At this year’s RSA show, delegates were alarmed to hear of the five-year “quantum window”, that is the time that they are supposed to have to make sure that assets protected by traditional security methods can be upgraded to quantum-based security, which by then could fall into the hands of attackers.
Noting this, telco Vodafone is working with technology partners and mobile industry body the GSMA to explore quantum-safe defences to help protect businesses from any future threats.
Explaining the rationale for the activity, Vodafone noted that businesses currently rely on public-key cryptography to establish secure communication channels and protect sensitive data, a security methodology that relies on the difficulty of solving certain mathematical problems.
However, it warned the emergence of fault-tolerant quantum computers, able to undertake far more complex processing tasks than a traditional computer, poses a risk. Specifically, this step-change in processing power has the potential to crack today’s codes, decimating the trust and security on which current technology is built.
Even though it conceded that at present there was no hard evidence that long-lived sensitive data, such as government records, corporate intellectual property, and even individual biodata, may already be at risk, Vodafone noted that threat actors may already be harvesting data in anticipation of the quantum computing revolution. To that end, it has started work on this now by testing new cryptography in partnership with key industry players.
Vodafone said that it was taking what it called necessary steps to mitigate as much risk as possible going forward, and that its goal to work in tandem with partners to migrate data in an orderly fashion to suitable, post-quantum cryptographic methods now to protect customers, governments and society.
The quantum risk is part of the ever-evolving security threat landscape, said Emma Smith, Vodafone’s cyber security director. “On one hand, quantum computing has the potential to rapidly solve ultra-complex problems in key areas such as healthcare, but on the other it could undermine today’s cryptography,” she said.
“This is why we are playing an active role in the transition to a quantum-safe world. We are exploring and trialling new algorithms to provide protection for our customers against possible quantum-empowered attackers in the future.”
Among a number of initiatives designed to anticipate and safeguard against future threats, Vodafone revealed that it is now working with Alphabet spin-off SandboxAQ to conduct a proof-of-concept test for a quantum-safe business network using a virtual private network (VPN).
The test was conducted using standard smartphones, connected to the VPN, that had been specifically adapted by Vodafone/SandboxAQ using cryptography algorithms from The National Institute of Standards and Technology (NIST), part of the US Department of Commerce, and it has developed a framework of standards for national or corporate cyber security practices. Adapting a standard smartphone for the test allowed Vodafone/SandboxAQ to evaluate the latest NIST standards in a real-life telecommunications scenario.
Vodafone said governments are adopting NIST standards as part of their planning to mitigate the potential risk Quantum Computing poses today. One of those risks is the store now, decrypt later (SNDL) threat.
“The SNDL attack involves adversaries stealing encrypted data now so they can decrypt it in the future with a quantum computer,” said Vodafone head of research and development, Luke Ibbetson. “Although cryptographically relevant quantum computers may remain some years off, the threat posed by quantum-empowered attackers is already here today.”
Another area of activity is post-quantum cryptography (PQC). Such algorithms use new mathematics and methods to offer quantum safety and are the subject of ongoing standardisation processes. Vodafone said that it was taking “a leading role” in the GSMA’s newly established Post-Quantum Telco Network (PQTN) task force to help develop industry-wide strategies and planning to address the quantum threat.
One of the first outputs from this task force was the publication of a whitepaper in early 2023, discussing the quantum threat and outlining the telco-specific implications. Vodafone is working with a variety of technology partners in this area, from specialist startups in quantum technologies to what it calls established industry leaders.
Vodafone is also exploring the performance characteristics of the post-quantum algorithms in a quantum-safe VPN. The background to this is due to different types of post-quantum cryptography’s potential to have varying performance characteristics, which may impact existing communications processes such as voice calls or web browsing and telecommunications infrastructure.
A Vodafone-SandboxAQ quantum-safe VPN project has assessed the impact of PQC algorithms on this key telecommunications service, without compromising the customer experience. During the project, Vodafone established its first ever quantum-safe VPN, using new technology and customised SandboxAQ software for quantum-safe internet protocols and analytics.
Vodafone engineers conducted a series of experiments to test several scenarios, including connecting the modified smartphones to a server and site-to-site connections to replicate a link between head office and local branches.
“The experiments involved the assessment of both synthetic traffic and real data sessions made by internal volunteers from several countries in which we operate, together with the project team,” Ibbetson added.
“We tested the impact of post-quantum cryptography on activities many of us do every day. These included web browsing, social media and chat application use, video and audio streaming, and mobile gaming using PQC-enabled mobile handsets, helping to test network performance and assess the user experience.”
Moreover, the best-fit PQC algorithms selected for standardisation by NIST were found to perform well in the telecommunications setting. These PQC algorithms had relatively little impact on the quality of service for users of both smartphones and fixed broadband services. A second group of PQC algorithms, namely for digital signatures, is being considered by NIST in a new standardisation process that has just begun.