Quantum computers: cyber-security threats for the banking and financial sector

By Elisabetta Zaccaria, Chairman, Secure Chorus

Secure Chorus Chairman Elisabetta Zaccaria discusses the risk posed by quantum computers to information security in the banking and financial sector, and explains how current encryption methods need to be upgraded with ‘quantum-safe’ equivalents.

Quantum related technologies have the potential to massively disrupt financial services industry, in terms of the opportunities that such computing power will enable. However, with these opportunities also come information security threats, as current encryption methods become simpler  to break.

While quantum computers won’t become mainstream until around 2025, the banking and wider financial sector that process sensitive data and are required to archive data over long time-frames (up to a decade or more), need to start planning for a post-quantum computing world. Quantum computers represent such an advance in computational power that they have the potential to expose the financial sector to systemic breaches of existing security measures. Such developments could be disastrous for the financial sector if they are not properly anticipated and managed.

The main difference between currently deployed (so-called ‘classic’) computers and quantum computers is that classic computers operate on ‘Bits’ (zero or one), while quantum computers make use of a quantum-mechanical phenomenon that represents data as ‘Qubits’ (zero, one, or a little bit of both). A set of Qubits can represent exponentially more values than their ‘Bit’ counterparts, allowing them to interact and deliver computation and algorithm solving rates several orders of magnitude faster than with today’s more conventional technology.

Elisabetta Zaccaria
Elisabetta Zaccaria

Quantum-related technologies have the potential to massively disrupt the financial services industry: in algorithmic trading, fraud detection, and encryption and transaction security. But, in the wrong hands, quantum computers will also be able to break, or significantly weaken the public key encryption that protects the majority  of the data, software updates and technology now in use. It is expected that this will be achievable in the next 5-10 years. This means there is now a pressing need to develop public key encryption capable of resisting such quantum attacks. Lack of quantum-safe public key encryption could result in a systemic failure of the current banking and financial sector approach to information security, while exposing large volumes of high-value data.

The significance of the problem for the financial sector cannot be overestimated. Today, fraud linked to online banking as well as e-commerce transaction is an ever-growing issue in the classic computing world. In the future, quantum computers, with their ability to break current public key cryptography, may push on-line fraud from what is currently a manageable problem to subjecting the financial sector to systemic breach scenarios.

Recent fintech innovations are also at risk. Many blockchain-based technologies rely on the Elliptic Curve Digital Signature Algorithm (ECDSA): an algorithm that is not currently ‘quantum safe’. This places the burgeoning cryptocurrency markets at risk, as quantum computers will in all probability break the underlying cryptography at the core of these technologies, leading to cyber bank robberies of a previously unseen magnitude.

One method of developing quantum-safe public key cryptography is the deployment of a new set of public key cryptosystems for classic computers capable of resisting quantum computer attack. These cryptosystems are called ‘quantum-safe’ or ‘post-quantum cryptography’. The principle behind them is the use of mathematical problems of a complexity beyond quantum computing’s ability to solve them. The information security industry currently recognises five types of cryptosystems as promising replacement candidates for current cryptography. These are: hash-based, code-based, lattice-based, multivariate-based and supersingular isogeny-based. International standards bodies, including the National Institute of Standards and Technology (NIST), are currently in the process of conducting more analysis and research before they can go forward on determining which of these to adopt.

Secure Chorus is a not-for-profit membership organisation providing thought leadership, common interoperability standards and tangible capabilities for the information security industry. We recently collaborated with our partner member, ISARA Corporation, to produce a white paper about post-quantum cryptography.ISARA Corporation, a leader in post-quantum cryptography, is committed to the collaborative development of quantum-safe standards at the European Telecommunications Standards Institute (ETSI). ISARA,is also working with Secure Chorus, to evolve Secure Chorus’ cryptography standard of choice – MIKEY-SAKKE ­– to become quantum-safe.

Entitled ‘The Quantum Revolution: Security Implications and Considerations’, the paper provides a framework for assessing if and when organisations need to start working on protecting themselves against the threat posed by quantum computers. It also addresses the key considerations an organisation needs to take into account when migrating to a new cryptography standard. The paper introduces the MIKEY-SAKKE identity-based public key open cryptography standard, and explains that this cryptography standard, if made quantum safe, would continue to offer its unique combination of benefits for the financial sector.

MIKEY-SAKKE identity-based public key cryptography provides for end-to-end encryption and can be used in a variety of environments, both at rest (e.g. storage) and in transmission (e.g. network systems). Designed to be centrally managed, it gives financial institutions full control of system security as well as the ability to comply with any auditing requirements, through a managed and logged process. Additional benefits include scale and flexibility.

MIKEY-SAKKE has been developed by the UK government’s National Technical Authority for Information Assurance (CESG), which advises on how to protect information and information systems against today’s threats. CESG is now part of the National Cyber Security Centre (NCSC) and a government member of Secure Chorus. MIKEY-SAKKE was standardised by the Internet Engineering Task Force (IEFT). It has also recently been approved by the 3rd Generation Partnership Project (3GPP), the body responsible for standardising mobile communications for use in critical applications,hence receiving endorsement at global level for its innovative approach to public key cryptography. MIKEY-SAKKE is the Secure Chorus open cryptography standard of choice for its work on interoperability standards for its members’ information security products.

While it is likely to be a decade before quantum computing starts to significantly affect the financial services industry, the potential impact of this technology means that banking and financial sector must begin to prepare for its arrival now. In security terms, this should be done through quantum risk assessments as well as investment in well-recognised and endorsed quantum-safe public-key cryptography.

This article is based on a new white paper entitled ‘The Quantum Revolution: Security Implications and Considerations’ co-authored by Secure Chorus and the ISARA Corporation.

To download your free copy go to the Secure Chorus website www.securechorus.org