A new type of computer is on the horizon: a quantum computer. This computer is supposed to be so powerful that it can break all current forms of encryption and end all forms of privacy and security as we know them. The question is: is this hype, FUD, or a real risk we should all be worried about? If you know anything about us, you know that we don’t believe in telling you what to think; we believe in giving you the data you need to make your own informed decision. If you are wondering what FUD is, it stands for fear, uncertainty, and doubt, and it is about causing those three things in folks for the sole purpose of spreading them. We’ve published a few articles on this topic before; take a look at the „What is FUD“ and „Debunking FUD“ articles for more on this topic.
For the last five years or so, there have been articles predicting that quantum computers will be available in the next five years, but those predictions don’t seem to be holding up too well. There is, though, no doubt that serious progress is being made in this space, so quantum computers are absolutely real and will be available sooner or later. We need to dissect what „available“ means, and we will do that in a bit.
First, let us dig into what a quantum computer is and what it does. Quantum computing is not a faster general-purpose computer. It’s a specialized co-processor that’s only dramatically better than classical computers for a narrow set of specific problem types, like molecular simulation, certain optimization problems, and breaking encryption. For the vast majority of workloads a typical company runs (databases, web apps, analytics, ERP, CRM, etc.), quantum computers offer zero advantage and plenty of disadvantages. Classical computers will still handle 99% of everyday tasks; quantum is designed to complement them for niche tasks, not replace them. The „solving problems thousands of times faster“ headlines apply only to very specific use cases.
The breaking encryption part is real and very concerning, but the question is to whom. For starters, if you have secrets that need to remain secret for the next 20 years and beyond, you need to start preparing today. For 99.99999% of folks and companies, this does not apply. The vast majority of data being encrypted today will be obsolete and irrelevant in 5 years, long before quantum computers are even close to being viable. In scientific papers, this is called the „harvest now, decrypt later“ issue. And as we’ve outlined, this isn’t something most folk should worry about. For those who need to be worried about it, they are likely not reading this blog and have already studied the NIST PQC papers with the solution.
The scenario that actually matters for most organizations is the live attack, the point at which a quantum computer can break encryption in real time or near-real time. That’s when:
- Someone intercepts your HTTPS traffic and reads it on the fly
- Your VPN is no longer private
- Ransomware actors can break into systems that relied on asymmetric encryption for access control
This is the scenario that needs a little more digging. Let’s first look at the environmental requirements for a quantum computer. Today’s quantum computers need to operate at temperatures between 0 and 2 degrees Kelvin, which is colder than -271 degrees Celsius or -456 degrees Fahrenheit. This simple requirement is not easily achieved, and only very specialized labs have reached that level of cold. I read somewhere that this is colder than outer space by a factor of roughly 180. This kind of cold is expensive, rare, and cannot be mass-produced today. You can’t simply stroll out to your local cooling vendor and order a unit to get your basement down to this level of cold. The heat generated by the computer and all the cabling required compound this problem. To change this problem would require a scientific breakthrough that violates all current laws of physics, including any theoretical ones. So chances are good that’s not happening in our lifetime. That being said, breakthroughs happen when you least expect them, so we never know. The other requirement is absolute silence and vibration less than 400 micrometers per second; that is about the size of a grain of sand. If the air around the computer moves by more than a grain of sand or the platform it is on moves that much, you have a huge problem.
I haven’t fully grasped how quantum computers actually work, but it’s an entirely new way of computing; this isn’t just a new type of CPU. You seem to need a PhD in quantum physics to really get how this works. There is something called a quantum state that the computer needs to achieve to even function, and the two environmental factors mentioned above must be present before this can be attempted. Even just a hum undetectable to the human ear, or vibration at over 400 micrometers per second, will literally crash the quantum computer. As I said, I’m struggling to wrap my head around this, but I can understand that it is a monumental problem that will require a dedicated, purpose-built data center. This significantly reduces the chances that this type of computer will be readily available. Time will tell how much progress will be made on this front in the coming years.
There is chatter that those with enough funds can rent time on a quantum computer, much like how the mainframes used to work back in the day. The most likely scenario is that such a time slice will cost no less than one million US dollars per hour, if not by minute. This is the scenario that is being talked about when folks say quantum computers will be available in 5-10 years’ time.
So if you’ve got a secret that someone might be willing to shell out a few dozen million US dollars to get their hands on, you might want to start preparing. Otherwise, I wouldn’t worry about it.
Conclusion: This is the purest form of FUD there is. Even saying it is theoretically a problem is a bit of a stretch. The only thing worth worrying about is if you’ve got data that must remain confidential for decades to come, then you are vulnerable to the „harvest now, decrypt later“ issue, and you should already be working on your remediation plan. For anyone else, there is nothing to worry about.
That bullet list above, those don’t actually need quantum computers to be a threat. Let’s look at that:
- Someone intercepts your HTTPS traffic and reads it on the fly by installing malware on your computer. The threat actor got you to open up an email attachment, which installed the malware, likely while you thought you were playing a game.
- Your VPN is no longer private. Same scenario as above.
- Ransomware actors can break into systems that rely on asymmetric encryption for access control by phishing for the encryption key.
By the time quantum computing is readily available, the live-capture scenario won’t be possible, since all crypto protocols will have been updated by then. Furthermore, due to the extreme conditions and the cost of a quantum computer, live capture won’t be feasible because it won’t be possible to put them in line with the communication flow.
