Bringing quantum-safe security to IBM Quantum Platform, and the worldQuantum Safe

When quantum computers achieve the scale and error correction capabilities needed to realize the full potential of Shor's algorithm, they will gain the ability to decipher the cryptography that safeguards much of the world's most valuable data. This isn't some far off hypothetical scenario. These capabilities may arrive as soon as the end of this decade. This leaves today's information systems vulnerable to a looming threat known as "harvest now, decrypt later" - where bad actors harvest today's encrypted data with the intention of decrypting it using the quantum technology of the future. That's especially true for systems that use public-key cryptography, and our infrastructure here at IBM® is no exception.

Earlier this week, the U.S. National Institute of Standards and Technology (NIST) published its first set of post-quantum cryptography (PQC) standards - encryption algorithms that are resistant to both quantum and classical code-breaking methods. Two of these standards were developed by cryptography experts at IBM Research® in Zurich, while the third was co-developed by a scientist who now works at IBM Research as well. We have made ourselves the leader in PQC research because we are committed to making the world quantum safe through our portfolio of IBM Quantum Safe™ products and services. However, that effort doesn't just start with clients and partners outside of IBM. It also starts at home.

Teams at IBM Quantum Safe and IBM Research more broadly have recently launched a number of initiatives to protect our quantum computing platform and hardware from the threat of "harvest now, decrypt later" cyber attacks. We're also forging partnerships with the quantum and open source communities at large to help keep our clients - and the world - quantum safe. Below, we take a closer look at these ongoing efforts, and the work still to come.

Making IBM Quantum™ quantum-safe

IBM Quantum is pursuing a comprehensive, long-term plan to integrate quantum-safe security protocols across all IBM hardware, software, and services. A key priority in this effort will be making IBM Quantum Platform (IQP) quantum-safe. IBM Quantum Platform provides cloud-based access to the IBM fleet of utility-scale quantum computers through the Qiskit software development kit.

Quantum-safe transformation for IBM Quantum Platform will unfold in a series of stages, each one carefully planned to help us bring post-quantum cryptography to new areas of our hardware and software stack until the entire system is quantum safe. We've already completed the first stage of this process.

Today, we are working to implement post-quantum encryption to enable quantum-safe Transport Layer Security (TLS) on IBM Quantum Platform. This quantum-safe TLS extends from the client workstation users employ to interface with IBM Quantum services, all the way through the firewall that protects the IBM Cloud. Enabled by the IBM Quantum Safe Remediator™ tool's Istio open-source service mesh, the quantum-safe TLS continues through the firewall into the various IBM Quantum services that execute in the cloud. Connections along this path are quantum safe by default, but we also continue to support standard legacy connections that are not protected by quantum-safe encryption.

Our expectation is that soon, researchers and developers who use our services will be able to submit a quantum computational task to IBM Quantum Platform in a way that is quantum safe from the client down into the cloud services layer. Once we've achieved that, we will get to work extending quantum-safe communications to the next-lower level of quantum services, Qiskit Runtime. We'll continue our efforts from there with the ultimate goal of bring quantum-safe security not only to IBM Quantum services but to all IBM hardware and software.

Using IBM Quantum Safe tools for our quantum-safe transition

IBM Quantum Safe provides powerful software tools like IBM Quantum Safe Explorer™, IBM Quantum Safe Posture Management, and IBM Quantum Safe Remediator to assist enterprises on their quantum-safe journeys, and we're proud to say that IBM itself is one the enterprises benefiting from these capabilities.

IBM Quantum Safe Explorer empowers CIOs and application developers to scan business applications across their entire organization and build a Cryptographic Bill of Materials (CBOM). It streamlines the process of identifying cryptographic artifacts across the application portfolio and helps leaders determine the corresponding vulnerabilities that must be addressed to ensure proper implementation of quantum-safe algorithms.

IBM Quantum Safe Posture Management identifies an organization's overall cryptographic inventory across network, systems, and applications. It allows CISOs and their teams to define cryptographic policies that work for their organization and enables risk assessment and cryptography posture management via contextual analysis of the organization's overall vulnerabilities and business security compliance.

IBM Quantum Safe Remediator enables organizations to mitigate against the "harvest now, decrypt later" scenario using the technology of today. It provides an adaptive proxy as an initial remediation pattern to enable the quantum-safe TLS communications that protect most data-in-transit. It also includes a Test Harness that gives users the ability to test the performance of post-quantum algorithms and quickly measure how those algorithms will impact system performance before they actually move forward with updating their cryptography.

IBM Quantum Safe Explorer and IBM Quantum Safe Remediator are both available today, while IBM Quantum Safe Posture Management is available as a private preview. We'll be adding more capabilities as we continue to grow our Quantum Safe Portfolio. We will also continue to secure our infrastructure offerings for the quantum future, just as we did with industry's first quantum-safe system, the IBM z16™. Together, these tools empower enterprises to replace at-risk cryptography and develop greater overall crypto-agility, while always maintaining complete visibility and control over their entire cybersecurity posture.

Work in the Open

As part of our long-term plans to eventually secure the entirety of the IBM hardware and software stacks, we've also invested major effort in bringing quantum safe security to the open-source community. Open source software (OSS) powers much of the world's computing systems, including here at IBM. Given the importance of open source software in the computing industry, it is crucial that we build community and governance around post-quantum cryptography for open source tools.

In 2022, we approached the Linux Foundation and the Open Quantum Safe community to create a common foundation with the overarching goal of addressing the cryptographic security challenges posed by quantum computing. After a year of discussions, recruitment, and coordination, this effort resulted in the founding of the Post-Quantum Cryptography Alliance (PQCA), an organization dedicated to driving the advancement and adoption of post-quantum cryptography.

The alliance is now in its first year of operations and has gathered a collection of industry members large and small, as well as a steady flow of contributors (AWS, NVIDIA, IBM, University of Waterloo, and others). We invite all to join the Technical Advisory Committee bi-weekly meetings to learn more details and engage with the community.

In addition to starting a foundation for all OSS quantum-safe software, we have made contributions related to post-quantum cryptography to numerous OSS projects, with the overarching purpose of advancing the field and enabling broader adoption of post-quantum cryptography. Here is a brief summary of those contributions:

• Open Quantum Safe - This is the primary project in the PQCA. It provides the necessary foundation to enable post-quantum cryptography in Linux and various languages. Currently, Open Quantum Safe is used in all announced post-quantum systems. It was initially created at the University of Waterloo and is still managed and led by a team there. IBM Research is a vice-chair to this important project.
• Post-Quantum Code Package - IBM Research started, currently leads, and manages all projects within this initiative for high-assurance software implementations of standards-track Post-Quantum Cryptography (PQC) algorithms.
• PQCA Board and Technical Advisory Committee - IBM currently chairs both the board and the technical advisory committee (TAC) for the PQCA.
• Sonar Cryptography - Created and open sourced by IBM Research, Sonar Cryptography is a SonarQube Plugin that performs static scanning of code bases to detect cryptographic assets and generate CBOMs for OSS projects. Currently supports Java and Python with more languages coming soon.
• OpenSSL - An open-source library that implements the TLS protocol to provide a method for secure communication across computer networks. IBMers contributed code (pull requests 20866, 21633, 22779) to enable PQC algorithms to be used in the common cryptography tool.
• cURL - A command line tool that transfers data across the network. IBMers contributed code (pull request 12030) to allow SIG and KEM PQC algorithms to be traced in verbose mode.
• HAProxy - An open-source based reverse proxy offering load balancing capabilities for both TCP and HTTP traffic. IBMers contributed code (pull requests 2165, 2532) to enhance observability by fetching the curve names used during key agreement as well as ciphers, supported groups, key shares and signature algorithms used in TLS ClientHello settings.
• Istio - A service mesh for adding universal traffic management, telemetry, and security for complex deployments in Kuberentes. IBMers contributed code (pull requests 51280 and 52290) to enable configuring ECDH curves for internal mesh traffic and to add quantum-safe curves to the list of supported curves.
• Python - A popular programming language used for numerous tasks including web development and machine learning. IBMers have contributed code (pull request 119244) to enable the configuration of multiple curves for TLS which would allow users to enable PQC via the OpenSSLv3 provider oqs-provider.

IBM has always held a deep commitment to the open source software community. As we move further into the era of quantum utility, and quantum computers continue making progress toward achieving the ability to break public-key encryption, that commitment will be more important than ever.

We were pioneers in establishing the Qiskit software development kit as an open source toolkit for creating, managing, and executing quantum circuits. Now, we believe it is our responsibility to continue this leadership by helping the open source community move in the direction that will make all open source software quantum safe.

What's next for IBM quantum-safe initiatives

As IBM continues to advance the science of quantum computing, we remain vigilant in addressing the inevitable consequences of this fast-maturing technology.

While it may be years before we see a quantum computer powerful enough to break public-key encryption, the ever-present threat of "harvest now, decrypt later" schemes makes the need for novel methods of encryption an urgent matter today. This is why IBM has poured years of effort into developing post-quantum encryption algorithms as part of the NIST quantum safe competition, and why we're proud to say our researchers have had a hand in building each of the three recently standardized algorithms.

Of course, our mission doesn't end there. Like many of our enterprise clients, we're working today to make the entirety of our computing stack quantum safe. We began with our quantum platform, but our ultimate goal is to extend these protections to all IBM products.

We will continue to share the results of these efforts publicly. We will continue serving as leaders in the Post-Quantum Cryptography Alliance. We will continue tracking the progress and releases of the NIST competition. The feedback we get both from the open source community and from the ongoing efforts of NIST will help guide us on our mission of making the world quantum safe. And, as always, all users must practice good cybersecurity hygiene today to avoid potential data breaches - the "harvest now" part.

For enterprises looking to start their own quantum safe journey, IBM has created a collection of tools and services that help clients not only achieve quantum-safe transformation, but which also provide powerful insight and control over an organization's overall cryptographic posture. Our work with IBM Quantum Safe users has provided crucial feedback that has helped us to continually improve our IBM Quantum Safe toolset, our education materials, and our open source and internal quantum-safe initiatives. We hope you'll join us - not only in bringing useful quantum computing to the world, but also in making the world quantum safe.

Public link

Please use the above public link if you want to share this noodl on another website.