Quantum computers are set to bring about many changes to cybersecurity and beyond, but why should companies start preparations for the quantum threat today?
By Ali El Kaafarani, CEO & Founder of PQShield
The development of quantum computers looms large on the horizon, offering many positive technological developments across a range of fields, from healthcare and drug discovery to finance and climate science.
However, when these powerful machines become a reality – which could be as soon as the end of this decade – they will also introduce an unprecedented security risk on a global scale. If we are ill-prepared to make the necessary changes to global security, then quantum computers could bring more damage than good.
The NSA issued a warning in 2015, and since then the National Institute of Standards and Technology (NIST), the White House, and a host of organizations have all followed suit, urging businesses to prepare for the upcoming threat to our security. The new NIST standards are set to be announced in a few weeks' time, by the end of March 2022.
What is the quantum threat?
Quantum technology is no secret: a host of countries and businesses are working on building quantum capabilities, and are also exploring solutions for implementing quantum-safe security. The likes of JPMorgan and Citigroup have quantum initiatives and have also invested in quantum computing startups, ready to make full use of the developments that quantum technology can bring to finance. Alongside finance, several strategic sectors are likely targets, including healthcare, transport, and defense.
Today, almost every business and device around the world relies on public-key cryptography to secure communications and data, but these algorithms will become vulnerable to the vast processing power of quantum computers, which could mean sensitive information getting into the hands of bad actors. Everything from government documents to business transactions and personal data is vulnerable to exposure, posing a huge risk to corporations, governments and individuals around the world. What is most concerning about the threat is that hackers are already gathering and storing encrypted data now, ready to decrypt it once quantum computers are viable, in what is known as a “harvest now, decrypt later” attack.
What is the best mitigation against the quantum threat?
Classical public-key cryptographic schemes such as RSA and Elliptic Curve Cryptography are totally broken once scalable quantum computers exist, because their underlying computational problems (integer factorization and discrete logarithms) are easy to solve using Shor’s algorithm.
NIST, supported by intelligence agencies such as the US’ NSA, the UK’s GCHQ and France’s ANSSI, decided that the best mitigation against the quantum threat is to rely on a cryptographic field called post-quantum cryptography, which relies on mathematical problems that are still hard to solve even on a quantum computer. The standardization process is now hitting an essential milestone: NIST will announce the winning algorithms of the standardization process before the end of March 2022.
Post-quantum cryptography is not to be confused with other (quantum-based) technologies such as quantum key distribution (QKD) or quantum random number generators (QRNG). To clarify any misunderstanding, neither QKD nor QRNG is needed in order to transition to and/or use post-quantum cryptography. QRNG is not relevant to the quantum threat, as classical hardware-based entropy sources are not affected by advances in quantum computing. QKD might find some niche applications, but due to its clear limitations (no authentication, device dependency, etc.), it simply shouldn’t be advertised, and can’t technically be used, as a replacement for public-key cryptography (think of bank cards, or any other advanced cryptographic protocol such as end-to-end encrypted messaging, etc.).
Public-key cryptography has been used for decades to secure National Security Systems (NSS) and will continue to do so for the foreseeable future, according to the NSA as of August 2021.
What can be done to protect against the quantum threat?
Even though a viable quantum computer capable of breaking the current encryption standards is still some years away, preparations for the threat need to begin imminently.
Governments are now taking the necessary steps to prepare for a quantum-safe future. The White House recently issued a memorandum on improving national security, outlining the need for quantum-resistant protocols on a wide scale. It advised that within 180 days of publication, companies should implement ‘a timeline to transition these systems to use compliant encryption, to include quantum-resistant encryption’. Meanwhile, intelligence agencies from nations at the forefront of quantum technology, like France’s ANSSI, are issuing guidance to governments and businesses on the post-quantum cryptography (PQC) transition.
NIST is currently working on a standardization project that will set out algorithms suitable for implementing post-quantum cryptography. NIST has been working on these guidelines for the past six years, identifying a good starting point for companies to begin their shift away from classical security standards toward quantum security. Some algorithms are already available for use (e.g. hash-based signatures), but all NIST winning algorithms are set to be announced by the spring.
Replacing current encryption standards is not an overnight job, and some CISOs have already begun the transition to quantum-safe security, since changing the security model can take anywhere from two to ten years.
Companies should begin preparing for the threat now, starting with a quantum risk assessment to evaluate which security measures within their organization need to be replaced. Once this is complete, they can set out a roadmap for implementing quantum-safe security (e.g. post-quantum cryptography) by first identifying and evaluating the vulnerabilities in their systems, establishing which security methods may need to be replaced or upgraded, and fixing a practical time frame for the implementation. With the upcoming publication of the NIST standards, there is no reason why we can’t be prepared for one of the most serious cybersecurity threats of the next decade.
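As an added example (not from the article or from PQShield), here is a minimal quantum risk assessment over a constructed cryptographic inventory. It applies the article's classification (RSA/ECC-style public-key schemes are broken by Shor's algorithm; hash-based signatures, symmetric ciphers and entropy sources are not) and flags "harvest now, decrypt later" exposure when the years a secret must survive plus the years needed to migrate exceed an assumed arrival horizon for a scalable quantum computer. The eight-year horizon, the migration figures and the inventory itself are assumptions constructed for illustration.

```python
from dataclasses import dataclass

# Assumed classification lists for the example (not an official NIST list).
QUANTUM_BROKEN = {"RSA", "DSA", "DH", "ECDSA", "ECDH", "ECIES"}   # broken by Shor
QUANTUM_SAFE = {"AES-256", "SHA-256", "SHA3-256", "XMSS", "LMS"}  # symmetric / hash-based

@dataclass
class Asset:
    name: str
    algorithm: str
    purpose: str            # "confidentiality" or "authentication"
    secrecy_years: int      # how long the protected data must stay secret
    migration_years: int    # assumed time needed to migrate this system

def classify(asset, q_arrival_years=8):
    """Return (risk, reason) for one inventory item."""
    if asset.algorithm in QUANTUM_SAFE:
        return "safe", "not affected by Shor's algorithm"
    if asset.algorithm not in QUANTUM_BROKEN:
        return "review", "algorithm not in the known lists"
    # Shor-broken public-key scheme: always needs replacement. Encrypted data
    # recorded today is at risk if it must stay secret past the horizon,
    # after accounting for the time migration itself takes.
    if (asset.purpose == "confidentiality"
            and asset.secrecy_years + asset.migration_years > q_arrival_years):
        return "critical", "harvest-now-decrypt-later exposure"
    # Signatures cannot be forged retroactively, so no HNDL flag here.
    return "high", "replace before scalable quantum computers arrive"

def assess(inventory, q_arrival_years=8):
    """Prioritized roadmap: (name, risk, reason) rows, most urgent first."""
    order = {"critical": 0, "high": 1, "review": 2, "safe": 3}
    rows = [(a.name, *classify(a, q_arrival_years)) for a in inventory]
    return sorted(rows, key=lambda r: order[r[1]])   # stable sort keeps input order within a tier

# Constructed sample inventory (not real systems).
INVENTORY = [
    Asset("vpn-gateway", "ECDH", "confidentiality", 10, 3),
    Asset("code-signing", "RSA", "authentication", 1, 2),
    Asset("archive-backup", "AES-256", "confidentiality", 25, 1),
    Asset("firmware-signing", "LMS", "authentication", 15, 2),
    Asset("legacy-app", "Blowfish", "confidentiality", 2, 1),
]

if __name__ == "__main__":
    for name, risk, reason in assess(INVENTORY):
        print(f"{risk:<9} {name:<18} {reason}")
```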
About the Author
Dr. Ali El Kaafarani is the founder and CEO of PQShield, an Oxford University spin-out on a mission to secure the world’s data from attacks by quantum computers. Dr. El Kaafarani is also a research fellow at Oxford University’s Mathematical Institute and a former engineer at Hewlett-Packard Labs, with over a decade of academic and industrial experience. He is a leading authority in the cryptography community.
PQShield is a cybersecurity company specializing in post-quantum cryptography, protecting data from today’s attacks while readying organizations for the threat landscape of tomorrow. It is the only cybersecurity company that can demonstrate quantum-safe cryptography on chips, in applications, and in the cloud. Headquartered in the UK, with additional teams in the United States, France, and the Netherlands, its quantum-secure cryptographic solutions work with companies’ legacy systems to protect devices and sensitive data now and for years to come.
PQShield is principally backed by Addition, Crane Venture Partners, Oxford Science Enterprises (formerly OSI), Kindred Capital, and InnovateUK. Its latest white papers are available to read here.