Today, there is a lot of talk about quantum technologies and cyber security all over the world. At a first glance, the two fields may appear to be quite far from each other, but, in addition to their topicality, the two seem to have some other interesting similarities as well.
Secure, insecure, neither or both?
The best-known story in quantum physics is probably Erwin Schrödinger’s thought experiment about a cat placed in a sealed box with a flask of poison and a radioactive source. The decay of the radioactive substance will set off a chain of events as a result of which the flask is shattered and the poor cat dies. According to a quantum theory interpretation, the atoms of the radioactive source may be in quantum superposition, in other words, exist in multiple states at once. Thus, the atom nucleus has and has not decayed, and the cat is and is not dead at the same time. However, one can never see such a cat in quantum superposition, because peeking into the box forces the system to make a choice between one of the two states: the cat either dies or survives.
In the cyber world, on the other hand, one of the basic assumptions is the Hyppönen law, which states that whenever an appliance is described as being "smart", it is also vulnerable. However, usually we do not know all the vulnerabilities of a system, so all systems are in a kind of Schrödinger's state of insecurity, in quantum superposition between states of security and insecurity. Observing, using and testing the system defines in which direction the system's state of will collapse.
The observer's motives
From the perspective of quantum physics, the observer's motives are usually irrelevant. Being an observer does not even require consciousness; the mere capacity to make observations suffices. When it comes to data security, the situation is different: the monitoring and measuring performed by the defenders of the system contribute to the system advancing towards a state of security, whereas the knocking on the system by the attackers pulls the system in the opposite, insecure direction. Both the defenders and attackers are probably humans or at least bots programmed by humans.
In the original Schrödinger's thought experiment, the probability of the cat’s survival was 50 per cent. Unfortunately, the cyber world, however, is governed by the “defender-attacker asymmetry”: attacker only needs to find one route into the system, while the defender must stay constantly alert in the midst of all technical and human vulnerabilities. Therefore, in cyber security the quantum superposition is more likely to collapse into the state of insecurity.
Another relatively well-known concept in quantum physics is the Heisenberg uncertainty principle, according to which it is not possible to measure a particle's exact location and velocity at the same time. On the other hand, in cyber security the uncertainty principle means that it is not possible to know exactly all the parties taking advantage of certain system vulnerabilities. On the other hand, if there is exact information about the attacking party, one cannot be certain about all the vulnerabilities it is exploiting.
Even though in the text above we are taking a slightly playful approach to serious topics, we find it quite amusing to notice that these two hot fields of technology may have some quite surprising similarities. Here at VTT, we are making major investments in both these technologies through such steps as a quantum computer acquisition and research of quantum-safe encryption methods. We believe that cyber security and quantum technologies may benefit from collaboration and that by combining our know-how we may find interesting new techniques.