Banks are cautiously preparing to implement new encryption algorithms that will protect against hackers using quantum computing to crack their code. But experts warn they potentially need to stump up astronomical sums to raise their cyber defenses against the developing threats. If they don’t, then current cryptography could be obsolete within five years, according to some estimates.

Andersen Cheng, who worked on JP Morgan’s response to the ‘millennium bug’ in 2000, says the bank spent $286 million successfully mitigating the bug’s impact. Allowing for inflation, Cheng thinks that outlay would translate to up to $500 million today. But he warns that the cost of migrating to quantum-proof encryption could “easily take five to 10 times more”.

Cheng says he knows of one bank—not within the top three in the US—that has estimated the migration exercise will cost it $1.2 billion. “But I still don’t think that’s enough. This is a huge exercise, as every single thing you do more or less has public key cryptography in there, and every single thing has to be migrated.”

So-called classical computers run calculations using data existing in either one of two states—a one or a zero—whereas quantum computers hold pieces of data in two states simultaneously. That difference means calculating power increases exponentially, allowing quantum computers to operate at stupendous rates.

The new encryption tools are designed to withstand the assault of a quantum computer, which could potentially breach security protecting privacy in digital systems including online banking and email software.

Rupert Bull, co-founder of fintech research firm The Disruption House, agrees quantum computing is a “key investment area” for financial institutions.

“Clearly, the banks can’t be outgunned by hackers who’ve got more quantum cryptography. I think it’s an inevitable arms race, but it does require huge amounts of upfront investment.”

Don’t jump the gun

In June, US president Joe Biden discussed cyberspace and quantum computing with G7 leaders, including the threats posed by China, committing to new co-operation to deploy quantum-resistant cryptography.

In July, the US Department of Commerce’s National Institute of Standards and Technology (Nist) announced “the beginning of the finale” of a competition among the world’s cryptographers to devise and vet encryption methods to resist attacks from future quantum computers far more powerful than the machines available today.

The Nist competition began in 2016 with 82 submissions. These have been whittled down in three rounds to eight remaining contenders.

Four of those will now become part of Nist’s post-quantum cryptographic standards, expected to be finalised in about two years. The other four are under consideration in a fourth round, and Nist plans to announce the successful algos from that round at a future date. It is announcing its choices in two stages because of the need for a “robust variety of defence tools.”

Cheng is now chief executive of Post-Quantum, a cybersecurity firm that is part of the team behind Classic McEliece, one of the four algorithms under consideration in the fourth round.

Lee Braine, a managing director in Barclays’ chief technology office, says the industry is eagerly awaiting the conclusion of Nist’s fourth round.

“It’s been a long process with Nist now—about six years into an eight-year effort—which should result in a post-quantum cryptographic standard being finalised.”

Several banks, including Barclays, JP Morgan and Societe Generale, have said they are preparing new encryption algorithms that will provide protection against quantum computing, but none would comment on the potential cost of doing so.

However, bankers caution against adopting the standards too early.

“While the standard is in development, Nist encourages security experts to explore the new algorithms and consider how their applications will use them, but not to incorporate them into their systems yet, as the algorithms could change slightly before the standard is finalised,” says Eric Mely, quantum computing community leader at Societe Generale.

Some of the rejected algorithms were deemed to have vulnerabilities within their current parameters. The number of parameters could be increased, but this would leave them with very high overheads, meaning it would take too long for users to send messages back and forth to each other.

Other protocols were knocked out due to concerns around the practicality of their long keys, making implementation difficult. Keys are random strings of bits generated to scramble and unscramble data.

Hybridization

The algorithms seeking approval are designed for two main tasks for which encryption is typically used: general key encryption, used to protect information exchanged across a public network; and digital signatures used for identity authentication.

Of the four algos identified for standardisation so far, one is for public key encryption and the other three are for digital signatures. The fourth-round candidates are all for key encryption.

Societe Generale’s choice will be to go with a “hybrid model”, which will help it test the algorithms and see which one could best suit its needs, says Mely. Experts say hybrid models involve networks using dual signatures during a transitional phase before switching completely to post-quantum signatures. Compiling an inventory of systems that use public-key cryptography and that need to migrate to the new standards will be the bank’s first task.

Many banks will start moving to the new standards through this kind of hybrid approach, says Jack Hidary, chief executive of quantum technology company Sandbox AQ, a spinoff from Google’s parent company Alphabet. That is because they might already be under a compliance regime to keep their customers’ data encrypted using RSA or ECC, the two main protocols securing online systems that are vulnerable to exploitation by quantum computers.

RSA—devised by Ron Rivest, Adi Shamir and Leonard Adleman, who gave their initials to it—creates a public key by multiplying two large prime numbers and stores the result in a private key used to decrypt the public key. ECC, or elliptic curve cryptography, takes a point on an elliptic curve and multiplies it by another number to create a new point on the curve, which then becomes the public key.

Hidary says banks may want to start protecting their data from what is called store-now-decrypt-later, where cyber adversaries syphon off data from communication streams, then store it for decryption in a few years’ time when they are able to do so with quantum computers. To protect against that, banks can “hybridise and encrypt that data in a double wrapper” of RSA/ECC cryptography as well as quantum-proof cryptography.

Hidary adds that Sandbox AQ is also in talks with a large quantitative hedge fund to protect its proprietary models from hacking by quantum computers exploiting RSA and ECC vulnerabilities.

Hush-hush

With many banks preparing to migrate IT systems to the cloud, Cheng thinks that exercise could be combined with the move to post-quantum cryptography. But in addition, he believes, some banks may not “make a song and dance” about moving to the new standards, because they are currently in competition with each other to hire the most competent quantum computing talent—pool of people numbering only in the few thousands.

“Some of the largest banks in the world are keeping quiet about it. They have been quietly hiring expertise in-house, because they know that when quantum migration happens, there will be a huge shortfall in expertise,” Cheng says.

In the next few months, Cheng predicts one or two large banks will exit their stealth modes and make major announcements about the strength of their post-quantum cryptography teams responsible for migrations. He says it will become part of banks’ marketing strategies to demonstrate earlier than rivals that they are quantum-safe in order to protect client assets.