As quantum computing draws near, cryptography security concerns grow
Quantum computing has just made a great leap forward, but there are dark clouds on the horizon. The new leap forward has dizzying security implications for the whole tech ecosystem. In this article, Dan Timpson asks if we should start the doomsday clock.
We now have the first proof of quantum computing’s superiority. When comparing the processing power of quantum and classic circuits, researchers at the Technical University of Munich conclusively demonstrated that quantum computers can solve problems faster and more effectively. This milestone marks not just an auspicious beginning, but a very ominous one too.
IBM, Google, and Boeing are already making massive investments into quantum computing. In fact, according to Gartner, 20 percent of all companies will be investing in this area within the next five years.
This means great things for technology; there’s a reason they call it a quantum leap! But sooner or later, it’s going to be used by people with bad intentions with devastating effects.
Why worry about quantum computing?
Classical computing uses memory composed of bits, which are capable of generating 1s or 0s. A quantum computer uses qubits, which can be composed of 1s, 0s or multiple values at the same time. That capability allows us to solve multiple problems concurrently, freeing us from the binary constraints of classical computing. Quantum computing promises to change the face of computing as we currently know it.
Much of the worry about quantum computing comes from the simple fact that it can defeat much of modern encryption. In fact, the U.S. National Institute of Standards and Technology (NIST) believes that quantum computing will break the most of the near-ubiquitous encryption protocols like RSA and Elliptic Curve public key cryptography that underpin so much of the modern internet. 128-bit encryption, for example, is used by governments, enterprises and home users alike. It is estimated that it will quickly buckle under the force of quantum.
Of course, nation states are likely to be the first to attain and use this kind of technology to catastrophic consequences. US Congressman Will Hurd, Chair of the Information Technology Subcommittee of the Committee on Oversight and Government Reform, characterized the shockwave that quantum would send in international relations in Wired last year. He said, “In the same way that atomic weaponry symbolized power throughout the Cold War, quantum capability is likely to define hegemony in today’s increasingly digital, interconnected global economy.”
Quantum computing could be commercially available in as little as 10 years. When hackers do get a hold of this technology, there will be trouble. That said, security adoption cycles can be slow – take a look at Heartbleed, for example. Organizations must start preparing now to face the new landscape that quantum computing will bring about.
SEE MORE: Will quantum computing break blockchain?
Putting up the barricades
The implications are profound for everyone from governments to the enterprise to the home user. Many organizations are developing quantum-resistant algorithms and public key cryptography to combat this future threat. NIST is already working on a cryptography standard for the post-quantum world. Unfortunately, cryptographic transformation is often slow. The decade it took to adopt Elliptic Curve is just such an example.
However effective these countermeasures might be, enterprises shouldn’t wait around for them. The first step towards quantum-resistance will be to identify your own encryption systems and assess whether they can stand up to that threat. While quantum will be able to break 128-bit encryption keys, it will not be able to the do the same for longer versions. AES-256 or SHA-512 are good choices to replace your quantum vulnerable keys.
Hash-based signatures also go a long way to resisting quantum-based attacks, even if they can only sign a finite number of things. NIST is expected to standardize hash based signatures next year, so it makes sense to get ahead of the curve here anyway.
Most of all, customers should be leaning on their providers to prepare for the arrival of quantum and to include Public Key Infrastructure in their developments.
The industry is already hard at work developing quantum-resistant tools, the first of which are already available. Blackberry, for example, has recently publicly launched quantum-resistant security tools. Their offerings include a code signing server which will allow software to be made resistant to quantum attacks.
For Digicert’s part, we have teamed up with Gemalto and ISARA to tackle quantum within the PKI industry. Using ISARA’s algorithms, Gemalto’s hardware security, and our PKI, this partnership aims to offer Quantum resistant certificates to protect against the oncoming threat of quantum computing.
Start preparing now
Any and every technological development brings with it these kinds of concerns. IoT, for example, has a plethora of legitimate uses and in many cases will be able to save lives in greater numbers due to those developments. However, our early experiences of such technology have also led to its illicit abuse, including the construction of vast and destructive DDoS botnets. Technology is ultimately an amoral, neutrally-charged tool that depends upon the intentions of the user to be helpful or harmful. If one side of the law is interested, you can be sure that the other is too.
Quantum powered hackers are not here yet, but we can now see their outline on the horizon. There is still time to prepare before it docks. Still, we should be sure to prepare for that day because when it arrives, everything is going to change.