www.pwc.ru Information Security in the Age of Quantum Technologies
Algorithms that enable a quantum computer to reduce the time for password generation and data decryption to several hours or even minutes have already been developed. Cyber Security: The Quantum Threat Rapid technological progress has created a new business reality, the digital economy. Nowadays companies largely interact with each other and their partners and customers via digital channels that send and receive data. The issue of digital trust therefore arises. How can you ensure that sensitive data and information is secure and your company can be trusted digitally? Eighty-three percent of Russian CEOs believe that a cyber security breach would have negative consequences on confidence in their business. 1 At PwC, we believe that emerging technologies can both undermine consumer trust fostered over many years in companies, products and services as well as taking those levels of trust to new, previously unattainable levels. Quantum technologies are a perfect illustration of this dichotomy. Information security techniques currently employed by Russian companies rely upon data encryption and password-protected access. Thus, to obtain confidential information, a cyber-criminal needs either to intercept the password or solve a complex mathematical problem to guess the password (i.e. break the encryption), a time-consuming process even for modern classical computers. However new types of computers are currently being developed that leverage the computational power of quantum physics. These are quantum computers. One of their strengths is a much stronger capacity to perform parallel computations compared to classical computers. Algorithms 2 that enable a quantum computer to reduce the time for password generation and data decryption to several hours or even minutes have already been developed. Quantum computer development is progressing at a faster pace than expected. Alongside the successful initiatives of IBM and Google, research teams from Harvard and the University of Maryland have almost simultaneously implemented two new 51- and 53-qubit quantum computing systems. 3 Breaks of the RSA cryptosystem in recent years using conventional computation 4 Key length (bits) Log scale 2048 1024 512 Extrapolation suggests that 2048-bit keys could be safe from conventional attack for some time, but quantum computers using Shor s Algorithm + sufficient memory could make the trend exponential. Risk from quantum computing 256 Key lengths broken by conventional computing architectures in recent years 1995 2000 2005 2010 2015 2020 Years broken 1 PwC 20th Russian CEO Survey, 2017 2 Shor s and Grover s algorithms. 3 https://www.forbes.com/sites/jasonbloomberg/2017/08/11/this-is-why-quantum-computing-is-more-dangerous-than-you-realize. 4 ETSI. Quantum Safe Cryptography and Security: an introduction, benefits, enablers and challenges. ISBN 979-10-92620-03-0
Should Russian businesses be doing more to protect their data from the threat posed by Quantum Computing? PwC and the Russian Quantum Centre (RQC) believe they should for the following reasons: A rapid transition to new information security technologies, tools and methodologies is unrealistic because it requires significant infrastructural, cultural and procedural change, as well as funding. Transformation takes time and money. Cyber criminals are already capable of intercepting encrypted and strategically important confidential information and storing it. As quantum computing develops and becomes commercially viable they will be able to access and use quantum assets to break the encryption protecting this data. Quantum Computing the threat and the solution: there are two quantum enabled approaches to ensuring digital asset protection from the threats posed by quantum computers Information security guaranteed by the laws of physics Quantum key distribution Quantum key Encrypted data GOST* encryption Quantum channel Encrypted data Open communication channel Quantum key distribution GOST decryption Quantum key Quantum cryptography aims to protect the information transferred between individual users or data sources within one network. The primary objective is to prevent its interception and therefore avoid any subsequent decryption. Quantum cryptography uses a complex key sent from the sender to the recipient via photons, which are elementary particles of light. The integrity of the anti-interception security is complete since even the most sensitive intercepting device would inevitably change the photon s state. Therefore, whenever you try to eavesdrop on the information transmitted via a quantum channel, you will corrupt the message and be detected instantly. A safely transmitted key can then be used to encrypt information transferred along existing data channels. In the age of quantum computers, quantum cryptography will ensure long-term data protection. This technology does not require new infrastructure and can work via existing optical fibre lines, and it is compatible with the encryption devices currently in use. Such hardware solutions have been implemented and tested by RQC in Russia and are operational. However, there are a number of nuances that need to be taken into account when implementing this technology. For example, at the current development stage, there are certain limitations on key transmission distances (50-100 km) and generation time. To work, a dedicated optic fibre without amplifiers and repeaters is necessary. This, coupled with a relatively high cost, has so far made it difficult to apply this technology to ensure the end-to-end protection of all corporate data. It is therefore reasonable to focus on the most critical data. A new generation of mathematical algorithms Post-quantum cryptography puts forth new encryption algorithms that are hard to crack both for classic and quantum computers. The field of post-quantum cryptography is currently focused on R&D activities to develop such algorithms, verify existing solutions and test concepts and pilots. However, there are so far no unified and battle-proven standards for post-quantum encryption in the market. It is probable that given the pace of development of quantum technologies, the selected algorithm would no longer ensure the required level of protection and it would have to be replaced. That is why it is crucial to select an optimum algorithm at the very beginning of the project. Another nuance of post-quantum encryption is the high-level specifications for computational resources. On the one hand, these algorithms can be rolled out in almost any code, while on the other hand, the greater the volume of data to be protected, the more computational capacity it will take. * GOST Russian National Standards
Which quantum data protection technology should I choose? Quantum and post-quantum cryptography methods have their pros and cons. To select an optimal solution for a specific organisation, PwC and RQC have developed an approach combining global information security best practices and knowledge, and the experience of Russia s top quantum data protection solutions developer. Our approach consists of five steps: 1. Diagnostics The advent of the quantum computer enabling the decryption of data protected by classic encryption algorithms will affect market participants differently. We assess the business impact by analysing the technologies and infrastructure your company uses as well as the assets you wish to protect. 3. Pilot project In order to implement the data protection tools selected and establish appropriate quantum and post-quantum encryption solutions within your infrastructure, we suggest to start with a pilot project. Based on the pilot results, the proposed solutions and action plan can be modified and tailored to better fit an organisations need 5. Action plan update Enhancing data protection systems with quantum technologies is a continuous process. It is important to be informed on the latest developments in the field and to update your action plan accordingly. We suggest that your action plan is revised every six months. 1. Diagnostics 2. Action plan 3. Pilot project 4. Rollout 5. Action plan update 2. Action plan Based on the results of the diagnostic phase, we offer actions to modernise cryptographic tools in terms of cost efficiency and performance. The action plan will include suggestions on which means of data protection you could select, the order of implementation and cost estimation. 4. Rollout This step includes rolling out a successful solution (as tested and refined during the pilot) across the entire organisation to protect critical information. The rollout will scale the implemented technology to its full capacity in order to protect your company s most critical assets.
Quantum technologies have a much stronger capacity for parallel computations compared to classic computers. Algorithms that enable a quantum computer to reduce the time for password generation and data decryption to several hours or even minutes have already been developed. This increases the risk that quantum computers can be used to break encryptions allowing access to, and misuse of, sensitive data. Russia s first quantum communication line and the world s first quantum secured blockchain Office No. 1, 7, Koroviy val On 31 May 2016, Russia s first experimental and operational protected quantum communication line was commissioned and the first cryptographic data transfer was made along the 30-kilometre commercial line between two Gazprombank office buildings in Moscow. The Ministry of Education and Science of the Russian Federation is supporting the project. Investment in the project amounted to RUB 450 million. In 2017, the world s first experimental quantum blockchain technology was tested. Gazprombank is planning to use quantum communications in its daily operations. Office No. 2, 63, Novocheryomushkinskaya A quantum network project for interbank data transfers Bank 1 Bank 1 Intrabank networks Bank 1 Bank 3 Bank 2 Bank 2 Bank 3 Bank 3 Bank 3 In July 2017, it was decided to establish a quantum network to transfer interbank data. This project entails implementing quantum key distribution technology and a dedicated network protocol stack. This solution will enable communication through secure channels between various organisations. The plan is to set up quantum networks within specific organisations and between them. The time line for the project is three years. Interbank networks Joint development of quantum information security systems PwC and RQC signed a cooperation agreement at the 21st St Petersburg International Economic Forum. RQC's knowledge and leadership in quantum technology and PwC's best practices in cybersecurity will enable the joint development of unique solutions based on new quantum technologies to ensure unprecedented data protection and cybersecurity levels.
Our contacts We will gladly answer any questions about using quantum technology for information security purposes. PwC RQC Igor Lotakov Managing Partner PwC Russia + 7 (495) 967 6023 igor.lotakov@ru.pwc.com Ruslan Yunusov CEO Russian Quantum Center (RQC) +7 (495) 280 1291 ry@rqc.ru Tim Clough Technology Leader PwC Russia + 7 (495) 967 6018 tim.clough@ru.pwc.com Yuri Kurochkin Project Leader Russian Quantum Center (RQC) +7 (926) 275 8856 yk@rqc.ru Victor Morozov Director Risk assurance PwC Russia + 7 (903) 961 2665 victor.morozov@ru.pwc.com Aleksey Fedorov Group Leader Russian Quantum Center (RQC) +7 (916) 297 0977 akf@rqc.ru At PwC, our purpose is to build trust in society and solve important problems. We re a network of firms in 157 countries with more than 223,000 people who are committed to delivering quality in assurance, advisory and tax services. Find out more and tell us what matters to you by visiting us at www.pwc.com. PwC refers to the PwC network and/or one or more of its member firms, each of which is a separate legal entity. Please see www.pwc.com/structure for further details. 2017 PwC. All rights reserved.