ON 29 MAY 2023

BY ISAIAH HULL

In addition to credit risk and market risk, financial institutions also face operational risk, which arises as a consequence of flawed and outdated systems, policy failures, and employee conduct. Within the diverse class of operational risks -- which spans everything from rogue trading to outdated software -- cyber risk has historically accounted for only a small share of the total losses; however, this is an emerging class of risk and one that appears to be fat-tailed (Aldasoro et al. 2020). Recently, there has been growing concern that the development of quantum computers will pose a large cyber risk to financial sector. In this blog post, we examine the nature of this risk, when it is likely to materialize, and how financial institutions can protect themselves against it.

### The Risk

Let’s start with the risk. For certain classes of computational problems, quantum computers have better scaling properties than classical computers. One such problem is the factorization of integers into prime numbers. The best publicly known algorithm for performing this task on a classical computer requires a super-polynomial number of elementary computational steps as a function of the size of the integer.[i] Consequently, if we select a sufficiently large integer, even the most powerful classical supercomputers will require trillions of years to factor it into prime numbers. This is not true for quantum computers, due to their scaling advantage in this problem class. Shor’s (1994) algorithm, for example, demonstrates how a quantum computer can factor an integer into primes in a polynomial number of steps as a function of the size of the integer. This could potentially reduce the time it takes to solve such a problem from trillions of years to a few minutes.

At a first glance, the scaling advantage of quantum computers for certain problems may appear to be unambiguously positive. However, with respect to integer factorization, this advantage threatens to disrupt the secure communication protocols that underpin the financial system and the Internet more broadly. This is because the basis for public-key cryptography, which is used to deliver symmetric cryptographic keys securely,[ii] is the assumed intractable difficulty of factoring large integers. If integer factorization becomes easy, then public-key cryptography schemes, such as the Rivest-Shamir-Adleman (RSA) cryptosystem, will no longer be secure. This is especially troubling for banks and other financial institutions, which rely on secure communications to transmit sensitive financial data and perform authentication.

But how large is the scope of the problem? And does it create the possibility for substantial losses? Based on the recent experience of financial institutions, we know that losses associated with cyber risk tend to be fat-tailed (Aldasoro et al. 2020). Social engineering and phishing attacks, for example, might compromise individual accounts or succeed in fraudulently transferring small sums of money; however, a successful ransomware attack could completely disable a financial platform for days or weeks, preventing customers from accessing funds or services. The eventual failure of public-key cryptosystems against a quantum-enhanced attacker has the potential to create severe losses at unprepared institutions and a potential crisis in the system as a whole.

The development of a quantum computer capable of breaking public-key cryptography poses an especially potent operational risk because it strikes at a financial institution’s most carefully guarded secrets: namely, those which it has decided to protect using cryptography. Successful penetration of such systems could lead to loss of customer confidentiality, fraudulent transactions, and a long-term decline in trust in individual institutions and the financial sector as whole. A security breach could also necessitate regulatory actions against the institutions involved.

### The Timeline

While quantum hardware has passed several substantial milestones over the last decade, it is not yet sufficiently powerful to factor the large integers used in modern cryptographic applications, such as RSA-2048 integers, which require 2048 bits to represent. A recent survey of experts in the field predicts that quantum hardware is unlikely to reach this point within the next five to ten years (Mosca and Piani, 2022). Of those surveyed, 27 of 40 predicted that the probability that this would happen within the next five years was less than 0.01. Furthermore, none of the 40 experts surveyed thought it was higher than 0.50. Reported probabilities were considerably higher for 10 and 20 year horizons.

This does not, however, imply that we can ignore the quantum threat to the financial sector until it materializes. There are two reasons for this. First, attackers may take a “hold-and-decrypt” strategy, where they intercept and hold secure communications from the financial sector, only to decrypt them when a sufficiently powerful quantum computer becomes available. And second, migrating from one cryptosystem to another will take time and may introduce new vulnerabilities (Canto et al. 2023). As such, there will be advantages to starting the migration early and identifying the problems, rather than waiting for systems to fail and reacting only after a breach has caused substantial losses.

### The Solution

What can a financial institution do today to safeguard itself against quantum attacks in the future? A first step, which involves no changes in cryptographic systems, is to determine how information that may have already been intercepted and held could be used by a quantum-enhanced attacker in the future. This can be done by assuming that, in the worst-case scenario, all past secure communications are being held and will eventually become public information. Under these assumptions, what would a bank need to do to ensure that this information could not be used to perform fraudulent transactions or otherwise harm customers?

The next step is to harden cryptographic systems using post-quantum cryptography (PQC). This entails adding a second layer of classical encryption to existing systems to protect the key distribution process against quantum-enhanced attacks. In contrast to the existing public-key cryptosystems, such as RSA, PQC is built around computational tasks that are hard to perform both classically and quantumly. Thus, a would-be attacker would have to penetrate both the legacy RSA-based system and the PQC system before accessing sensitive customer data.

In the future, financial institutions may also consider moving towards quantum key distribution (QKD), which involves performing the key distribution step using quantum communication lines. QKD has the advantage of being information theoretically secure, which means that it protects the information transmitted using the laws of physics, rather than relying on a complexity-theoretic notion of security, such those that underpin existing public-key schemes. Using QKD would mean that secure communication at financial institutions would not be subject to disruption when new hardware or algorithms are developed.

Another step financial institutions can take is to cooperate with their peers and with government agencies to develop standards for efficient and safe communication in a post-quantum world. Given the interconnectedness of the financial sector, it is not sufficient to safeguard your institution against quantum-enhanced attacks if your clients and counterparties remain exposed.

### Conclusions

Quantum computers are not yet a threat to the financial system; however, prudent financial institutions that want to mitigate operational risk and protect their clients should begin their preparations today. They can start by assuming that past secure communications may eventually become public and should modify existing systems accordingly. Next, they can begin the process of hardening systems against future attacks, first by adding a layer of PQC and then exploring the possibility of using QKD in the near future. In addition to this, they can work across institutions and with government agencies to develop the relevant security standards to allow for efficient and secure communication and authentication protocols in the financial sector.

_{[i] This algorithm is the general number field sieve (GNFS), which factors large integers into prime numbers in a super-polynomial (but sub-exponential) number of steps as a function of the number of bits needed to represent the integer.}

_{[ii] Symmetric keys provide an efficient means to encrypt and decrypt communications; however, both parties to a communication session must have the same symmetric key. For this reason, the symmetric key is typically delivered over the Internet using public-key cryptography, which is asymmetric. The symmetric key is encrypted using the public key from a public-private key pair. It is then delivered over the Internet, where the private key holder decrypts it.}