Getting Quantum Ready and What This Means for Cryptography

Quantum computing is now real. While the technology is still in the early stages of development, researchers are making impressive progress in developing quantum devices and exploring early use cases in chemistry, finance and machine learning.

Besides research and development in the private sector and academia, big investments are also being made in the public sector. In the future, this could enable quantum computers with much greater computing power than they have today.

How Will We Protect Our Data From Quantum Attacks?

Quantum computers could potentially offer unprecedented capabilities to tackle problems that classical computers cannot solve today. These systems will also change the way we approach cybersecurity. In 1994, Peter Shor showed that a large-scale quantum computer would be able to break today’s most-used public key crypto algorithms, such as Rivest-Shamir-Adleman (RSA), Diffie-Hellman and Elliptic Curve Cryptography, by using Shor’s algorithm.

Since most of our communication (e.g., bank transactions, web traffic, remote connections and email) relies on such algorithms, in essence, all of it would be at risk. This extends to all data encrypted with secret cryptographic keys that are exchanged in one way or another using the aforementioned algorithms.

Not surprisingly, researchers have been working hard on alternative methods for protecting our data as quantum computing progresses.

One set of methods is quantum cryptography, which is mostly known for quantum key distribution (QKD) — e.g., the BB84 protocol. QKD is implemented by encoding the secret key in quantum states, which are sent in the form of photons (light particles) across optical fibers or free space. To protect against wiretapping by an eavesdropper, we exploit fundamental quantum mechanical properties such as Heisenberg’s Uncertainty Principle and the fact that, in the quantum world, it is impossible to observe something without impacting it (i.e., its quantum state). Even though distance limitations of QKD may be overcome today by launching satellites into space, we are currently constrained by low bit rates and the fact that initial authentication still requires a classically pre-shared secret.
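The effect of observation on the key exchange can be seen in a classical simulation of BB84. This is an added example, not part of the original article: it assumes an idealized noiseless channel and an eavesdropper who measures and resends every photon, and the function names and the 11% abort threshold are illustrative choices.

```python
import random

BASES = "+x"  # rectilinear and diagonal polarization bases


def measure(bit, prep_basis, meas_basis, rng):
    """Measuring in the preparation basis returns the encoded bit;
    measuring in the other basis disturbs the state and yields a coin flip."""
    return bit if prep_basis == meas_basis else rng.randint(0, 1)


def bb84_qber(n_photons, eavesdrop, seed=1):
    """Simulate BB84 and return (error rate on the sifted key, sifted key length)."""
    rng = random.Random(seed)
    sifted = errors = 0
    for _ in range(n_photons):
        a_bit, a_basis = rng.randint(0, 1), rng.choice(BASES)
        bit, basis = a_bit, a_basis
        if eavesdrop:
            # The eavesdropper cannot know the basis, so she guesses one,
            # measures, and resends what she saw in her own basis.
            e_basis = rng.choice(BASES)
            bit, basis = measure(bit, basis, e_basis, rng), e_basis
        b_basis = rng.choice(BASES)
        b_bit = measure(bit, basis, b_basis, rng)
        # Sifting: the two parties publicly compare bases (never bits)
        # and keep only the positions where the bases matched.
        if a_basis == b_basis:
            sifted += 1
            errors += a_bit != b_bit
    return errors / sifted, sifted


def eavesdropper_detected(qber, threshold=0.11):
    """Abort the key exchange when the sampled error rate exceeds the threshold.
    The threshold value is an assumption chosen for this example."""
    return qber > threshold


if __name__ == "__main__":
    for eve in (False, True):
        qber, n = bb84_qber(4000, eavesdrop=eve)
        print(f"eavesdropper={eve}: sifted={n} QBER={qber:.3f} "
              f"abort={eavesdropper_detected(qber)}")
```

On a quiet channel the sifted keys agree exactly, while the intercept-resend eavesdropper pushes the error rate to roughly 25%, which the two parties see when they compare a sample of the sifted key.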

Another method is quantum-safe cryptography, which involves a new set of classical encryption algorithms based on mathematical problems that are believed to be hard to solve on a quantum computer (as well as on a classical computer). Such algorithms are considered resistant to quantum attacks. The main advantage of quantum-safe cryptography is the possibility of implementing it on top of existing infrastructure (e.g., by updating the Transport Layer Security protocol), which is why it may be considered the most feasible way forward.

How to Prepare Your Organization for Quantum-Safe Cryptography

Multiple standardization efforts for quantum-safe cryptography are already ongoing. For example, the National Institute of Standards and Technology (NIST) is leading a quantum-safe cryptography standardization program and recently announced the candidates for the second round, including submissions from IBM that are based on lattice-based cryptography.

In parallel with standardization efforts for quantum-safe cryptography, there are plenty of things that companies should start doing today to avoid losing their competitive advantage when future standards of cryptography become widespread. Below are four of the most important steps to get started.

  1. Manage your data:
    • Identify and classify your most valuable data by defining your crown jewels.
    • Understand the security time value of your data, or how long you will need to keep your data protected.
    • Define data owners and a life cycle for your data.
    • Understand how cryptography protects your most valuable data.
    • Know where all your valuable data is stored, how it flows within your organization, and how it is transmitted to locations outside of your organization.
  2. Manage your crypto:
    • Create an inventory of your existing cryptography. Understand which protocols and algorithms are currently used in your organization.
    • Identify hardware and software components related to cryptography.
    • Understand how your applications use cryptography and to what degree cryptography is currently hardcoded.
    • Understand how cryptography protects your most valuable data.
    • Know how legacy components depend on cryptography.
  3. Improve your crypto-agility:
    • “Abstract out” cryptography to the extent possible.
    • Update your development life cycle to rapidly account for new cryptography standards.
  4. Upskill crypto and quantum resources:
    • Offer employees educational resources about cryptography and quantum computing.
    • Make use of external services that can keep your organization up to date on the latest technology trends in cryptography and quantum computing.
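
A first pass at the inventory in step 2, combined with the security time value from step 1, might look like the sketch below. It is an added example, not from the original article: the inventory records are constructed, the function names are hypothetical, and it covers only TLS cipher-suite names, flagging the public-key families the article lists as breakable by Shor's algorithm.

```python
# Public-key families the article names as breakable by Shor's algorithm,
# written as they appear in IANA TLS cipher-suite names.
SHOR_BROKEN = {"RSA", "DH", "DHE", "ECDH", "ECDHE", "ECDSA"}

# Constructed sample inventory:
# (system, negotiated cipher suite, years the data must stay protected)
INVENTORY = [
    ("payments-api", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", 10),
    ("legacy-hr", "TLS_RSA_WITH_AES_128_CBC_SHA", 30),
    ("iot-gateway", "TLS_PSK_WITH_AES_128_GCM_SHA256", 5),
    ("web-frontend", "TLS_AES_256_GCM_SHA384", 1),
]


def public_key_parts(suite):
    """Return the key-exchange/authentication tokens of a TLS 1.2-style
    suite name, or None for TLS 1.3 names, which do not encode them."""
    if "_WITH_" not in suite:
        return None
    return suite.split("_WITH_")[0].split("_")[1:]  # drop the "TLS" prefix


def triage(inventory):
    """Classify each record and put quantum-vulnerable systems holding the
    longest-lived data first."""
    order = {"quantum-vulnerable": 0, "check-groups": 1, "no-public-key-in-suite": 2}
    findings = []
    for system, suite, years in inventory:
        parts = public_key_parts(suite)
        if parts is None:
            # TLS 1.3: key exchange is negotiated separately, so the
            # configured groups and certificates must be inspected instead.
            status, hits = "check-groups", []
        else:
            hits = [p for p in parts if p in SHOR_BROKEN]
            status = "quantum-vulnerable" if hits else "no-public-key-in-suite"
        findings.append({"system": system, "status": status,
                         "algorithms": hits, "years": years})
    return sorted(findings, key=lambda f: (order[f["status"]], -f["years"]))


if __name__ == "__main__":
    for finding in triage(INVENTORY):
        print(finding)
```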

Even though quantum computers are still in development, the above activities can help prepare your organization for the long-term impacts these systems may have on cryptography. We strongly advise you to start this journey now to prepare for when new quantum attacks emerge, advanced crypto-threats arise and new crypto technology becomes available.

Joachim Schäfer

Managing Security Consultant, IBM

Joachim is a security consultant within IBM's European Data and Application Security team with a focus on cryptography....