Quantum computers pose an "urgent but manageable" threat to the security of modern communications systems, according to a report published Thursday by influential US RAND Corporation.
The non-profit think tank's report, "Securing Communications in the Quantum Computing Age: Managing the Risks to Encryption," urges the US government to act quickly because quantum code-breaking could be a thing in, say, 12-15 years.
"If adequate implementation of new security measures has not taken place by the time capable quantum computers are developed, it may become impossible to ensure secure authentication and communication privacy without major, disruptive changes," said Michael Vermeer, a RAND scientist and lead author of the report, in a statement.
Experts in the field of quantum computing like University of Texas at Austin computer scientist Scott Aaronson have proposed an even hazier timeline.
Noting that the quantum computers built by Google and IBM have been in the neighborhood of 50 to 100 quantum bits (qubits) and that running Shor's algorithm to break public key RSA cryptosystems would probably take several thousand logical qubits – meaning millions of physical qubits due to error correction – Aaronson recently opined, "I don’t think anyone is close to that, and we have no idea how long it will take."
But other boffins, like University of Chicago computer science professor Diana Franklin, have suggested Shor's algorithm might be a possibility in a decade and a half.
So even though quantum computing poses a theoretical threat to most current public-key cryptography – and less risk for lattice-based, symmetric, privacy key, post-quantum, and quantum cryptography – there's not much consensus about how and when this threat might manifest itself.
Nonetheless, the National Institute of Standards and Technology, the US government agency overseeing tech standards, has been pushing the development of quantum-resistant cryptography since at least 2016. Last year it winnowed a list of proposed post-quantum crypto (PQC) algorithms down to a field of 26 contenders.
The RAND report anticipates quantum computers capable of crypto-cracking will be functional by 2033, with the caveat that experts propose dates both before and after that. PQC algorithm standards should gel within the next five years, with adoption not expected until the mid-to-late 2030s, or later.
But the amount of time required for the US and the rest of the world to fully implement those protocols to mitigate the risk of quantum crypto cracking may take longer still. Note that the US government is still running COBOL applications on ancient mainframes.
"If adequate implementation of PQC has not taken place by the time capable quantum computers are developed, it may become impossible to ensure secure authentication and communication privacy without major, disruptive changes to our infrastructure," the report says.
RAND's report further notes that consumer lack of awareness and indifference to the issue means there will be no civic demand for change.
Hence, the report urges federal leadership to protect consumers, perhaps unaware that Congress is considering the EARN-IT Act, which critics characterize as an "all-out assault on encryption."
"If we act in time with appropriate policies, risk reduction measures, and a collective urgency to prepare for the threat, then we have an opportunity for a future communications infrastructure that is as safe as or more safe than the current status quo, despite overlapping cyber threats from conventional and quantum computers," the report concludes.
It's worth recalling that a 2017 National Academies of Sciences, Engineering, and Medicine report, "Global Health and the Future Role of the United States," urged the US to maintain its focus on global health security and to prepare for infectious disease threats.
That was the same year nonprofit PATH issued a pandemic prevention report urging the US government to "maintain its leadership position backed up by the necessary resources to ensure continued vigilance against emerging pandemic threats, both at home and abroad."
The federal government's reaction to COVID-19 is a testament to the impact of reports from external organizations. We can only hope that the threat of crypto-cracking quantum computers elicits a response that's at least as vigorous. ®