fraud prevention

Quantum cyber threats are likely years away. Why — and how — we’re working today to stop them

march 14, 2024 | BY christine gibson

You probably do it every day without a second thought — shop online with your credit card, or install an update on your phone, or send a confidential file to a co-worker. But how can you be sure your accounts won’t be hacked, or that the update isn’t malware?

The answer is internet security protocols, which safeguard billions of transactions and communications every day. Modern encryption methods use algorithms too difficult for conventional computers to break. Even the most powerful supercomputer might spend millions of years guessing before it landed on the right passkey.

But a new device called a quantum computer could crack the code in minutes. Exploiting the properties of quantum mechanics for unprecedented advances in processing power, these machines have the potential to help scientists discover blockbuster medicines or design high-efficiency batteries. Yet, in the hands of crime syndicates or state-sponsored hackers, they could shatter the bedrock of digital security. Although quantum computers aren’t yet widely enough available to break cryptographic standards, the race is on to fortify defenses around the world.

“We’re facing a truly existential threat to global commerce,” says Ed McLaughlin, president and chief technology officer for Mastercard. “We want to lead the innovation to protect businesses and customers everywhere.”

So in 2021, Mastercard launched its Quantum Security and Communications project, modeling new methods for encryption that are resistant to quantum attacks. The results will directly inform future network designs as engineers identify vulnerabilities and test upgrades. 

The quantum threat

Quantum computers, like classical computers, rely on physical phenomena to encode information as strings of ones and zeros. In your laptop, the physical entity is electrical current, which can be either off or on — 0 or 1. A quantum computer uses qubits, subatomic particles that have been isolated in specialized circuits or vacuum chambers. Like the circuits in a classical computer, qubits are confined to two distinct states (e.g. the direction of an electron’s spin or the polarization of a photon).

But — here’s where it starts to get weird — qubits can be put into superposition, meaning they occupy both states at once, until they are observed, at which point they collapse into a single outcome. (Remember Schrödinger’s cat, alive and dead at the same time?) This added dimension allows quantum computers to conjure all possible solutions to a problem simultaneously.

Quantum mechanics also bestows qubits with a force multiplier, and it’s even weirder: Qubits can become entangled, meaning that their states correlate, either always matching or always opposite. No matter how far apart they are, changes to an entangled qubit instantaneously affect the others, and observing one confirms the state of its counterparts.

These two properties, superposition and entanglement, grant quantum computers exponentially more power than today’s most advanced supercomputers can muster. Entangled qubits in superposition register every possible combination of their states, so each additional qubit doubles the data capacity: Two qubits store four values, three qubits store eight, and 50 store more than a quadrillion.

“That’s what makes them more powerful, that they go beyond conventional ways of processing data,” says George Maddaloni, who oversees the Operations, Network and Employee Digital Experience team at Mastercard and is leading the company’s approach to future-proofing its network against quantum threats.

“In the next 15 years, these computers could crack the foundations of the global cybersecurity infrastructure.”

Stronger encryption

To counter this threat, cybersecurity experts are experimenting with two parallel strategies: strengthening conventional cryptographic algorithms and using quantum computers to derive encryption keys.

Maddaloni and his team investigated both approaches. First they tested new encryption algorithms designed to be quantum-resistant, a tactic called post-quantum cryptography, or PQC. Partnering with trusted experts in this space, the Mastercard team built a virtual network in the cloud, simulating two businesses that communicate over a private channel. Then they shuttled data back and forth, encrypted by the algorithms the National Institute of Standards and Technology has selected as potential PQC standards.

The goal was to help NIST evaluate the candidate algorithms, which Maddaloni admits is a catch-22. “We can’t say exactly how secure these algorithms are, because there aren’t widely available quantum computers to test them with,” he says. “But as soon as the technology becomes commercially available, it will be too late.”

To learn more, Mastercard has also explored how the technology could integrate with its existing network. “We tested to see if existing hardware platforms could support PQC with software updates so we don’t have to design all-new equipment,” Maddaloni explains.

Fighting qubits with qubits

With an eye on the longer term, the team also tested solutions in quantum key distribution, or QKD, in which a sequence of light particles encodes the encryption key. As they travel from the sender to the recipient, the keys are protected from eavesdroppers by the properties of quantum mechanics. Because observing a quantum particle changes it irreversibly, any attempt by a hacker to read or copy the photon will create an error on the receiving end.

To determine whether QKD could work in Mastercard’s complex global network, the team created a model of quantum-enabled architecture. That in itself posed a challenge, as few hardware vendors make equipment that can integrate with QKD systems.

“There’s no off-the-shelf solution,” McLaughlin says. “We had to create it on our own.”

Two of the test setups were confined to the lab. The team linked state-of-the-art QKD generators and transmitters to the same kinds of physical hardware that make up the Mastercard network. Then, while the system mimicked real-world messaging flows, the engineers measured the performance of each solution; the fastest could provide keys to 1,831 devices every second. They also timed each system’s recovery after temporary disruptions (the winner was back online in five minutes). In one setup, the team simulated a hacker spying on the quantum channel. The recipient correctly recognized the disturbed qubits as errors.

To test QKD at longer distances, the engineers strung 2.5 miles of fiber-optic cable between two buildings. Then, to simulate interstate or transcontinental connections, they weakened the signal with an optical device. Keys arrived more slowly, but still fast enough for many applications.

Although the team ultimately concluded that QKD is not yet ready to go live, the latest generation of QKD devices are significantly more reliable and resilient than their predecessors. If vendors keep up the same pace, QKD could be ready for deployment within the next five years.

“We’re testing in real time with our vendors,” McLaughlin says. “If and when QKD becomes an industry standard, we are paving the way for other companies to keep their business data and customers safe.”

Christine Gibson, contributor