My initiation into the world of quantum cybersecurity began when my son offered me the excellent “The Code Book” by Simon Singh. The science and logic behind quantum key distribution is really compelling: it uses the laws of physics to protect data instead of “just” math! Little did I know that this topic was soon to become all-consuming. Indeed, while I was still working through the book, I coincidentally received a call from a former colleague. He was wondering if I would be interested in joining a leading quantum cybersecurity company, QuintessenceLabs! How about that for quantum randomness?
The five years since have been an amazing ride. As the threats to our data have escalated and regulations been put in place, so too have the solutions. Encryption has become the norm, interoperability protocols such as KMIP have matured allowing the integration of stronger centralized key management into existing architectures. Key managers now come with embedded HSMs and some even integrate high quality key generators to avoid the Achilles heel of weak keys.
Another transition is currently playing out; the growing awareness of the development of quantum computers and their implications on security. People are now more aware of these devices and how they are very different to classical computers. While the latter encode data into binary digits (bits) that are either a “0” or a “1”, quantum computers use quantum bits, or qubits, which can represent a “0” and a “1”, simultaneously. Simplistically, since their processing power increases exponentially with the number of these qubits, they will have extraordinary capabilities that will revolutionize computing and enable dramatic improvements in many areas such as chemistry, AI and weather forecasting. But on the downside their impacts on cybersecurity mean that we have to fundamentally rethink some parts of our data protection strategies and, equally importantly, start taking action on that now.
Asymmetric algorithms such as RSA are used to share symmetric encryption keys which in turn protect data. Quantum Computers put these asymmetric algorithms at serious risk. Their security is founded on the huge processing time that classical computers would need to break them. However once quantum computers mature, that robust protection falls apart, since these particular algorithms will be broken in seconds. As a result, the way we currently exchange encryption keys – as well as digital certificates, blockchain and cryptocurrencies — will no longer be safe.
It’s still an open question when a general-purpose quantum computer of sufficient scale will be available to threaten our security. Most guesses range from seven to fifteen years, but it’s thought we should plan for ten years. “Planning” in this case is a tall order; it means that we should prepare for the total breakdown of all currently used key exchange systems within a decade, and put in place a strategy early enough to protect sensitive data for its full security life. The unfortunate truth is that for some data it may already be too late: “harvesting attacks” could already be intercepting data today for decryption when quantum computers mature.
So, what can be done? Here are a few pointers to guide you along that path:
• Use full-entropy random numbers. These are foundational for all quantum-resilient cryptography.
• Use longer keys for symmetric encryption: these will need to be twice as long as those used today to allow similar protection.
• Use long, truly random symmetric keys to wrap stored or replicated keys, protecting them from quantum attacks even today.
• Require that your suppliers’ key managers are “crypto-agile”, i.e. able to work with longer keys and new quantum resistant algorithms.
• Explore key exchange solutions such as quantum key-distribution (QKD) and keep abreast of NIST’s selections of new quantum-resistant encryption algorithms (QRA).
• Use secure links between key management nodes, protected by QKD and/or quantum resistant algorithms.
If you need more information, feel free to reach out to me at [email protected] In any case, good luck as you proceed along the path to quantum safety.