Preparing for the Post-Quantum Era: How Quantum Computing Threatens Modern Cryptography


Quantum computing is no longer science fiction: small machines exist today, and practical ones may arrive sooner than many expect. That changes how we must protect data, because the public-key algorithms that secure most of today's traffic and stored secrets could be broken by a sufficiently large quantum computer.
However, with all the buzz in the industry, it can be hard to separate fact from fiction. What exactly is quantum computing? How will it affect your business? And most importantly, what should you be doing now to prepare for a potentially post quantum future?
In this post, we’ll cover the current state of quantum computing, explore the fundamentals of post-quantum cryptography, and discuss how to create a post-quantum cryptography readiness plan.
What is Quantum Computing?
Quantum computing uses quantum physics to process information in a different way than traditional computers.
Traditional computers use bits, each of which is either 0 or 1. A computation is a sequence of operations on those bits, and every operation takes time. For some problems the number of operations grows exponentially with the size of the input, so even a machine performing billions of operations per second never finishes in a useful amount of time.
Quantum computers use qubits instead. Through a phenomenon known as superposition, a register of qubits holds a weighted combination of all of its possible values at once, and a quantum algorithm manipulates that combination so that wrong answers cancel out (interference) and the right answer is read out with high probability. This is not simply "trying every answer in parallel"; only problems with the right mathematical structure benefit. For those problems, which include the number theory behind today's public-key cryptography, the speedup is large enough to turn infeasible computations into feasible ones.
Understanding the Quantum Threat to Cryptography
Quantum computing affects both kinds of traditional cryptography, asymmetric and symmetric, though to very different degrees.
Traditional asymmetric cryptography rests on one of three hard problems: integer factorization (RSA), the discrete logarithm problem in finite fields (Diffie-Hellman, DSA), and the elliptic curve discrete logarithm problem (ECDH, ECDSA, Ed25519). No efficient classical algorithm is known for any of them, which is what makes RSA and ECDH secure today.
Factoring an RSA modulus classically means searching for its two prime factors, and the best known classical algorithms take an impractically long time at today's key sizes. Shor's Algorithm does something different: it reduces factoring to finding the period of the function a^x mod N, and a quantum computer can find that period in polynomial time using the quantum Fourier transform. From the period, a few greatest-common-divisor computations reveal the factors, and from the factors the private key. The same period-finding step solves discrete logarithms, so Shor's Algorithm breaks Diffie-Hellman, ECDH, DSA and ECDSA as well, not just RSA.
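To make concrete which part of Shor's Algorithm is quantum and which is ordinary arithmetic, here is an added example (not code from the original post): the full classical reduction from factoring to order finding, with the quantum period-finding step stood in for by a brute-force loop. The toy RSA key (n = 3233, e = 17) and the message are constructed values; everything else is the standard reduction.

```python
"""Added example: the classical skeleton of Shor's algorithm.

Shor's algorithm does not "try every factor at once". It reduces factoring N
to ORDER FINDING: given a coprime to N, find the smallest r > 0 with
a^r = 1 (mod N). A quantum computer finds r in polynomial time with the
quantum Fourier transform; everything else below is ordinary arithmetic.
Here the quantum step is replaced by a brute-force loop, so this only works
for toy moduli. On a real 2048-bit N that loop is the exponential cost the
quantum computer removes.
"""
from __future__ import annotations

import random
from math import gcd


def find_order(a: int, n: int) -> int:
    """Brute-force the multiplicative order of a mod n (requires gcd(a, n) == 1).

    THIS is the step Shor's algorithm replaces with quantum period finding.
    Classically it can take up to ~n steps, i.e. exponential in the bit length.
    """
    r, x = 1, a % n
    while x != 1:
        x = (x * a) % n
        r += 1
    return r


def shor_factor(n: int, rng: random.Random | None = None) -> tuple[int, int]:
    """Return (p, q) with p * q == n and p <= q, via the order-finding reduction.

    Classical post-processing: for a random a with even order r and
    a^(r/2) != -1 (mod n), n divides (a^(r/2) - 1)(a^(r/2) + 1) but divides
    neither factor alone, so gcd(a^(r/2) - 1, n) is a nontrivial divisor.
    Unlucky choices of a (probability at most 1/2 for a semiprime) are retried.
    """
    rng = rng or random.Random(1)  # seeded so the demo is reproducible
    if n % 2 == 0:
        return 2, n // 2
    while True:
        a = rng.randrange(2, n - 1)
        g = gcd(a, n)
        if g != 1:
            return min(g, n // g), max(g, n // g)  # lucky guess, no quantum step needed
        r = find_order(a, n)                       # <-- the quantum computer does this part
        if r % 2:
            continue                               # odd order: try another a
        y = pow(a, r // 2, n)
        if y == n - 1:
            continue                               # y == -1 mod n gives no information
        p = gcd(y - 1, n)
        return min(p, n // p), max(p, n // p)


def recover_rsa_private_key(n: int, e: int) -> int:
    """Given an RSA public key (n, e), factor n and derive the private exponent d.

    This is why Shor's algorithm ends RSA: p and q give phi(n) = (p-1)(q-1),
    and d is simply the inverse of e modulo phi(n).
    """
    p, q = shor_factor(n)
    phi = (p - 1) * (q - 1)
    return pow(e, -1, phi)


if __name__ == "__main__":
    # Constructed textbook toy key: n = 61 * 53, e = 17 (so d = 2753).
    n, e, m = 3233, 17, 65
    d = recover_rsa_private_key(n, e)
    c = pow(m, e, n)
    print(f"factors of {n}: {shor_factor(n)}, recovered d = {d}")
    print(f"decrypt({c}) = {pow(c, d, n)}, original message was {m}")
```

Swap `find_order` for a real quantum period-finding routine and nothing else in the file changes; that is the whole attack. Note also that `find_order` works for any modulus size, it just never finishes at 2048 bits, which is exactly the gap Shor's Algorithm closes.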
While the greatest impact is on asymmetric cryptography, symmetric cryptography is also affected. Grover's Algorithm lets a quantum computer search an unstructured space of 2^n keys in roughly 2^(n/2) steps, so an n-bit symmetric key offers only about n/2 bits of security against it; AES-128 drops to roughly 64 bits. The mitigation is simple: double the key length and use AES-256, which retains 128 bits of security even against Grover. In practice Grover's speedup is hard to parallelize and the real-world gain is smaller than the square root suggests, but AES-256 is the conservative choice.
All of these attacks are currently just theoretical. When will practical quantum computers be here?
Quantum Computing: Current State and Timelines
Fortunately, even the most advanced quantum computers available today are not yet capable of breaking any existing cryptographic schemes. However, the field is rapidly advancing.
Qubits are extremely sensitive to their environment and lose their quantum state (decohere) within microseconds to milliseconds, so any useful computation must be protected by quantum error correction. That correction is expensive: each error-corrected "logical" qubit is assembled from many noisy physical qubits, and at current error rates the ratio runs to thousands of physical qubits per logical qubit. The larger the machine and the longer the computation, the worse this gets, which is why estimates call for millions of physical qubits to support just a few thousand logical ones.
However, both Google (with its Willow chip) and Microsoft (with Majorana 1) have announced new quantum chip architectures in the past year that are designed to improve error correction. If these approaches deliver, the number of physical qubits needed to break today's encryption could fall substantially, and with it the timeline.
A widely cited 2019 estimate by Gidney and Ekerå puts breaking RSA-2048 at around 20 million noisy physical qubits running for about eight hours, corresponding to roughly 4,000 logical qubits. The largest gate-based quantum processor today is IBM's Condor, with 1,121 physical qubits and no error-corrected logical qubits at all. IBM's roadmap, however, targets a machine with 200 logical qubits by 2029.
Estimates for when a cryptographically relevant quantum computer will exist vary widely, but many fall within the next 10 to 15 years. So why worry today? Two reasons:
- Harvest Now, Decrypt Later
Well funded threat actors are already recording encrypted traffic, anticipating that quantum advancements will make decryption possible. This means that highly sensitive workloads are already at risk; any encrypted data intercepted today could be exposed once quantum computers improve.
- Cryptography is hard to replace
Transitioning legacy software to new cryptographic standards can be complex and time-consuming. Beginning the migration today ensures you aren’t caught off guard when quantum attacks become possible.
What comes next after quantum computers are here?
Post-Quantum Cryptography: Still a Work in Progress
Cryptographers have been developing algorithms designed to resist attack by quantum computers. They rest on problems for which no efficient quantum algorithm is known, most notably structured lattice problems and the preimage resistance of hash functions.
In August 2024 NIST finalized the first three post-quantum cryptography (PQC) standards after an eight-year public competition: ML-KEM (FIPS 203, key encapsulation, derived from CRYSTALS-Kyber), ML-DSA (FIPS 204, lattice-based signatures, derived from CRYSTALS-Dilithium), and SLH-DSA (FIPS 205, stateless hash-based signatures, derived from SPHINCS+).
Despite this standardization, post-quantum cryptography still has open issues:
- Performance and Resource Costs
Post-quantum keys, ciphertexts and signatures are much larger than their classical counterparts. An ML-KEM-768 public key is 1,184 bytes and its ciphertext 1,088 bytes, versus 32 bytes each for X25519; an ML-DSA-65 signature is 3,309 bytes, versus 64 bytes for Ed25519. The arithmetic itself is fast on modern CPUs, but the extra bytes in every handshake, certificate chain and signed artifact cost bandwidth, storage and, on constrained devices, memory.
- Lack of Maturity
New cryptographic schemes should always be treated with caution. Unlike today's algorithms, which have been hardened by decades of use and analysis, the new schemes have had only a few years of scrutiny, and two candidates in NIST's own competition (SIKE and Rainbow) were broken outright during the process, in SIKE's case by a classical attack that ran on a laptop. This is why early deployments pair a post-quantum algorithm with a classical one in hybrid mode, so that a flaw in either leaves the other intact.
- Compatibility
Many legacy systems and protocols cannot carry post-quantum keys and signatures, whether because of fixed-size buffers and record formats, hard-coded algorithm identifiers, or libraries that will never be updated. Adding support may require significant changes and will create interoperability problems with peers that have not yet migrated.
Given these drawbacks, ripping out every algorithm today is premature. There are, however, steps you can begin taking now to get ready for the post-quantum world.
Recommendations
Ten years may seem far away, but it will arrive sooner than you expect. To prepare for the future, here are a few things you can do today:
Inventory Cryptographic Usages
- Catalog every use of cryptography in your software: algorithms, key sizes, protocols, certificates, and the libraries that implement them, including in third-party dependencies. You cannot plan a migration without knowing what you are migrating, and the quantum-vulnerable asymmetric uses are the ones to find first.
Create a CBOM
- A Cryptographic Bill of Materials (CBOM) extends the Software Bill of Materials (SBOM) idea to cryptographic assets and gives your inventory a machine-readable form that tooling can query as standards change. A published CBOM can also reassure customers and auditors that you know where your cryptographic exposure is.
Create a Cryptography Resiliency Plan
- Prepare a plan for switching cryptographic implementations in your code. This may involve widening database columns and protocol fields to hold larger keys and signatures, provisioning extra bandwidth and server resources, and sequencing the rollout so that old and new peers interoperate with zero downtime. Having a plan in place will ease the transition when the time comes.
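The inventory and CBOM steps above can be started with a small script. The following is an added example (not code from the original post or from any CBOM tool): a regex-based scan over source text that records every recognized cryptographic API use, classifies it by quantum risk, and emits the result as a CycloneDX-style CBOM. The sample source files are constructed, the `pqc:` properties are this example's own convention, and the `cryptographic-asset` field names follow the CycloneDX 1.6 schema as the author of this example understands it, so validate real output against the published JSON schema.

```python
"""Added example: build a minimal cryptographic inventory and emit it as a
CycloneDX-style CBOM.

The scanner is a regex heuristic over source text. A real inventory also
needs TLS configuration, certificates, HSM policies and dependency manifests,
and key sizes that only exist at runtime (e.g. an AES key read from a vault)
still need manual review. The sample files are constructed.
"""
from __future__ import annotations

import json
import re
from dataclasses import dataclass

# (regex, algorithm, CycloneDX primitive, quantum risk, migration target).
# risk: "break"  = Shor's algorithm breaks it outright
#       "weaken" = Grover's algorithm halves the effective key length
#       "ok"     = no quantum advantage beyond Grover's square root; margin is fine
SIGNATURES = [
    (r"(?<![A-Za-z])RSA(?![A-Za-z])",             "RSA",         "pke",          "break",  "ML-KEM / ML-DSA"),
    (r"(?<![A-Za-z])(ECDHE?|X25519)(?![A-Za-z])", "ECDH",        "key-agree",    "break",  "ML-KEM (hybrid with X25519)"),
    (r"(?<![A-Za-z])(ECDSA|Ed25519)(?![A-Za-z])", "ECDSA/EdDSA", "signature",    "break",  "ML-DSA or SLH-DSA"),
    (r"(?<![A-Za-z])AES[-_ ]?128",                "AES-128",     "block-cipher", "weaken", "AES-256"),
    (r"(?<![A-Za-z])AES[-_ ]?256",                "AES-256",     "block-cipher", "ok",     "keep"),
    (r"(?<![A-Za-z])SHA[-_ ]?256",                "SHA-256",     "hash",         "ok",     "keep"),
]

# Constructed sample repository: {path: source text}.
SAMPLE_FILES = {
    "auth/tokens.py": (
        "from cryptography.hazmat.primitives.asymmetric import rsa\n"
        "key = rsa.generate_private_key(public_exponent=65537, key_size=2048)\n"
    ),
    "net/tls.go": (
        "// cipher: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256\n"
        "curve := ecdh.X25519()\n"
    ),
    "storage/vault.py": (
        "cipher = AES.new(key, AES.MODE_GCM)  # 32-byte key: AES-256-GCM\n"
        "digest = hashlib.sha256(blob).digest()\n"
    ),
}


@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    algorithm: str
    primitive: str
    risk: str
    migrate_to: str


def scan_source(files: dict[str, str]) -> list[Finding]:
    """One Finding per (line, signature) match across all files."""
    findings: list[Finding] = []
    for path, text in files.items():
        for line_no, line in enumerate(text.splitlines(), start=1):
            for pattern, algo, prim, risk, target in SIGNATURES:
                if re.search(pattern, line, re.IGNORECASE):
                    findings.append(Finding(path, line_no, algo, prim, risk, target))
    return findings


def build_cbom(findings: list[Finding]) -> dict:
    """Aggregate findings into a CycloneDX 1.6-style CBOM: one
    cryptographic-asset component per algorithm, with its source occurrences."""
    by_algo: dict[str, list[Finding]] = {}
    for f in findings:
        by_algo.setdefault(f.algorithm, []).append(f)
    components = []
    for algo, occ in sorted(by_algo.items()):
        first = occ[0]
        components.append({
            "type": "cryptographic-asset",
            "name": algo,
            "cryptoProperties": {
                "assetType": "algorithm",
                "algorithmProperties": {"primitive": first.primitive},
            },
            "evidence": {"occurrences": [{"location": o.path, "line": o.line} for o in occ]},
            # Migration metadata is not part of the schema; carried as free-form properties.
            "properties": [
                {"name": "pqc:quantum-risk", "value": first.risk},
                {"name": "pqc:migrate-to", "value": first.migrate_to},
            ],
        })
    return {"bomFormat": "CycloneDX", "specVersion": "1.6", "version": 1, "components": components}


def quantum_vulnerable(cbom: dict) -> list[str]:
    """Assets Shor's algorithm breaks outright: the front of the migration backlog."""
    return [c["name"] for c in cbom["components"]
            if any(p["name"] == "pqc:quantum-risk" and p["value"] == "break"
                   for p in c["properties"])]


if __name__ == "__main__":
    cbom = build_cbom(scan_source(SAMPLE_FILES))
    print(json.dumps(cbom, indent=2))
    print("must migrate:", quantum_vulnerable(cbom))
```

Running the script prints the CBOM and the list `['ECDH', 'ECDSA/EdDSA', 'RSA']`, with each asset pointing at the file and line where it was found. The `evidence.occurrences` list is what turns the document into a work plan for the resiliency step: every RSA occurrence is a key or signature field that will have to grow.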
Keep up with Industry Standards
- Quantum computing news can be sensationalized, so it might be hard to separate actual breakthroughs from hype. It’s better to focus on developments in post-quantum cryptography, especially updates from NIST, as this is the most reputable source on current industry standards.
Contact an Expert
- Cryptography can be hard, requiring complex review and knowledge of rapidly changing standards. Engaging reputable partners to assess and improve your software’s cryptography and security posture is highly recommended.
Preparing Today for Tomorrow’s Risks
Quantum computing may still be some years away, but its effects are already shaping today’s security landscape. Taking proactive steps to prepare, such as mapping your current cryptographic footprint, planning for future transitions, and engaging expert guidance, can position your organization securely for the future.
Reach out to Cloud Security Partners today for help reviewing your organization’s security posture and setting you up for a more secure future.