In the last few years our IT security has increasingly come under scrutiny or attack from malicious individuals or groups from all over the world. However this may not be our biggest threat, with the rise of quantum computing our entire encryption methods may be at risk.
So how does it work? What can you do to protect yourself, and your organisation? And when do you need to start implementing this?
What is quantum computing?
Many may have heard the term but don’t have the strongest grasp on how these computers differ and what they can accomplish.
To begin with, the average computer (be it your pc, phone, watch, TV etc) will use a combination of 1’s and 0’s to emulate decisions and run its various programs. Think of all code as a giant mess of 1’s and 0’s that tell the device to go one of two ways based on if it is a 1 or a 0. This is why with standard mathematical computations, computers can smash out most problems very quickly as it follows the path of the 1 or 0, and each math problem has a right or wrong answer.
However, things start to get tricky when we involve probabilities and other scenarios where the answer may not be exactly one of two things (right or wrong), but rather a combination of lots of various scenarios that may impact each other (probabilities). Because the standard computer can only go down the set paths, it needs to calculate each individual probability, then compare it to each other one it has determined, and see how they impact and resolve each other resulting in a single answer.
This is how quantum computing differs, rather than the set paths, it can use something known as qubits. Rather than being a 1 or a 0, a qubit can be both! With probabilities set for each qubit as to if it would be a 1 or a 0 (e.g. 20% it’s a 1 and 80% it’s a 0) and it can store all the values it can possibly be within the qubit, rather than the single one answer normal bits would provide.
This means a value can be passed through a heavy probability calculation and, rather than it taking what would be thousands of years of calculations, it can store all the possible values within the qubit resulting in a calculation that could now take minutes.
How does this affect security?
Currently, nearly all security relies on cryptography which uses these immense calculations to encrypt our data that would take thousands of years to break, unless you have the key that provides the answer and can decrypt the message.
In essence, it allows us to gain a trustworthy response when using an untrustworthy network, i.e the internet. However, as mentioned above, if we were to use the powers of quantum computing it could break these cryptographic locks.
The actual individual areas of greatest concern are listed here:
- RSA, DSA, ECC, DH – the actual vulnerable algorithms
- TLS, SSH, S/MIME, PGP, IPSEC – protocols that depend on these vulnerable algorithms
- VPNs, Kerberos – protocols that may depend on these vulnerable algorithms
- Browsers, encrypted messaging, disk encryption, authentication schemes – applications that may use these protocols and vulnerable algorithms
So what would be the impact? It has been compared to breaking the enigma code in WW2 or the threat level of Y2K actually holding true. The other concerning point being that this is plausibly only a few years away from being implemented, not decades.
How long until it’s a threat?
Michael Mosca calculated in 2015 that the probability of 2048-bit encryption would be vulnerable with a 1 in 6 chance by 2027, giving us possibly a total of only 5 years. With a roughly 50% chance, it will be broken by 2031. Overall the time permitted is not enough to leave it much longer depending on the amount of data you keep and how long it needs to be secure.
The way this is calculated comes down to the number of qubits available in the current generation of quantum computing and how many would be required to break something like 2048 bit encryption.
Currently the record stands at around 433 qubits, while breaking 2048 bit encryption would require roughly close to a computer running 20 million qubits. However it should be noted that 3 years ago the standard quantum computer record for most qubits was 70, showing a roughly 2x increase per year.
Luckily you can determine when these need to be a concern for your business using this general calculation:
Y = time to deploy once standards have been agreed on
X = security shelf life (e.g. credit card may be 3 years till expiry, while medical data may be much longer)
Z = time to compromise
Y + X > Z
The solution? Post-Quantum Ciphers
With only maybe a few years’ notice, we need to protect our entire cryptographic system that the current world is built on or lose the ability for any privacy in any capacity online.
This is why already, for years, the security sector and NIST has been running competitions and rewards for those who can build post-quantum ciphers to protect against this threat.
A post-quantum cipher works on the principle that a quantum computer must not be able to crack the algorithm, but a normal computer in possession of the key should be able to encrypt or decrypt the data in a reasonable amount of time.
Since 2016, NIST has been working to build a list of the ciphers and slowly test and break them down so we can have a standard to be used across the globe. From an initial 82 submissions, 7 finalists and 8 alternatives were selected. Even from these finalists, 3 have already been broken, showing the immense value of starting this when they did.
For more information on some of the leading finalists you can read into the individual detail of their implementation and what mathematical elements they use to protect against the upcoming threat:
So from here on in, what should be your plan of action? Follow these basic steps to determine when you need to act:
- Determine if you are using any of the vulnerable cryptographic ciphers to encrypt your data at rest
- If you are, create a list of the data you need to keep private
- Work out your level of threat using the calculation to determine the amount of time it could take you to move across to these new models and how many of your systems you need to convert
- Keep a close eye on the leaders in the NIST competition and begin testing with some of the preferred candidates to determine a more accurate timeline
For now this is the best approach to keeping yourself protected until more results and findings come back from the NIST finalists.
Keep an eye out for a follow up piece where we will be deep diving into each of the major finalists so far to look into how they function and where each could be best utilised.