After a year spent scrambling to catch up with the pace of its advancement, much of the talk at this year’s Davos conference has inevitably focused on AI – its potential to accelerate scientific discovery, the need for a global approach to its regulation, understanding how we prepare future workforces for its impact…the list goes on.
But there is another technology that deserved equal – if not more – attention than it arguably ended up receiving, especially if we want to learn from our AI mistakes and get ahead of the game this time.
Quantum computing (QC) promises to open the door to boundless innovation, but also threatens to effectively change and compromise the contents of all public (and much symmetric) key cryptography; specifically, the algorithms used by much of the Internet establishment, for privacy, e-commerce, digital signatures and more. Indeed, one of the things that was said on the technology during this year’s WEF conference was that QC could spark a “cybersecurity Armageddon.”
While Armageddon smacks of a certain hyperbole, the warning must nevertheless be heeded. How should today’s leaders be getting their businesses quantum-ready in 2024? And rather than being a competitor for technology investment and airtime, what role might AI play in all this? After all, we are in a time of not just a single potential disruptive innovation or change, but many – all of which affect one another.
The give and take of cryptologic vs. cryptanalysis
When it comes to cryptography, QC could actually end up being as much of an advantage to businesses as it is a threat – the difference being whether you are talking about cryptanalysis (the breaking of messages) or cryptologic (the attempt to make messages difficult to break).
On the cryptologic side, QC and more generally quantum technology offer businesses advantages both in terms of random number generation and (to some degree) the sharing of secrets, with some additional tamper-proofing benefits thanks to properties around quantum entanglement.
Picking up that first point, if you ask a computer to choose a number between one and 10, it’s a struggle to make it do so in a way that is truly (or even effectively) random. The number generation function within computers is built on a sampling of the things within the machines themselves or using external services – meaning that they are all either local and deterministic, or remote and both probably deterministic but also public. In other words, if you knew the state of the machine and its inputs when you asked that question, you would know the random number it gave back or at least have a reasonably small and finite set of numbers to work through.
For nation states, governments, the military and businesses, this becomes a significant problem – if you can predict a random number by simulating the system that generated it, you can predict all of the cryptography downstream. Quantum technology has the potential to solve this problem since certain events at certain scales (i.e. those large enough) are effectively non-deterministic. Furthermore, the very act of intercepting and observing transmissions will affect them, meaning when “party A” and “party B” use entangled quantum phenomena to determine shared random numbers, any “eavesdropper” will change their value when they listen in – effectively decoupling the numbers from their original input.
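The predictability described above, as an added example that is not part of the original article: a token that looks like 64 random bits, but comes from a general-purpose generator seeded with the clock, carries only as much entropy as the uncertainty in that clock reading. The function names and the one-hour window are assumptions chosen for illustration.

```python
import math
import random
import secrets


def weak_token(seed: int) -> str:
    """64-bit token from a general-purpose PRNG seeded with a clock value."""
    return f"{random.Random(seed).getrandbits(64):016x}"


def strong_token() -> str:
    """64-bit token from the operating system's CSPRNG."""
    return secrets.token_hex(8)


def effective_bits(window_s: int) -> float:
    """Entropy actually present when the seed is a second within +/- window_s."""
    return math.log2(2 * window_s + 1)


def reproduce(token: str, approx_time: int, window_s: int):
    """Re-run the generator for every plausible seed; return the seed that matches."""
    for seed in range(approx_time - window_s, approx_time + window_s + 1):
        if weak_token(seed) == token:
            return seed
    return None
```

With a seed known to within half an hour either way, the 64-bit token has under 12 bits of real entropy, which is why keys and tokens should come from `secrets` or the OS generator rather than `random`.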
On the cryptanalytic side, QC’s potential impact is far less positive – and that is where businesses need to direct their concern.
All public key cryptography to date is based on something that is computationally relatively simple to do in one direction and much more difficult to reverse. For example, multiplying two large prime numbers together is easy. By comparison, factoring the product of two large prime numbers has – till now – been far more challenging, which is what the RSA algorithm of 1977 relied upon. Breakthroughs in QC are, however, dramatically simplifying these problems, and in this example would make factoring a computationally much less intensive and therefore far faster operation. This would mean that for every known public key in the world, the matching private key could be inferred relatively trivially when enough QC power becomes available.
With quantum computers capable of quickly cycling through prime number combinations, breaking keys in order to read the messages they hide becomes a matter of determination – an inevitability with the right amount and duration of attack on the cryptosystem. If you have been recording all the traffic that’s ever been transmitted using these keys, you can then go back and read everything once the cryptosystem is broken.
Using AI to rebuild your cryptography
Alarming a prospect as all of that is, we can’t worry about the threat of cryptanalysis on data that might already have been compromised. Instead, the focus must be on trying to secure the information that currently sits safely within our walls. And here, there are actions businesses can take both individually and by joining forces.
On the individual level, the first step businesses need to take to getting quantum-ready is to build their cryptography in a way that is modularized and changeable – allowing them to switch out compromised libraries as needed. If quantum computing broke a business’s cryptography tomorrow, for example, the task that would be involved in having to go through every piece of code, isolate the crypto parts and replace them would be nothing short of Herculean for many. We’re talking about millions of lines of code.
Instead, businesses need to do the factoring of their code now so that it becomes a relatively straightforward task to replace vulnerable libraries with new ones that perform the same function.
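One way to structure the modular, swappable cryptography described above, as an added sketch that is not from the original article: application code calls a single registry, every protected blob records which algorithm produced it, and a broken algorithm can be retired in one place. The class, method and algorithm-id names are hypothetical, and the standard library's HMAC variants stand in for whatever primitives (including post-quantum ones) an organization would actually register.

```python
import hashlib
import hmac
from typing import Callable, Dict, Set

MacFn = Callable[[bytes, bytes], bytes]  # (key, data) -> tag


class CryptoRegistry:
    """Single choke point: application code never names an algorithm."""

    def __init__(self) -> None:
        self._algs: Dict[str, MacFn] = {}
        self._retired: Set[str] = set()
        self.default = ""

    def register(self, alg_id: str, fn: MacFn, make_default: bool = False) -> None:
        if "$" in alg_id:
            raise ValueError("'$' is the field separator")
        self._algs[alg_id] = fn
        if make_default or not self.default:
            self.default = alg_id

    def retire(self, alg_id: str) -> None:
        """Stop accepting an algorithm once it is considered broken."""
        if alg_id == self.default:
            raise ValueError("choose a new default before retiring this one")
        self._retired.add(alg_id)

    def protect(self, key: bytes, message: bytes) -> bytes:
        alg = self.default.encode()
        # The tag covers the algorithm id, so the header cannot be swapped.
        tag = self._algs[self.default](key, alg + b"$" + message)
        return alg + b"$" + tag.hex().encode() + b"$" + message

    def verify(self, key: bytes, blob: bytes) -> bytes:
        alg, tag_hex, message = blob.split(b"$", 2)
        alg_id = alg.decode()
        # The header is untrusted input: only registered, non-retired ids pass.
        if alg_id not in self._algs or alg_id in self._retired:
            raise ValueError(f"algorithm not accepted: {alg_id}")
        expected = self._algs[alg_id](key, alg + b"$" + message).hex().encode()
        if not hmac.compare_digest(expected, tag_hex):
            raise ValueError("tag mismatch")
        return message

    def needs_migration(self, blob: bytes) -> bool:
        return blob.split(b"$", 1)[0].decode() != self.default


def build_registry() -> CryptoRegistry:
    reg = CryptoRegistry()
    reg.register("hmac-sha256", lambda k, d: hmac.new(k, d, hashlib.sha256).digest())
    return reg
```

Registering a replacement with `make_default=True` moves all new output to it, `needs_migration` finds stored blobs still on the old algorithm, and `retire` closes the downgrade path once they have been re-protected.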
Of course, that is far easier to state than it is to do – or at least, it would be, if AI wasn’t here to help.
Within any organization, code grows a bit like a coral reef – with different coders adding their own branches over time until no one remembers who wrote what, let alone what it says. Eventually, the tribal wisdom is lost and the code has gained a momentum and life of its own. This is where AI can step in.
When you get down to it, Large Language Models (LLMs) and Generative AI are great at reading and parsing language. And that is all coding really is, making these tools ideally suited to tackling and refactoring it. When directed towards old code (with work!), AI can refactor it, analyze it, tell you what the components did, and even assist with modularizing and commenting a new body of functionally equivalent code. Of course, this needs to be tested, but the task that was before Herculean now becomes tractable and a viable solve for externalizing where non-QC-resistant cryptography is in use and getting it ready for changing to QC-resistant options or other necessary updates.
This will also allow anybody in the future to read each discrete section of code and immediately understand what it does. In other words, businesses can use AI to gradually modularize and modernize their code, making it more maintainable and reducing their technical debt as they do so. Pro-tip, this is a great use of GenAI generally and not just for the QC use case; but that is perhaps the subject of a whole other paper or perhaps something for a startup or two out there to tackle.
Supporting the development of quantum resistant algorithms
Beyond our own walls, businesses and government institutions also have to support industry efforts to find the next set of quantum resistant algorithms that are easy to create, but hard to break, even with quantum cryptanalysis.
Some of these already exist, or are being found as we speak – but they remain either untested or in need of more testing and development. The only way the industry can have confidence in new algorithms is for them to be made public and then hammered rigorously over a sustained period. And this takes a truly cross-border, diverse effort by companies, universities, NGAs, governments and more, joining in public advancement, development and testing initiatives, collaborating on their findings, and sharing learnings.
All of which brings us nicely back to Davos – one of the most high-profile examples of businesses and world leaders coming together to discuss the world’s biggest issues. For all its threats and opportunities, QC is absolutely one such issue and needs therefore to remain a real point of industry discussion beyond last month’s conference. The situation is critical, but there are steps we can take to be QC-ready if we act now. I would encourage business leaders to start conversations about their own quantum-readiness as soon as they can. This isn’t some future problem – the data that will one day be broken by QC-enabled cryptanalysis is being encrypted right now and kept in storage ready for decryption sometime in the next couple of years.
Sam Curry
Sam Curry is VP CISO at Zscaler. With over three decades as an entrepreneur, information security expert and executive at companies including RSA, Arbor Networks, CA and McAfee, Sam is dedicated to empowering defenders in cyber conflict and fulfilling the promise of security, enabling a safe, reliable, connected world.