Singapore’s Monetary Authority Advises Banks To Get Busy Protecting Against Quantum Decryption

Industry / Press Release February 23, 2024

February 21, 2024 -- The Monetary Authority of Singapore (MAS) advised on Monday that financial institutions need to stay agile enough to adopt post-quantum cryptography (PQC) and quantum key distribution (QKD) technology, without significantly impacting systems as part of cyber security measures.

"Leading experts forecast that cyber security risks associated with quantum will materialize in the coming decade," reasoned [PDF] the MAS.

Cryptographically relevant quantum computers (CRQCs) "would break commonly used asymmetric cryptography, while symmetric cryptography could require larger key sizes to remain secure," it added.

The monetary authority warned that the security of financial transactions and sensitive data financial institutions process could be at risk, thanks to quantum computers that can "break some of the commonly used encryption and digital signature algorithms."

The Monetary Authority of Singapore (MAS) advised on Monday that financial institutions need to stay agile enough to adopt post-quantum cryptography (PQC) and quantum key distribution (QKD) technology, without significantly impacting systems as part of cyber security measures.

"Leading experts forecast that cyber security risks associated with quantum will materialize in the coming decade," reasoned [PDF] the MAS.

Cryptographically relevant quantum computers (CRQCs) "would break commonly used asymmetric cryptography, while symmetric cryptography could require larger key sizes to remain secure," it added.

The monetary authority warned that the security of financial transactions and sensitive data financial institutions process could be at risk, thanks to quantum computers that can "break some of the commonly used encryption and digital signature algorithms."

Suggestions on how to keep on top of things include watching out for quantum computing developments that could pose threats, and the ability to mitigate them through PQC and QKD, ensuring third parties and management aren't out of touch when it comes to the risk, and monitoring the cryptographic solutions used by institutions – particularly which ones are vulnerable and need replacement.

It is also important to assess whether systems are upgradable to a position that can handle the new threat without hindering any future transition to more secure systems. And of course, MAS advises training technical staff, having standards, and keeping contingency plans in place.

Singapore is a regional hub for Asia's financial services community and is growing in importance as that sector considers China's increasing influence in Hong Kong. Few major finance industry players aren't in Singapore, so this call by MAS will likely have a flow-on effect across Asia.

Joe Fitzsimons, CEO of Singapore-based Horizon Quantum, told The Register it's not unheard of for flaws to be found in encryption protocols during their lifecycle, and that the advisory was sensible and well timed.

"Since late last year, a number of research results have emerged which indicate that cryptographically relevant quantum computers may be closer than had been previously thought," explained Fitzsimons. "We still have some time to mitigate risks, but it is definitely time for financial institutions to start paying attention to the issue."

Stas Protassov, executive board member of cyber security firm Acronis, told The Reg that the urgency to address quantum computing arises because encrypted network communications – often used for transferring data that remains sensitive for extended periods – are susceptible to a "capture now decrypt later" attack strategy.

"Typical users seldom change their passwords, leaving captured encrypted sessions vulnerable to decryption when quantum computers become available in the future," warned Protassov. "This vulnerability underscores the need for proactive measures, given numerous instances where sensitive information retains its importance over extended durations."

Protassov estimated the world has around 10 to 15 years before quantum computing benefits will become evident – and consequently accompanied by widespread attacks.

"While the advent of quantum computing presents challenges, the onset of a 'quantum apocalypse' is not immediate," he assured us.