These are anxious times. For the worriers among us 2020 has been a bumper year. We’ve had a global pandemic and the rise of Fascism in democratic countries. Not content with this, the techno-literate fretful have added ‘Quantum Supremacy’ (i.e. the point at which quantum computers outperform their digital traditional cousins) to the list of concerns.
It is easy to forget that an absolutely secure computer system does not exist. Public key cryptography like RSA, elliptic curve, Diffie-Hellman, etc. makes it absurdly difficult, but not impossible to circumvent its well-designed security measures. If it wasn’t for the small issue of the Heat Death of the Universe, a traditional computer could access your client’s private data in a mere few hundred billion years. That is to say vulnerabilities exist, but currently they are practically impossible to exploit. Inevitably the greatest threat to your encrypted data will always be bad cryptography practices and human error, but quantum computing, unbound by the limitations of traditional digital computation, makes cracking public key encryption entirely possible.
The Doom and Gloom
Depending on the quality of the qubits involved, 2048-bit RSA encryption can be cracked in 8 hours or, if you have a few thousand perfectly stable qubits, a handful of seconds. Symmetric cryptography might withstand a quantum attack but the effective keysize would be halved. The catastrophic consequences are unlimited. Think about how easy it would be to force a code update using a forged signature leading to the takeover of millions of devices. Billions of financial transactions are now insecure. Even if a standard solution to the post-quantum cryptography (PQC) problem is agreed upon, there is still the significant issue of rolling it out to millions upon millions of disparate devices. Here inertia and inattention always works in the favour of the malfeasant. For instance, despite vulnerabilities being identified over two decades ago, MD5 is still widely used. There is no reason to believe that PQC updates will be any less haphazard and incomplete. This leaves life-critical systems like our cars, phones, financial markets, national security and key infrastructure vulnerable.
The End is Not Nigh
We are not in a PQC world yet. The quantum computer with arguably the best publicity performance has been Google’s 54-qubit Sycamore, which claimed to achieve quantum supremacy in a very specific and very useless calculation. Quantum computing is complex, expensive, unstable and relies on near absolute zero temperatures. IBM’s quantum computer takes fourteen days to reach its operating temperature. After all that the largest number factored by IBM’s Q System One was 35. So your CEO’s whatsApp conversations are safe for the time being. Tech companies are eager to hype up the performance of their quantum computers and their progress has been steady. It is most likely that State agencies are also investing in quantum computing, but the electricity consumption is likely to give it away when used. There are also some experts who have argued that quantum computing is fundamentally flawed and will inevitably run up against fundamentals of computation due to the sensitivity of maintaining the superposition required and the error-prone nature of the approach.
Maybe a Little Nigh
Predictions about the future are a fool’s game and those who bet against progress doubly so. IBM has published a roadmap this year predicting a 1121 qubit processor in 2023. Besides the machines at Google and IBM, Intel, Microsoft Honeywell and many startups such as Rigetti and D-Wave are spending substantial resources with the belief that quantum supremacy for general computing is achievable. Predictions vary from five to twenty years before quantum computing can weaponize Shor's algorithm. In addition alternative approaches such as quantum annealing are already demonstrating results that could prove more threatening to our private keys.In 2016, NIST launched their competition to find algorithms that will resist quantum computers and have recently narrowed the field to three candidates with a draft standard to be published by 2022 or 2024. Interesting PQC approaches have included lattice- based, error-correcting and multivariate polynomial cryptography. There’s time but maybe not enough to completely disregard the threat of quantum supremacy.
Keep Calm and Carry On
I think the only obstruction to replacing RSA with a secure post-quantum cryptosystem will be will-power and programming time. -Peter Shor
So, is this a concern or not? A PQC vendor is going to tell you that you should definitely panic and to definitely install whatever algorithm or ‘crypto agility layer’ they’re selling but that isn’t surprising. However, some well-informed people are skeptical, such as Adi Shamir, one of the authors of RSA, he stated, "I think there is a higher chance that RSA could be broken by a mathematical attack." He believes any significant advances will be widely reported, which would provide sufficient time to address specific PQC vulnerabilities. The danger of a knee-jerk response to PQC was reiterated by Cryptosense’s own Graham Steel in an Economist article on the subject. He stated, "The maths that underlie post-quantum schemes have not been similarly battle-tested." A sentiment echoed by Adi Shamir. What they are both saying is that the cure might be worse than the disease. Without the rigor of a common, open standard, you run the risk of your security measures introducing an unidentified exploit, which would have truly end-of-the-world consequences for your company.
Smart CISO teams are using the time before the post-quantum armageddon to take control of their data protection. By identifying tools that allow them to gain an understanding of their cryptography use across their organization’s applications, network infrastructure, filesystems, and hardware, they put themselves in a strong position to act when the time comes, whenever that is. There are immediate benefits to these tools, such as finding data that should be encrypted but isn’t, identifying resilience issues (e.g. expiring hidden TLS certificates) and discovering vulnerabilities in the way you use cryptography today. By providing full visibility on your current cryptography use, they put you in a strong position to defend yourself against any threat, including quantum-based attacks.With full visibility on cryptography use provided by automated tooling and deployed in your CI/CD toolchain, you will be able to answer questions that would previously have taken laborious manual analysis, such as “is my cryptography use PCI or FIPS compliant?” or “where am I still seeing SHA-1 being used?”. And when the time comes, you’ll be well placed to define and execute a PQC migration plan. For more information on getting full visibility on the cryptography you're using today, read our white paper on 'Building a Cryptography Inventory'.