Building a quantum-safe future

Man and woman working at computers

As innovation has progressed through radio, the internet, Wi-Fi, smartphones, and the Internet of Things, we have consistently faced security concerns with each technological milestone. Every new and disruptive technology comes with both opportunities and challenges.

With AI, we are heeding this lesson from the past and proactively addressing the security challenges that will inevitably arise.

Yet while the AI revolution feels like the biggest innovation in a generation, scaled quantum computing is set to disrupt many aspects of technology again — and we must prepare for it now.

Quantum computing at scale has the potential to help solve many of the world’s most complex and pressing problems. Whether it’s addressing food sustainability, developing better batteries, or mitigating climate change via carbon capture, scientists will have unprecedented computing power at their disposal. This transformational computing power capable of driving so much societal good could also be used by bad actors looking to cause disruption and harm. By advancing our security capabilities to meet this moment, people and organizations can reap the profound benefits of quantum computing without succumbing to these threats.

Microsoft embarked on the road to quantum more than 20 years ago and is in a unique position to contribute to a quantum-safe future. The investments we have made in this emerging field help us to understand new risks it may introduce and how to mitigate them early and effectively.

How quantum computing could upend encryption

Today, most security systems in existing IT environments rely on public-key cryptography, which is used almost everywhere from messaging to transactions to securing data at rest. These cryptographic systems are based on mathematical problems that are difficult and time- consuming for classical computers but will be much easier and quicker for quantum computers to solve.

The strength of current cryptographic systems lies in the complexity of certain mathematical problems, one of which involves finding the factor of extraordinarily large numbers — a task that would take traditional computers millions of years to solve. This is the core principle behind the RSA algorithm that’s been in use since the 1970s. Systems using RSA today range from hardware devices such as smart cards and routers, to software applications such as web browsers and email clients. RSA is also used throughout the supply chain of these systems, from the manufacturing of components to the distribution of software updates.

Yet, the emergence of quantum computers has the potential to dramatically upset this balance. Using Shor’s algorithm, a quantum computer may be able to unravel these large-number factors in mere minutes, rendering RSA and similar asymmetric algorithms vulnerable. As we progress, algorithm agility, resiliency and flexibility will be needed to easily switch or combine cryptographic approaches — a process that will require significant financial investment, changes in existing infrastructure, and timely planning, execution and coordination across supply chains and ecosystems.

Scaled quantum machines are on the way

A quantum machine capable of running Shor’s algorithm will likely need more than a million stable qubits — thousands of times more than today’s quantum computers. These powerful scaled machines are on the way and responsible companies will ensure these quantum systems are not used by bad actors.

At Microsoft, our quantum machine will be delivered as a cloud service through Azure. Just as we do with other technologies, Microsoft will deploy technical and operational controls to ensure our quantum machine will not be used maliciously.

But not every quantum machine in the future will be protected in this way. Immediate risks, such as “Harvest Now, Decrypt Later” scenarios and the potential obsolescence of un-updatable IoT devices, already demand our attention. For these reasons, we must start preparing and acting now, because the transition to become quantum safe for most organizations will take time. That’s why we recommend organizations get ready today, which we explain in more detail below. The risk posed by quantum computers is not imminent nor insurmountable, but the transition to become quantum-safe for most organizations will be a significant undertaking.

Just over two decades ago, the Y2K challenge wasn’t insurmountable or unsolvable, but it took a huge, industry-wide effort to get ready for the change. Today cryptographic systems are spread all over the globe, and the distributed and interconnected services, products and platforms handling those systems means there is an immense threat surface that needs to be prepared and updated to become quantum resistant.

The global community is rallying around quantum-safe readiness

The security industry has been preparing for quantum computers and the associated risks to classical cryptography. Governments and the private sector are investing in research, development, and standardization of quantum-safe approaches such as post-quantum cryptography (PQC) algorithms and potential quantum technologies to strengthen security. As a first step toward PQC adoption, the U.S. National Institute for Standards and Technology (NIST) has been engaged in a years-long effort to solicit, evaluate and standardize quantum-resistant algorithms for broader adoption.

In Europe, the European Telecommunication Standards Institute (ETSI) is assessing quantum-safe cryptographic protocols and standards and their practical implementation. The International Organization for Standardization (ISO) is evaluating PQC algorithms and has established a technical committee to build collaboration on international standards for PQC.

Microsoft has been investing in PQC research, development, experimentation and collaborations since 2014, playing a role in the emergence of PQC and public standards globally. We are participating in SC27/WG2 international standards efforts and have been in close collaboration with NIST, supporting and contributing to their National Cybersecurity Center of Excellence project on Migration to Post-Quantum Cryptography, whose goal is to prepare organizations for the PQC transition.

Microsoft is a core member and supporter of the Open Quantum Safe (OQS) project, and we are leading the PQC working group for SAFECode, a global industry forum for business leaders and technical experts to advance industry standards and help organizations prepare for the PQC transition. We have also been focused on quantum technologies and their impact on security with dedicated research and development of tools.

As the ecosystem progresses, we continue to encourage industry and government to invest in the global adoption of harmonized cryptographic standards and additional quantum-safe measures to facilitate secure global trade in the future.

Quantum-safe across Microsoft’s ecosystem

Given Microsoft’s unique position and wide perspective developing both hardware and software — along with our experience from past efforts transitioning to new cryptographic algorithms — we know that the journey to achieve quantum safety will be a significant undertaking.

This will be an iterative and collaborative process, and we are committed to being a trusted partner across industry and government. Transparency and clarity will be key to success, and as we continue to make progress, we will share learnings and recommendations with the broader community.

One of the best ways for an organization to accelerate their quantum-safe readiness is to move to the hyperscale cloud, but not all our customers and partners are using the cloud. With this in mind, we are taking a comprehensive approach across our platforms and systems.

Today we are taking the necessary steps across our own portfolio and ecosystem to ensure our products and services remain secure against potential risks the technology continues to develop.

We have formed a group of experts from across the company to concentrate on this matter with constant input from regulators, industry partners, vendors and legal experts and research teams. We have also started efforts to create, test, and implement practical cryptographic solutions that can resist potential threats posed by quantum computers. We are deepening our knowledge of quantum-safe algorithms and mitigation options for various use cases, considering hybrid encryption schemes to accommodate adaptive updates in cryptography algorithms, creating a cryptographic inventory to identify vulnerable cryptography in our platforms and services, and developing a multi-phase roadmap to address gaps and prioritize crucial areas.

From the cloud to on-premises environments, we are assessing every piece of technology that connects to Microsoft. Our goal is to make this journey as simple and manageable as possible both for us and for our customers and partners.

The time to prepare is now — and Microsoft is here to help

It will take time to implement such sweeping changes, but the sooner you start, the safer you’ll be. It is essential to raise awareness and deepen all of our understanding of the risks — and to start now.

If you’re wondering where to begin, creating an inventory of critical data and cryptography technologies can reveal areas where cryptography is implemented incorrectly or in a way that’s unsuitable for its intended purposes. It is crucial to identify internal standards and processes and assess all options to update those cryptography protocols and libraries to mitigate potential risks.

Based on those inventories and assessments, we recommend prioritizing your systems and services based on criteria such as criticality, dependencies and cost. From there, develop a transition roadmap.

We are already helping several customers and partners, notably those in risk-sensitive industries, in their quest to be quantum-safe by providing resources and transition strategies. Yet, the urgency for all organizations to embark on this journey cannot be overstated. We encourage customers and partners to act now, and we’re here to support.

As quantum technology continues to advance and change the world, our commitment to the security of our products and customers has never been stronger. We are dedicated to minimizing the efforts required by our customers and partners to become quantum-safe, using our world-leading research and engineering teams to keep our products and services secure.

Related link:
Read more about how we build security into everything we build and deliver at Microsoft.

Tags: , , ,