Quantum Computers Will Soon Be Able to Crack Codes, and No One’s Ready


Someday, somebody, somewhere will likely have a quantum computer capable of cracking the fragile codes that underpin every piece of data we exchange over the internet. We don’t know when. It could be ten years. Maybe sooner. But the experts overwhelmingly agree: the day we flick the quantum switch (Q-Day, as it’s colloquially known) is coming. And this version of the world—the emails exchanged, the secrets we’ve told over fibre optics, the credit card purchases and digitalized lab test results, the encryptions protecting the carefully contained order that defines our digital lives—could come undone.

For Gilles Brassard, a seventy-year-old cryptographer and professor of computer science at the Université de Montréal, this development is enough to reverse the arrow of time. If we become quantum tomorrow, data is lost today.

Quantum comes down to size and efficiency. Current computers approach problems step by step, but quantum computers could theoretically use the principles of quantum mechanics to explore many possibilities simultaneously, tackling complex problems—like cracking an encryption—exponentially faster. Hackers know this. They’ve started preparing for it, collecting and stashing vast amounts of data to break the encryption when a quantum computer is available. It’s called the “Harvest Now, Decrypt Later” attack. “Terrified . . . I’m totally terrified,” says Brassard.

But Brassard’s is a peculiar kind of terror: a terror unavoidably entangled with validation. Because, in a sense, it’s a future he prepared us for. Over forty years ago, he helped pioneer one of our best lines of defence against the post-quantum future: the BB84 protocol, an elegant and unassailably secure way to transfer encrypted data using quantum mechanics. “The protocol we invented back in ’83 is mathematically proven to be unconditionally secure,” says Brassard, with the caveat that quantum theory is correct and that the protocol is carried out without introducing technical flaws or loopholes. In other words, BB84 works if quantum mechanics, one of the most complex and beautiful theories of how our world operates, is right.

Brassard was born and raised in Montreal, alongside three brothers and a sister. His dad was an accountant, and his mother was a yoga instructor. Brassard was a prodigy among prodigies. He attended the Université de Montréal at thirteen (for science; two years later, he transferred to the department of computer science), following his older brother, Robert, who went to university at fifteen. “He taught me all my college-level mathematics when I was in primary school,” says Brassard of his brother.

In 1979, Brassard graduated from Cornell University with a PhD in computer science. He was twenty-four. That same year, he attended a conference in San Juan, Puerto Rico, to give a talk on cryptography. While he was swimming at the hotel beach, a stranger approached him in the water. “He tells me he knows how to use quantum theory to make banknotes that are impossible to counterfeit,” says Brassard.

The stranger was Charles H. Bennett, an American physicist and the other eventual “B” in BB84. At the time, Brassard had zero interest in quantum theory or physics, but in that moment, bobbing in the Atlantic, he listened politely.

The idea Bennett proselytized to a captive Brassard was that of Stephen Wiesner, a physicist Bennett had met at Brandeis University in Massachusetts in the 1960s. “Immediately, I noticed a major shortcoming,” says Brassard, who is perpetually drawn to the seemingly unsolvable. “The banknotes Wiesner had invented theoretically could not be counterfeited, but they also couldn’t be verified by anyone for validity. Except the people who produced them in the first place.”

Wiesner’s paper on the quantum banknotes had been rejected by an engineering journal, probably due to the ill-fitting physics jargon, says Brassard. Wiesner tossed it in a drawer and moved on. “Bennett understood that it was not something that should be left to die,” says Brassard. “I don’t know how many people he tried to talk to, but nobody paid any attention until he met me.”

Within an hour of meeting in San Juan, they’d devised a way to rework Wiesner’s quantum banknote scheme for public key cryptography. Public key cryptography uses a pair of digital keys: one that anyone can use to encrypt a message, and another, kept private, that only the recipient can use to decrypt it. It’s like a mailbox anyone can drop a letter into, but only the person with the key can unlock and read what’s inside.

Today, public key cryptography is an invisible function of our online existence that typically occurs when we send an email and every time we open a website with an “https” in the title. It’s critical, understated, ignored—much like breathing or blinking. But back in 1979, public key cryptography was a new discipline, introduced to the world three years earlier at Stanford University by Martin Hellman and Whitfield Diffie, who were aided by the work of Ralph Merkle at UC Berkeley. Brassard and Bennett saw the opportunity to use quantum mechanics to do what public key cryptography does, but more securely.

To begin to understand quantum mechanics, one needs to accept the staggering gap between the things we experience as true (a ball is dropped, and reliably, it falls to the ground, as in classical physics) and how absurd our world is at a subatomic level. Electrons and photons, which are massless or nearly massless particles transmitted through fibre (photons) or air (electrons), can sometimes exist as waves or be in two places at once. They can become entangled, influencing the state of each other immediately across space and time. The act of observing or measuring a particle can alter its behaviour. We don’t perceive these things—they’re minute, unseeable, and completely at odds with what we know about the world.

It’s this uncertainty of the quantum world that Bennett and Brassard wanted to exploit. They were a radical pair—the cryptographer and the physicist, each measuring reality in his own way. Brassard was teaching computer science at the Université de Montréal, and Bennett was a fellow at IBM Research in Yorktown Heights, New York. That afternoon in San Juan sparked years of flights and car rides, allowing these two to stay connected and continue riffing on the places where quantum and cryptography intersect and how they could use both to prevent eavesdropping. “We kept visiting each other,” says Brassard.

In 1983, Bennett and Brassard wrote a paper together on using quantum effects for secure communication. Their idea was that a message would be encrypted in a quantum signal so that if an eavesdropper tried to intercept it and measure the photons, the photons would be irreversibly and detectably disturbed. It was an ingenious way to use the seemingly irrational quantum quirk, which is that simply measuring these tiny things—electrons, photons, atoms—changes their existence.

But it was also horribly impractical to send a message in single photons over fibre across any significant distance. “Most of them won’t get there,” says Brassard. “If at the end Bob only gets 1 percent of the message, it’s not so good.”

They submitted the paper to a computer science conference. It was rejected. But then they had another idea: What if, instead of sending the message itself, they used a quantum signal to share a secret, single-use encryption key—one that couldn’t be intercepted without detection?

This moment sparked the birth of BB84, the first quantum cryptography protocol for quantum key distribution, or QKD. BB84 officially debuted to limited fanfare at the International Conference on Computers, Systems, and Signal Processing in Bangalore, India, in 1984. “The general reception was either: ‘That’s a very cute idea, but it’s still not going to work’ or ‘It doesn’t even make sense,’” says Brassard.
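The detection idea behind BB84 can be shown with a classical simulation. This is an added sketch, not code from the article or from Bennett and Brassard; the function names, the intercept-and-resend eavesdropper model, the lossless channel and the 11 percent abort threshold are assumptions made for the illustration.

```python
import random

def measure(bit, prep_basis, meas_basis, rng):
    """Measuring in the preparation basis returns the encoded bit;
    measuring in the other basis returns a uniformly random bit."""
    return bit if prep_basis == meas_basis else rng.randrange(2)

def bb84_round(n_photons, eavesdrop, seed=1):
    """Send n_photons single-photon states and return the sifted keys."""
    rng = random.Random(seed)
    alice_key, bob_key = [], []
    for _ in range(n_photons):
        a_bit, a_basis = rng.randrange(2), rng.randrange(2)
        bit, basis = a_bit, a_basis          # state travelling on the channel
        if eavesdrop:
            # Intercept-and-resend: Eve must guess a basis, and a wrong
            # guess re-prepares the photon in the wrong basis.
            e_basis = rng.randrange(2)
            bit = measure(bit, basis, e_basis, rng)
            basis = e_basis
        b_basis = rng.randrange(2)
        b_bit = measure(bit, basis, b_basis, rng)
        # Sifting: bases (never bits) are announced publicly and only
        # positions where Alice and Bob chose the same basis are kept.
        if a_basis == b_basis:
            alice_key.append(a_bit)
            bob_key.append(b_bit)
    return alice_key, bob_key

def error_rate(alice_key, bob_key):
    """Fraction of sifted positions where the two keys disagree."""
    errors = sum(a != b for a, b in zip(alice_key, bob_key))
    return errors / len(alice_key)

def run(n_photons=20000, eavesdrop=False, abort_above=0.11, seed=1):
    """Simplification: the whole sifted key is compared, whereas a real
    run compares a random sample and then discards that sample."""
    a, b = bb84_round(n_photons, eavesdrop, seed)
    qber = error_rate(a, b)
    return {"sifted": len(a), "qber": qber, "abort": qber > abort_above}

if __name__ == "__main__":
    print("quiet channel :", run(eavesdrop=False))
    print("tapped channel:", run(eavesdrop=True))
```

On a quiet channel the sifted keys agree exactly; with the eavesdropper measuring every photon, about a quarter of the sifted bits disagree, so the key is discarded before it protects anything.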

Bennett and Brassard then built a prototype with John Smolin from Yorktown IBM and two of Brassard’s students, François Bessette and Louis Salvail. The device was roughly the length of a dinner table. In late October 1989, they sent the world’s first secret quantum transmission. It travelled only 32.5 centimetres, but it was proof of concept. They used something called a Wollaston prism to polarize the photons—think of it as turning the photons at different angles to establish an encryption key. The problem was, the power supply used to run the device made a different noise for each polarization, so an eavesdropper could memorize the different tones and decode the key.

The experiment allowed them to publish in Scientific American, drastically expanding their readership. It’s hard to imagine this moment didn’t sting a little. It wasn’t their beautiful QKD theory that brought them recognition; it was a gimmicky QKD prototype built in a borrowed lab that finally got BB84 some traction.

Today, Michele Mosca is considered a world leader at the intersection of quantum computing and cryptography. He’s built a handful of start-ups, including evolutionQ Inc., which helps organizations transition from quantum-vulnerable systems and practices to quantum-safe ones. But in 1989, while Brassard and Bennett were building the BB84 prototype, Mosca was still in high school, racking up awards in math competitions.

Math meant the world to Mosca. Raised by Italian immigrant parents in a rural area outside Windsor, Ontario, his aptitude earned him a scholarship to the University of Waterloo, where he got into cryptography. Computers were becoming ubiquitous, and data was increasingly being exchanged digitally. The world needed encryption more than ever. It felt like Mosca’s career trajectory was set.

He met Brassard at Crypto ’94, a cryptography conference in Santa Barbara, California. “I knew he was a star,” says Mosca. He asked Brassard what he was working on. “He was like ‘quantum this, quantum that.’ I’m like, wow, he’s really gone off the deep end with this quantum stuff.”

At the same conference, Mosca talked to Don Coppersmith, an American cryptographer and mathematician, who was working on quantum algorithms. Coppersmith told Mosca about how a quantum computer can trap ions and manipulate them with lasers. (This is important: Trapping ions is a critical process in using qubits, the fundamental units of information in quantum computers.) Blasting ions with lasers sounded outlandish to Mosca. “I thought he was joking,” says Mosca. “I even made some smart aleck comment like: Where are you going to publish that, the National Enquirer?”

This was in the same year, 1994, that Peter Shor, an American theoretical computer scientist, developed what became known as Shor’s algorithm, which showed that a cryptographically relevant quantum computer—that is, a quantum computer with enough computational power to run algorithms—didn’t need the universe’s lifespan to crack a code. Actually, it could do this quite efficiently.

Two years later, Lov Grover, an Indian American computer scientist, developed an algorithm that could drastically reduce the number of encryptions a hacker would have to try in order to break a privately encrypted key. Grover’s algorithm halved the security level of the leading encryption standards, says Atty Mashatan, founding director of the Cybersecurity Research Lab at Toronto Metropolitan University and a member of Canada’s Quantum Advisory Council. But Shor’s algorithm created a definite threat. Mashatan says it was enough to send cryptographers “back to the drawing board,” albeit twenty years later.

Mosca moved on to the University of Oxford in 1995 for his master’s degree, continuing to work on making and breaking codes with classic cryptography. He was being stubborn, still living in the land of if: if we build a quantum computer, if we can reach the computational capacity with said computer . . . if, if, if. From his vantage, quantum computing was asking for a future that couldn’t exist.

But that’s the thing with the future: it swerves.

Mosca’s supervisor, Dominic Welsh, a British mathematician, introduced him to Artur Ekert, a Polish professor of quantum physics who had explored the idea of quantum key distribution using entangled particles. Ekert invited Mosca to Turin to meet a small but growing community of quantum computing pioneers. That sit-down was enough to convince Mosca of quantum’s inevitability. “I realized this [was] decades away, but it’ll work,” says Mosca. He became confident that someone in this group would build a quantum computer.

During his doctorate studies, also at Oxford, Mosca refocused his research on quantum computers and how they’d redefine what was secure and what wasn’t. Together with Brassard, Peter Høyer, and Alain Tapp, Mosca co-authored a highly cited and now pivotal paper on Grover’s algorithm that helped crystallize part of the quantum threat. The paper was published in 2000.

In 2001, IBM and Stanford University researchers worked together to implement Shor’s algorithm on a seven-qubit processor—a combination of molecules in a test tube, each molecule a tiny quantum computer. This test tube computer processor was able to successfully factor the number fifteen, a small but challenging math problem and a monumental breakthrough in running a quantum algorithm, starting the timer on the clock of classic cryptographic obsolescence. The big, impossible “if” didn’t become “when?” It became “how soon?”

Quantum research hubs started to take shape. In 2002, Mosca and Raymond Laflamme, whose PhD supervisor was Stephen Hawking, banded together with a few others to establish the interdisciplinary Institute for Quantum Computing—IQC—at the University of Waterloo. Mike Lazaridis, the Greek Canadian founder of BlackBerry creator Research in Motion, got involved. “Mike said, ‘I’ll give you $1 for every $2 that the university spends on this,’” says Mosca. Lazaridis’s personal investment grew to over $100 million, giving the quantum group the power to fundraise and start hiring.

But it would take nearly a decade and a half for quantum threat awareness to have its breakthrough moment. In 2015, the National Security Agency in the US, a group focused on signals intelligence and cybersecurity, announced it was switching to quantum-resistant cryptography. Around the same time, Mosca, Mashatan, and Ken Giuliani, a cryptography consultant with CIBC, helped form a quantum working group to suss out the quantum threat to the financial industry.

This group evolved into the Quantum-Readiness Working Group, working under the Canadian Forum for Digital Infrastructure Resilience, whose membership includes Google, Accenture, Amazon Web Services, and BlackBerry, alongside critical infrastructure stakeholders such as Canada’s major financial institutions, the Financial Services Regulatory Authority of Ontario and the Bank of Canada. Between 2020 and 2024, they released an annual guide to Quantum-Readiness Best Practices.

Last year, the National Institute of Standards and Technology, a US federal agency that plays a central role in setting cybersecurity and encryption guidelines, released the first completed version of its post-quantum cryptography standards. They’re quantum resistant and designed to run on conventional computers. “They’re not 100 percent bulletproof,” says Mashatan. “We think they’re going to resist the power of a quantum computer, [but] we don’t have a cryptographically relevant quantum computer.”

In January, the Canadian Space Agency announced it was awarding QEYnet, a quantum communications satellite start-up in Maple, Ontario, over $1.4 million to attach its milk carton–sized photon-beaming payload onto a microwave oven–sized satellite and then fling it into space. The technology will use QKD to beam encryption codes between satellites and ground stations. The plan is to launch the satellite over the next twelve months. “We are implementing BB84 in our hardware,” says Cordell Grant, QEYnet’s chief executive officer.

It won’t be the first time the BB84 protocol has made its way to space; in 2016, China sent a quantum microsatellite to test QKD using the protocol and quantum entanglement over long distances, successfully creating a secret key between China and Austria the following year. But QEYnet’s ambitions are broader: it wants to get QKD into more hands. “We’re trying to commercialize,” says Grant.

QEYnet’s demo is a leap from Brassard and Bennett’s high-voltage-humming BB84 invention in 1989. It’s also intensely technical. For one, the QKD beaming device has to be small; it can’t overload the satellite. But it still needs to be able to receive a single photon beamed from hundreds of kilometres away.

There are a couple of applications for this technology. It can facilitate quantum-safe communication with satellites mapping real-time data in a battlefield, for example. And it can also be used to protect the satellite’s payload data from the satellite itself—these satellites are, after all, often launched by third-party space companies.

Projects like QEYnet represent the current limit of QKD technology, both physically and technically. They also raise a question: How do we build our hierarchy of secrets, and which secrets are worth beaming photons from satellites to protect?

In the decades before Brassard and Bennett developed BB84, exchanging secrets had a different meaning. They were traded by spies and heads of state, decryption keys often clandestinely passed through harrowing feats. Today, we exchange secrets every second we hold our favourite glowing screens in our hands and hit “Send” on a text or email. The secret we send doesn’t matter—banking information or meme, it’s protected and, mostly, still indecipherable.

Until the whole thing falls apart.

Brassard doesn’t want to be asked how far away we are from a quantum computer. It would be a guess anyway. Again, no one knows exactly when we’ll have this technology. “But it’s really coming up,” he says. “There are no major obstacles anymore.”

From his perspective, the damage has been done. We can tell by the growing volume of data breaches that who we are, what we’ve said, and what we’ve done is out there, stored in some nefarious archive for future exploitation. “There’s nothing you can do to save the past,” says Brassard. We do have some possible solutions. It’s just that we have to wait for the unknown to unfold in order to see if they work.

“This uncertainty will always exist,” says Mashatan. We live with it. As we careen toward Q-Day, we accept it. It’s that all too human incapability to resist the urge to pursue greater capability—more impressive computers, on our desks, in our palms—knowing that capability could, in the wrong hands, dismantle everything. As Mashatan says, we will probably never be able to completely prevent quantum computing from cracking our codes. “Our best hope is to make it harder.”

Andrew Seale is a journalist and fiction writer based in Prince Edward County.

Jarred Briggs (jarredbriggs.com) is an illustrator based in New Brunswick. He has drawn for Time, the Wall Street Journal, and the Washington Post.
