With their vast increase in computing power, quantum computers promise to revolutionize many fields. Artificial intelligence, medicine and space exploration all benefit from this technological leap — but that power is also a double-edged sword. The risk is that threat actors could abuse quantum computers to break the key cryptographic algorithms we depend upon for the safety of our digital world.

This poses a threat to a wide range of critical systems. Fortunately, alternative cryptographic algorithms that resist attack by both quantum and classical computers already exist.

In July 2022, the National Institute of Standards and Technology (NIST) announced such alternatives following the completion of the third round of its post-quantum cryptography (PQC) standardization process. In total, NIST selected four PQC algorithms: one for key establishment (CRYSTALS-KYBER) and three for digital signatures (CRYSTALS-Dilithium, FALCON and SPHINCS+). (NIST has since published the first three as FIPS 203 ML-KEM, FIPS 204 ML-DSA and FIPS 205 SLH-DSA in August 2024, with FALCON slated to follow as FN-DSA.)

While this is encouraging, the major challenge ahead is transitioning today’s encryption implementations to quantum-safe encryption (QSE). This article describes how quantum computers impact encryption and outlines an approach for guiding organizations to transition to QSE.

Impact on Asymmetric Encryption

Cryptographic algorithms protect sensitive data in storage, in transit and in use. Securing data communications, signing financial transactions on a blockchain and signing software for secure distribution all rely on asymmetric (public-key) cryptography. It is now clear that the public-key algorithms based on factoring large integers (e.g., RSA) and on discrete logarithms (e.g., Diffie-Hellman, and their elliptic-curve forms ECDH and ECDSA) will need to be replaced by quantum-safe alternatives such as CRYSTALS-KYBER and CRYSTALS-Dilithium.

The effective security strengths in Table 1 below show that RSA and elliptic-curve cryptography (ECC) are, on a classical computer, weaker than or comparable to the Advanced Encryption Standard (AES), but on a large quantum computer their strength drops to effectively zero. This is because Shor's algorithm solves both integer factorization and the discrete logarithm problem (including on elliptic curves) in polynomial time.

In other words, an attack that would take millions of years on classical computers would become feasible in hours or days on a sufficiently large, fault-tolerant quantum computer.

Impact on Symmetric Encryption

Unlike asymmetric algorithms, symmetric algorithms do not face an existential threat: an attacker still has to brute-force the key. A large quantum computer running Grover's algorithm could, however, give a quadratic speedup on that brute-force search, reducing the effective strength of a k-bit key to roughly k/2 bits. The conservative response is to double the key size to keep the same level of protection. (In practice Grover's algorithm parallelizes poorly and needs a long serial chain of quantum operations, so the real-world gain is likely smaller than the quadratic bound; doubling nevertheless remains the safe default.)

For AES specifically, this means using 256-bit keys to maintain today’s 128-bit security strength, as depicted in Table 1.

Table 1: The effective security strength of key encryption algorithms.

Transitioning to QSE

Given the ubiquitous use of cryptography in our digital world, the transition to QSE will be a large endeavor for global organizations. While not an exhaustive list, Table 2 gives a good indication of the number and type of systems and applications that need to change across the four core cryptographic areas: key exchange, digital signature, authentication and data encryption.


Table 2: Example use cases that require a transition to QSE.

An Approach for Transitioning to QSE

As with any major endeavor in cybersecurity, the transition to QSE will involve people, processes and technology. Because the technology in this area is still emerging, our focus today is on the technology required for helping organizations transition to QSE. A solution in this space ought to cover four pillars: find, assess, prioritize and remediate.

Figure 1: The four pillars for transitioning to QSE.

Pillar 1: Find

The first objective is to build an inventory of the cryptographic assets the organization uses: algorithms, keys, certificates, protocols and libraries. A find capability typically consists of a scanner that can examine an application, a host or a network, plus a repository that holds the resulting inventory of cryptographic assets (sometimes called a cryptography bill of materials, or CBOM).

To be effective, the scanner technology needs to meet two key criteria: breadth and automation. Breadth is to ensure that the scanner can support the various flavors of operating systems, networks, file systems and programming languages (for applications) that are in use in any organization today. A gap in the support here would mean a blind spot in the cryptographic inventory. Automation is to ensure that the scanners can easily be deployed within the organization. Integrations with tools such as Tanium typically address this concern.

Pillar 2: Assess

The objective of this pillar is to look for vulnerabilities across the collected cryptographic inventory. We believe that the need to transition to QSE provides an excellent opportunity to modernize encryption implementation overall. Therefore, the vulnerabilities this pillar uncovers would not be limited to finding usages of algorithms that are not quantum-safe. They would include any cryptographic vulnerabilities.

This pillar uncovers two main types of vulnerability. The first type comprises issues that can be fixed without changing application code: rotating encryption keys that are past their rotation date, renewing expired certificates, restricting a keystore's file permissions and so on. The second type comprises issues that do require an application change.

For example, an application that creates digital signatures using RSA must be changed to use a quantum-safe alternative such as CRYSTALS-Dilithium. Similarly, an application that establishes a shared key using Diffie-Hellman (DH) must be changed to use a quantum-safe alternative such as CRYSTALS-KYBER (during the transition, commonly in a hybrid mode that combines the classical and the PQC algorithm so that security does not regress if either one is broken).
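The find and assess pillars above are easiest to see end to end in a small scanner. The following is an added example written for this article, not code from the article itself or from any IBM product: it pattern-matches algorithm names in constructed source and configuration snippets, assesses constructed certificate metadata (the Python standard library has no X.509 parser, so the certificate fields are supplied as records), checks a temporary keystore file's permissions, and tags each finding with whether fixing it needs an application change. The file contents, certificate records, pattern list and remediation texts are all assumptions chosen for illustration.

```python
import os
import re
import stat
import tempfile
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple

# Assumption (not from the article): algorithm names appear in source and config files in
# the usual library/OpenSSL spellings. A production scanner would also parse binaries,
# keystores and live TLS handshakes rather than rely on text patterns alone.
PATTERNS = {
    "RSA":   re.compile(r"\bRSA(?:[-_ ]?(?P<bits>\d{4}))?", re.IGNORECASE),
    "ECC":   re.compile(r"\b(?:ECDSA|ECDHE?|secp\d+[rk]1|prime256v1|P-256)", re.IGNORECASE),
    "DH":    re.compile(r"\b(?:Diffie-?Hellman|DH)(?:[-_ ]?(?P<bits>\d{4}))?\b", re.IGNORECASE),
    "AES":   re.compile(r"\bAES[-_ ]?(?P<bits>128|192|256)", re.IGNORECASE),
    "SHA-1": re.compile(r"\bSHA-?1(?!\d)", re.IGNORECASE),
    "MD5":   re.compile(r"\bMD5\b", re.IGNORECASE),
}

@dataclass
class Finding:
    asset: str              # file path, certificate subject or keystore path
    location: str           # line number, or "-" when not applicable
    algorithm: str
    detail: str
    issue: str              # empty string when the usage is acceptable as-is
    needs_app_change: bool

def assess_algorithm(algorithm: str, bits: Optional[int]) -> Tuple[str, bool]:
    """Map one algorithm usage to (issue description, needs_app_change)."""
    if algorithm in ("RSA", "ECC", "DH"):
        return ("not quantum-safe: replace with a NIST PQC algorithm (CRYSTALS-Kyber for "
                "key establishment, CRYSTALS-Dilithium for signatures)", True)
    if algorithm in ("SHA-1", "MD5"):
        return ("broken/deprecated hash: replace with SHA-256 or SHA-3", True)
    if algorithm == "AES" and bits is not None and bits < 256:
        return (f"AES-{bits}: raise to AES-256 to keep 128-bit strength against Grover", False)
    return ("", False)

def scan_sources(sources: Dict[str, str]) -> List[Finding]:
    """Find pillar: one finding per algorithm per line, already assessed."""
    findings = []
    for path, text in sources.items():
        for lineno, line in enumerate(text.splitlines(), 1):
            for algorithm, pattern in PATTERNS.items():
                if m := pattern.search(line):
                    bits = m.groupdict().get("bits")
                    bits = int(bits) if bits else None
                    issue, app_change = assess_algorithm(algorithm, bits)
                    detail = f"{algorithm}-{bits}" if bits else algorithm
                    findings.append(Finding(path, str(lineno), algorithm, detail, issue, app_change))
    return findings

def assess_certificates(certs: List[dict], today: date) -> List[Finding]:
    """Certificate records are constructed here; a real scanner would parse X.509."""
    findings = []
    for c in certs:
        if c["not_after"] < today:
            findings.append(Finding(c["subject"], "-", "X.509", "expired " + c["not_after"].isoformat(),
                                    "expired certificate: renew through the certificate management system", False))
        issue, app_change = assess_algorithm(c["key"], c["bits"])
        if issue:
            findings.append(Finding(c["subject"], "-", c["key"], f'{c["key"]}-{c["bits"]}', issue, app_change))
    return findings

def check_keystore_permissions(path: str) -> Optional[Finding]:
    """Flag a keystore readable or writable by group/others; fixable without a code change."""
    mode = os.stat(path).st_mode
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        return Finding(path, "-", "keystore", f"mode {stat.S_IMODE(mode):04o}",
                       "keystore accessible to other users: restrict to owner (0600)", False)
    return None

# Constructed sample inputs standing in for a real code base and certificate store.
SAMPLE_SOURCES = {
    "payments/Signer.java": ('KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");\n'
                             'kpg.initialize(2048);\n'
                             'Signature sig = Signature.getInstance("SHA256withRSA");\n'),
    "gateway/tls.conf":     "ssl_ecdh_curve prime256v1;\nssl_ciphers ECDHE-RSA-AES128-GCM-SHA256;\n",
    "legacy/checksum.py":   "import hashlib\ndigest = hashlib.md5(data).hexdigest()  # MD5\n",
}
SAMPLE_CERTS = [
    {"subject": "CN=api.example.test", "key": "RSA", "bits": 2048, "not_after": date(2023, 1, 31)},
    {"subject": "CN=mq.example.test",  "key": "ECC", "bits": 256,  "not_after": date(2030, 6, 1)},
]

def build_inventory(today: date = date(2023, 6, 1)) -> List[Finding]:
    """Run find + assess over the constructed inputs and return every finding."""
    findings = scan_sources(SAMPLE_SOURCES) + assess_certificates(SAMPLE_CERTS, today)
    with tempfile.TemporaryDirectory() as tmp:           # stand-in keystore file
        path = os.path.join(tmp, "app.jks")
        open(path, "wb").close()
        os.chmod(path, 0o644)                             # too permissive on purpose
        keystore = check_keystore_permissions(path)
        findings += [keystore] if keystore else []
    return findings
```

Running `build_inventory()` yields ten findings: six from the source snippets, three from the certificates (the RSA certificate is both expired and quantum-vulnerable, which are two separate issues with two different fixes) and one for the keystore. Seven of them are tagged as needing an application change, which is exactly the split the remediate pillar below depends on.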

Pillar 3: Prioritize

This pillar aims to prioritize the vulnerabilities discovered based on risk so that the organization addresses the highest risks first. This risk-based prioritization requires enrichment data.

Consider the following example: the “assess” pillar discovers that two databases, A and B, are encrypted with two encryption keys, K1 and K2, which must be rotated. Additionally, suppose that K1 and K2 are each stored in a local keystore for which the file permissions must be restricted.

Which issue should the organization address first? It is hard to tell without enrichment data. Suppose that database A contains classified information, while database B contains public information. The data classification information is an example of enrichment data. The “prioritize” pillar uses this context to prioritize fixing the issue for database A, which poses a higher risk.
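The prioritization described above, as an added example that is not part of the original article: issues from the assess pillar are joined with enrichment data (data classification, network exposure, and whether the protected data stays sensitive for years, which matters for harvest-now-decrypt-later attacks on quantum-vulnerable key exchange) and ranked by a risk score. The weights, asset names and enrichment values are assumptions constructed for illustration, not a published scoring scheme. It goes one step beyond the text by also handling an asset with no enrichment data at all, which gets the most conservative assumption and a flag so that someone verifies its classification.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Assumed weights: issue severity x data classification x exposure. Tune to your own risk model.
ISSUE_SEVERITY = {
    "quantum-vulnerable-public-key": 3,   # needs an application change
    "key-rotation-overdue": 2,
    "keystore-permissions": 2,
    "expired-certificate": 1,
}
CLASSIFICATION_WEIGHT = {"public": 1, "internal": 2, "confidential": 3, "classified": 4}
EXPOSURE_WEIGHT = {"isolated": 1, "internal-network": 2, "internet-facing": 3}

@dataclass(frozen=True)
class Issue:
    asset: str
    kind: str

@dataclass(frozen=True)
class Enrichment:
    classification: str
    exposure: str
    long_lived_secrets: bool = False   # data that must stay confidential for years

# Assets nobody has classified yet get the most conservative enrichment so they sort high.
UNKNOWN = Enrichment("classified", "internet-facing", True)

def risk_score(issue: Issue, enrichment: Enrichment) -> int:
    score = (ISSUE_SEVERITY[issue.kind]
             * CLASSIFICATION_WEIGHT[enrichment.classification]
             * EXPOSURE_WEIGHT[enrichment.exposure])
    # Harvest-now-decrypt-later: quantum-vulnerable key exchange that protects long-lived
    # data is urgent today, even though the attacker's quantum computer does not exist yet.
    if issue.kind == "quantum-vulnerable-public-key" and enrichment.long_lived_secrets:
        score *= 2
    return score

def prioritize(issues: List[Issue], enrichment_by_asset: Dict[str, Enrichment]) -> List[Tuple[int, Issue, bool]]:
    """Return (score, issue, enrichment_missing) tuples, highest risk first."""
    ranked = []
    for issue in issues:
        enrichment = enrichment_by_asset.get(issue.asset)
        ranked.append((risk_score(issue, enrichment or UNKNOWN), issue, enrichment is None))
    ranked.sort(key=lambda r: (-r[0], r[1].asset, r[1].kind))   # deterministic tie-break
    return ranked

# Constructed inventory: the article's two databases plus an internet-facing API gateway
# and a host that has no enrichment record.
ISSUES = [
    Issue("database-A", "key-rotation-overdue"),
    Issue("database-A", "keystore-permissions"),
    Issue("database-B", "key-rotation-overdue"),
    Issue("database-B", "keystore-permissions"),
    Issue("api-gateway", "quantum-vulnerable-public-key"),
    Issue("batch-host-17", "expired-certificate"),
]
ENRICHMENT = {
    "database-A": Enrichment("classified", "internal-network", True),
    "database-B": Enrichment("public", "internal-network"),
    "api-gateway": Enrichment("confidential", "internet-facing", True),
}

def ranked_issues() -> List[Tuple[int, Issue, bool]]:
    return prioritize(ISSUES, ENRICHMENT)

if __name__ == "__main__":
    for score, issue, missing in ranked_issues():
        note = "   (no enrichment data: verify classification)" if missing else ""
        print(f"{score:3d}  {issue.asset:<14} {issue.kind}{note}")
```

With these weights the gateway's quantum-vulnerable key exchange (score 54) outranks everything, database A's two issues (16 each) come before database B's (4 each), and the unclassified host lands in between with a flag rather than silently dropping to the bottom.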

Pillar 4: Remediate

Lastly, the “remediate” pillar automates the remediation of those prioritized issues. The remediation procedure would be different depending on whether the issue requires an application change or not. For issues that do not require an application change, this pillar integrates with external systems to drive a resolution. For example, integration with a ticketing system such as ServiceNow would pass the issue on to the appropriate stakeholders for resolution. Similarly, an integration with a certificate management system would automate the renewal of an expired certificate.

For issues that require an application change, we propose moving away from the classical model, in which encryption is tightly coupled with the application, to a new paradigm in which cryptography is consumed as a service. Under this paradigm, the application obtains the cryptographic functions it needs from a cryptographic service provider through a set of application programming interfaces (APIs) that abstract the algorithm details away from the application. When an algorithm must change, only the cryptographic service provider is updated; the application itself does not change, which saves the organization time and resources. We refer to this concept as crypto agility. Two practical caveats apply: the data formats and protocols the application uses must carry an algorithm identifier, bound to the protected data, so that old and new algorithms can coexist during a migration; and they must accommodate the larger keys and signatures of PQC algorithms (a CRYSTALS-Dilithium signature is a few kilobytes, versus 256 bytes for an RSA-2048 signature).
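The service-provider pattern and its migration behaviour, as an added example that is not code from the article: the application calls `protect`/`open` on a `CryptoService` and never names an algorithm; the provider selects the algorithm from a policy, embeds the algorithm and key identifiers in the token, and binds them into the MAC input so a token cannot be relabelled to a weaker algorithm. The backends are HMAC constructions because the Python standard library ships no public-key or PQC primitives; a CRYSTALS-Dilithium backend from a PQC library would be registered in `REGISTRY` the same way (name to function) without touching the application code. The key, key identifier, token format and policy phases are assumptions for illustration.

```python
import hashlib
import hmac
from typing import Callable, Dict, Optional, Set

MacFn = Callable[[bytes, bytes], bytes]

# Algorithm registry: the only place that knows concrete primitives. Adding a PQC
# backend means adding one entry here (assumed interface; no PQC library is used).
REGISTRY: Dict[str, MacFn] = {
    "hmac-sha256":   lambda key, msg: hmac.new(key, msg, hashlib.sha256).digest(),
    "hmac-sha3-256": lambda key, msg: hmac.new(key, msg, hashlib.sha3_256).digest(),
}

class Policy:
    """Algorithm for newly protected data, plus the set a verifier still accepts."""
    def __init__(self, preferred: str, accepted: Set[str]):
        if preferred not in REGISTRY or not accepted <= set(REGISTRY):
            raise ValueError("policy names an unregistered algorithm")
        self.preferred, self.accepted = preferred, accepted

class CryptoService:
    """The cryptographic service provider: owns keys, algorithms and policy."""
    SEP = "$"

    def __init__(self, policy: Policy, keyring: Dict[str, bytes]):
        self.policy, self.keyring = policy, keyring

    @staticmethod
    def _mac_input(alg: str, key_id: str, payload: bytes) -> bytes:
        # Bind algorithm id and key id into the MAC so an attacker cannot relabel a
        # token with a different algorithm (downgrade) or point it at another key.
        return alg.encode() + b"\0" + key_id.encode() + b"\0" + payload

    def protect(self, key_id: str, payload: bytes) -> str:
        alg = self.policy.preferred
        tag = REGISTRY[alg](self.keyring[key_id], self._mac_input(alg, key_id, payload))
        return self.SEP.join([alg, key_id, payload.hex(), tag.hex()])

    def open(self, token: str) -> Optional[bytes]:
        try:
            alg, key_id, payload_hex, tag_hex = token.split(self.SEP)
            payload, tag = bytes.fromhex(payload_hex), bytes.fromhex(tag_hex)
        except ValueError:
            return None
        if alg not in self.policy.accepted or key_id not in self.keyring:
            return None
        expected = REGISTRY[alg](self.keyring[key_id], self._mac_input(alg, key_id, payload))
        return payload if hmac.compare_digest(tag, expected) else None

# Application code: asks for a protected session token and never names an algorithm.
def issue_session(service: CryptoService, user: str) -> str:
    return service.protect("session-k1", f"user={user}".encode())

def read_session(service: CryptoService, token: str) -> Optional[str]:
    payload = service.open(token)
    return payload.decode() if payload is not None else None

def migration_demo() -> dict:
    keyring = {"session-k1": b"\x01" * 32}     # constructed key; use a KMS/HSM in production
    phase1 = CryptoService(Policy("hmac-sha256", {"hmac-sha256"}), keyring)
    token_old = issue_session(phase1, "alice")
    # Phase 2: new tokens use the new algorithm; old ones stay valid while they roll off.
    phase2 = CryptoService(Policy("hmac-sha3-256", {"hmac-sha3-256", "hmac-sha256"}), keyring)
    token_new = issue_session(phase2, "alice")
    # Phase 3: the old algorithm is retired. Only the provider's policy changed.
    phase3 = CryptoService(Policy("hmac-sha3-256", {"hmac-sha3-256"}), keyring)
    relabelled = token_old.replace("hmac-sha256", "hmac-sha3-256", 1)   # downgrade attempt
    parts = token_new.split(CryptoService.SEP)
    parts[2] = b"user=admin".hex()                                        # payload tampering
    tampered = CryptoService.SEP.join(parts)
    return {
        "old_token_in_phase2": read_session(phase2, token_old),
        "new_token_alg": token_new.split(CryptoService.SEP)[0],
        "old_token_in_phase3": read_session(phase3, token_old),
        "relabelled_token_in_phase3": read_session(phase3, relabelled),
        "tampered_token_in_phase2": read_session(phase2, tampered),
    }
```

The point of the three phases is that `issue_session` and `read_session` are identical throughout: switching algorithms, running both in parallel during the rollover and finally retiring the old one are all policy changes inside the provider. The relabelled and tampered tokens show why the algorithm identifier has to be authenticated rather than merely carried alongside the data.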

Deploying PQC Algorithms in Production Environments

While NIST has announced the PQC algorithms selected for standardization, at the time of writing the final standard was not expected before 2024 (NIST published FIPS 203, 204 and 205 in August 2024), and the selected algorithms were expected to change in details such as parameter sets and encodings before publication. This begs the question: should organizations go into production with the PQC algorithms now?

The guidance from NIST and the Cybersecurity and Infrastructure Security Agency (CISA) is that organizations should wait for the official PQC standard before implementing PQC algorithms in a production environment, but should start preparing for the transition now. We share this view and recommend that organizations take the following steps:

  • Educate the organization’s workforce about the upcoming transition.
  • Implement the find, assess and prioritize pillars to build an inventory of cryptographic assets and prioritize vulnerabilities.
  • Remediate any issue that is not about replacing quantum-unsafe asymmetric algorithms with their quantum-safe alternatives. For example, it is fine to move any use of AES-128 to AES-256; that is good practice irrespective of quantum computing.
  • Test the new PQC algorithms in a lab environment, but wait until NIST publishes the PQC standard before deploying them in production, and then deploy implementations of the standardized versions rather than pre-standard drafts, which are not interoperable with them.
  • Validate and test any products, systems or applications you acquire from a third-party vendor to ensure they incorporate the PQC standard when it is published.

The Future Requires Crypto Agility

Encryption is the bedrock of our digital world. While the transition to QSE will be a major endeavor for organizations across the globe, this is also an excellent opportunity to modernize and fix current encryption implementation. Crypto agility will enable organizations to react faster to cryptographic vulnerabilities and future changes to cryptographic standards.
