Financial institutions that aren’t “quantum safe” may find their payments systems pilfered by digital fraudsters in the next decade, according to some professionals monitoring the evolution of computer technology.
Quantum computing is an ultra-high-speed form of computing that already exists and has been advancing in recent years, though it’s still not widely available, partly because it operates only at costly frigid temperatures just above zero Kelvin, or -460 Fahrenheit.
Educational institutions, such as Rice University, and companies, like IBM, as well as cities, such as Chicago, are racing to be out in front in developing the powerful new breed of computing. They’re all seeking to harness the quantum firepower for solving more complex problems.
The expectation is that crooks are also angling to tap quantum computing, to break through cyber protections that governments, banks and other organizations have in place to protect almost everything that’s in digital form.
As a result, those entities are increasingly aware of the threat and of the preparations needed to be quantum safe in the next few years.
“Like a new light switch, quantum computing will require upgrades to hardware and software. Full implementation could take years,” Nanci McKenzie, a payments risk specialist at the Atlanta Federal Reserve, said in a February post on the bank’s blog. “Building a strategy to implement quantum computing within your information security program needs to be on your ‘to do’ list today.”
How the quantum threat could unfold is complicated.
In simple terms, current cyber defenses for payments systems rely on asymmetric key encryption, also known as public-key cryptography, which uses two unique keys, one held by a sender and the other by a recipient, to encrypt and decrypt data used in transaction messages.
For instance, the Federal Reserve instant payments system FedNow requires messages to be signed using asymmetric key encryption. Digital currencies also depend on the same encryption process.
The financial services community generally depends on two algorithmic formulas to generate the “keys.” Those algos are known as RSA, or Rivest–Shamir–Adleman, which refers to the three computer scientists who developed it, and ECC, which stands for Elliptic Curve Cryptography. While it’s nearly impossible today for a computer to guess the long prime numbers that the algos generate, quantum computing could make it infinitely easier.
“We consider [RSA and ECC] state of the art in financial services,” payments industry consultant Peter Tapling said at an industry forum discussion in Chicago last month. “What happens if quantum computing can take elliptic key cryptography, or RSA asymmetric key cryptography, and from one key, guess the other key in minutes? Yikes, that becomes a problem.”
Whether financial institutions are “quantum safe” to thwart those threats is becoming an important question, Tapling said at the recent Chicago Payments Forum event.
He explained how the American mathematician Peter Shor has created an algorithm that shows that one day quantum computing will be able to essentially break through the asymmetric key encryption on which financial systems hinge their security.
“Shor's algorithm has proven that you can indeed put all asymmetric key cryptography at risk once we reach this efficient frontier” for quantum computing, Tapling told bankers, lawyers and professionals in payments at the July 23 forum held at the offices of the law firm Kelley Drye & Warren.
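As an added illustration (not part of the original article or of any system it names), the Python sketch below shows what “from one key, guess the other key” means for RSA: whoever can factor the public modulus can recompute the private key, and signatures made with it pass verification. The toy primes, the sample message and all function names are constructed for this example, and trial division stands in for the factoring that Shor's algorithm would make fast at real key sizes.

```python
# Added illustration: textbook RSA on constructed toy primes (no padding).
import hashlib

def make_keypair(p, q, e=65537):
    """Build (public, private) from two primes, as an RSA key generator does."""
    phi = (p - 1) * (q - 1)
    return (p * q, e), (p * q, pow(e, -1, phi))  # d = e^-1 mod phi

def digest_of(message, n):
    """Hash the message and reduce it below n so the toy modulus can sign it."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n

def sign(digest, private):
    n, d = private
    return pow(digest, d, n)

def verify(digest, signature, public):
    n, e = public
    return pow(signature, e, n) == digest

def factor(n):
    """Trial division. Stand-in for the factoring step that Shor's algorithm
    would make fast at real key sizes; it works here only because n is tiny."""
    f = 3
    while f * f <= n:
        if n % f == 0:
            return f, n // f
        f += 2
    raise ValueError("n is not a product of two odd primes")

def private_from_public(public):
    """Recompute the private exponent from nothing but the public key."""
    n, e = public
    p, q = factor(n)
    return n, pow(e, -1, (p - 1) * (q - 1))

def demo():
    public, private = make_keypair(10007, 10009)           # constructed primes
    message = b"constructed payment message: pay 100.00"   # constructed sample
    digest = digest_of(message, public[0])
    recovered = private_from_public(public)
    signature = sign(digest, recovered)   # made without the real private key
    return recovered == private, verify(digest, signature, public)

if __name__ == "__main__":
    print(demo())
```

The verifier's check is unchanged and still passes, which is why a key pair whose modulus can be factored can no longer authenticate the sender of a signed message.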
Asked after the forum how many U.S. banks and other financial institutions are quantum safe, Tapling estimated that none are. Many are aware of the issue or are trying to become quantum safe, but that requires knowing that their partners on the other side of the key exchange are quantum safe too, he explained.
To change that situation and adapt financial institutions to the quantum era, the U.S. Commerce Department’s National Institute of Standards and Technology, the Federal Reserve and organizations like the U.S. Payments Forum and Nacha’s Payments Innovation Alliance are studying the issue, producing reports and generally sounding the alarm.
NIST has been working on the quantum quandary for eight years and has developed three algorithmic standards designed to make systems quantum safe, as it finalizes a fourth, the federal agency said in a March press release. Some organizations have begun integrating the algos to “future-proof” their computer systems, the agency said.
Last year, NIST outlined the threat in an August press release announcing the first three standards, saying quantum crooks “could break the current encryption that provides security and privacy for just about everything we do online.”
Michele Mosca, a mathematician and computer scientist at the University of Waterloo’s Institute for Quantum Computing, has produced research on the quantum risk. He estimated in a March interview with Wired magazine that there is a one-in-three chance the quantum computing threat materializes by 2035. Everything from emails to police reports to bitcoin wallets could be compromised, the article said.
“My guess is in financial services, in payment-service providing, in all of the infrastructure that we do to support payments, if you are not able to tick that box to say ‘we're quantum safe’ by say, 2032, you’re going to be in really big trouble,” Tapling said.