As quantum-powered cyber-attack threats become more real by the day, liberal democracies and autocratic regimes are racing to develop quantum-safe encryption. But Europe risks being a spectator.
With the recent Christopher Nolan film about the father of the atomic bomb, J. Robert Oppenheimer, the race to build an atomic bomb in the 1940s looks frighteningly similar to the race for quantum-safe algorithms.
While robust encryption is the backbone of securing the digital world at large and underpinning the world’s global trade, quantum computing can render obsolete the encryption commonly relied upon to secure and protect data.
On the one side, China, the UAE, and Russia are among the nations keen to create their own ecosystem of quantum-safe cryptographic standards and algorithms.
Conversely, the US National Institute of Standards and Technology (NIST) introduced standards to identify post-quantum cryptography algorithms, and the National Security Agency (NSA) released the Commercial National Security Algorithm Suite 2.0 (CNSA 2.0), which sets requirements for quantum-resistant algorithms.
“The standardisation process is well on its way, and it is fair to say that most researchers are satisfied with most of the decisions taken by NIST,” Dr Bart Preneel, cryptographer and cryptanalyst teaching at the Katholieke Universiteit Leuven, told EURACTIV.
Re-living the race for the atomic bomb
The transition to a post-quantum world is of a magnitude that will likely affect every internet user. The risks of breaking common encryption range from endangering financial transactions to disclosing medical records and revealing national security secrets.
“Crypto is not cryptocurrency. People are not really aware when they use crypto,” Dr. Axel Y. Poschmann, an expert on quantum technologies and head of product innovation & security at PQShield, told EURACTIV.
Cryptography is a component of virtually every aspect of the digital sphere.
This is why nations are now racing to develop quantum-powered algorithms for breaking encryption and for post-quantum cryptography. Much like the Manhattan Project in 1942, the benefits of getting a head start in quantum computing are both strategic and economic.
The development of the atomic bomb led to a disastrous outcome – the bombing of Nagasaki and Hiroshima and a standstill of world powers due to fear of mutual destruction.
Quantum-powered cyber-attacks and decryption algorithms are bound to lead to a similar impasse as they might lead to unacceptable risks to each opponent’s society while fueling a constant arms race.
Particularly important is the protection of critical national infrastructure, which ranges from defence systems, nuclear power, telecommunication, infrastructure, energy and transport, to healthcare and financial transactions.
With the progress of quantum technologies, this type of data is at risk of interception and future decryption.
Geopolitical context
While cryptography was a feature of geopolitics in the past and only available for military units, “now it seems that it becomes a feature of geopolitics again,” said Poschmann.
The importance of quantum computing in the geopolitical context is highlighted by the recent US sanctions aimed precisely at crippling China’s access to semiconductors fundamental for developing quantum computers, and more export restrictions might follow.
These international tensions reverberate on technical standards, which have become increasingly politicised, with the United States and China using them to push their agenda. But just as with the atomic race, Europe risks being sidelined.
“As has happened before with other cryptographic standard developments, the contributions by EU researchers have been the largest, in part funded by the European Commission,” Preneel said, adding, however, that decisions are made by the US NIST.
EURACTIV understands that quantum cryptography is likely to rank high on the agenda of the next European Commission. The EU is already sponsoring the European High-Performance Computing Joint Undertaking (EuroHPC JU).
Europe’s disunity
While the EU contributes to research in this strategic field, it has not taken the initiative to shape its technical standards, despite the European standardisation strategy vowing a more muscular approach to standard-setting.
In its last report, ENISA, the EU’s Agency for Cybersecurity, recognised NIST as playing a leading role, while calling on “governments, industry, and data-protection officers as well as other standardisation bodies – [to] acquire sufficient understanding of post-quantum cryptography to make informed decisions”.
According to Preneel, some European countries are reluctant to yield power to Brussels and prefer the decision to be made by Washington, meaning that the EU has been largely absent in this debate.
At the same time, France and Germany are cautious when it comes to the adoption of either NIST or CNSA 2.0. NIST is considered to be the least robust because it focuses on efficiency, while CNSA 2.0 was developed by the NSA, which has an “abusing track record on backdoors,” added Poschmann.
“They [Germany and France] have decided to also push for slower algorithms with larger keys,” Preneel noted. Larger keys make for safer encryption but are also less efficient. The key length Berlin and Paris are pursuing might be suitable for protecting strategic infrastructure, but it is unlikely to be used for commercial applications.
Missing the quantum cryptography train would mean that Europe will remain dependent on the United States for its security, despite all the EU talks about strategic autonomy and technological sovereignty.
Source: Euractiv