How Secure is Your Data Against the Y2Q Quantum Threat?

How Secure is Your Data Against the Y2Q Quantum Threat?
Share on facebook
Share on twitter
Share on linkedin
Share on email

In early June, quantum consulting company Interference Advisors shared their new report on the quantum threat and Y2Q. Titled “Y2Q – the quantum threat to our data & communications”, the report covers recent cybersecurity trends through the prism of quantum computing and the quantum threat.

The quantum threat to cryptography as a concept is not new. It has been a major concern in expert circles ever since American mathematician Peter Shor introduced his quantum computing algorithm for efficiently finding the prime factors of an integer in 1994.

Why is Shor’s algorithm a huge deal? Well, modern public-key cryptosystems use prime numbers to generate cryptographic keys. These keys are secure against brute-force attacks because it would take millions of years for a classical computer to compute their prime factors. For quantum computers though, this problem will be far from difficult.

Here’s why.

Operations in quantum computers are represented in qubits. Unlike classical bits that can encode information as either 0 or 1, qubits can encode a combination of 0 and 1 – a phenomenon called quantum superposition. Thanks to quantum superposition, quantum computers can perform computations much faster than classical computers.

In theory, a sufficiently large and powerful quantum computer can break 2048-bit RSA in just minutes, versus millions of years for a classical computer. Luckily for us now, quantum computers don’t yet have the power to crack public-key encryption.

But make no mistake – it’s just a matter of time until malicious groups get their hands on a quantum computer that’s powerful enough to defeat public-key encryption. And here’s where the concept of Y2Q comes into play.

What is Y2Q?

Y2Q is the date when quantum computers will become large and powerful enough to defeat classical public-key encryption systems. On this date, classical public-key encryption will become powerless against real-world threats.

The term Y2Q is a reference to Y2K, also known as the Year 2000 Problem. Before 2000, many programs represented the current year only with the last two digits. The issue with this approach was that such programs would treat the year 2000 as the year 1900.

While very simple at first glance, this software bug had the potential to disrupt global IT infrastructures and entire industries. It could disrupt aircraft scheduling, affect the readings of radiation levels at nuclear power plants, and cause mistakes in interest rate calculations.

Luckily, the Y2K bug was successfully solved with preemptive software updates. IT infrastructures across the world stayed intact, and we were able to continue to enjoy the conveniences of the digital era.

The year 2038 problem, or Y2K38, is a similar issue that we have yet to tackle. This problem will affect systems that use Unix time to measure time. Unix time measures the number of seconds elapsed since 00:00:00 UTC of January 1st, 1970 and stores the number as a signed 32-bit integer.

Because 32-bit integers can only encode integers between –(231) and 231 – 1, the latest time that Unix time can properly represent is 03:14:07 UTC on January 19th, 2038. After this date, programs using Unix time will not be able to correctly track time.

Why Y2Q is Much More Dangerous Than Y2K

What unites problems like Y2K, Y2K38, and Y2Q is that they have the potential to bring down entire IT infrastructures. Y2Q is very different and relates to our cryptographic systems, but at a high level, the effect of the three problems is similar.

However, what makes Y2Q much more dangerous than Y2K and Y2K38 is that we don’t know when it will happen.

Y2K and Y2K38 are fairly straightforward issues that are well understood. We’ve successfully dealt with Y2K, and Y2K38 likely won’t cause much trouble either. We have plenty of time until 2038, and we know precisely when Y2K38 will happen and can plan around that.

Y2Q doesn’t have a set date, and hackers aren’t going to be courteous enough to give us a warning before their first quantum attack. Security experts have tried to give estimates as to when Y2Q will be here, but their estimates vary so much that we can’t use them to plan ahead. What’s more, with time, expert estimates seem to have become more and more pessimistic.

Back in 2016, Professor Michele Mosca from the Institute for Quantum Computing at the University of Waterloo wrote that quantum attacks would break public-key cryptography by 2026 with a 1 in 7 chance and by 2031 with a 50% chance. Similarly, the Cloud Security Alliance estimates that Y2Q will arrive on April 14th, 2030.

In stark contrast with these estimates, a February 2022 survey by Dimensional Research and Cambridge Quantum shows a much gloomier picture. 61% of the 614 security professionals surveyed think that quantum attacks will defeat classical encryption methods within only 2 years. Another 28% think that it will take 3-5 years for classical public-key cryptography to be cracked.

While 2-5 years might sound ridiculous, these estimates are not without reason. Quantum technology is becoming better by the day. IBM, for example, managed to grow its quantum computers from 65 qubits in November 2020 to 127 qubits in November 2021 and plans to unveil a 1,121-qubit machine in 2023. However, qubit counts are just part of the equation.

Quantum Technology Improves Exponentially Quickly

Researchers keep finding more and more efficient ways of solving problems on quantum computers. This applies to breaking public-key encryption as well.

A few years back, researchers believed that hackers would need between ten million and one billion physical qubits to break 2048-bit RSA. But in 2019, a pair of researchers from Google and the KTH Royal Institute of Technology of Sweden described a way to break 2048-bit RSA in 8 hours with just 20 million physical qubits.

In the same year, Chinese researchers reformatted the integer factorization problem into an optimization task and used the D-Wave 2000Q quantum annealer to efficiently factorize large integers. The researchers stated that they wouldn’t have been able to do the same with Shor’s algorithm and the universal quantum computers available at the time.

In March 2022, Microsoft’s Azure Quantum program demonstrated the physics needed to build scalable topological qubits. Microsoft expects that topological qubits will allow it to more easily build stable and scalable quantum machines.

The likes of Google and IBM plan to build quantum machines with a million qubits by only 2030, so we are still far from the tens of millions of qubits necessary to break public-key encryption. However, algorithmic optimizations and leaps in quantum research might significantly shrink the compute requirements of this task.

Progress in quantum research is certainly exciting because it brings us that much closer to the practical applications of quantum computing. But similarly, it also dramatically shrinks the amount of time we have until Y2Q.

What You Can Do to Prepare for Y2Q

We cannot prevent Y2Q, but we can for sure prepare for it. The two keys to future-proofing your IT infrastructure are as follows:

  1. Deploying quantum-secure encryption solutions
  2. Preventing data breaches and minimizing data leaks

Let’s take a look at these two steps more in-depth below:

Deploying Quantum-Secure Encryption Solutions

Deploying quantum-safe security solutions is the first step to quantum-proofing your IT infrastructure. Upgrading to completely new cryptographic techniques requires risk assessment, extensive planning, updating cybersecurity policies, and retraining staff.

This process can take years, so starting early is key. If you delay the transition to quantum-safe protection, you might not be able to finalize its adoption before Y2Q.

There are currently two major approaches to quantum security – post-quantum cryptography (PQC) and quantum cryptography. Post-quantum cryptography relies on complex mathematical algorithms that are thought to be resistant to quantum attacks, while quantum cryptography exploits the properties of quantum mechanics. The most famous quantum cryptography technique is quantum key distribution, or QKD.

Because PQC is based on math, it can be easily implemented in computer code and delivered to end devices through software updates. However, PQC has a noticeable performance cost due to its large key sizes, and it won’t be resistant to increasing quantum computing power.

In contrast, quantum cryptography and QKD in particular theoretically provide 100% protection against quantum threats for indefinite time frames. This is because they rely on quantum mechanics rather than mathematical complexity. The main downside of QKD is that it’s expensive to implement because it requires dedicated optical fiber connections and photon emitters to securely transmit data. At this point, QKD is still a lab experiment.

While PQC seems more promising, a combination of PQC and QKD would probably deliver the best all-around protection. As a matter of fact, Quantropi’s unique QiSpace™ SaaS quantum security platform offers digital QKD and a novel PQC algorithms that solve the issues of their “vanilla” counterparts while keeping their strengths.

Preventing Data Breaches and Minimizing Data Leaks

Data harvesting is a major concern for cybersecurity experts. While we don’t know this for sure, hacker groups might be employing the so-called “Steal now, decrypt later” tactic. This tactic boils down to the following – hackers might be holding on to data they cannot crack today in the hopes of being able to crack it at a later time.

Y2Q might be this “later time.”

Current public-key encryption algorithms are resistant to brute-force attacks. Unless the attackers have your cryptographic keys, they will not be able to decrypt your data. Until they get their hands on a powerful quantum computer, that is.

This implies that any piece of your data that has been recently leaked or stolen is a likely threat to your long-term security. Forms of data that need to stay confidential for a very long time – like personally identifiable information – are especially vulnerable. Recent trends in cyberattacks amplify the danger of data harvesting even further.

2021 became a record-breaking year for data breaches. Already by September 30, 2021, 1,291 data breaches had been recorded – 17% more than in the entirety of 2020. Hundreds of millions of user records were leaked through incidents at Cognyte, LinkedIn, and Facebook.

2022 might be yet another record-breaking year as Q1 2022 has already marked the third consecutive year when data breaches increased compared to Q1 of the previous year. The Russian invasion of Ukraine has raised the stakes further as it increased the geopolitical tension between NATO countries, Russia, and possibly China.

After Russia invaded Ukraine, attacks on NATO countries from Chinese IPs surged by 116%. Additionally, in March 2022, it was discovered that Russian internet company Yandex embedded tracking code into mobile apps through its platform that allows developers to create applications for Android and iOS devices. The data of millions of users might have ended up in the hands of the Kremlin.

All this leads to one thing – you should start strengthening your data protection measures as soon as you can to prevent or minimize data harvesting. To do this, you could upgrade your cybersecurity tech stack or use approaches like zero trust, and you could also use quantum-proof cryptography to make your data resistant to future quantum attacks today.

The Time to Act is Now

As Professor Mosca points out, fixing vulnerabilities and defeating individual hacks is nothing to write home about. Vulnerabilities in software can be easily patched, while malicious insiders can be quickly detected and removed from your company. Although the consequences of hacker attacks can be devastating, identifying and fixing vulnerabilities in software or hardware isn’t that challenging per se.

It’s an entirely different deal when we consider cryptography as a whole. Because public-key cryptography is the foundation of modern data protection, there are no fixes that we can deploy overnight if it breaks. It takes years and years to research, plan, and deploy cryptographic systems.

We managed to solve Y2K by proactively changing the way our software represented dates. Because we took action early, we were able to avoid major IT incidents.

We must act the same way for Y2Q, though this is easier said than done. While the clock is ticking, many businesses still don’t realize the seriousness of the quantum threat. It doesn’t help that NATO and the White House started preparing for Y2Q only recently and that NIST is to release standards for PQC only by 2024.

We must act now – or it will be too late.

Read the full report on Y2Q with all the data and analysis here. Learn more about Quantropi’s TrUE Quantum-Secure technologies and their QiSpace™ enterprise quantum-safe platform here. Quantropi is also currently offering a 60-day free trial for QiSpace™.

Share on facebook
Share on twitter
Share on linkedin
Share on email

Marco Pagani

Marco Pagani began his long and successful career as a senior executive in Ottawa’s high-tech sector in 1985, with Nortel Networks (then Bell-Northern Research). He rose across two decades to become president of several Nortel Business Units, managing more than 2,000 employees and over $1 billion in revenue. Having gone on to advise numerous organizations, as well as guide a range of companies through complex, critically necessary turnarounds, he is particularly respected for placing a strong emphasis on ethics and corporate governance in building the culture of the corporate and not-for-profit organizations he leads and supports.

Talk To Us

Patricio Mariaca

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Vestibulum quis mauris justo. Vestibulum vel nulla vel tortor dignissim auctor. Donec porta semper lacus, id mollis metus pretium at. Class aptent taciti sociosqu ad litora torquent per conubia nostra, per inceptos himenaeos. Nam malesuada ullamcorper metus, eget facilisis tortor posuere sed.

Eric Chan

Eric Chan a.k.a. EEPMON is a Crypto / Digital Artist with 15 years in the industry – and Quantropi’s Creative Emissary. His hybrid fractal/digital creations have been seen in fashion, comics to museums and has exhibited worldwide. EEPMON’s collaborations include Canada Goose, MARVEL, Snoopy, Microsoft Xbox, Canada Science & Technology Museum and was a TEDx performing artist. In 2018 he represented Canada on its first Creative Industries Trade Mission led by Canada’s Minister of Heritage and serves on the Canadian Museums Association‘s Board of Directors. At the same time, he is currently completing his Master of Information Technology – Digital Media at Carleton University. 

Christopher McKenzie

With his extensive experience in software development and strong analytical skills, Chris can handle the entire end-to-end software development life cycle. Prior to Quantropi, he served as Director of Product Development at Sphyrna Security, Inc., where he managed the delivery of security compliance automation and data diode appliance products, and as Commercial Software Development Manager at Cord3, Inc., where he managed the development of an advanced data access policy management product. Chris graduated from Computer Science at Algonquin College and the Ottawa School of Arts in 1998. Read less

Dafu Lou

Dafu is Quantropi’s Director of engineering. Prior to Quantropi, he served as a technical leader at Irdeto, a world-leading provider of digital platform security software, where he was responsible for white-box cryptography, cloaked CA secure core, and iOS/android application protection services, among others. Prior to Irdeto, Dafu served as a senior software engineer at SecureNex Systems, where he led the implementation of an SSL-VPN solution and ECC-based secure data storage & PKI. He earned his Ph.D. in electrical engineering from the University of Ottawa in 2009. Dafu is also a part-time professor, teaching VLSI, Cryptography and other subjects at uOttawa.

Pauline Arnold

As James Nguyen’s EA, Pauline Arnold brings more than 40 years of experience in complementary customer service and administrative roles. Prior to Quantropi, she served 20 years as Branch Manager and an assistant in investments, and over 20 years at Metropolitan Life Canada in various aspects of the insurance sector – assisting clients, management and colleagues to complete tasks, solve problems, address questions and achieve goals. She also worked part-time for Royal Lepage Performance for 5+ years as a receptionist & admin, and for 5 years was chair of the TKFG’s charity golf tournament.

Bond Vo

Bond Vo is the Business Analyst of Quantropi. Along with Quantropi, Bond has been dynamic in accordance with a fast and evolving startup environment and is responsible in a wide range of areas including market research, funding, and more involved in the controller roles to oversee day to day accounting operation as well as build financing models and budget to achieve company’s ultimate goals/objectives. Bond has applied best practices consistently and successfully supports equity, debt, and non-dilutive funding for Quantropi since joint the team. He earned a Bachelor of Commerce concentrated in Finance from Carleton University. Outside of his professional career, Bond also participated in volunteer for the Vietnamese Immigration Student Association (VISA) to help and support students as well as newcomers in Canada.

Tina Wang

Tina develops websites and participates in a range of different projects, using new frameworks for front-end UI, along with Vuejs, Angula, Beego, Ruby on Rails, and Electron. She developed Quantropi’s desktop CipherSpace application by integrating Electron, Webassembly and Go, to ensure a good user experience, as well as perfect operating system compatibility. She is also part of the dynamic and efficient QKD-NODE project team. Tina is always looking for new ways to increase her knowledge, improve her technological proficiency and enhance her strong execution and implementation skills. Prior to Quantropi, Tina served as a full-stack web developer at Sunny Future, where she maintained a WordPress home site and managed the release of new content for the company.

Nick Kuang

As VP Corporate Services, Nick plans, directs and coordinates a wide range of activities aimed at achieving Quantropi’s vision of the Quantum Internet. He has a keen interest in transformative technologies and the possibilities they offer for bettering our everyday lives. A pharmacist by training, Nick nurtures teams with a focus on integrity and collaborative effort, coupled with strong attention to detail. With prior experience in a successful biotech start-up developing point-of-care test kits, he enjoys the fast pace and challenge of the start-up environment.

Alex He

Alex is a product-oriented project manager who bridges the gaps between the company’s engineering and commercial teams. He has over ten years of experience in the analysis, design and development of enterprise-class applications, with a particular focus on creating optimal user experiences (UX). Ever passionate about cybersecurity solutions that can deliver solid security without unreasonably sacrificing customer convenience, Alex is the lead inventor of a registered patent on user interface security. He is committed to helping ensure that the Agile software engineering team at Quantropi delivers consistently high-quality, high crypto-agility cybersecurity solutions for next-generation communications.

Michael Redding

Before joining Quantropi, Mike was Managing Director and co-founder of Accenture Ventures, where he grew a global portfolio of strategic partnerships and 38 equity investments in emerging technology startups.

During his nearly 30 years with Accenture, he incubated and launched technology innovations for enterprises across multiple geographies and industries. Ever-passionate about bold ideas with game-changing results, he speaks frequently on the impact of emerging technology on large organizations.

With a bachelor’s degree in Electrical Engineering and Computer Science from Princeton, and a Master’s in Biomedical Engineering from Northwestern, Mike is a former member of the Board of Directors for the Accenture Foundation and Board Observer for startups Maana and Splice Machine.

Raj Narula, P.Eng.

A seasoned technology executive, business builder and angel investor, Raj has held operational and advisory roles in Recognia (Trading Central), Belair Networks (Ericsson), March Networks (Infinova), Sandvine (Procera), Neurolanguage (ADEC), Bridgewater Systems (Amdocs), Vayyoo (Cafex), TenXc (CCI), 1Mobility (Qualys) and others. Having divided his time among North America, EMEA and Asia-Pac for over 20 years, Raj speaks several languages. He grew up in Asia, Europe, South America and Canada, and holds a B.Eng degree in Mechanical Engineering from the University of Ottawa. He is also a co-founder and Charter Member of the Ottawa chapter of TiE (the Indus Entrepreneur).

Ken Dobell

Ken leads marketing strategy at Quantropi. In high demand as a consultant with 25 years’ experience in performance media and an award- winning creative background, he has completed successful transformations, (re)branding and product development mandates with KPMG, Keurig, Fidelity, Eddyfi, Coveo, and more, and provides digital advice to the CMA. Previously, Ken pivoted an offline advertising brokerage to a leading-edge, data-driven performance agency as President of DAC Digital, held a progression of international leadership roles with Monster.com, pioneered a range of multi-channel initiatives as VP Marketing with a global franchisor, and introduced a mobile-first programmatic media offering to Canada within WPP.

Dr. Randy Kuang

Randy holds a doctorate in quantum physics. His research findings have been published in top international journals and named “Kuang’s semi-classical formalism” by NASA in 2012. With a career spanning IT, including with Nortel as senior network researcher & developer, he co-founded inBay Technologies in 2009, serving as CTO of the cybersecurity platform. As the first recipient of a patent for two-level authentication (2011), Randy is a prolific inventor, with 30+ U.S. patents in broad technology fields, such as WiMAX, optical networks, multi-factor identity authentication, transaction authorization, as well as concepts, technologies and industrial applications for quantum key distribution.

James Nguyen

Prior to leading Quantropi, James was Chief Investment Officer & VP Asia Operations for a group of private and public real estate, mining, energy storage, graphene technologies and manufacturing interests, where, in his responsibilities for strategy, banking and global expansions, he secured large-scale investments and partnerships for commercializing graphene applications across multiple industries. A graduate of Carleton in Economics, he previously achieved success managing a mid-market portfolio (professional services, public sector, Asian markets) at RBC for over a decade. James has been on the HKCBA board, held advisory positions with technology start-ups and gives back as volunteer, fundraiser and mentor.