A pressing concern for cyber security today is the imminent arrival of quantum computers. Quantum computers will crack all existing cryptosystems in the next five to 30 years. The odds of this happening within the next five years are more than 50%.
How can cyber security overcome the threat to established encryption systems such as RSA and ECC? Will post-quantum cryptography (PQC) change the balance in favour of cyber security?
How Traditional Cryptography is in Danger of Obsolescence
Cryptography involves encrypting plain text into cipher text and decrypting it for the intended end user.
In-vogue encryption systems such as ECC and RSA use cryptographic algorithms to encrypt data. These algorithms use large numbers or discrete logarithm patterns.
Attackers can theoretically apply brute-force attacks that try out every possible key combination. They may also use social engineering attacks to trick users into revealing their cryptographic keys.
The catch is that normal computers would take thousands of years to crack these codes, making the approach infeasible.
But quantum computers use qubits or quantum bits that can factor a 2048-bit RSA key in a couple of hours.
Normal computers process only one bit of information at a time. Quantum computers can explore multiple possibilities simultaneously.
The latest algorithms, such as Shor, designed for quantum computers, can easily break RSA and ECC encryptions.
Cybersecurity teams have some respite, though. Quantum computers have not yet reached the computational power to execute the Shor algorithm. But it is only a matter of a decade or two away when the possibility becomes real.
Bad actors resort to “harvest now, decrypt later” attacks now. They collect encrypted information in hopes that quantum computers will help them crack the encryption in the future. The obvious expectation is that shelf life of the data extends beyond such time.
What is Quantum Resilient Cryptography?
Quantum resilient cryptography or post-quantum cryptography features advanced algorithms. It applies sophisticated lattice-based cryptography, hash-based cryptography, and multivariate cryptography. These algorithms can withstand even the most advanced of attacks and do not crack even when under attack from quantum computers.
The Macro-Level Developments in Quantum Resilient Computing
Post-quantum cryptography is still a work in progress. Ongoing macro-level developments can impact how enterprises leverage the technology to develop quantum-resilient algorithms.
The Development of Post-Quantum Cryptography Standards
Different developers work on quantum resilient computing. Industry adoption of new developments depends on the evolution of standards.
The US National Institute of Standards and Technology (NIST) is at the forefront of developing such standards.
In 2022, NIST shortlisted four algorithms for standardisation. The CRYSTALS-Kyber algorithm deals with general encryption. The CRYSTALS-Dilithium, FALCON, and SPHINCS+ algorithms deal with digital signatures.
These NIST standards make explicit how to apply post-quantum cryptography.
Overcoming Hardware and Software Challenges
Quantum-resistant algorithms involve complex mathematical operations. Processing the same requires much more computational resources than classical algorithms need.
Devices such as smartphones and IoT devices have limited processing power. Running these resource-intensive algorithms on such devices becomes problematic.
Integrating post-quantum cryptography will need a significant upgrade of hardware and software and widespread user adoption of such new technologies.
Building Expertise
Quantum-resilient algorithms are complex, and implementation requires specialised expertise.
The talent to build on quantum technologies is not available today. Developing expertise would require enterprises to collaborate with the industry and academia.
Keeping Up with Tech Advances
Several ongoing projects involving enterprises, academia, and the government promise significant breakthroughs. One such ongoing project is the Open Quantum Safe (OQS) project. This project promises to develop and integrate quantum-resistant algorithms into existing cryptographic libraries. As such projects mature, the implementation of post-quantum cryptography becomes more viable.
Enterprises need to keep a close watch on such developments. They need to resist the temptation to go overboard and waste resources on something that might become stillborn.
How Enterprises Can Overcome the Roadblocks to Embrace Quantum-Resilient Algorithms
Forward-looking enterprises are busy planning roadmaps to upgrade their existing cybersecurity ecosystem. But they face several challenges and have their task cut out.
Audit Sensitive Data and Available Cryptographic Assets
As the first step, enterprises need to audit their networks. Apply the following best practices to such audits:
- Make sure the audit is comprehensive and covers everything from logins to legacy code and also the entire supply chain. In today’s interconnected business ecosystem, an enterprise network is only as secure as its weakest link.
- Define sensitive data. Sensitive data is enterprise-specific but almost always includes customer and transaction information.
- Take inventory of the existing cryptographic assets and dependencies. Have clarity on how each asset is used.
- Assess the existing protections against emerging quantum risks. Especially Identify how the existing cryptographic assets, if any, apply to sensitive data.
- Prioritise the implementation of post-quantum cryptography in the most sensitive areas first.
A thorough audit makes the transition to post-quantum cryptography more organised and smooth. The security team get clear insights on the extent and type of quantum-resilient cryptography needed. They can also apply the most appropriate quantum-safe algorithms to different types of data.
Becoming Crypto-agile
The effectiveness of quantum-resistant cryptography depends on the level of cybersecurity maturity.
The enterprise security protocols need to be “crypto-agile.”
Crypto-agility is adapting the available cryptographic resources fast, in response to changing threats.
The foundational pillars of crypto-agile systems include:
- Decoupled cryptography, or keeping cryptographic components separate from core system functionalities.
- Use of well-defined, standardised interfaces to swap algorithms as per the changes in the ecosystem.
- Flexible configuration mechanisms to adjust cryptographic parameters fast.
- A systematic approach to track the latest developments in quantum computing and cryptography.
Exploring Hybrid Approaches
Quantum computers are likely to be available to anyone, including bad actors, by 2030. But enterprises cannot afford to wait till then. “Hack now, decrypt later” attacks increase by the day. There is a pressing need to implement quantum-safe protocols now to stop such attacks. But technical challenges and lack of expertise become stumbling blocks.
At the same time, some enterprises get carried away and overlook clear and present dangers. The immediate dangers need priority attention even when working towards post-quantum cryptography. NIST estimates that 2048-bit RSA keys would suffice until 2030.
A popular option to overcome the challenges is the hybrid approach. Here, there is a quantum-resistant security layer atop the existing security layer. Such an approach delivers several advantages.
- It also enables a gradual transition to quantum-based security. An abrupt transition demands huge resources and causes big disruptions.
- It makes the security posture scalable and future-proof.
It is early days for quantum computing. But investing in post-quantum cryptography is no longer optional. Businesses that take the initiative now can thwart even the most potent cyber-attack threats. They reap rich competitive advantages.
