIST designated FIPS standards for the selections.
FIPS is the Federal Information Processing Standards. They are publicly announced standards that NIST has developed for use in computer systems of non-military US government agencies and contractors. FIPS standards establish requirements for ensuring computer security and interoperability.
CRYSTALS-Kyber is a key-encapsulation mechanism (KEM) designed for use in applications such as secure messaging and virtual private networks (VPNs). CRYSTALS-Dilithium is a digital signature algorithm (DSA) designed for electronic signatures and authentication applications.
NIST's decision to standardize these algorithms is a significant step in developing a quantum-resistant future.
Self-hosting means hosting the software on your own servers (on-premise) rather than using a third-party cloud-based provider. This gives you complete control over your data, including who has access to it and how it's stored. It also means you're not relying on a third party to keep your data safe.
There are many benefits to self-hosting your own collaboration apps:
Of course, there are also some challenges to self-hosting your collaboration apps. You need to have the technical expertise to set up and maintain the servers, and you need to be prepared to deal with any security incidents that may occur. The Intel NUC and ASUS PN 64 are some low-cost entry points that are easy to set up, relatively quiet, and great devices for getting started with self-hosting.
It is important to note that quantum computers are still in differing stages of development. Superconducting quantum computers are the most advanced type of QC, and they have been used to achieve a number of important milestones, such as the factoring of real numbers using Shor's algorithm. Neutral atom, ion trap, topological, and photonic QCs are less advanced but more stable and easier to control.
Quantum error correction is rapidly developing, and quantum computers will likely become more resistant to errors in the near future. It is equally likely that QCs will have the potential to break the encryption of cloud-based collaboration and storage tools within the next few years. Regardless of whether quantum computers become more powerful, APTs will likely continue to threaten the free enterprise system and intellectual property everywhere.
Here are several ways that founders and investors can protect themselves from APTs that use both classical computers and QCs to hack collaboration apps, including:
About the Author
Jeff Phillips works in Corporate Development at Code Siren, LLC. Founded in 2018, Code Siren is a deep tech startup building sophisticated cryptographic tools that are designed to be easy to use and accessible for everyone.
Jeff can be reached at [email protected]
Here are some resources where you can learn more about post-quantum cryptography and self-hosting:
- National Academies Press: https://nap.nationalacademies.org/read/25196/chapter/6#97
- NIST PQC Project: https://csrc.nist.gov/projects/post-quantum-cryptography
- PQCrypto: https://pqcrypto.org
- The Self-Hosted Wiki: https://js.wiki
- Post-Quantum Cryptography for Today: https://eprint.iacr.org/2019/1208.pdf
- Polynom: https://polynom.app