Source: Science Photo Library via Alamy Stock Photo
The longstanding and prevailing concern about quantum computing among cybersecurity experts is that these systems will ultimately achieve enough processing power to break classic RSA encryption. While that prospect famously came to light three decades ago with Shor's algorithm, it still overshadows the overlooked risk that today's quantum computers are not just potential platforms for attack but are also vulnerable as targets.
A pair of researchers believe that the focus on the need for strong post-quantum cryptography (PQC), while a critical issue, shouldn’t eclipse the risk that quantum computing systems themselves face from cyberattacks. At next month's Black Hat USA 2024 conference in Las Vegas, Adrian Colesa, a senior security researcher at Bitdefender, and software engineer Sorin Bolos, co-founder of Transilvania Quantum, will discuss the risks and the real-world implications of quantum vulnerability.
Assessing Risk to Post-Quantum Computing Platforms
Bolos and Colesa will present the findings of a white paper in their session, entitled “From Weapon to Target: Quantum Computers Paradox,” on Thursday, Aug. 8.
"Most of the time, when people think about quantum computers and security together, they think about Shor's algorithm and the fact that if you have a good enough quantum computer, you can use Shor's algorithm to factor numbers and break cryptography," Bolos says. "But we turned that on its head and said: 'How about quantum computers themselves? How secure are they? You would you attack them?'"
As a startup company based in Romania that created the open source quantum computing platform Uranium for prototyping quantum algorithms, Bolos decided that he wanted Transilvania Quantum to research the security risks of quantum computing infrastructure. "Because we only had expertise in quantum and not in cybersecurity, we turned to Bitdefender," he says.
Last October, the two researchers began utilizing their complementary cybersecurity and quantum computing expertise, respectively. Transilvania focused on attacking quantum computers, notably those provided by IBM and IonQ, and quantum software development kits such as Qiskit.
As a provider of endpoint protection, and cloud and managed cybersecurity tools, Bitdefender had some expertise in quantum concerning PQC, Transilvania's focus.
"The Bitdefender team investigated classical attack vectors, for instance, attacking the system of an end user or that the quantum development software could be corrupted by an attacker, and then looked at how cloud services, which provide access to quantum computers, could be attacked," Colesa explains.
Finding Weaknesses in Qubits & More
Bolos says they investigated the imperfections of quantum bits, or qubits, the quantum computing equivalent of bits in classic computing environments. Their research examined the potential for unwanted interactions, susceptibility to prompt injections, and other attack surfaces prevalent in traditional computing environments.
"We adapted the attacks for the quantum world and did our experiments," Bolos says.
According to Bolos, organizations using quantum computing capability currently access it through quantum service providers, which he says are integrated platforms hosted in cloud services such as Microsoft Azure or Amazon Web Services, or by companies that host their own quantum clouds.
In recent years, organizations with deep pockets have begun conducting research on how quantum computing can help them process complex computational workloads beyond the capabilities of even the most powerful classic systems.
Among them are those in drug discovery and medical research, such as Amgen, Cleveland Clinic, Merck, and Johnson & Johnson. Also, most of the world's largest financial services providers, including Bank of America, JP Morgan Chase, and Wells Fargo, have established research initiatives aimed at creating financial models not achievable with classic computing technologies. All of these could present rich targets for cybercriminals.
Yet the two researchers indicate that because organizations like these are looking to beat their competitors with new breakthroughs, such as drug discoveries or financial models, security often becomes an afterthought.
Colesa says they split the research into four ways an attacker could target a quantum computer:
Attacks on quantum computers launched from classic systems;
Attacks that manipulate the qubits quantum processing unit (QPU);
Using quantum components to attack a QPU;
And attacks on RSA-encrypted data.
Many of the vulnerabilities they found in quantum computing systems share the same characteristics of classic computing environments, meaning they require similar practices.
"For instance, checking if the software development kit (SDK) is coming from a trusted source, or checking if a transpiled [the quantum equivalent of compiled] circuit is exactly what should be sent to the quantum computer," Colesa says.
As quantum computers continue to grow in capacity beyond 1,000 qubits, Bolos warns that providers need to focus on error correction (i.e., the process of determining the root causes of risk to an organization).
"Errors can come either injected by someone or naturally from the environment," he says. "Error correction is one of the key aspects of protecting against malicious users."