With investments increasing and research and development well underway, quantum computers are fast becoming a reality.
This new approach to computing, which harnesses quantum mechanics, will offer faster ways to solve complex problems than even the most powerful super computers currently available. One area of concern is the potential of quantum computers to crack current cryptography that’s widely used to secure digital communications and transactions.
Although largely in pilot phases, quantum computers are in operation today. However, due to the technical difficulty to develop the necessary stable hardware and performance, their levels of capability are, at present, relatively limited. That said, development in this emerging field is accelerating.
IBM, which offers access through the cloud to some of its fleet of 10 quantum computers, claims that in 2023, external users were using an average of 13 qubits on its Eagle quantum processors; and this figure jumped to 40 qubits last year as stability improved.
Meanwhile, its Heron quantum processor (launched in late 2023) offers 156 qubits, with users using an average of 115 qubits in 2024.
Google launched its Willow quantum chip in December 2024, with a claimed 105 qubits; however, Willow also set a record in a benchmark performance test and demonstrated error correction that could be key to scaling quantum systems.
Qubit estimates
Like a binary bit is a basic unit of information in classical computing, a qubit is a basic unit of information in quantum computing. Estimates around the number of qubits needed to crack existing cryptography varies, with Chinese researchers saying it can be done with as few as 372 qubits; other estimates are in the low thousands.
A 2024 report from the Global Risk Institute includes a prediction that 34% of experts in the field optimistically believe a “cryptographically-relevant quantum computer” will be developed within the next decade (up from 31% in 2023). Meanwhile, 14% estimate it will happen within five years (up from 11% in 2023).
Despite the exact unknowns around when quantum computers will achieve true supremacy over classical computers, especially with regards to cryptography, work has been undertaken to develop post-quantum cryptography standards.
Last year, the US National Institute of Standards and Technology (NIST) ratified three standards: ML-KEM, ML-DSA, and SLH-DSA. This formalisation opens the door to start the transition to a “quantum safe” world.
NIST is at the forefront of pushing the global transition to post-quantum cryptography, and has set a 2030 deadline to deprecate RSA-2048 and ECC-256 cryptography algorithms, with their use banned entirely by 2035.
While the “quantum threat” poses a longer-term challenge, especially when organisations are faced with the immediacy of burgeoning cyber threats, it is not something that should be ignored or postposed, says Michael Osborne, CTO at IBM Quantum Safe.
Osborne reasons that while there may seem to be plenty of time, the task to replace cryptography across an organisation is a significant undertaking, and should be addressed urgently. He says it’s also possible for bad actors to harvest sensitive information now, and decrypt it at a later date, once existing encryption standards are broken.
In order to tackle the problem, he adds, it’s important to have the right guidance, the right ecosystems, and the right regulation or incentives in place. In addition to the NIST 'incentives', the EU has also introduced the Digital Operational Resilience Act (DORA), which comes into force from 17 January and affects EU entities and companies that handle the data of companies within the EU.
“A large aspect of the journey to becoming quantum safe is structuring the problem such that you can do it in an organised way,” he says.
Identifying where cryptography is used in an organisation’s digital landscape is important, as is understanding the role of the supply chain in relation to that; whether that’s external software vendors, cloud service providers or applications and solutions that were developed internally.
It’s likely that vendors, such as IBM, will play their part in the effort and offer support to clients, but the biggest challenge is likely to come from legacy applications or code that an organisation has already built itself and where support is no longer available.
Jaime Gómez García, head, Quantum Technologies at Banco Santander, agrees that the process will be complex, especially with a global shortage of cryptography experts.
“You need to start with identifying the priorities, and understand the easy targets. Are they high risk? You need to put a balance on what will have a big impact in the future. There's a lot of learning that needs to happen along the way.”
He suggests quantum cryptography around digital signatures as one area to start exploring.
“It’s an important use case, so it's an area to start exploring without strong dependencies. Through that process, you can also start developing talent around the use case and new cryptography. By starting now, taking easy targets that you can work on on your own, you'll develop the talent and the use cases and have a clear vision of what the future roadmap will look like.”
Proper cryptography management
But Gómez García adds that the focus around upgrading cryptography should not be driven by quantum computers, but rather focus on “proper cryptography management”.
“Cryptography has been undermanaged historically by everybody, so we need to manage cryptography properly. The existence of a quantum computer marks a deadline, but we have other deadlines. In the financial sector in Europe, regulation is asking for mature cryptography management already in 2025. The US government is asking for a timeline to transition, which requires modern cryptography management. The end of life for cryptography that will be vulnerable has already been set; 2030 and 2035 the cryptography we're using today is not going to be a valid standard, that's regardless of what happens with quantum computing.”
Osborne agrees: “The debate around when quantum will or will not be ready, it's sometimes not a helpful one. It's more important to say this is modern, next-gen cryptography, and there's a good reason to use it as quickly as possible.”
And the important part to note is that it’s not just going to affect telcos, banks or governments, it will impact any organisation conducting digital transactions where data needs to be kept confidential.
Osborne says that over the years, thanks to encryption, we’ve built up trust in digital commerce, transactions and communications. “The whole of ecommerce is built on things that very few people understand, but they've grown to trust. But, what happens to trust in a situation where you can't trust?”
Share