March 23, 2020
Cryptography is the most indispensable tool in the modern cybersecurity toolbox, bar none. It helps organizations protect the confidentiality of their sensitive data by rendering it meaningless to anyone without the secret key (encryption). It elegantly facilitates secure communication between parties that have never met before (public key exchange). It is used to check the integrity of messages (hashing) and, at the same time, to authenticate such messages and irrevocably link them to the person who sent them (signing).
So, what’s the problem? The current set of NIST-approved cryptographic algorithms is quite safe against the cybercriminals of the present; however, these algorithms will not be safe against the quantum computers available to the criminals of the future.
Classical computers make use of the traditional binary state of transistors or silicon circuits, which at any moment are in one of two memory or computational states: one or zero. With only two possible states, a bit can only be used in one calculation at a time. On the other hand, quantum computers—while not yet perfected—make use of subatomic particles that are capable of existing in multiple states simultaneously, therefore representing a seemingly infinite number of values.
Using this phenomenon of superposition, a quantum computer can perform an incredibly large number of calculations simultaneously, a property called quantum parallelism. While it is not possible to read the outcome of every individual calculation, it is possible to read the overall state resulting from all of them. Armed with well-designed quantum program logic, the operator can arrange for all but the desired result to cancel each other out through interference, leaving an overall state that yields extremely useful information.
Even though the most advanced quantum computer prototypes today can only hold a few dozen quantum bits—or qubits—of data (enough to do very trivial calculations), it is only a matter of time before these computers are able to hold enough information to break even the strongest of today’s asymmetric encryption algorithms.
The good news is that the smartest cryptographers around the world are already working to solve this problem. In 2012, NIST announced its Post-Quantum Cryptography (PQC) project to aid in preparation for these inevitable attacks. In 2016, the PQC competition was announced, and since last year the 26 remaining submissions have been undergoing evaluation for recommendation as the next quantum-safe algorithm(s). NIST expects to release the draft standards in the next two to four years.
So, while quantum computers are still a few years out, so are the algorithms and key management schemes that will solve this problem. Even so, it’s important to begin thinking now about their future impact on our crypto systems. How can we begin preparing our systems to quickly meet the challenge of tomorrow’s adversaries?
There are four important things we need to be thinking about when building crypto-agility into our applications and systems for the coming quantum era:
There are online resources, such as https://openquantumsafe.org/, that give you access to implementations of some of the candidate algorithms. While not yet selected by NIST, these algorithms can help you understand the types of data your post-quantum crypto systems will need to be able to support.
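As an added illustration of the crypto-agility point above (example code written for this page, not code from the original post or from the Open Quantum Safe project), the following Python sketch treats the algorithm identifier as data that travels with every ciphertext and keeps a registry of each algorithm's artifact sizes, so a storage schema sized with RSA in mind can be checked against a post-quantum candidate before that candidate is swapped in. The RSA-2048 and Kyber-768 byte lengths are assumptions taken from those algorithms' specifications, not values from the post, and the ciphertext used in the usage section is a constructed all-zero placeholder, not a real ciphertext.

```python
import struct
from dataclasses import dataclass


@dataclass(frozen=True)
class KemProfile:
    """Byte lengths a system must be able to store and transmit for one KEM."""
    name: str
    public_key_len: int
    ciphertext_len: int
    shared_secret_len: int


# Registry of supported algorithms, keyed by a short identifier that is stored
# alongside the data it describes. Adding a new algorithm means adding one
# entry here, not changing every consumer of the data.
REGISTRY = {
    # RSA-2048 used as a key-encapsulation primitive: SPKI-encoded public key
    # (294 bytes) and a 256-byte ciphertext. Assumed sizes, not from the post.
    "rsa2048-oaep": KemProfile("RSA-2048 OAEP", 294, 256, 32),
    # Kyber-768 sizes as given in its specification (assumption; the post does
    # not name specific candidates): 1184-byte public key, 1088-byte ciphertext.
    "kyber768": KemProfile("Kyber-768", 1184, 1088, 32),
}


def schema_gaps(column_limits, alg_id):
    """Return {field: (limit, needed)} for every field too small for alg_id.

    column_limits maps field names such as "public_key" and "ciphertext" to the
    maximum byte length the storage layer or wire format can hold.
    """
    profile = REGISTRY[alg_id]
    needed = {"public_key": profile.public_key_len,
              "ciphertext": profile.ciphertext_len}
    return {field: (column_limits.get(field, 0), size)
            for field, size in needed.items()
            if column_limits.get(field, 0) < size}


def wrap(alg_id, ciphertext):
    """Build a self-describing envelope: id length, id, ciphertext length, ciphertext."""
    profile = REGISTRY[alg_id]
    if len(ciphertext) != profile.ciphertext_len:
        raise ValueError(f"{profile.name} ciphertext must be {profile.ciphertext_len} bytes")
    ident = alg_id.encode("ascii")
    return (struct.pack(">B", len(ident)) + ident
            + struct.pack(">I", len(ciphertext)) + ciphertext)


def unwrap(blob):
    """Parse an envelope, rejecting unknown algorithms and inconsistent lengths."""
    if len(blob) < 1:
        raise ValueError("empty envelope")
    id_len = blob[0]
    header_len = 1 + id_len + 4
    if len(blob) < header_len:
        raise ValueError("truncated envelope header")
    alg_id = blob[1:1 + id_len].decode("ascii", errors="replace")
    if alg_id not in REGISTRY:
        raise ValueError(f"unsupported algorithm identifier {alg_id!r}")
    (ct_len,) = struct.unpack(">I", blob[1 + id_len:header_len])
    # Both the declared length and the actual remaining bytes must match what
    # the registry says this algorithm produces; anything else is rejected.
    if ct_len != REGISTRY[alg_id].ciphertext_len or len(blob) != header_len + ct_len:
        raise ValueError("ciphertext length does not match the declared algorithm")
    return alg_id, blob[header_len:]


if __name__ == "__main__":
    legacy_schema = {"public_key": 512, "ciphertext": 512}  # sized with RSA in mind
    for alg in REGISTRY:
        gaps = schema_gaps(legacy_schema, alg)
        print(alg, "fits" if not gaps else f"does not fit: {gaps}")
    # Constructed placeholder ciphertext, not output of a real KEM.
    placeholder_ct = bytes(REGISTRY["kyber768"].ciphertext_len)
    print(unwrap(wrap("kyber768", placeholder_ct))[0])
```

Storing the identifier with the data, rather than inferring it from a column type or a fixed length, is what lets a consumer accept artifacts produced under both the old and the new algorithm during a migration, and the registry makes the size requirements explicit, which is exactly the kind of data the Open Quantum Safe implementations let you measure before committing to a schema.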
Have questions regarding the security of your organization’s encryption capabilities? Give ControlScan a call at 800-825-3301, ext. 2. We’re happy to help.