MAS completes sandbox trial to prepare financial sector for quantum-era cyber risks

The “quantum era” may sound like a distant, sci-fi concept, but for cybersecurity professionals, it is a very real and present concern. This is not just about a potential future threat; it is about vulnerabilities that exist today. Recent actions by the Monetary Authority of Singapore (MAS) highlight the proactive steps being taken to prepare for this new digital landscape.

MAS recently announced the successful completion of a Quantum Key Distribution (QKD) sandbox trial. The trial, conducted in partnership with various banks and technology firms, explored how QKD could be used to secure sensitive financial communications. This initiative is part of a broader effort to strengthen the cybersecurity foundations of Singapore’s financial system in anticipation of quantum-era cyber risks.

MAS has noted that while quantum computing is still in its early stages, its rapid development could eventually make current encryption methods obsolete, putting sensitive financial data and customer information at risk. To address this, MAS published an advisory in February 2024 to guide financial institutions on a quantum-safe transition. As part of this, MAS will begin working with financial institutions to create roadmaps for a full, albeit complex, transition.

This proactive stance by MAS reflects a growing international consensus: organizations must begin preparing for quantum threats now.

Current cybersecurity protocols are built on the assumption that classical computers cannot solve complex mathematical problems that are at the foundation of cryptography. This is particularly true for public-key cryptography, which is used to secure everything from online transactions to digital signatures.

However, quantum computers use the principles of quantum mechanics to find new ways to solve these difficult problems. For example, Shor’s algorithm, a quantum algorithm, can factor large numbers and solve discrete logarithm problems exponentially faster than classical methods. This capability could render today’s most widely used public-key encryption algorithms, such as RSA and Elliptic Curve Cryptography (ECC), vulnerable to attack. The National Institute of Standards and Technology (NIST) has warned that this could “seriously compromise the confidentiality and integrity of digital communications on the Internet”.

The most immediate danger is the “hold now, decrypt later” (HNDL) attack. In this type of attack, adversaries can harvest and store sensitive data that is secured by today’s encryption, with the intention of decrypting it later once sufficiently powerful quantum computers become available. This threat is particularly critical for data that needs to remain secure for decades, such as intellectual property, national security data, or personal identifiable information.

While the timeline for when quantum computers will be powerful enough to break modern encryption is uncertain, experts suggest it could be as soon as the next ten years. The ambiguous timeline, combined with the reality of HNDL attacks, underscores the need for organizations to act today. The good news is that the global cybersecurity community is actively developing quantum-safe encryption standards to address this.

For example, NIST has been leading a post-quantum cryptography (PQC) standardization process since 2016. PQC algorithms are designed to be resistant to attacks from both quantum and classical computers. Unlike traditional encryption, PQC is based on mathematical problems that are believed to be difficult for quantum computers to solve.

In addition to PQC, other quantum-resistant solutions are emerging:

• Quantum Key Distribution (QKD): As seen in the MAS trial, QKD is a method for securely sharing encryption keys using the principles of quantum mechanics. Any attempt to eavesdrop on the key exchange would disturb the particles’ quantum states, immediately alerting the sender and receiver.
• Quantum Random Number Generation (QRNG): These solutions use quantum properties to create inherently random numbers, which strengthens security protocols.

For organizations, transitioning to quantum-safe cryptography is a complex, enterprise-level initiative that requires a structured approach. The journey can be broken down into three main stages:

1. Discovery and Prioritization: Organizations must first conduct a comprehensive assessment to identify their cryptographic infrastructure. This involves reviewing all data and communications that rely on cryptography and prioritizing sensitive assets for a timely transition to PQC, especially those vulnerable to HNDL attacks.
2. Performance and Interoperability Testing: As PQC algorithms have different computational characteristics, they may affect network and system performance. Organizations should carefully test how new algorithms will integrate with existing systems and protocols to ensure a smooth transition.
3. Transition: The final stage involves migrating legacy systems and vendors to the new PQC algorithms. This requires establishing clear governance to ensure cryptographic agility – the ability to efficiently update algorithms as needed.

The move to a quantum-resilient economy is a shared responsibility that requires collaboration across governments, academia, and industry. By shifting their mindset from “racing against” to “racing with” others, nations and organizations can mitigate security risks while also promoting the responsible development and adoption of quantum technologies.