As anyone following the news knows, IT and security professionals are occupied with plenty of challenges nowadays. Given the frenetic state of cyber security affairs, do these experts and their organizations really need to start planning for a theoretical threat that may not even materialize for 5 to 10 years, if then?
For a growing number of security and risk-management specialists, the answer is an unequivocal “Yes.”
Why? Because the future threat – that of quantum computing – could easily crack some of the most pervasive cryptography methods now in use, including ubiquitous asymmetric public key schemes such as RSA.
The theoretical concepts behind quantum computers are decades old, but researchers in government and large corporate labs have recently started to make significant progress in building early generations of these machines. And, while the evolution and timing of advanced quantum computers remain uncertain, organizations should already be assessing the risks these machines may pose to their data security.
Quantum Computing Basics
As their name connotes, quantum computers harness quantum mechanics principles to gain capabilities beyond the scope of even the most powerful of today’s binary digital computers. Unlike the definitive 0 or 1 states of digital bits, quantum bits, or qubits, can simultaneously be in two states thanks to a property known as superposition.
Another phenomenon, quantum entanglement, affects how two or more qubits interact with each other. In essence, changing the state of one qubit alters the state(s) of the qubits with which it is entangled.
These core properties allow quantum computers to tackle certain categories of problems that are largely or wholly beyond the reach of classic digital computers. That can be a good thing if, for example, you’re trying to simultaneously test thousands of molecular structures to find the one best able to function as an effective pharmaceutical.
On the flip side, certain algorithms running on quantum computers can decipher encryption keys that are all but unbreakable today. Most notably, one well-known quantum algorithm can rapidly factor integers. Unfortunately, public key schemes such as RSA rely on large integers that are computationally intractable to factor with today’s machines. A quantum computer containing several hundred qubits – still several years away, by most estimates – might be able to easily factor such integers.
These and other cyber security threats posed by quantum computers have catalyzed the field of post-quantum encryption, which aims to develop “quantum-resistant” encryption schemes. Among those organizations pursuing quantum-resistant algorithms is the U.S. Department of Commerce’s National Institute of Standards and Technology, which has organized an open competition for the creation and evaluation of such solutions.
Getting ahead of the Quantum Curve
As with quantum computing itself, the evolution and timing of quantum-resistant encryption algorithms are somewhat hazy. Successful algorithms will need to provide effective protection without imposing computational overhead and costs so onerous as to make them impractical.
Still, if some quantum-resistant methods gain traction, it may make sense for vulnerable organizations to begin deploying them sooner rather than later.
“It’s unlikely that one day someone will drop a large quantum computer in the field and every piece of encryption will be broken overnight,” acknowledges Dr. Saurabh Shintre, a senior principal researcher at Symantec Research Labs. But adversaries aren’t necessarily waiting for the advent of the quantum computing era, he notes. For example, some intelligence agencies are reportedly intercepting encrypted communications and archiving them, with plans to decrypt the messages once quantum computers are up to the task.
As organizations begin to grapple with the ramifications of the quantum computing trend, they should keep one core principle in mind. “Security is never implemented without understanding what you’re securing against,” Shintre says.
To that end, the first step organizations should take is to identify how their current assets are protected, and to determine if those protections are quantum resistant. “If not,” Shintre asks, “what would be the cost and time needed to upgrade these algorithms, and how should you prioritize upgrades to different assets?”
Fortunately, some encryption methods are already quantum resistant, and others can be easily made so. For example, making a 128-bit symmetric encryption key a 256-bit key would likely thwart even a powerful quantum computer.
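The inventory-and-prioritize step and the key-size point above can be sketched as a small triage script; this is an added example, not code from the article or from Symantec. The asset names, the 128-bit effective-strength threshold and the 10-year horizon (the upper end of the article's 5-to-10-year range) are assumptions, and the halving of symmetric key strength reflects the quadratic speedup of quantum search.

```python
from dataclasses import dataclass

# Families resting on factoring or discrete logs: broken at any key size.
QUANTUM_BROKEN = {"RSA", "DH", "DSA", "ECDH", "ECDSA"}
SYMMETRIC = {"AES", "CHACHA20"}
MIN_EFFECTIVE_BITS = 128  # assumed policy threshold, not from the article
ACTIONS = {"weakened": "increase key size", "ok": "no change", "unknown": "investigate"}
PRIORITY = ["migrate now", "investigate", "increase key size",
            "schedule migration", "no change"]

@dataclass
class Asset:
    name: str
    algorithm: str      # "<FAMILY>-<bits>", e.g. "RSA-2048"
    protect_years: int  # how long the data must stay protected
    migrate_years: int  # estimated time to replace the algorithm

def classify(algorithm):
    """Return 'broken', 'weakened', 'ok' or 'unknown' for a quantum adversary."""
    family, _, bits = algorithm.upper().rpartition("-")
    if not family or not bits.isdigit():
        return "unknown"
    if family in QUANTUM_BROKEN:
        return "broken"
    if family in SYMMETRIC:
        # Quantum search roughly halves the effective key length.
        return "ok" if int(bits) // 2 >= MIN_EFFECTIVE_BITS else "weakened"
    return "unknown"

def triage(assets, horizon_years):
    """Return (name, status, action, margin) rows, most urgent first."""
    rows = []
    for a in assets:
        status = classify(a.algorithm)
        # margin > 0: data must still be protected after the assumed horizon.
        margin = a.protect_years + a.migrate_years - horizon_years
        if status == "broken":
            action = "migrate now" if margin > 0 else "schedule migration"
        else:
            action = ACTIONS[status]
        rows.append((a.name, status, action, margin))
    return sorted(rows, key=lambda r: (PRIORITY.index(r[2]), -r[3]))

# Constructed sample inventory (hypothetical assets, not from the article).
INVENTORY = [
    Asset("db-at-rest", "AES-256", 7, 1),
    Asset("vpn-key-exchange", "RSA-2048", 10, 3),
    Asset("backup-archive", "AES-128", 15, 1),
    Asset("build-signing", "ECDSA-256", 1, 2),
    Asset("legacy-app", "custom", 5, 2),
]
```

Calling `triage(INVENTORY, horizon_years=10)` puts the RSA-protected key exchange first, because traffic recorded today would still need protecting after the assumed horizon.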
Furthermore, the physics of creating and maintaining large-scale quantum computers are so daunting that the early iterations of these machines will approach the room-size footprint of early mainframe computers. There’s no near-term possibility of a portable quantum computer that, say, could be introduced into a local-area network and used to decipher the encrypted data within it.
Working against organizations, however, is the human tendency to ignore threats until they actually start wreaking havoc. Given that quantum computers could unlock vast troves of encrypted data in the not-too-distant future, smart organizations will do their best to prepare today for this brave new world of tomorrow.