How Post-Quantum Cryptography Can Ensure Resilience

For several years, quantum computing has been a question of when, not if – but it’s accelerating fast, and organizations must start preparing now for its impact.

Quantum computing brings new security implications: because its compute power is significantly higher than that of conventional computers, it could break the encryption that lies at the heart of digital security.

The National Security Agency (NSA) released an updated Commercial National Security Algorithm (CNSA) paper with recommendations and guidance on implementing post-quantum cryptography (PQC). The NSA is recommending that all organizations become post-quantum secure by 2030.

It’s an aggressive timeline that underscores the severity of the problem. And it highlights the reality that current encryption methodologies won’t suffice.

Quantum computing has changed the game

While quantum computers aren’t being developed with the goal of cracking existing cryptography, their potential computing power mustn’t be underestimated. And as with any emerging technology, there will likely be bad actors who use this tech for malicious purposes.

Quantum computing represents a major threat to data security, as it can make attacks against cryptography much more efficient. There are two ways bad actors could use this technology. One is the “Store now, decrypt later” method, in which cybercriminals steal sensitive data and wait until quantum computers have the ability to break its encryption. This is particularly important for you to know if your organization retains data with a long confidentiality span.

The other method is to break the data’s digital signatures. A bad actor could “compute” credentials based on publicly available information, then impersonate someone with the authority to sign documents or approve requests. As with the method above, criminals can do this retroactively if older signatures are not updated.

Today’s encryption methods cannot stand against the capabilities of tomorrow’s quantum computers. When large-scale quantum computers are built, they will have the computing ability to decrypt many of the current public key cryptography systems. As mentioned earlier, this would have far-reaching consequences for the integrity and privacy of digital communications.

Current algorithms (like RSA or ECC) are designed to require thousands of years to break using classical computing; quantum computers could do this work in a matter of hours. This significant difference is the core threat that quantum computing represents and the reason that the cybersecurity industry must address it.

Leveling up your cryptography for the quantum decryption age

According to NIST guidance, RSA-2048 – a widely used encryption system – is only considered secure until 2030. While quantum computing is still a few years away, the time to start planning is now. There are always people who doubt the timeline of quantum computer readiness, but the point isn’t whether or not quantum computers will exist with 100% certainty in 2030 to break today’s crypto.

Imagine you will have a Y2K scenario with potentially devastating effects to the whole of society in terms of finances, safety, revealed secrets and more. You don’t know when this “Q-Day” will be, but you do know that the likelihood of this day being in 2030 is NOT zero. What would you do? Almost everyone will agree that you have to start preparing now to avoid such catastrophic outcomes, whether anything will happen in 2030 or whether it happens later.

NIST notes that the goal of post-quantum cryptography is to develop cryptographic systems that are secure against both quantum and classical computers. Planning your post-quantum cryptography migration now is essential to ensure the long-term security of your data and applications. Quantum computers may be rolled out earlier than the current expectation of 2030, and cryptography discovery and migration will take time. In addition, legacy code and libraries will be around for a long time. Doing everything possible now is the key to ensuring data security.

Understanding PQC in practice: Two use cases

It’s useful to examine real-world use cases to drive home both the serious nature of the threat and the efficacy of the solution. The first example is using quantum-proof digital signatures and encryption for long-term secure satellite communication.

The CCSDS Space Data Link Security Protocol requires cryptographic algorithms for authentication, encryption and authenticated encryption. The algorithms and methods used were XMSS, including state handling (signatures), CRYSTALS-Kyber (the key encapsulation mechanism) and key injection for long-term secure firmware updates.

The second example is securing firmware updates for chips using post-quantum cryptography. The organization used the CRYSTALS-Dilithium (signatures) and CRYSTALS-Kyber (encryption) algorithms and the following methods:

  • Generation of the CRYSTALS-Dilithium key pair in the hardware security module (HSM)
  • Cryptographic key injection (public Dilithium key) during chip manufacturing
  • Signature verification in the field
  • Confidentiality achieved by encrypting with CRYSTALS-Kyber

This protocol solved the challenges of memory space on the chips and protection against side-channel attacks.
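To make the state-handling point from both use cases concrete, here is an added example (not code from the article or from Utimaco) of a miniature stateful hash-based signature scheme: Lamport one-time signatures under a 4-leaf Merkle tree, a simplified stand-in for XMSS rather than a real XMSS or Dilithium implementation. The signer plays the HSM role and must advance its index before releasing each signature; the device holds only the root, mirroring the key-injection step, and verifies firmware images in the field.

```python
import hashlib
import os

def H(*parts):
    return hashlib.sha256(b"".join(parts)).digest()

def lamport_keygen():
    # One-time key: two random secrets per message bit; public key is their hashes.
    sk = [(os.urandom(32), os.urandom(32)) for _ in range(256)]
    return sk, [(H(a), H(b)) for a, b in sk]
def leaf_hash(pk):
    return H(*[x for pair in pk for x in pair])
class StatefulSigner:
    """Signer side (the HSM role): holds the one-time keys and the persisted index."""
    def __init__(self, height=2):                # 2**height one-time keys
        self.keys = [lamport_keygen() for _ in range(2 ** height)]
        self.next_index = 0                      # the state that must be persisted
        self.tree = [[leaf_hash(pk) for _, pk in self.keys]]
        while len(self.tree[-1]) > 1:
            lvl = self.tree[-1]
            self.tree.append([H(lvl[i], lvl[i + 1]) for i in range(0, len(lvl), 2)])
        self.root = self.tree[-1][0]             # the public key injected into the chip

    def sign(self, message):
        if self.next_index >= len(self.keys):
            raise RuntimeError("all one-time keys used; a leaf must never be reused")
        # Advance (and in a real HSM, persist) the state before releasing the signature.
        idx, self.next_index = self.next_index, self.next_index + 1
        sk, pk = self.keys[idx]
        bits = int.from_bytes(H(message), "big")
        sig = [sk[i][(bits >> (255 - i)) & 1] for i in range(256)]
        auth, node = [], idx                     # sibling hashes up to the root
        for lvl in self.tree[:-1]:
            auth.append(lvl[node ^ 1])
            node //= 2
        return idx, sig, pk, auth

def verify(root, message, signature):
    """Device side: only the trusted root is stored; checks the OTS, then the Merkle path."""
    idx, sig, pk, auth = signature
    bits = int.from_bytes(H(message), "big")
    for i in range(256):
        if H(sig[i]) != pk[i][(bits >> (255 - i)) & 1]:
            return False
    node = leaf_hash(pk)
    for sibling in auth:
        node = H(node, sibling) if idx % 2 == 0 else H(sibling, node)
        idx //= 2
    return node == root
```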

Preparation is power

The cybersecurity sector has permanent job security because as long as there is new technology, there will be bad actors exploiting it for their evil purposes. Quantum computing is just the next technology that security professionals need to stay on top of. 2030 may seem like a faraway date, but some feel that it’s hardly enough time to make the transition to PQC. It’s important to begin that transition process now so that you can meet Q-Day with confidence, whenever it arrives.

About the Author

Nils Gerhardt is CTO at Utimaco. UTIMACO is a global platform provider of trusted Cybersecurity and Compliance solutions and services with headquarters in Aachen (Germany) and Campbell, CA (USA). UTIMACO develops on-premises and cloud-based hardware security modules, solutions for key management, data protection and identity management as well as data intelligence solutions for regulated critical infrastructures and Public Warning Systems. UTIMACO is one of the world’s leading manufacturers in its key market segments.
