What you can do today to protect against quantum computing
- By Bill Becker
- Nov 21, 2016
The launch of the Chinese “quantum satellite” early this year was heralded as the start of nearly hack-proof communications. Unfortunately, the truth is bit more complicated, and the downsides are potentially frightening.
Quantum computing, which promises to solve complex problems vastly faster than today’s machines, clearly offers groundbreaking technological advancements in communications and scientific research. Encryption technology, however, has yet to match these advancements. As quantum computing technology progresses, the chances are that public-key cryptographic systems, the foundation of encryption, could be at risk. The possible result? Cracking of supposedly uncrackable encrypted data.
What we’re talking about here sounds like science fiction – namely quantum information science. Yet QIS is rapidly becoming a reality. This past October, the federal government identified QIS as an area of strategic importance in a White House Office of Science and Technology Policy forum held that month.
It’s true that advancements in QIS will help advance high-performance computing technology. According to IBM, “quantum computing will be among the technologies that could usher in a new era of innovation across industries.” But that level of innovation leaves open the possibility of quantum computers being used to attack cryptographic algorithms.
In response to this possible threat to security, the National Institute of Standards and Technology began requesting comments in August on a new way to standardize quantum-resistant public-key cryptographic algorithms. NIST noted that “if large-scale quantum computers are ever built, they will be able to break many of the public-key cryptosystems currently in use. This would seriously compromise the confidentiality and integrity of digital communications on the Internet and elsewhere.”
NIST is not alone in this concern. Cisco, for example, has stated that if (or when) quantum computers become a reality, “they would pose a threat to crypto standards for PKI (RSA, ECDSA), key exchange (DH, ECDH) and encryption (AES-128).”
That’s especially troubling because these cryptographic algorithms are considered the gold standard for encryption today. Consequently, common sense dictates that both government agencies and their technology providers must start now to protect themselves from this emerging threat.
Current government strategy: Crypto-agility
Among government security experts, quantum-resistant algorithms are an ongoing topic of interest. The problem is that until the technology is fully realized, the best that can be done to mitigate the potential threat from quantum hacking is to be ready to jump to a new encryption scheme when the time is right. NIST’s recommendation for the near term is to have organizations focus on "crypto agility," which is the capability to rapidly switch out whatever algorithms they are using for new ones that are safer.
Other organizations concur. The Committee on National Security Systems’ Advisory Memorandum Information Assurance 02-15 also acknowledges the need for such algorithms. Until there’s sufficient market penetration, however, CNSS concedes that the best strategy is to proceed with traditional encryption algorithms using larger size keys. In conjunction with the CNSS Advisory Memo, the National Security Agency has replaced its Suite B crypto recommendation with guidance to use the Commercial National Security Algorithm Suite to protect classified and unclassified data. Still, the agency is working with vendors to implement new algorithms, and it plans to transition to quantum-resistant algorithms in the near future.
Checklist for mitigating risk today
What can a government organization do today to be better equipped to thwart quantum computer data hacking? Here are a few places to start:
- Monitor and participate in government and industry activities. While this may sound like a no-brainer, it will provide information on the latest developments in quantum computing so officials can recognize the best way to deal with potential problem areas.
- Evaluate current and future product options to evolve to quantum-resistant solutions. Develop the “easy solutions” first, but at the same time establish a roadmap for the “hard solutions” that will require more sophisticated protection.
- Strengthen current deployments by implementing traditional encryption algorithms with large key sizes, according to agency guidance such as NSA’s CNSA Suite.
- Monitor research and development to replace public-key algorithms and move to protocols/systems that use symmetric keys.
- Implement quantum-resistant algorithms and protocols into encryption technologies once they are standardized and become available.
- Because future quantum-resistant systems will likely rely on large numbers of traditional symmetric keys along with the next generation of quantum resistant algorithm keys, deployment of a cryptographic key management system is more important than ever in order to manage and protect those keys.
It’s easy to get caught up in the whirlwind of enthusiasm for the future of secure communications promised by new quantum technology. But as each new innovation gets us closer to the reality of quantum computing, we must be ready to protect sensitive government data from the potentially devastating hacking threats that loom just beyond the horizon.
Bill Becker is technical director of SafeNet Assured Technologies.