Post-quantum encryption: Crypto flexibility will prepare firms for quantum threat, experts say

Quantum computers may be here sooner than we thought, according to a survey of more than 900 quantum professionals released this month by quantum computing company QuEra.

Just over half of the respondents said that quantum technology was progressing faster than they expected, and 40% said that it will surpass classical computing for some workloads within the next five years.

For enterprises, this means that some commonly used encryption methods, such as RSA and elliptic-curve cryptography, will be at risk sooner than they thought.

But most companies aren’t paying attention. According to a Forrester survey released last month, only 21% of the more than 3,000 security decision makers surveyed consider quantum computing a concern – trailing generative AI at 26%. Cloud computing was the highest concern, at over 30%.

“The problem is that building a quantum-resistant infrastructure, your algorithms, network communication tools, databases, everything, is just a ton of work,” says Forrester analyst Andras Cser, the lead author of the report.

Companies need to understand what data they are encrypting and discover its value to hackers, nation-states and whoever else might be interested, Cser says. “And that is gigantic work. If you look at all the systems you have, all the libraries, all the libraries that vendors use – it won’t happen overnight. And there are other operational fires you have to fight, and this may be put on the back burner.”

It doesn’t help that an official set of standards for quantum-safe encryption still hasn’t been released. NIST has been working on one since 2016, and the final recommendations are due out this summer.

NIST’s first call for proposals went out in 2016, the winning algorithms were announced in July 2022, the draft standards followed in August 2023, and the most recent public comment period closed in November 2023.

“They wanted to be as inclusive as possible and take as many comments as possible,” says IBM cryptography researcher Vadim Lyubashevsky. “It really takes time to dot the i’s and cross the t’s.”

The latest enhancements were mostly on the interface side, he added, not related to the fundamental math of the new algorithms. For example, should inputs be hashed before or during the signature? “And there’s a lot of other small things,” he added.

Since it’s the asymmetric (public-key) algorithms that are primarily at risk, it is vital to get all the implementation arrangements worked out. Asymmetric encryption involves two keys – a public key and a private key – and is what online communications, banking transactions, and other exchanges between multiple parties use to agree on a session key and to verify who they are talking to; the bulk of the data is then protected with symmetric encryption under that key.

Symmetric encryption, by comparison, uses the same key for both encryption and decryption, and is commonly used to secure stored documents. Symmetric encryption is less reliant on agreements between multiple parties, and it is also inherently more resistant to quantum computers: the best known quantum attack on it, Grover’s algorithm, only halves the effective key length, so AES-256 keeps roughly 128 bits of security and doubling key sizes is the accepted remedy.

Classical versus quantum-resistant algorithms

RSA, the classic public-key algorithm, rests on the problem of factoring large numbers. It is very easy for a traditional computer to multiply two large prime numbers together. But it is very difficult to get those original prime numbers back from the product. This difficulty is what keeps the private key safe even though the public key is published. (Diffie-Hellman and elliptic-curve schemes rest on the related discrete-logarithm problem, which has the same weakness.)

But a large enough quantum computer can factor those products efficiently. In fact, there’s already a known strategy for doing it – Shor’s algorithm, published in 1994, which also solves the discrete-logarithm problem.
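The dependence on factoring is easy to see in code. What follows is an added illustration, not code from the article or from IBM: a toy RSA keypair is built from two small primes, and the private exponent is then recovered from nothing but the public key once the modulus has been factored. Classical Pollard-rho factoring stands in for Shor’s algorithm here; on a 2048-bit modulus it would never finish, which is exactly the gap a quantum computer closes. The primes and the message are constructed values.

```python
# Added illustration: toy RSA broken by factoring its modulus.
# Not code from the article or from IBM. The primes are about 2^20
# (constructed values), so a classical Pollard-rho search factors n in
# milliseconds; the point is that whatever factors n (Shor's algorithm
# on a large quantum computer included) hands over the private exponent d.
import math


def keygen(p, q, e=65537):
    """RSA keypair from primes p and q. Returns ((n, e), d)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if math.gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    d = pow(e, -1, phi)          # modular inverse (Python 3.8+)
    return (n, e), d


def encrypt(pub, m):
    n, e = pub
    return pow(m, e, n)


def decrypt(d, n, c):
    return pow(c, d, n)


def pollard_rho(n, seed=2):
    """Classical factoring. Cost grows like n**0.25: fine here, hopeless
    for 2048-bit keys. Shor's algorithm replaces exactly this step."""
    if n % 2 == 0:
        return 2
    c = 1
    while True:
        x = y = seed
        d = 1
        while d == 1:
            x = (x * x + c) % n
            y = (y * y + c) % n
            y = (y * y + c) % n
            d = math.gcd(abs(x - y), n)
        if d != n:               # proper factor found
            return d
        c += 1                   # cycle without a factor; try another polynomial


def recover_private_key(pub):
    """Everything an attacker needs is public once n is factored."""
    n, e = pub
    p = pollard_rho(n)
    q = n // p
    if p * q != n or 1 in (p, q):
        raise RuntimeError("factoring failed")
    phi = (p - 1) * (q - 1)
    return pow(e, -1, phi)


def demo():
    p, q = 999_983, 1_000_003            # constructed toy primes
    pub, d = keygen(p, q)
    m = 424242                           # a message smaller than n
    c = encrypt(pub, m)
    d_recovered = recover_private_key(pub)   # from the public key alone
    return d == d_recovered, decrypt(d_recovered, pub[0], c) == m


if __name__ == "__main__":
    print(demo())                        # (True, True)
```

demo() returns (True, True): the recovered exponent equals the real one and decrypts the ciphertext. Nothing about the scheme changes when the modulus is 2048 bits; only the cost of the factoring step does, and that is the cost Shor’s algorithm removes.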

Still, they can’t solve every difficult math problem. Not, at least, as far as we currently know.

“Let’s say I give you a thousand random numbers, each a thousand digits long,” says Lyubashevsky. “And I tell you, ‘I actually summed up 500 of them and here’s the sum.’ Which numbers did I sum up? That’s the basic problem, a combinatorial problem.”

And it belongs to a class of problems that quantum computers are not good at solving, he says. That’s not to say that this challenge will never be solved, he adds. “This is something cryptographers have to live with.”

Tomorrow’s quantum, today’s risks

For enterprises, there are two big challenges that come with quantum computers.

First of all, we don’t know when the day will come when a quantum computer breaks classical encryption, making it hard to plan for. It would be tempting to put off solving the problem until the quantum computers are here – and then it will be too late.

Second, there is the ‘collect now, decrypt later’ threat. Major intelligence agencies may be – and almost certainly are – collecting any and all data they can get their hands on, planning ahead for a future where they can decrypt it all.

“They’ve been doing it forever,” Lyubashevsky says. Even before quantum computing was a possibility, there was always the chance that a new technique or better processors could make prior encryption obsolete. That means that information with a long shelf life needs to be protected now rather than later.

No encryption is guaranteed safe

Quantum computing isn’t the only threat to cryptography. As computers and cryptanalysis have improved, the world has had to upgrade its crypto multiple times.

For example, NIST published the SHA-0 hashing algorithm in 1993 and replaced it with SHA-1 in 1995 after a weakness was discovered. Then, practical doubts about SHA-1 emerged in 2005, and Google definitively broke it in 2017 with the first public collision. In December 2022 NIST announced the retirement of SHA-1 and recommended moving to SHA-2 or SHA-3.

Government agencies will have to stop using SHA-1, and stop purchasing technology that relies on it, by the end of 2030.

Similarly, NIST considered 1024-bit RSA keys adequate only through 2010 (with legacy use tolerated until 2013) and then moved its minimum to 2048 bits, the size that gives 112 bits of security. NIST’s key-management guidance (SP 800-57) allows that security level only through 2030, after which 3072-bit RSA, at 128 bits of security, becomes the minimum.

And it’s not just about the algorithm itself, says Lyubashevsky. There might also be weaknesses in how the encryption is implemented, he says, allowing for, say, side-channel attacks.

So it’s important for enterprises to upgrade their infrastructure to make it easier to swap out encryption when they need to, he says. “Five years ago, it seemed like a trivial thing,” he says. “Take out RSA and put in whatever you’re standardized on, and it’s done. Turns out, it’s harder.”

One problem, he says, is that encryption is often buried deep inside code libraries and third-party products and services. Or fourth or fifth party. “You have to get a cryptographic bill of materials to discover the cryptography inside – and that’s not easy,” he says.
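A cryptographic bill of materials starts with finding where algorithms are named at all. The scanner below is an added example, not a tool from the article, from IBM or from any vendor: it runs a table of identifier patterns over source and configuration text, records file and line for each hit, and tags every hit with a migration status (quantum-vulnerable public-key primitives, deprecated hashes, NIST’s post-quantum algorithms, symmetric ciphers). The pattern table, the status labels and the sample files are constructed for illustration; a real inventory also has to cover certificates, TLS and SSH settings, HSM and KMS configuration and what vendors ship, none of which a regex pass over code will find.

```python
# Added example: a first-pass cryptographic inventory ("CBOM-lite") built by
# scanning source and config text for algorithm identifiers. Not a tool from
# the article, IBM or any vendor; the pattern table, status labels and the
# sample files below are constructed for illustration.
import json
import re
from collections import Counter

# (regex, algorithm family, migration status)
PATTERNS = [
    (r"\bRSA[-_ ]?(?:\d{3,4})?\b", "RSA", "quantum-vulnerable"),
    (r"\b(?:ECDSA|ECDH|X25519|Ed25519|secp256r1|prime256v1|P-256)\b", "ECC", "quantum-vulnerable"),
    (r"\b(?:DiffieHellman|ffdhe\d+)\b", "DH", "quantum-vulnerable"),
    (r"\b(?:SHA-?1|MD5)\b", "weak-hash", "deprecated"),
    (r"\b(?:ML-KEM-?\d+|Kyber\d*|ML-DSA-?\d*|Dilithium\d*|SLH-DSA|SPHINCS\+?)\b",
     "post-quantum", "pq-safe"),
    (r"\bAES[-_]?(?:\d{3})\b", "AES", "symmetric"),
]
COMPILED = [(re.compile(rx, re.IGNORECASE), fam, st) for rx, fam, st in PATTERNS]


def scan_text(path, text):
    """One record per identifier hit, with file and line for triage."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for rx, family, status in COMPILED:
            for m in rx.finditer(line):
                hits.append({"file": path, "line": lineno, "match": m.group(0),
                             "family": family, "status": status})
    return hits


def build_cbom(files):
    """files: {path: text}. Returns the component list plus a per-status summary."""
    components = []
    for path, text in files.items():
        components.extend(scan_text(path, text))
    return {"components": components,
            "summary": dict(Counter(c["status"] for c in components))}


def to_json(cbom):
    return json.dumps(cbom, indent=2, sort_keys=True)


# Constructed sample repository (not real code from any project).
SAMPLE_FILES = {
    "auth/keys.py": ("key = rsa.generate_private_key(65537, 2048)  # RSA-2048 signing key\n"
                     "digest = hashlib.sha1(token).hexdigest()\n"),
    "net/tls.conf": ("ssl_ecdh_curve X25519:prime256v1;\n"
                     "ssl_ciphers AES-256-GCM-SHA384;\n"),
    "vendor/kex.go": "// Experimental: ML-KEM-768 hybrid with X25519\n",
}

if __name__ == "__main__":
    print(to_json(build_cbom(SAMPLE_FILES)))
```

On the sample files the summary comes out as five quantum-vulnerable hits (two RSA, three elliptic-curve), one deprecated hash, one post-quantum algorithm and one symmetric cipher. The value of the output is the file and line attached to each hit: that is the list to take to the owning team or, for the vendor directory, to the vendor.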

And that’s just the first challenge. Once all the encryption is identified, it needs to be replaced with a modern, flexible system. And that’s not always possible if parts of the system that are beyond your control have older encryption hard-coded.

That’s what happened when Google enabled hybrid post-quantum key exchange (X25519Kyber768) by default in Chrome 124 earlier this year. The post-quantum key share makes the TLS ClientHello too large for a single packet, and some servers and middleboxes that assumed a one-packet hello dropped the connection. “They found that 5% of connections didn’t work because they were hard-coded,” says Lyubashevsky.

Even SHA-1 is still being used in some places, even though it’s known to be insecure, he says. “Even that simple transition wasn’t done properly – and quantum-safe is a much more complicated transition that will take time. This is not something you can do one year before you’re required to.”

Post-quantum transition paths

Anything using symmetric encryption, such as AES, can be saved for later, says Lyubashevsky. “It seems that you would need an extremely, extremely powerful quantum computer to break AES.”

And not all encrypted data is equally valuable. Some transactional data, for example, loses value in days or even minutes.

It also helps to use a hybrid approach: run a classical key exchange and a post-quantum one in the same handshake and derive the session key from both, so the connection stays secure as long as either algorithm holds, and negotiate down to the classical algorithm alone only when a peer can’t do the new one.

Meta, for example, is prioritizing components that are vulnerable to the “store now, decrypt later” threat, and only for internal communications where both endpoints are under its control. In addition, it uses a hybrid system for this transition, combining classical and post-quantum encryption. The company said that it’s waiting for industry standardization and major browser adoption before expanding its use of post-quantum encryption.
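The hybrid construction just described, and the one Meta says it uses, can be shown in a few dozen lines. This is an added example, not Meta’s, Cloudflare’s or any TLS library’s code: a negotiation step picks the hybrid group when both sides offer it and falls back to the classical group otherwise, and a combiner concatenates the two shared secrets and runs HKDF-SHA256 over them together with the negotiated group name and a transcript hash, the same concatenate-then-KDF shape the hybrid TLS groups use. The two secrets are constructed stand-ins (in a real handshake they would come from X25519 and an ML-KEM-768 encapsulation), and the group names, the info layout and the zero salt are assumptions for illustration.

```python
# Added example of a hybrid key-exchange combiner with group negotiation.
# Not Meta's, Cloudflare's or any TLS library's code. The shared secrets are
# constructed stand-ins for X25519 and ML-KEM-768 output; group names, info
# layout and the zero salt are assumptions for illustration.
import hashlib
import hmac
import os

HYBRID = "X25519MLKEM768"       # illustrative names, not IANA codepoints
CLASSICAL = "X25519"
LOCAL_PREFERENCE = [HYBRID, CLASSICAL]


def negotiate(local_preference, peer_groups):
    """First locally preferred group the peer also offers: hybrid when both
    sides can, classical otherwise. Never a post-quantum-only group, so a
    flaw in the new algorithm cannot make things worse than today."""
    for group in local_preference:
        if group in peer_groups:
            return group
    raise ValueError("no common key-exchange group")


def hkdf_sha256(ikm, salt, info, length=32):
    """RFC 5869 extract-then-expand with HMAC-SHA256 (standard library only)."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def combine_secrets(ss_classical, ss_pq, transcript_hash, group):
    """Derive the session key from the concatenation of both shared secrets.
    An attacker who has broken one component still lacks the other input.
    Binding the negotiated group and the handshake transcript into 'info'
    means a silent downgrade yields different keys on each side and fails
    instead of going unnoticed."""
    ikm = ss_classical + ss_pq
    info = b"hybrid-session-key-v1|" + group.encode() + b"|" + transcript_hash
    return hkdf_sha256(ikm, salt=b"\x00" * 32, info=info)


def demo_session(peer_groups):
    group = negotiate(LOCAL_PREFERENCE, peer_groups)
    ss_classical = os.urandom(32)                         # stand-in for X25519
    ss_pq = os.urandom(32) if group == HYBRID else b""    # stand-in for ML-KEM-768
    transcript = hashlib.sha256(b"ClientHello|ServerHello").digest()
    return group, combine_secrets(ss_classical, ss_pq, transcript, group)


if __name__ == "__main__":
    group, key = demo_session({HYBRID, CLASSICAL})
    print(group, key.hex())
```

The HKDF step can be checked against the published RFC 5869 test vectors, which is worth doing for any hand-rolled KDF; the combiner itself is deliberately boring, because the security argument is just that both inputs are needed and that the group name is bound in.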

When a single party controls both sides of a communication, it’s easier to upgrade the encryption method.

Apple, for example, plans to upgrade all iMessage communications to its quantum-safe PQ3 protocol by the end of this year. Signal began upgrading its messaging app with the PQXDH handshake last year. Zoom began supporting post-quantum end-to-end encryption in May.

In 2022, Cloudflare began securing connections between its servers and website visitors, but only for users whose browsers support post-quantum cryptography. Cloudflare began securing the connections between its servers and those of its enterprise customers in late 2023.

Cloudflare also analyzes internet traffic and tracks post-quantum encryption adoption. According to its latest data, usage rose from less than 1% last October, to nearly 3% this March, to more than 17% in June.

Johannes Ullrich, dean of research at the SANS Institute, recommends that most companies wait until the finalized standards are released before going all-in on post-quantum encryption. “I’m a little opposed to deploying it now, before NIST makes the final determination,” he says. “Encryption is hard. That’s why NIST has this long, elaborate process.”

But companies can already use this as an opportunity to reconsider how much data they actually need to send in the first place. “Payment cards use tokenization, where you basically eliminate the critical data,” says Ullrich. “That’s the safest approach. What you don’t send can’t get stolen.”

And enterprises should also start talking to their vendors about migration paths as soon as possible, he adds. “Definitely ask your vendors: what is your roadmap?” That includes database and storage vendors as well as other internal enterprise vendors.

“Where public key encryption is used is often surprising,” says security guru Bruce Schneier, lecturer at Harvard Kennedy School and member of the Association for Computing Machinery. “Asymmetric key encryption is often used as part of key management systems.”

Flexibility is key

No algorithm is guaranteed to be secure forever, Schneier says, so agility is going to be key going forward, even for symmetric encryption. “Sometime, someone will break AES,” he says. “There could be some smart PhD student. It’s unlikely that AES is the pinnacle of human creativity.”

But if a company has architected its internal systems and its software supply chain to be flexible when it comes to encryption methods, it will be prepared.

“What I want for everyone is to make sure that their systems are crypto-agile,” Schneier says. “So that whatever the problem is, we can solve it.”
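What crypto-agility looks like in practice, as an added example rather than code from the article or from any company quoted in it: every protected value carries the algorithm and key identifiers it was made with, a policy table says which algorithms are still accepted and which are on their way out, and verification re-protects anything under a retiring algorithm, so the SHA-1-style migration described above happens as data is read rather than in a one-off project. HMAC from the standard library stands in for whichever primitive a system actually uses (signature, AEAD, KEM); the envelope format "v1:<alg>:<key id>:<hex tag>:<text>", the keys and the policy sets are constructed for illustration.

```python
# Added example of a crypto-agile envelope. Not code from the article or from
# any company quoted in it. HMAC stands in for the real primitive; the envelope
# format, keys and policy sets are constructed for illustration.
import hashlib
import hmac

ALGS = {"hmac-sha1": hashlib.sha1, "hmac-sha256": hashlib.sha256,
        "hmac-sha512": hashlib.sha512}
CURRENT_ALG = "hmac-sha256"
ACCEPTED = {"hmac-sha256", "hmac-sha512"}   # verify and keep as-is
DEPRECATED = {"hmac-sha1"}                   # verify once, then re-protect
KEYS = {"k2023": b"constructed-legacy-key", "k2024": b"constructed-current-key"}
CURRENT_KEY_ID = "k2024"


def _tag(alg, key_id, payload):
    # The algorithm name is part of the MACed data, so a tag produced under
    # one algorithm cannot be replayed under another algorithm's label.
    return hmac.new(KEYS[key_id], alg.encode() + b"|" + payload, ALGS[alg]).hexdigest()


def protect(payload: bytes, alg=None, key_id=None) -> str:
    """Wrap a UTF-8 payload under the current (or an explicit) algorithm and key."""
    alg = alg or CURRENT_ALG
    key_id = key_id or CURRENT_KEY_ID
    return f"v1:{alg}:{key_id}:{_tag(alg, key_id, payload)}:{payload.decode()}"


def verify(envelope: str):
    """Return (payload, envelope_to_store). Unknown versions, unknown keys and
    algorithms outside policy are rejected; a deprecated algorithm or an old
    key is accepted this once and the returned envelope is already migrated."""
    version, alg, key_id, tag, text = envelope.split(":", 4)
    if version != "v1":
        raise ValueError("unknown envelope version")
    if alg not in ACCEPTED | DEPRECATED:
        raise ValueError(f"{alg} is not permitted by policy")
    if key_id not in KEYS:
        raise ValueError(f"unknown key {key_id}")
    payload = text.encode()
    if not hmac.compare_digest(_tag(alg, key_id, payload), tag):
        raise ValueError("bad tag")
    if alg in DEPRECATED or key_id != CURRENT_KEY_ID:
        return payload, protect(payload)        # opportunistic migration
    return payload, envelope


def retire_algorithm(alg):
    """Policy change only: callers and stored data formats are untouched."""
    ACCEPTED.discard(alg)
    DEPRECATED.discard(alg)


if __name__ == "__main__":
    legacy = protect(b"order=42;amount=10", alg="hmac-sha1", key_id="k2023")
    payload, migrated = verify(legacy)
    print(legacy)
    print(migrated)            # same payload, now under hmac-sha256 / k2024
```

The pattern that matters is the metadata travelling with the value and the policy living in one place: swapping HMAC for an ML-DSA signature, or adding a post-quantum algorithm beside the classical one, changes the tables and the primitive, not the callers, and retiring an algorithm is a one-line policy edit that turns into rejections everywhere at once.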


Source: Network World