Post-quantum encryption: the time to act is now
Although current quantum computers don’t have enough processing power to break classical encryption, scientists believe that next-generation systems might.
Cybersecurity experts believe that this new kind of computer could break most modern cryptography, which protects sensitive data and communications in almost every industry.
The potential consequences for modern technological society could be dramatic: if encryption algorithms are broken, every application and service that relies on them will no longer be reliable. In such a case, the concept of digital identity will no longer be trustworthy, as long as it relies on processes that use current encryption models.
Ready for the future?
The good news is that the research community is ready for the changes introduced by quantum computers and has been working to develop encryption algorithms that could resist code-breaking efforts leveraging quantum computing systems.
Organizations such as the US National Institute of Standards and Technology are already evaluating new algorithms for “post-quantum cryptography” (also called quantum-resistant cryptography).
The goal of post-quantum cryptography is to develop a new family of cryptographic systems that are resilient against attacks carried out through both quantum and classical computers, and which are able to interoperate with existing communications protocols and networks.
NIST is already soliciting, evaluating, and standardizing one or more quantum-resistant public-key cryptographic algorithms.
“Some engineers even predict that within the next twenty or so years sufficiently large quantum computers will be built to break essentially all public key schemes currently in use. Historically, it has taken almost two decades to deploy our modern public key cryptography infrastructure. Therefore, regardless of whether we can estimate the exact time of the arrival of the quantum computing era, we must begin now to prepare our information security systems to be able to resist quantum computing,” reads the post published by the US NIST.
The EU Cybersecurity Strategy, presented by the European Commission and the High Representative of the Union for Foreign Affairs and Security Policy in December 2020, states that AI, quantum computing and encryption are key technologies for achieving resilience and building operational capacity to prevent, deter and respond to cyber threats.
Some IT giants, such as IBM, claim to have already begun offering solutions that implement “post-quantum cryptography.”
However, replacing current systems with post-quantum cryptography solutions will require a massive effort. Threat actors could therefore benefit from the delay in adopting new solutions that are resilient to a new generation of attacks carried out with quantum computers.
Quantum computing is attracting millions of dollars in investment, with tech giants like Google, Microsoft, IBM, and Intel at the forefront of research into efficient quantum computers.
Finding post-quantum cryptography algorithms
NIST is adopting an open approach that involves academics, businesses, and government experts in a deep analysis of the “post-quantum” algorithms that will be used to protect our sensitive information.
Cybersecurity experts also warn of another potential risk associated with the future use of quantum computers: threat actors, especially nation-state actors, could collect massive amounts of protected traffic now and attempt to crack it later, once quantum computers can expose gigantic troves of sensitive data.
This means that the content of protected communications captured today could be revealed in the next decade, exposing governments and organizations to serious risks.
Is it possible to prevent disruptive use of quantum computers?
First of all, let’s distinguish between Post-Quantum Cryptography (PQC) and Quantum Cryptography:
- PQC refers to designing cryptographic solutions that run on the conventional (non-quantum) computers we use today and that resist both conventional and quantum cryptanalysis.
- The term Quantum Cryptography refers to cryptographic solutions that take advantage of quantum physics to provide certain security services.
Quantum computers pose a significant threat to the security of modern systems, and government experts agree that the best mitigation against this specific threat is post-quantum cryptography.
The US NIST launched the Post-Quantum Cryptography Standardization Project, which is now in its final stages, while both the UK NCSC and the US NSA consider post-quantum cryptography the proper solution to address the risks associated with attacks carried out by quantum computers.
Currently, most research teams and scientists are focusing their efforts on developing PQC algorithms that could protect our systems. With that said, even once the most robust ones have been selected, their adoption won't be a simple switch. In most cases, it will have a technological impact on the design of the systems, including the billions of IoT devices that surround us.
“It is critical to begin planning for the replacement of hardware, software, and services that use public-key algorithms now so that the information is protected from future attacks,” states the NCCoE.
“As a general rule, cryptographic algorithms cannot be replaced until all components of a system are prepared to process the replacement. Updates to protocols, schemes, and infrastructures must often be implemented when introducing new cryptographic algorithms. Consequently, algorithm replacement can be extremely disruptive and often takes decades to complete,” states the NIST.
A study published by ENISA in May 2021 presents the five main families of quantum-resistant cryptographic algorithms, namely code-based, isogeny-based, hash-based, lattice-based and multivariate-based, that are proposed as potential candidates to provide post-quantum security resilience.
ENISA experts proposed hybrid implementations to protect systems against quantum computing attacks. Hybrid implementations use a combination of pre-quantum and post-quantum schemes, and the mixing of pre-shared keys into all keys established via public-key cryptography to create resilient systems.
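As an added illustration of the hybrid approach ENISA describes (not code from ENISA or from the original article): a key combiner that mixes a classical shared secret, a post-quantum KEM shared secret and a pre-shared key through HKDF (RFC 5869), so that a future break of the classical part alone does not expose the session key. The ECDH and KEM secrets are constructed stand-ins; the length-prefix layout and the label string are choices made for this example, not a standard's.

```python
import hashlib
import hmac

HASH = hashlib.sha256

def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """HKDF-Extract (RFC 5869): PRK = HMAC(salt, IKM)."""
    return hmac.new(salt, ikm, HASH).digest()

def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Expand (RFC 5869): T(i) = HMAC(PRK, T(i-1) | info | i)."""
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm += block
        counter += 1
    return okm[:length]

def hybrid_key(classical_ss: bytes, pq_ss: bytes, psk: bytes,
               transcript: bytes, length: int = 32) -> bytes:
    """Combine a classical (e.g. ECDH) shared secret, a post-quantum KEM
    shared secret and a pre-shared key into one session key.

    Each input is length-prefixed before concatenation so that no two
    (classical, pq, psk) triples produce the same IKM. An attacker who later
    recovers the classical secret with a quantum computer still lacks the PQ
    secret and the PSK, so the derived key stays protected.
    """
    ikm = b"".join(len(s).to_bytes(2, "big") + s
                   for s in (classical_ss, pq_ss, psk))
    # The handshake transcript salts the extract step (binds the key to this
    # exchange); a fixed label domain-separates this combiner from other uses.
    prk = hkdf_extract(salt=HASH(transcript).digest(), ikm=ikm)
    return hkdf_expand(prk, b"hybrid-pqc-session-key-v1", length)

if __name__ == "__main__":
    # Constructed stand-ins for secrets a real handshake would produce
    # (an ECDH result, a KEM decapsulation and a provisioned PSK).
    ecdh_ss = bytes.fromhex("11" * 32)
    kem_ss = bytes.fromhex("22" * 32)
    psk = b"constructed-pre-shared-key"
    transcript = b"client_hello||server_hello (constructed)"
    key = hybrid_key(ecdh_ss, kem_ss, psk, transcript)
    # Knowing only the classical secret (the quantum-exposed part) yields a
    # different key than the full hybrid derivation.
    weak = hybrid_key(ecdh_ss, b"", b"", transcript)
    print("session key:", key.hex())
    print("differs from classical-only derivation:", key != weak)
```

In a deployment the classical and PQ secrets would come from the protocol's own key exchange and KEM; the point shown here is only the combiner, where every key established via public-key cryptography also absorbs the pre-shared key.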
The post-quantum cryptography standards that will be chosen by government agencies will likely become a requirement for any project and activity that will involve private businesses and government agencies within a few years. This means that companies have to be prepared for the implementation of these new standards to make their infrastructure resilient to quantum-based attacks.
With all that in mind, in order to mitigate the risk posed by quantum computing technology, it is crucial to prepare for a smooth migration to PQC and the time to act is now!