Today, the comfort of our modern living is driven by advances in information technology: think of the mobile banking apps on your phone, the proliferation of blockchain technologies, and the electronic sensors and components that power your home appliances, cars, the electricity grid and hospitals, and the list goes on. As a mental exercise, what if:
- The encryption behind banking and e-commerce is broken, and your bank balances and transactions become freely viewable on the internet;
- The electricity grid and traffic lights stop working, and hospitals receive ransomware demands because their life-saving equipment has been implanted with malware.
These are not scenes from a sci-fi movie. They could happen to our society thanks to advances in quantum computing. While quantum computing may significantly improve AI’s capabilities or dramatically shorten the development time of new drugs, the same technology poses a serious threat to the public key cryptography that protects the credentials and communications of the financial and industrial applications on which modern society depends.
The root cause of the problem
Public key cryptography is widely used to protect the credentials and operation of TLS/SSL, IPsec, SSH and similar protocols, which underpin today’s personal and business applications. Its security rests on the difficulty of solving hard mathematical problems: integer factorization for RSA, and the discrete logarithm problem for DSA, Diffie-Hellman and elliptic-curve cryptography. Although these problems remain hard for today’s classical computers, attackers with access to sufficient quantum computing power will be able to weaken this cryptography dramatically, as Shor’s algorithm, published in the 1990s, showed.
Here is a quick illustration of the speed-up that quantum techniques bring to specific problems. In 2019, Google claimed its quantum computer needed only 200 seconds to solve a problem that would take the world’s fastest supercomputer 10,000 years. A year later, a team from China reported that its quantum computer was 10 billion times faster than Google’s. With computing power taking such quantum leaps, all the current digital measures that protect our mobile banking, e-commerce, Internet of Things, digital signing and code signing will soon succumb to quantum attacks, resulting in device take-over, eavesdropping and public disclosure of sensitive information. Estimates of the time to this cyber apocalypse vary among scientists, but many in cybersecurity circles predict that it could happen within the next 5-20 years if nothing is done now.
What are the solutions?
There are four areas that CISOs, system architects and application developers should look into:
- Quantum-safe algorithms (also called “post-quantum” or “quantum-resistant” algorithms): components that rely on digital certificates and have a lifespan extending into the post-quantum era should migrate from current cryptography to quantum-safe algorithms. Certificate authorities, document signing and firmware code signing are good candidates here.
- Crypto-agile implementation: when quantum computing becomes a reality, one wants to be in a position to make quick changes (ideally through configuration changes alone) that force an application to switch over to quantum-safe algorithms or larger key sizes. It is far more disruptive for a business if its processes have to stop because the supporting applications cannot easily be changed to newer, safer algorithms and key sizes. A further consideration is that equipment (not just software) that performs or supports cryptographic processes, such as hardware security modules or key management systems, should be field-upgradable so that the investment is as future-proof as possible.
- Quantum random number generation: the high entropy of random numbers generated by a quantum source makes them suitable for frequently re-seeding a certified deterministic random bit generator. This ensures that symmetric keys derived from that generator draw on fresh, high-quality randomness.
- Quantum key distribution: key distribution using this technology relies on the transmission of polarized quantum bits, over the air or, more commonly, over optical fibers. Network encryptors on the market can incorporate both quantum random number generation and quantum key distribution, and thereby benefit from the enhanced security of both technologies.
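As an added illustration of the crypto-agile pattern described above (example code, not from the article or from Thales): the algorithm in use is selected from a registry by a configuration value, every signed artefact carries its own algorithm identifier, and the set of algorithms a verifier accepts is also configuration, so migrating means editing config rather than code. HMAC stands in for a public-key signature scheme so that the example runs with Python’s standard library alone; the algorithm names, statuses and configuration keys are constructed for the example.

```python
"""Crypto-agility sketch (added example, not the article's or any vendor's code).
HMAC stands in for a public-key signature scheme so this runs with the standard
library only; a real deployment would register e.g. RSA and a post-quantum
signature scheme behind the same interface."""
import hashlib
import hmac
import json

# Registry: algorithm identifier -> implementation detail and lifecycle status.
# Identifiers and statuses are constructed for this example.
ALGORITHMS = {
    "hmac-sha256":   {"digest": "sha256",   "status": "deprecated"},
    "hmac-sha3-512": {"digest": "sha3_512", "status": "preferred"},
}


def sign(config, key, message):
    """Sign with whichever algorithm the configuration currently selects."""
    alg = config["signature_alg"]
    if alg not in ALGORITHMS:
        raise ValueError(f"unknown algorithm {alg}")
    if ALGORITHMS[alg]["status"] == "forbidden":
        raise ValueError(f"algorithm {alg} is forbidden for new signatures")
    tag = hmac.new(key, message, ALGORITHMS[alg]["digest"]).hexdigest()
    # The artefact carries its algorithm identifier, so verifiers can handle a
    # mix of old and new artefacts during the migration window.
    return json.dumps({"alg": alg, "tag": tag})


def verify(config, key, message, artefact):
    """Verify an artefact, accepting only algorithms the configuration still allows."""
    obj = json.loads(artefact)
    alg = obj["alg"]
    if alg not in ALGORITHMS:
        return False
    # Acceptance policy is config-driven too: once migration completes, the
    # old algorithm is simply dropped from the accepted list.
    if alg not in config["accepted_algs"]:
        return False
    expected = hmac.new(key, message, ALGORITHMS[alg]["digest"]).hexdigest()
    return hmac.compare_digest(expected, obj["tag"])


def inventory(config):
    """Report the lifecycle status of every accepted algorithm (the inventory step)."""
    return {alg: ALGORITHMS[alg]["status"] for alg in config["accepted_algs"]}


# Three configuration snapshots of one deployment: before, during and after migration.
CONFIG_BEFORE = {"signature_alg": "hmac-sha256", "accepted_algs": ["hmac-sha256"]}
CONFIG_MIGRATING = {"signature_alg": "hmac-sha3-512",
                    "accepted_algs": ["hmac-sha3-512", "hmac-sha256"]}
CONFIG_AFTER = {"signature_alg": "hmac-sha3-512", "accepted_algs": ["hmac-sha3-512"]}


def demo():
    """Walk an artefact through the migration; every value should be True."""
    key = b"constructed-demo-key"      # constructed sample key
    msg = b"firmware-image-v1"         # constructed sample message
    old = sign(CONFIG_BEFORE, key, msg)
    new = sign(CONFIG_MIGRATING, key, msg)
    return {
        "old_accepted_during_migration": verify(CONFIG_MIGRATING, key, msg, old),
        "new_accepted_during_migration": verify(CONFIG_MIGRATING, key, msg, new),
        "old_rejected_after_migration": not verify(CONFIG_AFTER, key, msg, old),
        "tampered_rejected": not verify(CONFIG_AFTER, key, msg + b"x", new),
    }


if __name__ == "__main__":
    print(inventory(CONFIG_BEFORE))
    print(demo())
```

The two properties that make this agile are the algorithm identifier inside the artefact and the separation of "what we sign with now" from "what we still accept": both can be changed per environment without touching code, and the inventory function surfaces deprecated choices before a forced migration.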
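Re-seeding a deterministic random bit generator from a high-entropy source, as an added example (not from the article or any vendor): an HMAC_DRBG in the style of NIST SP 800-90A whose entropy input comes from a pluggable source. The source here is a constructed, deterministic stand-in for a quantum random number generator so that the run is reproducible; one design choice labelled in the code is that the generator reseeds itself automatically once the configured interval is exhausted, where the standard instead signals that a reseed is required.

```python
"""HMAC_DRBG (SP 800-90A style) with a pluggable entropy source (added example).
The entropy source models the QRNG the text describes; here it is a constructed
deterministic stand-in so the example is reproducible offline."""
import hashlib
import hmac


class HmacDrbg:
    OUTLEN = 32  # SHA-256 output length in bytes

    def __init__(self, entropy_source, reseed_interval=4, personalization=b""):
        self.entropy_source = entropy_source    # callable(n) -> n fresh bytes
        self.reseed_interval = reseed_interval  # requests allowed between reseeds
        self.K = b"\x00" * self.OUTLEN
        self.V = b"\x01" * self.OUTLEN
        self.reseed_counter = 0
        # Instantiate: seed material is entropy || personalization string
        self._update(self.entropy_source(self.OUTLEN) + personalization)
        self.reseed_counter = 1

    def _hmac(self, data):
        return hmac.new(self.K, data, hashlib.sha256).digest()

    def _update(self, provided):
        # HMAC_DRBG_Update (SP 800-90A, 10.1.2.2)
        self.K = self._hmac(self.V + b"\x00" + provided)
        self.V = self._hmac(self.V)
        if provided:
            self.K = self._hmac(self.V + b"\x01" + provided)
            self.V = self._hmac(self.V)

    def reseed(self, additional=b""):
        """Mix fresh entropy from the source (e.g. a QRNG) into the state."""
        self._update(self.entropy_source(self.OUTLEN) + additional)
        self.reseed_counter = 1

    def generate(self, nbytes, additional=b""):
        # Design choice for this example: reseed automatically once the interval
        # is used up (the standard returns "reseed required" and leaves it to the caller).
        if self.reseed_counter > self.reseed_interval:
            self.reseed(additional)
            additional = b""
        if additional:
            self._update(additional)
        out = b""
        while len(out) < nbytes:
            self.V = self._hmac(self.V)
            out += self.V
        self._update(additional)
        self.reseed_counter += 1
        return out[:nbytes]


def fixed_entropy(seed):
    """Constructed deterministic entropy source for demonstration only; a real
    deployment would read from the QRNG device instead."""
    counter = [0]

    def source(n):
        counter[0] += 1
        return hashlib.sha256(seed + counter[0].to_bytes(4, "big")).digest()[:n]
    return source


def demo():
    """Two generators with identical seed agree until one mixes in fresh entropy."""
    a = HmacDrbg(fixed_entropy(b"qrng-A"), reseed_interval=2)
    b = HmacDrbg(fixed_entropy(b"qrng-A"), reseed_interval=2)
    same_before = a.generate(16) == b.generate(16)
    b.reseed()  # fresh entropy enters b only
    differ_after = a.generate(16) != b.generate(16)
    return same_before, differ_after


if __name__ == "__main__":
    print(demo())
```

The reseed interval is the knob the text is pointing at: the shorter it is, the less output an attacker who learned one internal state could predict, because fresh entropy from the source overwrites that state sooner.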
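To show what transmitting and measuring polarized quantum bits buys the defender, here is an added simplified BB84 simulation (not from the article or any product). Polarization is modelled classically as a basis plus a bit, and measuring in the wrong basis yields a random outcome. The run shows basis sifting and the error-rate check that exposes an intercept-resend eavesdropper; the qubit count, basis labels and the half-the-sifted-bits sampling rule are constructed for the example.

```python
"""Simplified BB84 key exchange (added example). Photon polarisation is modelled
classically: a qubit is (basis, bit); measuring in the wrong basis gives a
uniformly random bit. Demonstrates sifting and the error-rate (QBER) check."""
import random

BASES = "+x"  # rectilinear and diagonal polarisation bases


def measure(qubit, basis, rng):
    """Measure a (prepared_basis, bit) qubit in `basis`; wrong basis -> random bit."""
    prepared_basis, bit = qubit
    return bit if prepared_basis == basis else rng.randrange(2)


def bb84(n_qubits, eavesdrop, seed=0):
    rng = random.Random(seed)  # seeded so the run is reproducible
    alice_bits = [rng.randrange(2) for _ in range(n_qubits)]
    alice_bases = [rng.choice(BASES) for _ in range(n_qubits)]
    qubits = list(zip(alice_bases, alice_bits))

    if eavesdrop:
        # Intercept-resend: a third party measures each photon in a guessed basis
        # and re-prepares it. A wrong guess disturbs the state, which is what the
        # error check below detects.
        qubits = []
        for q in zip(alice_bases, alice_bits):
            guess = rng.choice(BASES)
            qubits.append((guess, measure(q, guess, rng)))

    bob_bases = [rng.choice(BASES) for _ in range(n_qubits)]
    bob_bits = [measure(q, b, rng) for q, b in zip(qubits, bob_bases)]

    # Sifting: bases are compared publicly; keep only positions where they match
    sifted = [(a, b) for a, b, ba, bb in
              zip(alice_bits, bob_bits, alice_bases, bob_bases) if ba == bb]
    # Sacrifice half of the sifted bits (compared publicly) to estimate the error rate
    sample, key = sifted[::2], sifted[1::2]
    errors = sum(1 for a, b in sample if a != b)
    qber = errors / len(sample) if sample else 0.0
    return {
        "qber": qber,                                   # ~0 clean, ~0.25 if intercepted
        "key_bits": len(key),
        "key_agrees": all(a == b for a, b in key),      # Alice and Bob hold the same key
    }


if __name__ == "__main__":
    print("clean channel:", bb84(2000, eavesdrop=False, seed=1))
    print("intercepted:  ", bb84(2000, eavesdrop=True, seed=1))
```

On a clean channel every sifted bit agrees, so the measured QBER is zero; an intercept-resend attacker guesses the wrong basis half the time and then randomises Bob's result half of those times, pushing the QBER towards 25%. A real link aborts and discards the key when the QBER exceeds its threshold, which is the detection property that classical key exchange cannot offer.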
Preparedness is the key
Good progress has been made in post-quantum cryptography, and commercial solutions that users can start to adopt are now coming to market. However, before investing in any major solution revamp, users are advised to assess their risk exposure in the post-quantum era. Templates for such assessments are publicly available. According to the Global Risk Institute, the methodology for a quantum risk assessment includes the following steps:
- Ensure you have a current, thorough organizational inventory that includes details of embedded cryptography that may exist in a variety of products;
- Monitor your environment for threats, and ensure that you conduct regular risk assessments;
- Conduct a quantum risk assessment as part of or subsequent to the regular risk assessment process;
- Understand your telecommunications and security vendors’ posture on quantum computing, which of their products will be affected and their preparations to manage this risk;
- Evaluate quantum readiness as part of your current procurement processes for network and security systems, and ask your current vendors to discuss the state of their quantum planning;
- Work with an informed partner to track developments in quantum computing and quantum-safe solutions, and to establish a roadmap to quantum readiness for your organization.
Having gained this situational awareness, users can start to strategize their post-quantum implementation plan. Becoming post-quantum resistant is not trivial, but the reward in terms of customer satisfaction, resilience to business disruption and beating the competition can far exceed the cost of moving slowly in the quantum game. The time to act is now.
Author’s note: The authors would like to acknowledge valuable discussions with Michael Gardiner of Thales. Readers are welcome to share thoughts on the subject with the authors, Welland Chu (Welland.Chu@thalesgroup.com) and Rana Gupta (Rana.Gupta@thalesgroup.com).