Financial services companies are preparing for a time when a powerful quantum computer could break some of the most widespread cryptographic methods currently used in cybersecurity.
Experts say quantum-computing cyberattacks could be more than a decade away, based on the technology’s rate of progress, but the consequences could be so severe that companies and cryptographers world-wide are preparing now.
Chase & Co., for example, are researching methods capable of thwarting such an attack, developing new processes and closely following the race for new encryption standards.
“The data we have is sensitive, and it is vast in quantity, so protecting that data is job number one for us,” said Rajat Taneja, president of technology at Visa.
Nearly six years ago, researchers at Visa began studying so-called post-quantum cryptography, which refers to the new cryptographic methods that could be used to withstand an attack from a quantum computer.
Researchers at Visa have published four peer-reviewed papers about cryptographic systems that could be used against a quantum-computing attack, and a fifth is in the works, Mr. Taneja said. Dozens of security experts and software engineers across the firm have contributed to the research.
computers are still in the early stages of development. The machines harness the properties of quantum physics, including superposition and entanglement, to radically speed up complex calculations related to finance, health care and manufacturing that are intractable for today’s computers. While traditional computers store information as either zeros or ones, quantum computers use quantum bits, or qubits, which represent and store information as both zeros and ones simultaneously.
Some researchers estimate that it would take a machine with 250 million qubits to break today’s public-key cryptography, a widely used encryption method that could be particularly vulnerable.
While today’s early-stage quantum computers are far less powerful, much of the financial industry is secured by public-key cryptography, ranging from online banking and online transactions to banking mobile apps, Mr. Taneja said.
A popular public-key cryptography method, RSA, would be especially at risk. RSA is vulnerable to quantum computers because it is based on integer factorization, which is essentially reverse multiplication, using numbers that can be about 1,000 digits long.
Regular computers—even supercomputers—can’t factor such long numbers fast enough to beat these defenses. Quantum computers, though, may be able to solve integer factorization problems many millions of times faster.
Security experts and the companies developing quantum computers, such as
, have been aware of the threat for years. Hundreds of the world’s top cryptographers are involved in a competition to develop new encryption standards for the U.S., which would guard against both classical and quantum-computing cyberattacks.
A quantum computing attack could compromise not only data in the path of the attack but also the digital-signature algorithms used to verify the identity of some secure websites, said Yassir Nawaz, an executive director at JPMorgan responsible for securing emerging technologies at the bank.
That could allow bad actors to create fake identities for websites, as well as fake software downloads and software updates. JPMorgan executives have been aware of the threat for years, he said. “We’ve been actively discussing within the firm as to how we’d address this,” Mr. Nawaz said. “But the reality is that this is something that affects the entire ecosystem.”
JPMorgan is developing processes to help identify high-priority data sets that need to be protected for several years and could be at risk if a powerful quantum computer becomes available, Mr. Nawaz said. “We need to have a process that lets us identify and inventory that data,” he said.
That data would then be first in line to be secured by new encryption standards that could withstand a quantum cyberattack, he said. New encryption standards are being developed now, in a cryptography competition led by the National Institute of Standards and Technology, an agency of the U.S. Department of Commerce.
Visa and JPMorgan plan to begin adopting NIST’s new standards when they become available, which will require coordination with industry organizations. It can take as long as 15 years for internet activity to be secured by the new encryption methods, experts say.
“I don’t believe one day we’ll flip a switch and everything will be post-quantum (encryption),” Mr. Nawaz said. “It’s going to take a long time, starting with the high-risk data.”
Write to Sara Castellanos at [email protected]
Copyright ©2020 Dow Jones & Company, Inc. All Rights Reserved. 87990cbe856818d5eddac44c7b1cdeb8