Security 411: Impacts of Quantum Cryptography

Here’s what you need to know about quantum computing and what you can do to protect your business

Matt Warner
Slalom Technology
8 min read · Sep 23, 2022


Encryption is a foundational piece of computing. Quantum computing promises to break today’s encryption, but quantum-resistant key algorithms are largely unproven and non-standard.

So how serious is the risk? And how do we protect our businesses and data?

Cryptography basics

Cryptography is described as “the study or process of using algorithms to scramble or hide data, validate messages and digital signatures, etc., in order to secure digital information against unauthorized access or corruption.” It relies on complex mathematics that most people don’t understand, applied in a way that even advanced mathematicians have difficulty understanding or explaining. (If you don’t believe me, ask a mathematician to rigorously prove an algorithm is secure.)

An oversimplification of this field describes cryptography as hiding a needle in a haystack — a very tiny needle in an unimaginably large haystack. With current technology, the estimate is that it would take thousands of computers billions of years to find that needle.

Cryptography creates a very big haystack.

We trust cryptographic methods enough to regularly encrypt confidential information—such as the passwords to your bank and your password vaults—and send it over the internet billions of times a day. When your passwords could be revealed all at once (i.e., breaching your password vault), multi-factor authentication suddenly seems important, doesn’t it?

Still, cryptography isn’t perfect. Over the years, we’ve found flaws (implementational and algorithmic) in cryptographic schemes. When a flaw is identified, really smart people figure out how to fix it, we patch our systems, and the world moves on. Sometimes the solution is to increase the size of the figurative haystack (making it even harder to find that needle) and other times we introduce new ways to hide the needle (algorithms).

Despite these flaws, cryptography has held up pretty well. The most long-lived is RSA, named after the original inventors’ last names — Rivest, Shamir, and Adleman — who published their famous public-key cryptosystem in 1977. RSA is one of the algorithms in the crosshairs of decryption via quantum computing.

At least that was the case until someone discovered a practical application for the behavior of subatomic particles in cryptography. For most of us, that sentence invokes some form of, “What??”

Yes, it’s true. The counterintuitive behavior of subatomic particles — the existence of which we know about because someone thought it would be useful to smash atoms — wrecked our confidence in traditional cryptography, meaning all that is secure can be read by bad actors, or could be.

Going deeper: The power of primes

Part of what makes an encryption algorithm effective is that it’s relatively cheap to use (in terms of processing power) when you have the correct key, but prohibitively expensive otherwise.

The RSA algorithm essentially relies on the product of two very large prime numbers. While it’s relatively easy to multiply large numbers, starting with a huge number that’s the product of two large primes and trying to find the original factors is essentially impossible with today’s computers.

Estimates suggest it would take a classical computer approximately 300 trillion years to break RSA-2048 encryption, and the world is now using RSA-4096.

The reality of quantum cryptography

RSA key-breaking with quantum computers doesn’t work today. One source summarized, “[It] is clear that the current level of technology is still nowhere near RSA-breaking point.” The behavior of subatomic particles means they’re modeled as moving waves with statistics sprinkled in (probabilistic functions). So while the application of math in traditional cryptography is complex, quantum computing (QC) takes that to a whole new level.

Particles acting like waves and being in more than one place at a time—along with entanglement — open the door for even more mathematical complexity. The sheer impenetrability of the physics and math combines with the pre-infancy reality of quantum computers to create a lot of fear, uncertainty, and doubt.

There are even those who wonder if QC could end up being a lot of smoke but no fire.

Going deeper: Quantum entanglement

One real-world example of entanglement was the transmission of quantum-encrypted information in 2017. Chinese and Austrian scientists sent entangled quantum particles from a satellite to two ground stations over 1200 kilometers apart in the Tibetan mountains. While this feat was achieved on a particle level, it opened the door for further expansion in both distance and information volume.

The main reason QC concerns governments is that if (or when) it becomes a reality, bad actors will find the needle in the enormous haystack in a fraction of the time. It will be like bringing in a powerful magnet to pull the needle from the hay (and the imaginary needle is ferromagnetic).

The magic ingredient is a “qubit,” or quantum bit. Unlike a traditional computer “bit,” a qubit is not limited to being either zero or one. That opens the door for orders-of-magnitude reductions in computational time, and what was once an impossible math problem might take only days or even hours to solve with quantum computing. In theory, an implementation of Shor’s Algorithm — an algorithm that relies on quantum mechanics — could break the encryption standards in which we’ve placed trust globally.

So, what is the reality of quantum computers in 2022?

  • They have high error rates, especially when using more than one qubit at a time. According to IEEE, “Current state-of-the-art quantum platforms typically have error rates near 10^-3 (or one in a thousand), but many practical applications call for error rates as low as 10^-15.”
  • They offer very few useful qubits for performing calculations and a portion of those have to be dedicated to error-correction algorithms.
  • Some algorithms may produce unreliable and incorrect answers (like Grover’s search), meaning even simple jobs may have to be run repeatedly before they converge on a result (there’s a reliance on probability).
  • Quantum decoherence means quantum computers can’t operate for more than seconds at a time, though some argue tens of seconds is an eternity in the quantum world and more than enough to be useful.
  • The National Institute of Standards and Technology (NIST) is working on quantum-resistant cryptographic standards (post-quantum cryptography or PQC) and recently announced four quantum-resistant cryptographic algorithms, noting:

“…selected encryption algorithms will become part of NIST’s post-quantum cryptographic standard, expected to be finalized in about two years.”

Don’t misunderstand — despite these challenges, really smart people are working at companies spending millions of dollars on QC and there’s a good chance QC is the future. The real unknown is time. Nobody knows when we’ll get there, which means we have time to take well-considered, preventive steps.

What is the real risk?

Today, there are entities — governments, corporations, and others — collecting the encrypted data we share so freely, patiently waiting for the day when they can decrypt it.

Are you convinced that information from 20 years ago is of no value? If so, you might be right — at least about your own transactions. Or, maybe you’re ready for all your private doings to be made public. But can you say that of all people and all data from all sources?

We live in a world where information and knowledge are power. Because of this, many entities strongly believe that confidential data should remain that way.

What would happen if someone produced a functional quantum computer without telling anyone and started decrypting data? How would that affect individuals, business, and governments? It’s this kind of “what if” scenario that leads individuals and organizations to invest large sums of money in QC.

As with most new advances, technology itself is not inherently dangerous. Bad actors make it so, meaning that quantum computing poses a threat only in cases where an adversary has access to data. QC does not, for example, make it easier to guess passwords to a site unless the attacker has the password hash or intercepted network traffic that contains that password.

In other words, quantum computing can’t decrypt data it can’t access.

What can I do about it?

As the old saying goes, an ounce of prevention is worth a pound of cure. We have collectively trusted traditional security for so long that many organizations have difficulty identifying all the places they use cryptography. Add in that NIST’s post-quantum cryptography standard isn’t yet ready and it can feel like we’re being asked to “hurry up and wait.”

“While the standard is in development, NIST encourages security experts to explore the new algorithms and consider how their applications will use them, but not to bake them into their systems yet, as the algorithms could change slightly before the standard is finalized.”

So, what can you do today to keep your organization’s data secure?

  1. Update your keys and protocols to use the latest industry standards (e.g., FIPS, RSA 4096, etc.). Do not replace your existing cryptographic keys with those from unproven algorithms. Separate from the four leading quantum-resistant candidates, NIST has a list of “alternative” algorithms, one of which was cracked in August 2022 by a traditional computer. In an hour. With a single CPU.
  2. Start identifying all the places you use cryptography for data at rest and in flight (transmission).
  3. Know which algorithms you’re using and which ones are most vulnerable to quantum computing (e.g., RSA, Elliptic Curve Cryptography or ECC, and Diffie-Hellman).
  4. Use industry best practices and methodologies like Zero Trust Architecture to restrict access to data and systems. Bad actors have to get to your data before a quantum computer can hurt you. Quantum computers are primarily a threat to intercepted data.
  5. Use key rotation. Even if someone is capturing your data for future decryption, changing keys means they have to work harder to access data captured over longer periods of time. Quantum computers make it possible to decrypt what was previously impossible, but decryption still has a cost and takes time.
  6. Understand key enveloping. Some key rotation mechanisms only encrypt the enveloping key, but the key used to actually encrypt the data (the data encryption key or DEK) remains the same. There are legitimate reasons to do this, but understand them and the tradeoffs before settling on a key rotation method (read a discussion on this topic).
  7. Devise a break-glass plan. What would you do if tomorrow someone announced they had a practical, operational quantum computer and had broken RSA? Consider:
       • How long it would take to change existing keys for ones using newer algorithms (once available).
       • What would break if you changed protocols (e.g., your clients).
       • How you’ll prevent protocol downgrade attacks (where you’re supporting vulnerable protocols as a fallback for older clients).
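
The difference between the two rotation styles in items 5 and 6, as an added example that is not part of the original article. It models an adversary who captured an envelope before rotation and later recovers the old key-encryption key (KEK). The HMAC-based stream cipher is a standard-library stand-in for a real cipher such as AES, and all names (Envelope, rotate_kek_only, rotate_dek, stale_dek_opens) are hypothetical.

```python
import hashlib, hmac, secrets
from dataclasses import dataclass

@dataclass
class Envelope:
    wrapped_dek: bytes  # DEK encrypted under the key-encryption key (KEK)
    ciphertext: bytes   # data encrypted under the DEK

def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Toy HMAC-SHA256 counter-mode keystream: a stdlib stand-in for AES, demo only.
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hmac.new(key, nonce + (i // 32).to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(b ^ p for b, p in zip(data[i:i + 32], pad))
    return bytes(out)

def seal(key: bytes, plaintext: bytes) -> bytes:
    nonce = secrets.token_bytes(16)
    return nonce + _xor_stream(key, nonce, plaintext)

def unseal(key: bytes, blob: bytes) -> bytes:
    return _xor_stream(key, blob[:16], blob[16:])

def encrypt_record(kek: bytes, plaintext: bytes) -> Envelope:
    dek = secrets.token_bytes(32)
    return Envelope(seal(kek, dek), seal(dek, plaintext))

def decrypt_record(kek: bytes, env: Envelope) -> bytes:
    return unseal(unseal(kek, env.wrapped_dek), env.ciphertext)

def rotate_kek_only(env: Envelope, old_kek: bytes, new_kek: bytes) -> Envelope:
    # Re-wrap the same DEK under the new KEK; the data ciphertext is not touched.
    return Envelope(seal(new_kek, unseal(old_kek, env.wrapped_dek)), env.ciphertext)

def rotate_dek(env: Envelope, old_kek: bytes, new_kek: bytes) -> Envelope:
    # Full rotation: decrypt, then re-encrypt the data under a fresh DEK and the new KEK.
    return encrypt_record(new_kek, decrypt_record(old_kek, env))

def stale_dek_opens(captured: Envelope, old_kek: bytes, current: Envelope) -> bool:
    # Would the DEK inside an old capture (old KEK since broken) decrypt today's stored data?
    stale_dek = unseal(old_kek, captured.wrapped_dek)
    return unseal(stale_dek, current.ciphertext) == unseal(stale_dek, captured.ciphertext)

def demo() -> tuple:
    old_kek, new_kek = secrets.token_bytes(32), secrets.token_bytes(32)
    captured = encrypt_record(old_kek, b"constructed sample record: payroll batch 0001")
    kek_only = rotate_kek_only(captured, old_kek, new_kek)
    full = rotate_dek(captured, old_kek, new_kek)
    return stale_dek_opens(captured, old_kek, kek_only), stale_dek_opens(captured, old_kek, full)
```

`demo()` returns `(True, False)`: after a KEK-only rotation the DEK recovered from an old capture still decrypts the data as stored today, while re-encrypting under a fresh DEK confines the exposure to what was captured before the rotation.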

Conclusion

Is QC a security threat? Many experts think so. In a risk matrix, QC is listed as “critical” or “catastrophic” in severity, but “unlikely” or “rare” in probability, making it a “medium” risk rating (depending on the matrix).

Adapted from Wikipedia

I recommend performing a no-holds-barred risk assessment in your environment and addressing the potential threat. Take prudent steps like the suggestions above to reduce your risk. Quantum computing is still developing, so stay informed and adjust your plan as necessary.

Slalom is a global consulting firm that helps people and organizations dream bigger, move faster, and build better tomorrows for all. Learn more and reach out today.
