Quantum computing brings both opportunities for advancement and significant security challenges. Recent progress has sparked discussions, but current capabilities are still far from threatening encryption standards like 2048-bit RSA. Despite media hype suggesting potential for "cracking military-grade encryption," experts clarify that these achievements neither target nor compromise robust methods like AES, TLS, or other military-grade algorithms. While noteworthy, these developments are not cause for immediate alarm. However, advancements in post-quantum cryptography are crucial to counter future quantum threats.
It is essential to understand the risks posed by quantum computing, as future advancements could compromise today's encrypted data, opening new opportunities for threat actors. This article explores these threats, expected timelines, and steps organizations can take to prepare for a future where quantum decryption becomes a reality.
What is quantum computing?
Traditional computers rely on binary bits—either 0 or 1—to process data. Quantum computers use quantum bits, or qubits, which can exist in multiple states simultaneously due to a phenomenon called superposition. This allows quantum computers to perform complex calculations at speeds unimaginable for classical computers. To put this into perspective, Google claimed that its quantum system completed in seconds a calculation that would have taken today's classical computing systems 10,000 years.
Quantum computing can rapidly process large datasets, benefiting fields like AI and machine learning, but it also poses a risk to current encryption by potentially decrypting secure data.
The threat to modern encryption
In December 2022, a team of Chinese researchers claimed to have developed a quantum algorithm capable of factoring large integers used in RSA encryption. They suggested that a 372-qubit quantum computer could break 2048-bit RSA encryption. While experts expressed skepticism, this underscores the urgency of transitioning to quantum-resistant methods to safeguard data.
A primary concern with quantum computing is its ability to break encryption standards essential to online communication, financial transactions, and secure government data. Asymmetric encryption, in particular, is vulnerable to quantum decryption due to quantum computers' capacity to solve complex mathematical problems exponentially faster than classical computers.
Attackers are intercepting and storing encrypted internet traffic in anticipation of future quantum decryption—a practice known as "store now, decrypt later." This approach poses a significant threat, as sensitive information transmitted today could be decrypted in the future. For example, in the financial sector, if a quantum computer breaks encryption on data in transit, a threat actor could access confidential information, resulting in severe financial and reputational damage.
Current efforts to address quantum threats
Recognizing these risks, organizations and governments are developing quantum-resistant cryptographic methods. The U.S. National Institute of Standards and Technology (NIST) is leading efforts to create new standards to withstand quantum threats. NIST has selected the following algorithms:
- CRYSTALS-Kyber: Chosen for general encryption; it offers small encryption keys and high speed, making it highly efficient for secure data communications.
- CRYSTALS-Dilithium: Chosen for digital signatures due to its high efficiency and robustness.
- FALCON: Suitable for digital signatures requiring smaller signatures, offering a balance between security and signature size.
- SPHINCS+: Provides a backup option for digital signatures, using a different mathematical approach to enhance diversity and ensure long-term security.
Companies like Apple have begun implementing these measures. For instance, iMessage has integrated Kyber-based post-quantum cryptography (PQC) to protect future communications. However, adopting quantum-resistant encryption requires significant resources, updates to infrastructure, and collaboration with partners, all of which need to be well planned.
Preparing for a quantum future: steps for organizations
- Engage with manufacturers and third parties: Collaborate with vendors and partners to implement PQC solutions for essential services. For example, Palo Alto Networks has integrated PQC into its VPNs and next-generation firewalls to protect data in transit against quantum threats.
- Ensure quantum-ready hardware: Require that new infrastructure device purchases, such as routers and firewalls, have quantum-resistant or upgradable firmware. Static firmware means that hardware must be replaced every time there is a security issue, which can be costly and inefficient. These purchases are often part of scheduled network maintenance, making this a cost-effective step toward future-proofing the organization.
- Implement defense in depth: Use a multilayered approach to security by combining PQC with other measures like strong access controls, network segmentation, and intrusion detection systems. This ensures that even if one layer is compromised, additional defenses can mitigate the threat.
- Adopt hybrid cryptographic approaches: Combine classical cryptography with quantum-resistant cryptography for added protection. Hybrid approaches leverage the strengths of both traditional and post-quantum algorithms, creating a robust defense. For instance, encrypting sensitive data with AES for efficiency, and then encrypting the AES key with CRYSTALS-Kyber, provides dual-layer security. If vulnerabilities are discovered in either classical or quantum-resistant methods, the additional layer of encryption still protects the data.
- Establish a quantum-ready supply chain and stay informed: Form cooperative networks with data-sharing partners to transition smoothly and avoid security gaps. Stay informed by participating in conferences, reading relevant research papers, and following NIST's latest PQC guidelines to ensure preparedness.
- Educate senior leadership: Educate senior leadership about the upcoming security risks of quantum computing. It is essential to have their buy-in before convincing the rest of the organization of the support needed to make systems more resilient.
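The hybrid approach from the list above, as an added example that is not from the original article or any vendor's code: a classical X25519 key exchange and an ML-KEM-768 encapsulation (the standardized form of CRYSTALS-Kyber, FIPS 203) each yield a shared secret, both are fed through HKDF into one AES-256-GCM key, and the data stays protected unless an attacker breaks both. It relies on Go 1.24's standard-library crypto/mlkem and crypto/hkdf; the Envelope layout, the HKDF info string and the sample plaintext are assumptions of this example, not a standard wire format.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/hkdf"
	"crypto/mlkem"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Envelope is what the sender transmits; neither shared secret appears in it (assumed layout).
type Envelope struct{ EphX25519, KEMCiphertext, Nonce, Ciphertext []byte }

func must[T any](v T, err error) T { if err != nil { panic(err) }; return v }

// aeadFromSecrets feeds BOTH shared secrets through HKDF: the AES-256-GCM key
// stays secret unless an attacker recovers the X25519 secret AND the ML-KEM one.
func aeadFromSecrets(ssClassical, ssPQ []byte) cipher.AEAD {
	ikm := append(append([]byte{}, ssClassical...), ssPQ...)
	key := must(hkdf.Key(sha256.New, ikm, nil, "hybrid-x25519-mlkem768-aes256gcm", 32))
	return must(cipher.NewGCM(must(aes.NewCipher(key))))
}

// HybridSeal encrypts to a recipient's X25519 public key and ML-KEM-768
// encapsulation key; the KEM ciphertext is bound in as associated data.
func HybridSeal(rx *ecdh.PublicKey, rk *mlkem.EncapsulationKey768, plaintext []byte) *Envelope {
	eph := must(ecdh.X25519().GenerateKey(rand.Reader)) // classical ephemeral key
	ssPQ, kemCT := rk.Encapsulate()                      // post-quantum secret + KEM ciphertext
	aead := aeadFromSecrets(must(eph.ECDH(rx)), ssPQ)
	nonce := make([]byte, aead.NonceSize())
	rand.Read(nonce)
	return &Envelope{eph.PublicKey().Bytes(), kemCT, nonce, aead.Seal(nil, nonce, plaintext, kemCT)}
}

// HybridOpen reverses HybridSeal with the recipient's two private keys; any
// tampering with the envelope fails the GCM tag check and returns an error.
func HybridOpen(xPriv *ecdh.PrivateKey, kPriv *mlkem.DecapsulationKey768, e *Envelope) ([]byte, error) {
	ssClassical := must(xPriv.ECDH(must(ecdh.X25519().NewPublicKey(e.EphX25519))))
	ssPQ := must(kPriv.Decapsulate(e.KEMCiphertext))
	return aeadFromSecrets(ssClassical, ssPQ).Open(nil, e.Nonce, e.Ciphertext, e.KEMCiphertext)
}

func main() {
	xPriv := must(ecdh.X25519().GenerateKey(rand.Reader))
	kPriv := must(mlkem.GenerateKey768())
	env := HybridSeal(xPriv.PublicKey(), kPriv.EncapsulationKey(), []byte("wire transfer approved")) // constructed sample
	pt, err := HybridOpen(xPriv, kPriv, env)
	fmt.Printf("%q %v\n", pt, err)
}
```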
Securing data in the quantum age
Quantum computing offers transformative advancements but also brings significant security challenges. Organizations must adopt proactive strategies now to protect data from future quantum threats. Reviewing NIST's quantum-resistant cryptographic standards can help future-proof data against quantum decryption. In addition to using PQC algorithms, integrating quantum key distribution (QKD) can further enhance security by making encryption keys more difficult to intercept. Although QKD alone isn't sufficient, combining it with PQC creates an additional layer of protection, requiring attackers to overcome both encryption and key distribution.
Collaborating with vendors to integrate PQC into relevant tools and services—such as firewalls, VPNs, and secure communication platforms—can facilitate a smoother transition and reduce costs, especially since technologies like QKD can be resource-intensive. Tools and controls that handle data in transit should be prioritized, as they will be the low-hanging fruit when quantum systems capable of breaking today's encryption become a reality. By adopting quantum-resistant standards, implementing a defense-in-depth strategy, educating senior leadership, and leveraging hybrid cryptographic methods, organizations can protect their valuable data assets and be better prepared for the inevitable rise of quantum computing.