Carlos Gonçalves

Quantum Information: Beyond the Cryptographic Apocalypse

Author: cgoncalves

  • Quantum Information: Beyond the Cryptographic Apocalypse

    Quantum Information: Beyond the Cryptographic Apocalypse

    I’m a quantum computing skeptic. The first time I came into contact with the subject, back in 2007 during my physics degree, I was already hearing that quantum computers were near and that encryption as we knew it was over. Eighteen years later, we’re still using the same cryptographic algorithms and still hearing the same story: encryption is going to end. I’ve talked about this topic in another article, but here I’d like to address a less discussed aspect.

    To be honest, quantum computing bores me these days. Not the concept itself, but the way it’s being handled today. When people talk about quantum computing, the topic that dominates the discourse is Shor’s algorithm: factoring large numbers more efficiently and declaring the end of public-key cryptography as we know it. Ok, this is mathematically proven, but in practice I have my doubts about the scalability of quantum processors and the practicality of their applications.

    But there’s another topic that doesn’t get much attention and has applications I find much more curious, interesting and anything but boring: Quantum Information.

    Quantum Information for the Impatient

    (with all due respect to Neil deGrasse Tyson’s “Astrophysics for People in a Hurry”)

    Quantum Information explores unique properties of the quantum world, like the impossibility of copying data without altering it, opening doors to applications that go beyond traditional computing. In quantum computing, we explore the properties of quantum mechanics to perform information processing in quantum states, with potential applications that are impossible in classical computing and, in some cases, gains in efficiency.

    In quantum information, we use the same properties of quantum mechanics to define the concept of information and the means to store, transmit, process and protect that information. Some of the characteristics that only appear in the quantum world can be leveraged to do truly new things, which are not just quantum versions of classical concepts.

    The No-Cloning Theorem

    One of these innovative concepts derives directly from the no-cloning theorem, which is a consequence of Heisenberg’s Uncertainty Principle. This principle states that merely observing or measuring a property of a quantum system will inevitably disturb it, altering its state. Consequently, any attempt to intercept a quantum system will result in a detectable alteration to that state.

    It is this impossibility of copying an unknown quantum state without affecting the original, formalized by the no-cloning theorem, that becomes the basis for practical applications like Quantum Key Distribution.

    Quantum Information in Action

    Recently, Swisscom and the German startup Quantum Optics Jena conducted a proof-of-concept experiment in Quantum Key Distribution (QKD) for symmetric encryption (https://www.quantum-photonics.de/en/c/swisscom-and-german-start-up-test-quantum-security-solution.63411). The test used entangled photon pairs transmitted over existing fiber optic infrastructure. No details were disclosed such as transmission distance, limitations or difficulties encountered. Even so, this already shows that quantum information concepts are moving beyond mathematical demonstration and into real-world implementation.

    This experiment uses quantum information concepts: entanglement and no-cloning to encode classical information into a quantum state and transmit it securely. During the test, entangled photons were generated: particles of light whose states are correlated in such a way that any attempt to intercept them alters the system and exposes the eavesdropping.

    This is one of the applications I find most interesting in quantum information: security doesn’t depend on external layers added to protect the information, it is a direct consequence of the laws of physics. And there’s no bypass here, breaking this kind of property would mean breaking the very functioning of the universe. Or discovering a flaw in the model physics uses to describe our reality. Either possibility would be fascinating.

    The Challenge of Cryptographic Key Exchange

    Quantum key distribution helps solve a major problem in cryptography. Imagine our old friends, Alice and Bob, needing to exchange secret messages between them, but they don’t have a reliable channel free from interference and eavesdropping. For that, encryption is used: the message will be encrypted with cryptographic keys that will be used to encode and decode the message, making it unreadable to anyone who doesn’t have the key. Now, regardless of the algorithm used, whether symmetric or asymmetric keys, for this encrypted communication to happen, the cryptographic keys must be distributed between the participants before the actual communication begins.

    To give an example that combines both types of keys, symmetric and asymmetric, we can use the TLS protocol, used in “https” connections that protect a large part of the internet. During the TLS handshake, before transmitting actual data, asymmetric cryptography is used: the server presents a certificate containing its public key, which the client verifies using a trusted Certificate Authority. The server may also prove possession of the private key by signing parts of the handshake messages. The matter of initial trust in the certificate and public key is a challenge in itself (and would deserve another article!), but for the purposes of this discussion, let’s assume that proper security protocols were followed to establish that trust.

    This process enables the secure negotiation of a symmetric session key. Yes, TLS doesn’t use asymmetric algorithms all the time. They’re used basically for the initial exchange of the symmetric keys that will be used during the entire communication session, which is unique for that moment. From there, encrypted communication can proceed normally between the two parties using symmetric encryption.

    Quantum Key Distribution – QKD

    So how does QKD help in this scenario? Simple! Or, at least, as simple as quantum mechanics allows. In QKD, using the no-cloning theorem, transmission security is guaranteed by quantum properties. Any attempt at interception alters the quantum state of the entangled photons (or any other implementation of an entangled system, photons are not the only possibility). This alteration can be immediately detected by the participants, who can then discard the key and interrupt the communication.

    In practice, this creates a key distribution channel in which the very act of eavesdropping exposes the eavesdropper. It doesn’t matter if the adversary has a supercomputer, or even a quantum computer, they will run into the fundamental laws of the universe. Security stops being an additional layer and becomes a property of the medium itself.

    Superdense Coding

    Quantum information also has other characteristics that feel strange. After all, as Niels Bohr, Nobel Prize winner in Physics in 1922, once said: those who are not shocked when they first come across quantum theory cannot possibly have understood it. Using the same idea of transmitting quantum information over a classical channel, there’s another fascinating topic that can bring a lot of utility to classical information: superdense coding.

    Imagine being able to send double the classical information using the same number of information “carriers”. That’s what superdense coding promises, using quantum entanglement to optimize the amount of data transmitted. In a classical scenario, to send two bits of information (for example, “00”, “01”, “10” or “11”), you would need two physical bits. With superdense coding, if Alice and Bob share a previously entangled pair of photons, Alice can manipulate just one of her photons in a specific way to encode those two bits of classical information. By sending this single manipulated photon to Bob, he can perform a measurement on his entangled pair and, with that information, decode the two bits Alice sent.

    This concept is fascinating because it shows how quantum properties can be used for other purposes beyond security, in this case to increase the efficiency of data transmission. Quantum information doesn’t just aim to solve the same problems as classical computing. It opens doors to entirely new capabilities, going far beyond the “cryptographic apocalypse” and the simple race for faster machines.

    Conclusion

    Quantum information goes far beyond quantum key distribution and superdense coding. We are also talking about applications such as:

    • Quantum teleportation: where the state of a quantum system can be instantly transferred to another, regardless of distance.
    • Distributed quantum computing: processing quantum information across networks, surpassing the limits of a single processor.
    • Communication in noisy channels: leveraging quantum properties to enable communication in highly noisy environments, something impossible under the current model.
    • Simulation of physical systems: implementations closer to the real world, challenging classical modeling and opening the way for advances in materials chemistry and drug development.

    While the spotlight remains fixed on quantum processors, perhaps the real revolution is happening quietly, in the foundations of information. The next big shift may not come from a machine that breaks keys, but from the way we choose to represent and protect what we call data.

  • Never Underestimate the Rebels — They’re the Ones Who Can Actually Move the System

    Never Underestimate the Rebels — They’re the Ones Who Can Actually Move the System

    Some people are easy to praise. They follow instructions, avoid conflict, and never question the way things are done. Then there are the others — the ones who push back, ask uncomfortable questions, and don’t know when to let something go. These are the ones often labeled as troublemakers. But more often than not, they’re the only ones actually paying attention.

    They’re not disruptive for the sake of it. They’re rebels — and that rebelliousness usually comes from seeing clearly what others choose to ignore. They’re not resisting change. They’re demanding it.

    Too often, they’re dismissed as difficult. Labeled as arrogant. Or told, directly, to stop being a problem. But these people — the ones who refuse to nod along quietly — are often the ones who drive real change.

    I’ve seen it firsthand. One of my challenges as a leader came when I was asked to lead a newly formed team with value to uncover and the freedom to shape what that would look like.

    One of the first people assigned to the team shared something with me even before we officially started working together.

    He had been working in a team responsible — among other things — for writing rules and procedures. And while he was technically capable, it was clear that the job wasn’t extracting his best. Someone with his sharpness, speed, and clarity of thought was stuck operating inside a rigid framework — ironically, he’d soon join what we internally started calling the Freestyle Team.”

    I’ve been told I should stop laying down the law,” he said. “That I come off as the guy who always needs to say how things should be done.”

    That comment came from that previous role — and it stuck with him. It made him question whether it was worth speaking up again.

    But I didn’t see it that way. Yes, he was impatient. He didn’t have much tolerance for bureaucracy, and he pushed hard for things to improve — fast. But he was smart, experienced, and he was right.

    I told him, “Don’t hold back. We need more people who care enough to speak up when something’s not working — and who actually know what they’re talking about.

    ”What others saw as overstepping, I saw as urgency. He wasn’t trying to control — he was trying to fix what was broken. And in this new team, that kind of clarity was exactly what we needed.

    In any organization, especially large ones, it’s easy to reward obedience and penalize friction. The quiet, compliant employee is easier to manage. But change never starts with the quiet. It starts with the ones who are restless. Who are frustrated. Who demand better. It starts with the rebels.

    But here’s the thing — if you don’t listen to them, if you don’t give them a real role in shaping the future, one of two things will happen. Either they’ll shut down and start nodding along like everyone else, saying “that’s just the way things are” — or they’ll leave.

    In both cases, the organization loses. Not just a sharp voice, but the very push that could’ve sparked progress.

    In my case, that so-called rebel was exactly what the team needed. He helped shape the mission. He questioned assumptions. He moved fast and challenged me, too — and that made all of us better.

    Leadership isn’t about keeping people in line. It’s about looking beyond the rough edges to understand what someone really brings to the table — even if it comes wrapped in frustration or sharp criticism. Sometimes the hardest voices to manage are the ones carrying the most insight. The challenge is not to silence them, but to help channel that energy into something constructive.

    So the next time someone on your team is labeled as too intense, too critical, or — my favorite — “always laying down the law,” ask yourself: are they actually the problem… or are they trying to solve one nobody else wants to look at?

  • We Need Less Fluffy Language and More Clear Thinking in Cybersecurity

    We Need Less Fluffy Language and More Clear Thinking in Cybersecurity

    There’s a particular genre of language that shows up in almost every cybersecurity report, press release, vendor pitch, or CISO recommendation: security must be robust, solutions should be advanced, systems must be resilient, and threats are always sophisticated. It’s the poetry of the unexamined, the PR sheen applied to technical failure.

    Take robust security. What does that even mean? What does robust protect against that, say, basic or adequate security doesn’t? Is it a measure of uptime? Coverage? Detection capabilities? Resilience under attack?

    Most of the time, “robust” is a placeholder for we don’t really know how this works, but it sounds solid. It’s the cybersecurity equivalent of calling a car “sporty” without specifying the engine. The irony? Many of the systems labeled “robust” fail under the most mundane of attacks — misconfigurations, phishing, default credentials, or unpatched dependencies. Apparently, “robust” doesn’t mean verified, proven, or audited. It just means we’re hoping you won’t ask.

    Then there’s the phrase advanced tools. Every vendor has them. Every CISO is “leveraging” them. And every breach report retroactively claims that “we should implement advanced tools to detect and respond.” But which tools, exactly? What made them advanced? Did they apply behavioral analytics? Correlate signals across domains? Or just produce prettier dashboards?

    When everything is labeled “advanced,” the term loses all discriminatory power. Worse, it implies that the solution to systemic issues is always just a smarter tool away — never better processes, governance, or culture. “Advanced” becomes a way to outsource responsibility to technology. And that’s dangerous.

    The word sophisticated is practically the industry’s safe word. It appears in breach disclosures like clockwork, usually to imply that the attack was so cleverly executed, no reasonable defense could’ve stopped it. But if your system was compromised because someone reused a password or clicked a fake login form, we’re not dealing with sophistication. We’re dealing with competence — on the attacker’s part, and a lack of it on ours.

    Calling every intrusion “sophisticated” shifts blame away from structural flaws and toward the mythical prowess of the adversary. It’s a rhetorical move, not an analytical one. And it doesn’t help anyone.

    Another favorite: resilient architectures. What does that even look like? Redundancy? Immutable infrastructure? Backup strategies? “Resilient” is often just another way of saying “we hope it doesn’t break too badly.” But that doesn’t answer the critical question: resilience under what conditions, with what mitigations, and at what cost?

    This language problem isn’t cosmetic. It actively undermines our understanding of risk. Buzzwords don’t make systems safer. They make failures easier to excuse. The use of vague, inflated terminology creates an illusion of maturity — and an environment where assumptions replace analysis.

    It’s not enough to say security is strong. We need to define how and why. Don’t tell me the system is robust. Show me the threat models, controls, and test results. Don’t say you use advanced tools. Describe the data sources and detection logic. Don’t label a threat as sophisticated unless you can explain its TTPs, and why your defenses failed.

    We don’t need more powerful adjectives. We need more precise thinking — and more honest communication.

  • Quantum Computing and Cyber Security: Separating Signal from Noise

    Quantum Computing and Cyber Security: Separating Signal from Noise

    For the past decades, quantum computing has occupied a strange space in cybersecurity discourse — somewhere between genuine scientific interest and marketing-fueled doomsaying. We’re told it’s coming to break cryptography and render all our defenses obsolete. And yet, here we are.

    Seventeen years after my first contact with quantum computing during my physics degree, we’re still signing our software with RSA, securing web traffic with ECC, and hashing passwords the same way. The predicted cryptographic collapse has yet to arrive — and not for lack of trying. So what gives?

    What Quantum Computers Actually Do

    Let’s start with some reality: quantum computers are not general-purpose machines. They won’t replace your laptop, run your IDE, or brute-force every password on your system overnight. They’re purpose-built to solve a narrow set of mathematical problems — problems that do include factoring large integers (bad news for RSA), but not, for example, bypassing multi-factor authentication or exploiting zero-days.

    The ability to break public-key cryptography stems from one algorithm: Shor’s. It’s brilliant, but it requires a level of quantum scale and error correction that we are still far from achieving. Despite headlines, today’s “quantum computers” remain noisy, limited, and experimental.

    Post-Quantum Cryptography Isn’t a Future Concept — It’s a Present Standard

    What’s often overlooked is that our response to the theoretical risk has already matured. NIST has completed its selection of quantum-resistant algorithms. Organizations across the public and private sectors are beginning migrations — not in panic, but as part of long-term planning. We don’t need fearmongering; we need implementation roadmaps.

    The actual risk isn’t that we won’t have quantum-safe cryptography. It’s that we’ll still be running vulnerable legacy systems when quantum capabilities do become viable. And let’s be clear: that’s a problem we already have with non-quantum threats today.

    Beware the Quantum Echo Chamber

    There’s also an uncomfortable truth we need to address: some of the loud voices about quantum risk have a vested interest in keeping the threat alive.

    “Quantum cybersecurity consultant” is a job title that only exists because of fear about quantum. Many in these roles lack formal training in quantum mechanics or cryptography. Yet their LinkedIn posts and webinars often treat speculation as inevitability and theoretical risk as operational crisis.

    That doesn’t mean quantum computing is irrelevant. But we should question the incentives behind any claim that it’s an urgent existential threat. And we should certainly be skeptical when the solution conveniently involves buying a proprietary “quantum-safe” appliance.

    What Sensible Preparation Actually Looks Like

    If you’re not designing cryptographic protocols, you don’t need to dive into quantum math. What you should be doing is:

    • Performing threat modeling: Where in your systems does data need to remain secure for decades? That’s where quantum becomes relevant.
    • Staying informed: Understand the roadmap for quantum computing advancements and NIST’s post-quantum standards. No need to follow every paper — just keep up with the milestones.
    • Planning migrations: Especially for long-term confidentiality, like government archives, health records, or industrial IP. Start now, move gradually.

    This is about posture, not panic.

    The Real Bottom Line

    Quantum computing deserves respect, not reverence. It’s a fascinating and complex area of research, and it will have an impact — eventually. But framing it as the sword of Damocles hanging over cybersecurity is neither honest nor helpful.

    The real work ahead isn’t in reinventing cryptography. It’s in upgrading our infrastructure, deprecating insecure systems, and making sure that when quantum does arrive, we’ve already adapted.

    So no, quantum isn’t going to “break security”. But if we let hype cloud our judgment and delay rational planning, we just might break it ourselves.

    AI helped me write this article, but the thinking and opinions are all mine.

  • Is Threat Intel Answering the Right Questions?

    Is Threat Intel Answering the Right Questions?

    I’m excited to share that, in addition to my main presentation at RSAC 2025, I’ll be facilitating a Birds of a Feather session called “Is Threat Intel Answering the Right Questions?” This will be an interactive discussion—no slides, no scripted lecture—just a chance for us to examine what really matters in cyber threat intelligence.

    Why This Topic?

    In the world of CTI, many teams focus on who is behind an attack (attribution) and what artifacts (IOCs) might block or detect it. But are these elements enough to cover the “right questions” that defenders must address every day? Attackers can easily switch IP addresses and domains, and an organization may not always benefit from deep actor profiling.

    The session aims to explore how we can turn threat intel into more actionable insights—especially in areas like TTPs (tactics, techniques, and procedures), where defenders often find the best long-term value.

    What to Expect

    • Open Conversation

    We’ll kick off with key questions around whether IoCs alone suffice, if attribution is overused, and how TTPs might fill in gaps. Then we’ll hand the mic (literally) around for everyone to weigh in.

    • Real-World Perspectives

    Whether you’re a seasoned threat intel analyst or just starting to integrate CTI, this BoF is a space to share experiences, debate approaches, and learn from peers.

    • Practical Takeaways

    Expect to leave with at least one or two insights—maybe a new method for prioritizing intel or a fresh perspective on balancing who vs. how. Our collective stories often spark the best ideas.

    Join the Discussion

    If you’ll be at RSAC 2025, drop by and lend your voice! Is threat intel truly answering the questions defenders need answered—or is there a disconnect between intel feeds and actual security outcomes? Let’s talk candidly about what works, what doesn’t, and how we can steer CTI toward more meaningful results.

    (Feel free to contact me if you have any pre-session questions or want to share initial thoughts. See you at RSAC!)

  • I’m Speaking at RSA Conference 2025! Join Me in San Francisco

    I’m Speaking at RSA Conference 2025! Join Me in San Francisco

    I’m thrilled to share that I’ll be speaking at RSA Conference 2025, one of the biggest cybersecurity events in the world. It’s an incredible opportunity to connect with industry experts, exchange ideas, and discuss the latest advancements in cybersecurity.

    My session, “Lessons Learned from Implementing an Intel-Based Purple Teaming Process”, will take place on Saturday, May 1st 12:20 PDT as part of the Security Strategy & Architecture track.

    In this talk, I’ll dive into:

    ✔️ How to integrate threat intelligence-based purple teaming into an organization
    ✔️ Practical challenges and lessons learned along the way
    ✔️ Using MITRE ATT&CK to guide testing and prioritize TTPs for adversary simulation
    ✔️ How this approach enhances risk assessment and improves security posture

    This is a topic I’m passionate about, as it blends real-world threat intelligence with red and blue team collaboration to drive meaningful security improvements. If you’re working in threat intelligence, red teaming, blue teaming, or risk management, this session will provide practical insights to help elevate your security strategy.

    Through this session, I hope to spark conversations, share what has worked (and what hasn’t), and learn from others in the field. I’d love to connect with you at RSAC 2025—whether at my session or around the event. If you’re attending, feel free to reach out!

    More details about my session here: https://path.rsaconference.com/flow/rsac/us25/FullAgenda/page/catalog/session/1728065297917001WxUx

    Let’s make RSA Conference 2025 an opportunity to learn, share, and strengthen our cybersecurity community. See you in San Francisco!