Banks Need a Hybrid Approach to Cryptography in Face of Quantum Threat

Execs from Barclays, IBM & Post-Quantum discuss why financial firms have to start preparing today for the future of hacking and quantum computing.

In early April this year, a curious incident took place. Internet traffic from over 200 of the world’s largest content delivery networks (CDNs) was redirected through Rostelecom, Russia’s state-owned telecoms provider.

The occurrence only lasted for about an hour, but it affected many large online providers such as Google, Facebook, Amazon, CloudFlare, and GoDaddy.

This was not the first such incident.

In April 2017, traffic from over a dozen financial services firms, including MasterCard, Visa and HSBC, was also redirected through Rostelecom. Countries including China, Belarus and Iceland have occasionally been involved in similar incidents, in which internet traffic was re-routed for short periods of time.

These kinds of occurrences are known as Border Gateway Protocol (BGP) hijackings. BGP is the routing protocol that maps out the connections for internet traffic. BGP hijacking is often the result of an innocent misconfiguration. But security experts worry that some of these re-routing occurrences have a more sinister motive lurking behind them.

“When we are trying to transmit data, if the protection is not high enough, people can still collect your data today, waiting to crack it tomorrow,” says Andersen Cheng, CEO at Post-Quantum, a firm focused on post-quantum security. “People used to think it is stupid, this will not happen. But I can tell you even in the last few years, there have been a number of very strange activities. From time to time we can see the entire internet traffic being diverted to some servers in Russia or in Eastern Europe.”

Cheng says certain countries are probably carrying out experiments or trials through such traffic rerouting, and are waiting for a time when the computing power arrives to be able to access the stored data. One way in which a malicious actor could decrypt this data in the future is with the help of quantum computers.

Recent advancements in quantum computing, including Google’s claim of achieving quantum supremacy last year, have drawn attention to the threat these machines could pose to current encryption schemes.

Lee Braine, director of research and engineering at Barclays, says there is a steady, incremental increase in power in quantum computing, so people are able to extrapolate and look forward to a point in the future when quantum computers would be scalable, and able to run complex algorithms on much greater numbers of reliable qubits.

“At that point, they could potentially be able to run Shor’s algorithm to factorize large numbers, which would be the tipping point for bad actors being able to crack existing classical cryptography,” he says.

Shor’s algorithm was invented in 1994 by Peter Shor at Bell Labs. His computational method for integer factorization showed, theoretically, how to use a quantum computer to break schemes for public key cryptography, which are widely used in many applications today.  

Which Data Needs Protection?

There are certain types of data, such as government communications or private medical records, that organizations must take extra care to prevent falling into the wrong hands.

However, Cheng, who was once JP Morgan’s European head of credit risk management, says for a financial services firm, not all types of data are top secret—for example, information related to the buying and selling of securities, which often can end up in the public domain.

Rather, he says, for a bank, it is customer or reference data that needs to be protected. Any leakage of this information could be very costly. Cheng says people who hold this data will treat even investors’ existence as a secret, including their relative holdings, transactions, how they conduct their business, and signature blocks.

“A hacker can go in, they know how it is done, and they can copy the signature and they can forge it,” he says.

Other types of data that need long-term protection include email communications, which regulators require to be kept for a certain number of years, and information related to mergers and acquisitions. As such, firms need to carefully examine the data they hold, and suss out any that needs long-term protection.  

Getting outside help could be one way to do this. This year, IBM introduced a quantum-safe cryptography service on its public cloud, which includes a risk assessment service to help firms understand what types of data need to be protected from quantum computers in the future.

“Our consultants go into a bank or to a government,” says an IBM spokesperson. “Some organizations have dozens and maybe even hundreds of different types of cryptography. You need to understand and assess what cryptography is at risk.”

After making its assessment, IBM informs the client which systems are holding data that needs to be protected for the longer term, say for 10 or 20 years.

“Then you look at those systems and then you look to migrate them potentially to something that is quantum-safe,” the spokesperson says.               
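The assessment described above, sketched as an added example (not IBM's tooling or code from the article): it parses TLS cipher-suite names from a constructed inventory, flags public-key key exchanges, and checks each system's protection period against the threat-timeline estimates quoted later in the article. The inventory format, system names and function names are assumptions.

```python
# Key-exchange tokens in TLS 1.2 suite names that are public-key schemes,
# the class of cryptography the article says Shor's algorithm threatens.
PUBLIC_KEY_KEX = {"RSA", "DH", "DHE", "ECDH", "ECDHE"}

# Threat-timeline estimates quoted in the article, in years from now.
HORIZONS = (5, 10, 15, 30)


def parse_suite(name):
    """Split an IANA-style TLS cipher-suite name into (key exchange, bulk cipher)."""
    body = name[4:] if name.startswith("TLS_") else name
    if "_WITH_" not in body:
        # TLS 1.3 names list only cipher and hash; key exchange is negotiated separately.
        return None, body
    left, cipher = body.split("_WITH_", 1)
    return left.split("_")[0], cipher


def assess(system, suite, protect_years):
    """List the horizons at which traffic recorded today would still be sensitive
    once a machine able to break the key exchange exists."""
    kex, _cipher = parse_suite(suite)
    if kex is None:
        # The name alone does not reveal the key exchange: needs manual review.
        return {"system": system, "status": "review", "exposed_at": []}
    if kex not in PUBLIC_KEY_KEX:
        return {"system": system, "status": "not-public-key", "exposed_at": []}
    hits = [h for h in HORIZONS if protect_years >= h]
    return {"system": system, "status": "public-key", "exposed_at": hits}


def triage(inventory):
    """Assess every record; longest-exposed systems first, then items needing review."""
    rows = [assess(*record) for record in inventory]
    return sorted(rows, key=lambda r: (-len(r["exposed_at"]),
                                       r["status"] != "review", r["system"]))


# Constructed sample inventory: (system, negotiated suite, years data must stay secret).
INVENTORY = [
    ("payments-gateway", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", 7),
    ("client-reference-data", "TLS_RSA_WITH_AES_128_CBC_SHA", 20),
    ("email-archive", "TLS_AES_256_GCM_SHA384", 10),
    ("branch-vpn", "TLS_PSK_WITH_AES_256_GCM_SHA384", 20),
]

if __name__ == "__main__":
    for row in triage(INVENTORY):
        print(row)
```

Systems that stay exposed under the later estimates hold the data with the longest protection requirement and are the first candidates for migration.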

The Encryption Landscape

Not all cryptography is broken by quantum computers, however, says Vadim Lyubashevsky, a cryptographer at IBM. There are two main types of cryptography currently used by classical computers: symmetric and asymmetric.

In symmetric encryption, the same key is used to encrypt and decrypt data. In asymmetric encryption, different keys are used: a public key, which can be shared without compromising security, to encrypt the data, and a private key to decrypt it. Asymmetric encryption is more commonly referred to as public key encryption.

Symmetric key cryptography such as the Advanced Encryption Standard (AES), which is used by the US government, is not broken by quantum computers.

“The only problem was the public key encryption, so that is what we are dealing with,” Lyubashevsky says.

Building an algorithm is only part of the journey to becoming quantum-safe. Lyubashevsky says it will be interesting to see at which point people completely trust a new scheme from IBM. “Very similar things happened with RSA and elliptic curves,” he says.  

Rivest–Shamir–Adleman (RSA) is the public key encryption scheme that is currently widely used. It was introduced in the late 1970s, and has since become a global standard. In the 1980s, a new approach known as elliptic curve cryptography was introduced. Lyubashevsky says there was hesitation in adopting the new system due to the wider use of RSA by that stage. 

“Now, 20 years have gone by since then and people completely trust elliptic curves, so RSA is being almost phased out,” Lyubashevsky says. “Maybe similar things will happen [with quantum-safe cryptography]; there will be some standards three years from now, and then we’ll see what actually gets used.”  

The Road to Standardization

Moving over to a new encryption scheme will be a slow process. The National Institute of Standards and Technology (NIST) in the US is currently running a project to standardize post-quantum cryptography. IBM is among the candidates to have submitted their algorithm to NIST for consideration.

“The most important thing about cryptography is you want a lot of eyes to look at the implementation, look at the hard problems just to sort of be somewhat sure that it really is secure,” Lyubashevsky says.

There are a number of categories within the project for candidates to submit their algorithms. These include lattice, code-based, hash-based, multivariate and supersingular elliptic curve isogeny.

IBM has developed a lattice-based method for cryptography, which hides data inside complex math problems called lattices. Lyubashevsky says the encryption they have developed is fast and flexible.

Many banks and asset managers are waiting for standards to emerge before they can more fully explore these types of encryption.

“Once this becomes closer to the standard, we will see probably a lot more interest,” says a source from IBM. “A lot of clients are waiting for the NIST decision.”

The spokesperson at IBM says the banking industry can “begin to look at this technology and look at potentially doing some pilot projects with it. They don’t necessarily need to wait for it to become a standard, they can already begin to do some more pilots to understand how this is going to change their encryption schemes. Also, it helps them understand how agile they are in terms of their cryptography as well.”

Even so, there is concern about fragmentation when it comes to this type of security. Braine from Barclays says that although firms could explore candidate solutions, and maybe even promote them to live environments, there is a risk that these would not become the industry standard, which would arrive later and potentially replace those candidate solutions.

“What you do not want is different parties using different approaches and algorithms because we really need to encrypt and decrypt using the same techniques across the industry. So encryption standards are incredibly important. Many parties are highlighting the NIST initiative that is working through candidate algorithms and producing recommendations and draft standards—this will provide useful input for financial institutions considering which specific algorithms should actually be deployed,” Braine says.

Post-Quantum also submitted its algorithm for consideration to NIST. Cheng says the submission is one of seven currently left in the code-based category.

“We are in the code-based category, which is the most important and we know for sure that they are going to pick one candidate from here for standardization,” Cheng says.

Quantum Ready, Quantum Safe

For the past three years, Cheng has been promoting the concept of hybridization, also known as crypto-agility.  

Cheng says if he went to the chief information officer of a bank and offered his product, he would likely get a “no.” However, if he instead offered RSA encryption wrapped around a quantum-safe adapter, it would be easier for the bank to embrace the new technology.   

Cheng says there is a difference between being quantum-ready and quantum-safe. He says being quantum-ready is somewhere between the current protocol, which is not future-proof, and being quantum-safe.   

“We are offering quantum-ready solutions, because some of our customers just want the elliptic curve for the time being, but then be switchable to become quantum-safe later,” Cheng says.

He says when the time comes to switch to being quantum-safe, his firm knows exactly what to swap out and what to swap in.

“For us to go from being quantum-ready to quantum-safe, it will just be a matter of a few hours,” Cheng says. “Then, two [to] three days to do testing, and then the entire thing will become quantum-safe. I do believe this has to be the way forward for anyone who has data to worry about, especially in the asset management business where a lot of the systems are very outdated now.”

Lyubashevsky from IBM also talks about taking a hybrid approach. “As long as you’re not becoming weaker, you can, for example, always combine whatever is used now, [such as] RSA; you could use it together with anything you want and it would still be standardized because RSA is secure,” he says. “You can sort of put it together with whatever you want, and hopefully it achieves even more security, but it’s definitely not less secure than something standard.”

Timeline to Quantum Threat

The timeline of the threat from quantum computers is open to debate. Braine says that while some feel it could be as soon as five years from now, the consensus tends to be around 10 to 15 years. Some even say that it may take as long as 30 years.

“My observation has been that the estimates tend to depend on the background of the people, including how closely they’re engaged in not only the theory of constructing the algorithms but also the practicality of actually building the hardware,” Braine says.

Vikram Bakshi, developer in the research and engineering team at Barclays, says that to be able to construct a quantum computer capable of running Shor’s algorithm on a larger scale, many logical qubits are needed. For example, a few thousand logical qubits with long coherence times and extremely low error rates would be needed. In order to construct each logical qubit, probably around 1,000 physical qubits are needed to implement the necessary error correction. A quantum computer would probably need a total of a few million physical qubits.  

“At the moment, if you look at general purpose quantum computing, some of the latest systems have about 50 to 70 qubits, and perhaps upcoming systems will have double that number in another nine months, and so on. At that rate, it’s going to take a long time to reach over a million physical qubits,” Bakshi says.

“There are some deep engineering challenges that need to be solved in terms of scalability during that time, hence some researchers are emphasizing that there will need to be some significant breakthroughs in the coming years in order to reach the scale that would be necessary to run Shor’s algorithm on large numbers,” Bakshi says.

For the time being, Barclays is busy getting quantum-ready. This has involved the bank connecting with multiple vendors to get their opinions, installing and running some software packages, and performing architectural reviews of third-party initiatives. The bank also produced internal session papers to increase awareness of the potential future threat.

One of the firms that has gone through the Barclays Accelerator program is Post-Quantum, with the bank’s CTO performing a deep dive review of the vendor’s technology.

It’s not just that the algorithms need to be good. Bakshi says the implementations of those algorithms must be bulletproof too.

“We have not yet explored one of the topics that NIST has been discussing, which is combining algorithms from different categories in order to construct more resilient solutions such that, if one of those algorithms or categories gets cracked in the future, you could potentially rely on the other algorithm,” Bakshi says. “That is a promising avenue that we intend to research in future.”

Bursting the Blockchain Bubble  

Another area of concern is financial institutions’ investment in blockchain technology, with the fear that it has exposed them to the risk of being hacked with quantum computers in the future.

Barclays has explored, partly via the R3 consortium, the benefits of a blockchain solution that couldn’t someday be cracked by a quantum computer. Braine says that could mean the security of assets stored on a distributed ledger could be potentially guaranteed for a much longer period. He says R3 has already published a post-quantum signature algorithm tailored to blockchains.

“One of the things we have come to appreciate in the blockchain space is that, the more you decouple the messaging and storage functionality from the cryptography, the easier it should become to ‘plug and play’ different cryptographic algorithms, making it simpler to be able to upgrade in the future,” Braine says. “This is important because if we hypothesize that one of the quantum resistant algorithms recommended as a standard could subsequently be cracked in future, you could more easily switch to an alternative algorithm at that time.”

Braine says blockchain technology is no more at risk than existing classical solutions of being cracked by bad actors using quantum computers. “The key point is that, at some point in future, it will be necessary for both existing centralized solutions and distributed blockchain solutions to upgrade,” he says.

Although standards are still some years away, financial institutions need to start examining their data now and make sure it is not being compromised by occurrences such as BGP hijacking and stored by bad actors to crack later. They should adopt good data practices, and perhaps also start exploring the algorithms that are being developed and testing hybrid-encryption products. After all, just because a hacker can’t do something malicious with stolen information today doesn’t mean that will always be the case.
