[000:00:35] Tom Garrison: Hi, and welcome to the Cyber Security Inside podcast. I’m your host, Tom Garrison. And with me is my co-host Camille Morhardt.
[000:00:43] Camille Morhardt: Hi Tom.
[000:00:44] Tom Garrison: Well, today we’re embarking on a topic where we’ve sort of touched on a few times, but not really in depth. And that’s quantum computing and post quantum computing. And how do we build in security capabilities that are going to be able to withstand the onslaught of quantum computers, trying to hammer them in the future?
[000:01:07] Camille Morhardt: We’re right in the middle of this massive problem that we all know is coming. And yet it’s very difficult to really understand the underlying algorithms and things that may pull us out of it, but we all have to understand what the implications are and the various kinds of defenses we can use today to help start to protect ourselves. And this is an interesting conversation about that.
[000:01:34] Tom Garrison: Yeah. And some point, not in this episode, but at some point, hopefully we get an even better understanding of what does quantum computing even actually mean. I understand how transistors work and the logic that I learned when I was in school, but man, this stuff is just mind bending, but our guest does a very good job of talking about the implications of quantum computing and what we need to do to stay safe. So what do you say we get into it?
[000:02:03] Camille Morhardt: Love it.
[000:02:10] Tom Garrison: Our guest today is Michele Mosca. He is co-founder, president and CEO of evolutionQ and co-founder of the Institute of Quantum Computing at the University of Waterloo. Welcome to the podcast, Michele.
[000:02:24] Michele Mosca: Yeah. Thanks. Great to be here, Tom.
[000:02:27] Tom Garrison: I think it would be great to start with a topic like quantum computing because we’ve all heard about it, but I don’t think a lot of people really understand what it is. Do you have maybe a layman’s definition of what quantum computing is?
[000:02:45] Michele Mosca: Yeah. So just first a caution that quantum people mean many different things often when they say quantum or quantum computing and it’s based on quantum physics, which is just sort of a new set of rules in which we articulate and develop physical theories and it has implications for all sorts of things. If you look at the implications of quantum physics for information, it means any system that can store a zero or a one. That bit, if you really fully describe it in this quantum mechanical language that’s been developed for over a century, it’s a lot more complicated than just a zero and a one. And if you have several bits is even more complicated, but we as users don’t need to worry about that. What it means is there’s this sort of exponential richness in the bits that are lying inside a quantum computer and our job is to try to see how we can benefit from that.
So maybe another way to look at it if you try to describe a quantum computer, again, what is it? It’s a box with some stuff inside. You send in some inputs, you get some outputs, right? For most people, that’s what a computer is. And inside of course, under the hood, there’s some bits which you send instructions to. They do something and you get an answer back. So it’s really like a computer, except we’re somehow benefiting from those quantum mechanical properties. And if you try to simulate that with a regular computer, it gets exponentially completely insurmountable with even just a few hundred bits.
And so what Feynman tried in the 80s was to say, “What if we turned lemons into lemonade? What if we built such a device? Then it can solve certain problems that would be impossible to solve on a regular computer.” But that’s what quantum computing’s all about is actually building these computers and then finding really useful applications for them.
[000:04:38] Tom Garrison: And so are there types of problems that are well suited for quantum computers?
[000:04:44] Michele Mosca: That’s sort of the billion or maybe trillion dollar question that we’ve been pursuing for over 20 years now and we’re starting to get some insights into it. I think I would caution anyone who thinks we have all the answers that we’re almost certainly wrong. It’s like asking in the 50s and 60s, do we know what computers are going to be good for, or in the 80s and 90s, what’s the internet going to be good for? So we have some ideas.
One is building on Feynman’s original idea is you can use a quantum computer to really efficiently simulate other physical systems with quantum properties. So maybe we can design new next generation materials, new substrates for the technologies you develop at Intel or materials for capturing energy or transporting energy and so on or new drugs. If you want to design a new material, those sorts of properties that are possible, you can easily define trillions and trillions and trillions of different configurations of atoms, right? And then you wonder, does this have the properties I want? You can’t synthesize and test trillions of materials. So you want to simulate them on a computer and have a good guess as to what their properties might be. And then you implement a short list of these things. But a quantum computer, again, it’s not a magic box, but it gives us a really a good fighting chance at simulating and answering questions about these materials we are interested in potentially synthesizing.
Then there’s other problems, which aren’t so blatantly quantum in nature, but there’s an array of optimization problems that we continue to explore where you want to optimally allocate resources. Can quantum help with those? In some cases, yes. Again, the point is not that it’s a faster processor, it’s that if you explore it in a quantum mechanical way, you can actually get the answer with vastly fewer steps. So instead of trillions and trillions of steps, you can get that answer with thousands of steps. So we’re really trying to do fewer of these quantum operations to get some answer.
[000:06:53] Camille Morhardt: Is there a type of compute that we already know quantum would not be good at?
[000:06:59] Michele Mosca: Proofs of impossibility are super hard. There are things where we kind of at least don’t think they’re going to be tremendously good at. And that’s for example, just mundane in a sense of just processing vast amounts of data bit by bit, right, because looking up classical information and loading it into a quantum computer, there doesn’t seem to be a free lunch there. A lot of the basic tasks that we do day to day, we’re not aware of a quantum speedup. In fact, one might argue for most things, we’re not aware of a quantum speed up, but the point is for some really, really important things, there’s an immense potential quantum speed up.
[000:07:39] Tom Garrison: I’ve heard it described before that quantum computers, they don’t do things sequentially. They basically do them all at the same time. And so instead of doing step one, two, three, four, five or something like that, they do one through five, but at the same time. Is that a fair way to think about quantum computing?
[000:08:02] Michele Mosca: So yes and no. So it’s a very quantum answer.
[000:08:06] Camille Morhardt: Yes and no and everything in between.
[000:08:07] Michele Mosca: Yeah, and everything in between. That’s true. So remember I talked about the trillions of configurations of molecules or materials where you kind of want to test them all, see which ones might have the properties you’re looking for? So classically you could have one serial processor go through them one at a time, or you could have thousands of processors going through them in parallel. But if you want to test a trillion configurations, you have to one way or another compute a trillion things, right.
What one quantum computer could do, it can kind of embody all trillion or more of those configurations and calculate their properties all at the same time. Right. But there’s a tremendous caution there in that if you have a thousand processors calculating all these properties, you actually have all that information sitting there of all the different thousand configurations. You’re not going to have a trillion processors. Right. But with the quantum parallelism, where in theory you have these trillions of different configurations sitting there in this one quantum computer, you don’t get full access. It’s not like having a trillion classical computers in parallel. So it’s somewhere in between as Camille kind of is hinting at.
So in some sense, you’re getting a little taste of all these trillions of different computational paths in parallel, but you don’t get the full meal deal. You don’t get all the information out. I sometimes call it seeing the forest but not looking at the trees. So you can start to extract some sort of global properties of these trillions of configurations without actually learning much or anything about any specific one. Of course, over time, you’d like to finally converge to one good one, but it’s a really difficult art. How do I somehow interfere all these different combinations and extract a property that I care about?
So let’s just suppose this is not just an applying material design, but let’s say I have these trillions of different configurations, a first one, a second one, a third one. I could enumerate them. I could compute them all in parallel or serially, but there’s a pattern. At some point, these bit patterns, these pictures, let’s say these are pictures, they start to repeat. That repetition rate, the period after which this pattern starts to repeat, that’s a global property. I don’t care what these billion images are, but I just want to know when does it start to repeat. Quantumly you can really, with one glimpse, determine that global pattern, that periodicity. That’s one property where quantum is absolutely amazing at, right. So it’s not good at all sorts of other pattern recognition problems, but that’s one kind of pattern that it’s actually just almost built for.
[000:10:46] Tom Garrison: Right. That’s why I think there’s a lot of interest in quantum computing and its relation to security because in security we use cryptography and cryptography has keys and we want to keep those keys safe. And so can you talk a bit more about the direct link to security and quantum computing?
[000:11:11] Michele Mosca: When you use something like RSA cryptography or elliptic curve cryptography, which we use every day when we use our smartphones on the internet, use a browser, HTTPS. There’s a key agreement that’s happening there. If you do an RSA type key agreement, you encrypt one number with RSA, with a fixed RSA key and another number with a fixed RSA public key and so on. Eventually it actually starts to repeat. Now these are astronomically large numbers, so large that classically we don’t really have practical means to ever see that period with RSA. But if you could find that period, you could actually break the RSA keys. You could find the private keys associated with that public key. And that’s good for key agreement. You can also use the same methods for signatures. And you might think, “oh, but surely I could go to a bigger RSA key.” No you can’t because normally where we’re used to like if some smart mathematician figures out a better way to factor, which people have in the 80s and 90s, you’re like, “okay, well I’ll add 10 more bits, a few more bits to my RSA keys or maybe double them” because with RSA, if you had a handful of bits, you double the work an attacker has to do. But with a quantum attack, it’s almost even. The attacker has to do about as much work as the person using the encryption scheme. So you can’t just go to bigger keys. So this is really a devastating blow.
It’s not the kinds of things we saw before where we thought, “oops, we better go to a slightly bigger key.” It was like, “oops, we need a whole new system here.” And in crypto you could have a sort of unexpected break that breaks more than one algorithm even.
[000:12:44] Camille Morhardt: So is this an existential threat to device functionality for devices that are being released now that will be out in the world operating and doing maybe even driving for us or operating smart grids or something like that we plan not to replace within the next 10 years and then we’ll have quantum?
[000:13:04] Michele Mosca: None of us really want to be over dramatic, but I don’t know how else to put it. I think you’re right then that if this is supposed to remain in the field… So let me back up. It’s sort of the fundamental equation of quantum risk management, then that is the quantum computer’s not here. So let me worry about other things for now. That’s not the right analysis. First of all, in some cases–not the cases you just mentioned–but the information being protected is long lived. These could be people’s DNA. It could be national secrets, could be trade secrets. It’s being recorded, could be recorded until you deploy new algorithms that can’t be broken by quantum computers. So this is the so-called record now, decrypt later.
Then there’s the migration time. How long does it take you to migrate, to change your platforms, to be resilient to quantum attacks? That’s Y. So for the next Y years you’re stuck with those embedded systems or these algorithms you’ve baked in. You’re supposed to provide Y years of confidentiality say or integrity. If quantum attacks happen in fewer than X+Y years, you’re not going to provide those X years of security. So applications that need to be especially worried are those where there’s a big Y and/or a big X. Yet at the very least, you need some mechanism for updating of the cryptography to be resilient to these emerging quantum attacks. And really so do I need to worry? In most cases, the answer now is yes. That doesn’t mean panic. It doesn’t mean you have to deploy something. You have to ship the crypto tomorrow, but it means you better be well on your way of those four stages to quantum readiness, which is understand what it means. And then the second one is what does it mean to you? The third phase is plan, right? And the fourth phase is deployment. That’s when you’re shipping new product, which has these quantum resistant methods baked in. I think with any moderately important system, you really have to be well on your way and entering that third phase of planning and readiness.
What worries me the most, I think, is the rushed migration. Well, you know the technology, you know the life cycle of your technology, the ones you were just talking about, some cases is decades. If you want this technology in a plane that’s going to be flying, it’s decades in advance. And it has to be designed in some cases. So what happens if you suddenly face a crisis? You’re like now I need to very quickly rush out new software of any kind, right? It doesn’t work very well. If you don’t do all the quality assurance, things start to crash. Things don’t inter-operate. You’re going to lose customers. You’re going to lose the business functionality. And furthermore, when you rush out the design of software, especially again, even just regular software, a lot of the hacking we see today, people are exploiting generic software bugs, but if you mess up the cryptography, that’s a really bad piece of software to mess up. If you rush that out the door, you don’t need some sophisticated criminal service that hacks into quantum computers, mundane attack vectors can get in. That is perhaps at least as worrisome as the risk of quantum enabled attacks.
[000:16:11] Tom Garrison: I think it’s fascinating the picture you’re painting, which is these types of problems that are good for quantum computing pose a significant risk to the established security industry that exists today. But you’ve mentioned that there are at least research around quantum resistant algorithms or quantum resistant. Is that an active area of research first of all? And second, is there such a thing as something that is quantum resistant and also resistant to more traditional attacks or is it kind of one or the other?
[000:16:48] Michele Mosca: So definitely. We know how to fix the problem, but doing it in practice is a long, complicated process that you don’t want to rush and mess up. There’s two flavors of answers. One is let’s replace the current public key crypto with new public key crypto designed to be resilient to quantum attacks, at least the known quantum attacks. That is already a 10-year-plus process that has already been underway for many years. The National Institute of Standards and Technologies is going to announce its finalists in a few months. It’ll still take another year or two to finalize the completion of the standards, but we’ll know what the algorithms are for this first generation of standards. It’s too soon to pick a winner and stop working on this because we still don’t fully understand the power of quantum computers, right? So we’re going with the best thing we know today.
And we need to continue exploring and standardizing new algorithms as we gain better insights into what algorithms are secure against quantum attacks. That’ll form the new first layer of defense. That’ll replace how we do HTTPS today. I mean, it’ll still be HTTPS. How you achieve the S part will be new algorithms. But I would say that’s probably not good enough anymore. And there’s several ways to achieve additional layers of defense. So an alternative way to do key agreement is called quantum key agreement or quantum key distribution. That’s been commercialized honestly for about 20 years with very modest adoption. But now it’s becoming showtime for deploying large-scale QKD networks as an additional layer of defense in addition to these conventional cryptographic algorithms. And they’re very complimentary.
So to answer your question, we never know if a mathematical algorithm is unbreakable. Typically, over time, eventually somebody finds a way to break it one way or another. But the nice thing about quantum key agreement is there’s no mathematical assumption underlying it anymore. It’s an alternative to key agreement where we don’t have to go to bed at night and worry about whether a smart mathematician somewhere in the world has figured out how to break this cryptographic algorithm that underpins our digital technologies.
[000:19:05] Tom Garrison: Before we let you go, we do have one last segment we like to do that we call fun facts. Michele, do you have a fun fact that you would like to share with folks?
[000:19:16] Michele Mosca: Many people have seen movies and so on about the Enigma Code that Alan Turing and others figured out how to break and the British built the machine to break it, but often people oversimplify it and they’re actually conflating two different codes. The Enigma Code was for tactical communication as you would’ve seen in the movies, but the strategic codes were using a family of codes called the Fish Codes and a young British mathematician, at the time, Bill Tutte, a team of people, they figured out how to break these codes and the government built Colossus in order to implement those algorithms to break those codes. And it’s said, this is one of the greatest intellectual feats, the second world war. And then Bill Tutte moved to Canada, actually to Toronto and then to Waterloo. And he was actually a formative figure in our mathematics faculty here.
And nobody knew he had done this until like the late 1990s. This is one of the greatest mathematicians of the 20th century and no one… He just never bothered, or not never bothered. He wasn’t supposed to tell anyone. And very serendipitously, he supervised people who supervised me and got me into cryptography, right. And people who ended up by a fluke ended up getting into cryptography and developing elliptic curve cryptography from an ingenious academic idea into a globally-deployed commercial product.
[000:20:38] Tom Garrison: That’s a great fun fact. Camille, how about you?
[000:20:42] Camille Morhardt: Well, I was just going to share a novel that I’m reading because I really like it. I’m in the middle of it. It’s called The Five Wounds by Kirstin Valdez Quade. And it’s just really, really well written and a good story. That’s my fun fact.
[000:20:59] Tom Garrison: Excellent. Well, I found actually that the use of evergreen trees to celebrate the winter season occurred even before the birth of Christ. That was interesting, but it goes on even further. The first decorated Christmas tree was, I’m sure I’m going to say this wrong, it’s like Riga, R-I-G-A in Latvia. And that was in 1510. And the first printed reference to the Christmas trees appeared in Germany in 1531. So the whole tradition around, first of all, just what we now call Christmas trees actually is well over 2000 years old, but as we would call them Christmas trees and the decoration of those actually started all the way back in the 1500s. So Michele, thank you very much for opening our eyes to this quantum world of ones and zeros and everything in between and how it will impact security and evolve things the way we think about today. It was fascinating conversation.
[000:22:12] Michele Mosca: It’s been a pleasure to talk with both of you.