Preparing for a Post-Quantum World

We continue to follow progress as the U.S. government and industry prepare for a post-quantum world in which a powerful new breed of computers, capable of cracking current encryption algorithms in a matter of minutes, will be available for use. Some experts predict that quantum computing may be a reality within five years, which isn’t that far away. And even if quantum computing resources are not widely commercialized, they may still be accessible to large companies, research institutions, and government agencies.

When that happens, if new quantum-proof encryption algorithms have not been developed, tested, and implemented, information that is stored in network-accessible systems, or that traverses the public internet, will be as vulnerable as plaintext files.

If at First You Don’t Succeed…

Finding a new encryption standard that can stand up to a quantum computer is no easy task. The National Institute of Standards and Technology (NIST) has been running a contest of sorts—think of it as America’s Got Talent for cryptography—to find such an algorithm. Recently the field had been narrowed to four finalists, but, illustrating the difficulty of developing a post-quantum standard in a pre-quantum world, one group had its algorithm rejected when, according to Ars Technica, it was cracked in under an hour using a regular desktop computer.

As they say, “Back to the old drawing board.”

Despite the challenges NIST faces, other agencies are hard at work trying to raise awareness of the threats to information security associated with quantum computing. The Cybersecurity & Infrastructure Security Agency (CISA) just published a paper entitled Preparing Critical Infrastructure for Post-Quantum Cryptography. It opens with ominous context:

“Nation-states and private companies are actively pursuing the capabilities of quantum computers. Quantum computing opens up exciting new possibilities; however, the consequences of this new technology include threats to the current cryptographic standards. These standards ensure data confidentiality and integrity and support key elements of network security. While quantum computing technology capable of breaking public key encryption algorithms in the current standards does not yet exist, government and critical infrastructure entities—including both public and private organizations—must work together to prepare for a new post-quantum cryptographic standard to defend against future threats.”

Quantum Computing’s Ticking Time Bomb

The CISA paper is worthwhile: it describes the post-quantum threat in accessible terms, outlines a number of potential impacts of current encryption standards becoming obsolete, and recommends actions based on where we are now in the evolution toward the day when the threat becomes reality.

One interesting scenario the paper addresses is what is known as the “post-quantum time bomb”: the harvesting of encrypted files containing highly sensitive information with a long shelf life, such as state and military secrets, intellectual property (IP), and personally identifiable information (PII). Even though those files are unreadable now, once quantum computing becomes viable, the harvested files will be easily decrypted. Because this practice is already happening in anticipation of those capabilities, it puts a premium on keeping data security practices up to date to minimize the risk of data being captured today for compromise in the future.

Coviant Software recommends downloading the paper, if only as a primer on post-quantum and its implications. We will all be affected eventually. Knowing that, we have an obligation to be prepared.