Article content
In Tartu, the river walks next to Emajõgi have housed cultural and academic excellence for hundreds of years. In recent years, real estate was erected atop this prime riverfront. A modern multi-story academic hub called the Delta Centre has a lengthy façade lined with golden vertical stripes. Standing outside this remarkable edifice in winter, it’s almost as if looking at the physical manifestation of computing, as if the whole structure was built of zeroes and ones instead of metal, glass, and concrete.
The industrial part of the Delta Centre now houses the slightly larger half of Cybernetica, an Estonian IT company with a storied past where eyes are always on the future. I say somewhat larger because, as Dan Bogdanov, Cybernetica’s blue-suited research director, informs me upon entry, 51 per cent of the company’s workforce of over 200 people are employed in Tartu. The other 49 per cent are based in Tallinn.
This is a point of pride, not only because of the eternal rivalry between Estonia’s two largest cities but also because the future of post-quantum cryptography is being developed right here, in this university town tucked away amidst the frontier plains and forests of the south Estonian countryside.
“Estonia is, compared to its size, one of the few countries in the world rolling so much of its own,” notes Bogdanov. Most countries get their technology from Apple or Google, he says, and build out the backend with solutions from AWS or Huawei. They are greatly dependent on tech firms. But in Estonia, the expertise is in-house. They are being created in our universities and companies, and this house is in Tartu.
“A German professor once said that Estonia is the land of exotic, gourmet cryptography,” remarks Bogdanov.
These advancements in mathematics and engineering are not all born on a luminescent screen, at least not at first. According to Peeter Laud, a computer scientist who has been on staff at Cybernetica since it was founded in the late 1990s, he uses paper and pen to make calculations or writes them on a whiteboard.
The best ideas, he says, do not come while walking or in the shower but through persistence.
The post-quantum challenge
Cybernetica is, in part, a spin-out of the Estonian Institute of Cybernetics, established in 1960 within the Estonian Academy of Sciences. In the 1990s, when maintaining the institute became untenable, the company Cybernetica was established. Its focus from the get-go was to solve the problems of the fledgling Estonian state, focusing on creating solutions for technical challenges in e-governance security and maritime security. Laud joined the team early and was a co-author of the first Estonian cryptography paper published by his Cybernetica colleagues.
“The Estonian state needed information security, so the researchers back in the day bought and read the books, learning how to build the future of e-government,” says Bogdanov. “We did cryptography before, and it was cool.”
Cybernetica is one of these spots in Estonia where one senses how the ideas hatched between a handful of thinkers have had a far-reaching impact in Estonian society and abroad. Cybernetica is the progenitor of the security design of X-Road, the data exchange layer, which serves as the backbone for all of Estonia’s digital services. The company also created the technology that underlies Estonia’s internet voting system in 2005. In 2017, its SplitKey mobile identity technology, offered as Smart-ID by SK ID Solutions, another Estonian IT company, was launched.
According to Laud, it took two years for Cybernetica to move SplitKey from idea to rollout.
Part of this attitude stems from how Cybernetica is organised, as engineers and scientists mix freely. “We have great math and engineering people talking to each other under the same roof near the water cooler,” says Bogdanov. We have multiple water coolers,” he adds. That has made us successful, so we can pull this stuff off more quickly—sometimes, even too early when the market is not ready yet.”
While Smart-ID’s path to implementation was speedy, the issues around post-quantum cryptography will take years, if not decades, to address. Most computers cannot perform the complicated mathematics required to break the codes that protect the data in Estonia’s systems. However, with quantum computers exploiting quantum mechanical phenomena, most encryption schemes could be decrypted, maybe within days or a year. It’s hard to know because nobody has created a cryptographically relevant quantum computer. Such a computer, should it exist, would take up much space and require energy and cooling systems.
“It may need to be located in a big house, like a nuclear reactor,” says Bogdanov, “possibly needing the power of one to break one cryptographic key, at first.”
We all agree that the idea of a quantum computer housed in a cave, volcano, or other such place sounds like an Ian Fleming novel. Plus, once such a computer is up and running, an adversarial power could use it to hack Estonian elections and crack Estonian ID cards—or threaten to do so.
But given the breakneck pace of technology adoption, governments are not hedging their bets. They need cryptography that can withstand the mathematical prowess of a quantum computer a decade in the future. That’s what the Cybernetica team has been working to develop for years.
Concerns about digital identity, internet voting, and post-quantum cryptography are currently raised. For example, data collected now could be decrypted by a quantum computer one day soon. “This would be the harvest now, decrypt later kind of attack,” says Bogdanov.
To offer the best cryptography to its customers, including governments worldwide, Cybernetica must have different solutions ready. This is what they are striving toward.
The post-quantum guideline
Cybernetica’s clients are everywhere. Its website’s government case studies section shows the Cybernetica team in Aruba, Malaysia, and Namibia. They are also in Brazil and Benin. In 2023, Cybernetica delivered a vessel traffic management system to Gibraltar. In Greenland, the data exchange framework is called “Pitu,” the connecting clasp of the dog sledge utilised in Kalaallisut.
“We build e-governance solutions all over the world,” states Bogdanov. Not all Cybernetica’s clients have a post-quantum roadmap yet, but some are anxiously waiting for one.
“We have customers who want post-quantum digital identity by 2030,” says Bogdanov. For Cybernetica, they need to not only create the solution but also pilot it and get it certified before it can be introduced. “It is tomorrow, basically,” he says.
The first hardware chip enabling post-quantum ID cards has just been certified in Europe. Building solutions on top of them will take more time. Creating solutions for post-quantum internet voting is also underway. However, it could take another decade to roll out, as they will require consensus among technologists and society. “This is something that can’t be rushed,” says Bogdanov.
He acknowledges that a post-quantum ballot-casting prototype exists while a tallying mechanism is developing. “For internet voting, there is more math to do,” Bogdanov says, ” but I’m sure we will manage.”
He underscores that Cybernetica is “on time” to help Estonia with its post-quantum transition. Even if the threat is somewhere in the future, be it from a James Bond villain with a quantum computer in an Arctic lair who wants to fix the Estonian election results or just iterations on the technology that makes it more accessible and quickly to various bad actors, the future will soon be now and Cybernetica, from its perch beside the Emajõgi River, is preparing.
“Everyone is going to transition to post-quantum,” says Bogdanov. “Estonia is special in that many countries do not have the advanced cryptographic ecosystem we do,” he says. “So as we go into the post-quantum realm, we can build on everything we have done before.”
