03 - From Threat To Readiness Creating A Quantum Safe World

So you know like uh all the security conference that we go through like there's a lot of discussion on AI but like my topic is little different it's quantum. So what's quantum? So Einstein uh told that quantum is a spooky action from a distance. That's the quantum physics. So let's uh I know Halloween is coming so let's talk about some spooky story how quantum can help us or how we will uh get uh quantum safe work. So let's start with like um oh by the way I'm uh I've been working on the security field uh currently I'm working with IBM uh for a security as a security architect uh my primary focus on AI and

quantum security. So when we are talking about any kind of uh security so we need to talk that aspect like okay how that particular uh technology works so there are a lot of um uh research has been done on quantum uh computer and it's coming uh all the big uh vendor like Microsoft Google IBM Nvidia everyone is investing on quantum why because okay from CPU to GPU there is a transition and now from GPU you what next? So we need some more uh powerful computing compared to what the traditional computer can do. So um and uh this system level like what's com uh like quantum computing? Um anybody in this au uh like audience have some

experience with quantum computing or a little bit okay or understand? Okay, that's fine. So there are like three major uh I would say properties of or principle of quantum computing that makes it totally different from the traditional computer. So that superposition ent uh um entanglement and uh we call it interference. So that makes it totally different because um that like the quantum computer don't follow the uh straight uh forward uh way that a traditional u computing works. it actually takes in consideration of multiple different uh I would say uh result set and then zero into the correct one uh instead of one or zero and um how it has been like uh we we have seen

that um in for like probably like the quantum research has been done for almost 10 15 years uh but now the industry is adopting quantum uh for example uh there are some uh quantum um computing is being used on the real life. So for example like the Vanguard they actually partnered with IBM and HSBC also partner uh and they actually created their quantum quantum enable algorithm algorithm for trading. So you can see that like the quantum computing is been used for very like complex mathematical problem solving. So uh and other like more complex thing and that helps compared to the traditional uh computer because it can solve complex problem very quickly because of those three property as I mentioned earlier.

So but the challenge is every time like now we all talk about AI security. AI is like great like we saw like AI is being used on different organization for productivity and other stuff but every time in the technology world we introduce a new technology it comes with a different attack surface or a challenge or a risk. Cloud all we got it. Okay. Now cloud has been handled. Now AI come and then oh there's so many talk um like prompt injection evation other stuff. Now what quantum what like if the quant in the near future when the quantum come what is that risk that we will be um like seeing with when quantum computer will be available for example I cannot

go to Best Buy and buy a quantum computer at this moment. um there's it's not available at this moment uh but when it is uh available what are the different challenge so if you the main challenge that uh I would say for right now is harvest now decrypt what does it mean it means all the secret that you have at this moment will no longer be secret when quantum computer will be available Okay, you can tell like how come? So, um there are like how do we protect our secret? The basic answer is we use encrypt our disk encrypt like and we use our PKI infrastructure and this is how we transfer different like uh data from um

out like from uh from on-prem to cloud from B2B and all those different uh like communication everything is encrypted that this is how we actually use like secure our communication and cryptography is the building block of all our digital or you talk about your email, you talk about your HTTPS, SSL, everything. So when I'm talking about that, hey uh the uh your secret will no longer be a secret uh well if um it is not timesensitive. Uh for example, I did purchase something uh from Walmart with a credit card. uh that uh credit card information went from the POS terminal to the payment server and probably my like after four five years uh like my credit card would be invalid

because it will be expired. Every credit card has an expiry. So like if that is not timesensitive then probably you don't need to worry about your secret. However, your health record, your um SS uh SIN number and all those different things are real like stays for longer period of time like your passport information those are stays for longer period of time and that secret need to be secure even when the quantum computing will be available. So um when I told you like okay the future is coming to steal your data uh what does that mean? uh it's not a like sci-fi movie thing. We are talking about uh when the someone has a cryptorelevant quantum computing um resource to use

then what will be the effect. So let's um check about like what why I talked about okay um harvest now decipl. So typically what we do uh in uh in any enterprise or anywhere we have some uh intellectual property we have some PII data and other uh trade secret we keep it in a um secure vault or some some places and then what we do we use some cryptographic algorithm AES RSA or any other thing then using some key and put it in a cipher text that's works and this is this has been working for decades. Um, if we need that data, what we do, we decrypt it using the same key or depending on your PKI infrastructure and

then we get the data back. It's all working fine. But when the quantum computing will be available at that time what will happen uh it can actually um solve the complex mathematical problem that is underlying on those cryptographic algorithm for example AES RSA defy helman or bouncy castle any kind of cryptographic algorithm you're talking about those are really very complex math problem that is embedded so that it you cannot decrypt those um information from an encrypted uh information. So but as I mentioned earlier with using those quantum property we can actually uh u the ent uh we can do those uh complex problem into a shorter period of time. So if we have a quantum computing

right now and then what we can do we can actually take the encrypted information and we can decrypt it using some other algorithm like grover or shore algorithm and that will actually disrupt the whole digital world. What will be the effect? Our payment gateway will be forged. Our digital secret will no longer be a secret. And that is what we need to prepare for. So but the good part is quantum computer is not available or handy and to the best of our knowledge based on all the different research that has been done from academia and also from different um enterprise um the cryptorelevant quantum computer probably coming um maybe in next four to five years or 3 years. So

that's a good part right. So right now you do not need to worry about you can um like be calm and you can think of after you can wake up after 3 four five years and then say okay that um when the quantum cryptorelevant quantum computer will be available we can uh think of that the challenge that I'm talking about however what is harvest harvest now and decrypt later the bad guy they can what can do that basically for the like um they're looking for some uh trade secret or intellectual property. They can sniff on the network all those different public network and they're trying to get those data. They can store it for some time as a encrypted form and

once the cryptorelevant quantum computer is available they can use it and decrypt it and get those secret out of your organization without like knowing you that okay they has been actually taking all the secret. So what or when should we prepare for that particular thing to happen? So we call it Qday. So what is Qday? Unlike Y2K who actually um heard about like um that 2000 that okay Y2K happened and then all the computer will be uh will not work anymore. But uh these are the different things that can happen in the QDM. So as I mentioned um they can decrypt the um like payment industry like they can actually uh do the um like the power

grid they as the power grid actually works with different kind of uh like communicate with those different PLC communicate with different kind of um encryption algorithm they can actually disrupt those communication too. So everything will be disrupted. So right now for a preparation for those particular Q day what we can do we can um we need to mainly there like we need to prepare for okay where and how am I using those cryptography in my organization. um that is uh important because that will actually help you to prepare for the future especially if you are a developer uh if you are using so for example if you are a Java developer you are using some GSCA library and other

stuff so you need to think of like okay what kind of cryptographic algorithm that I'm using on my code because that probably uh like when the application is being deployed in the enterprise uh like someone wrote those application 5 years back. I don't know where it is been uh used the cryptographic algorithm on the code itself. So those are the different things that you need to think of and then also um the h how can we prepare for those particular uh like the encrypted uh information that we have at this moment in our enterprise. How can we actually secured it for the future proof um encryption? So the that was another part of it. But

when the Q day will happen. So uh the ch so that uh we can uh think of that okay um but what I was talking about those like okay changing of application code you uh changing your PKI infrastructure cuz like if you think of where are those cryptographic is been used it is being used everywhere so it is not a once single month of project. It's a multi-year project. So, you need to think of your um particular infrastructure depending on what where are you working, what kind of um business are you in, what are the different uh data that is your secret. You need to think of that aspect and you need to prepare for that. So as I

mentioned earlier okay it will be disrupted like but why it will be disrupted. So basically there are two kind of cryptographic algorithm that we use nowadays. One is um semantic and one is asymmetric. The symmetric uh cryptographic uh algorithm we use the same key we encrypt those uh like any uh piece of information and for decryption we use the same key. Uh so uh like typically like AES or um uh other um is is most popular that we have been using uh 256 bit is mostly we are calling it's more secure some some organ like uh in some application we use 128 bit uh but u 256 is uh more secure nowadays um and the other one is the asymmetric

where we use the public key where we use the public key to encrypt and only the people who has the private key they can actually decrypt those thing. So um and usually like RSA is the most um uh uh used uh encryption algorithm and we use usually 100 uh sorry,024bit to uh 148 bit of um um key to uh do that and decry uh like encryption. in the case of quantum computing that what we are talking about that okay how it will affect our cryptographic um uh algorithm. So basically in the case of asymmetric uh we use a prime number of uh factorization. So for example if I say what are the two prime factor for number 35 it's very

easy 7 and five but if I say what is the prime factorization of this one you probably will like spend entire life to do the factorization of this large number in fact this is this new number so Peter Shaw and Grover they created certain algorithm um way before like um 1980s actually um they created those algorithm to that can actually do the factorization of those um uh prime number and if you run a shore algorithm in a traditional computer right now um in theory it will take almost a million year to decrypt those big, 20 uh,024 beta of um prime number to do the factorization um problem. However, with the quantum computer, it is pre assume that it will take only few

hours. So, what we can do to prepare for the future? Um so many researcher and uh uh some industry has been working on it and finally uh after like two and a half year of evaluation national institute of standard technology which is called by Nest they published four cryptographic algorithm that is quantum relevant with what we called postquantum cryptography and um IBM contributed three of them and One of them has been contributed by academic um researcher which um was um also hired by IBM. But uh these are the different algorithm that you need to use in order to secure your uh environment for postquantum cryptography and this is open source and but in order to be a happy ending you need

to implement those algorithm into your environment. Now this is the challenge. Can you see where are those tool set is been used? It's too many places. It's not only one single place. So that is a big challenge to migrate from those encryption algorithm and become more quantum safe. So what you need to do you need to be more crypto agile I would say. So there is a term called crypto agility in the cryptography world. So basically it means that uh you um the ability to rapidly adopt cryptographic um algorithm without disrupting your business in a short term. And how does it um so but in order to do it you need three things to work

together. You need your people, process and technology work together in order to be agile on the cryptographic part. Why? As I mentioned in my previous slide, there's too many places that cryptography has been used. Your uh h SSL and other part too. And main challenge is the lack of visibility because as I mentioned especially from the application development perspective when we uh all the application developer that they're using you don't know where they has been used because the like typically like the SAS solution that we have like uh fuser and other stuff they can only do um um the uh vulnerability check like top 10 kind of thing but they do not do the cryptographic relevant test and tell you

okay these are the different places you actually use your cryptography in your application code. So what we need to do this is the approach that we actually adopted inside IBM. So you discover all your cryptographic inventory and assess and check how do you comply with those different aspect of those cryptographic uh inventory and then you need to protect where where like and change it. So the way that it works is like okay fine we first discover uh on from a network side from an application perspective from uh my u certificate perspective from my private key infrastructure perspective that's basically the typically you can start with and then for the assessment you need to check okay what are the

different cryptographic algorithm like still we can see that some some of the organization like or some places TLS 1.1 is been used instead of to like the uh recent TLS and then you need to rotate those certificate and everything with the qu like quantum relevant um uh algorithm or PQC what we call but the challenge is sometimes there are some legacy application that we cannot change what we can do in that case we can use a crypto proxy what it means like okay the user is accessing um your the browser maybe chrome or some other browser they will be uh changing their uh like the with the cryptograph they will align with the cryptographic algorithm.

However, the application falls under your part. So instead of having a crypto uh like a sending everything into the regular cryptographic um or SSL in a regular way what you can do actually you can put a proxy in between the user and the application. So what will it do? It will use the postquantum cryptographic algorithm between the user and the proxy and the the right side from proxy to the application it can use the uh traditional the or legacy uh encryption but that is secured nobody can actually help uh like log to that part. So that's another approach in in like you can follow whenever you don't have enough time to u migrate everything to the

postquantum cryptographic algorithm because it's complex and uh the Canadian center for cyber security they provided some guideline there are actually two things that they mentioned about like how you can be crypto agile uh and also there's some guideline around like by uh from April 2026 you need to start your crypto crypto inventory because crypto inventory is itself is a year long project. So that this information I just wanted to share with you and um one thing from a technology perspective there are some technology available that you can actually do some seabbomb which is cryptographic bill of material. uh there uh IBM has a product called like IBM quantum safe explorer where you can actually um do the um scanning of

application and provide okay which line of code is used on those different uh like cryptographic algorithm also they have a cryptography manager they can actually it's not like replacing your end trust or ver sign those um like CS certificate or anything that actually they can actually assess connect with different um stuff so you need to you that can help you to be um faster your uh migration process and the proxy that can help to um remediate the crypto uh cryptographic um uh proxy that I mentioned like the place where you cannot use um like or change your application code because of the nature of the business that you have. you can use a crypto proxy that

can help you not to um um byp like um and be qu like crypto agile. So that's what I just wanted to share with you folks that you need to be prepared um for the future uh which is coming in next few years but you need to prepare now uh unless it is too late or there is another solution if you have a time machine you can after two years you can take the time machine go back and encrypt everything with the PQC algorithm that has been published by NIS Thank you.

>> Thank you. We have time for one question way in the back. >> Hi, I've been around long enough.

What makes this change of different scarier than all. >> So the question was what makes this different than all the other ones and why is it more scarier? >> So as you can see like it's not so easy to change the whole cryptographic from your infrastructure perspective. So and the research has been done a significant uh improvement on the quantum cubits. So it like when it will be handy it will be very easy for the people to do any kind of um like um data uh like exposure and as there's some other stuff is happening from the AI revolution that data is very available at this moment from all those different part of like uh the application and

other stuff. So that is also another aspect of it because your data is available to store right now. You can extract you can ask some prompt and get some data store it somewhere and this is how you can actually get all those data in the um uh somewhere and then once it is available you can just decrypt it from there.

>> I can go back the same that's what I'm saying I don't see how this is materially different than

>> yeah so Grover algorithm actually knocked out half of the AES so that's why the symmetric key is not that much of affected mostly it is affected the asymmetric part of it so uh like if you say for example if you're using 128 bit you if you um use like change it to 256 bit. Even if you run Grover using some Crypto11 quantum computing, you they can knock it out half not the full. So you actually get like the uh same amount of um um security. Um but mostly you need to think of the asymmetric part of it. >> All right. No, thank you very much. Thank you, Ector. We're gonna >> uh I'm able if you have any question we

can just uh >> yeah if there's any questions will be in the hall you can just approach and talk to