News Flash: One Large-ish Step for Computing Just Occurred

October 25, 2019

Chances are, if you work in IT security, you work with and depend on the strength and protection of cryptography every day of your life. Whether that crypto is in certificates that identify machines or websites, or in the locks and keys that store, protect, and hide sensitive data, cryptography underlies practically everything you think is protected.

In Privileged Access Management (PAM), cryptography is even more prolific. It underlies the protection of secrets and password vaults. It secures the tunnels used in jump boxes and remote session management of SSH and RDP. It creates the security of access tokens and Kerberos tickets, and verifies identities of practically everything: machines, users, APIs, service communications, Active Directory operations, and so on.

So when news of progress in quantum computing occurs, your ears should perk up.

What success really looks like

Google’s announcement on Wednesday, October 23, 2019 that they have achieved “Quantum Supremacy” is a little like the Wright Brothers announcing sustained flight…but for geeks. In other words, it’s quite a big deal.

As with any new technology or invention, progress is not a linear path. There are fits and starts, misfires and misdirections, and then whammo, a huge chunk of movement occurs. Google’s news is this kind of large, non-linear bit of progress. 😉

So what exactly is “Quantum Supremacy” and why should I care?

The term “Quantum Supremacy” refers to the use of a quantum computer to solve problems that would take orders of magnitude longer to solve with any currently known algorithms running on existing classical “digital” computers. It basically uses a quantum computer for what it’s uniquely BEST at – solving asymptotic quantum complexity, or, problems that cannot be accelerated in the bits and bytes and on/off nature of digital computing systems.

The emphasis here is on being as sure as possible that the problem really was solved quantumly and really is classically intractable, and ideally showing orders of magnitude of speed-up over digital computing methods.

Does this mean that Google has Supremacy over our Cryptography?

Not quite.

At the end of the day, cryptography is a set of mathematical constructs (and sometimes proofs) that show certain math operations are hard to undertake in one direction, and easy to undertake in another direction.

For example, the signing operations that underlie certificates and the strength of SSH/SSL rely on prime numbers and on the general protection that multiplying is easier than factoring for very, very large numbers.

The “one-wayness” of those hard problems only exists in digital computing. In theory, quantum computers, operating in non-linear “quantum” operations, could break or reduce the ‘hardness’ of those math problems.

What’s missing from attacking present cryptosystems with the Google quantum machine?

According to analysis by Scott Aaronson: “The devices currently being built by Google, IBM, and others have 50-100 qubits and no error-correction. Running Shor’s algorithm to break the RSA cryptosystem would require several thousand logical qubits. With known error-correction methods, that could easily translate into millions of physical qubits, and those probably of a higher quality than any that exist today. I don’t think anyone is close to that, and we have no idea how long it will take.”

Google CEO Sundar Pichai, from his blog "What our quantum computing milestone means."

If these systems keep progressing, what are we going to do with weakened crypto?

So, major progress in quantum computing does mean new and increasing security challenges in relying on “linear” cryptosystems. In fact, NIST has put guidelines together outlining exactly this risk.

And the good news: work to define and standardize “post quantum” cryptography takes this evolutionary research into account, and security vendors must be prepared to up their ante when it comes to their cryptography roadmap. We’re only years away from a realized fear that the currently non-explorable authentication method will be vulnerable to hackers that are leveraging quantum computers.

AUTHOR’S NOTE: I paraphrased and copied generously from a much more detailed technical examination of Google’s announcement. Thanks to Scott Aaronson for providing that deep insight here: https://www.scottaaronson.com/blog/?p=4317