The Impact of Quantum Decryption

1. Executive Summary

Quantum computing’s rapid progress poses a significant threat, potentially rendering current encryption methods and nearly all encrypted data vulnerable. This includes sensitive data that has already been stolen or leaked. Some of this data is being stored in anticipation of future decryption capabilities. This is typically referred to as “harvest now, decrypt later.” Its eventual decryption could lead to severe financial losses, major security breaches, and vast global consequences. To counter this threat, an urgent migration to post-quantum cryptography standards (PQC) is imperative.

1. Introduction: The Quantum Horizon and Encrypted Data

Quantum computing presents a fundamental challenge. Its theorized capabilities cause concern because they challenge the backbone of digital security and may render many if not all of our current encryption standards obsolete. These concerns are further amplified due to the large amounts of encrypted data already stolen via data breaches. In 2023, IBM estimated the average data breach involved 4.35 million records, 83% of which included encrypted data. IBM also estimated that 83% of those breaches included encrypted data. Such figures suggest over 10 billion encrypted records may be stolen annually. There are likely several petabytes (1 petabyte = 1,000 terabytes) of encrypted data already stolen.

III. The Quantum Threat to Modern Cryptography

1. Principles of Quantum Computing

There are two key quantum mechanical phenomena, superposition and entanglement, that enable qubits to operate fundamentally differently than classical bits. Superposition allows a qubit to exist in a probabilistic combination of both 0 and 1 states simultaneously, significantly increasing the amount of information a small number of qubits can hold. Entanglement, links the quantum states of two or more qubits together in such a way that they become correlated, regardless of the physical distance separating them. These capabilities allow quantum computers to explore a vast number of possibilities concurrently, potentially offering exponential speedups over classical supercomputers.

1. The Land of Encrypted Stolen Data
2. Today’s Common Encryption Methods Used

The vast majority of sensitive data is protected using prevalent encryption algorithms. Rivest-Shamir-Adleman (RSA) and Elliptic Curve Cryptography (ECC) are widely employed for public-key cryptography. Advanced Encryption Standard (AES) is a widely adopted symmetric encryption standard used to encrypt large amounts of data.

1. Types of Sensitive Data Targeted

A wide range of sensitive data, including financial records, Personally Identifiable Information (PII), intellectual property, and government secrets, is encrypted and stored by individuals, organizations, and governments. This information is highly sought after by malicious actors for purposes such as financial fraud, identity theft, corporate espionage, and compromising national security. Consequently, a market exists on the dark web where various types of stolen data are sold at different prices. For instance, personal data profiles can cost $10-$100, financial details like credit cards range from $5-$120, compromised corporate databases can fetch $500-$100,000, and government credentials like passports may sell for $500-$3,000, with prices varying based on the data’s sensitivity and completeness.

1. The “Harvest Now, Decrypt Later” (HNDL) Strategy

These marketplaces highlight the viability of the strategy called “harvest now, decrypt later” (HNDL). CISA warns that threat actors, particularly nation-states, are collecting encrypted data now, anticipating future decryption via quantum computers. The data types most likely targeted are those with enduring value, such as government secrets, intellectual property, and sensitive personal or financial records.

1. Unlocking the Past: The Impact of Quantum Decryption
2. Cryptographically Relevant Quantum Computers

Predicting when quantum computers can break current encryption standards remains complex. Some experts are forecasting the first quantum computer capable of breaking RSA-2048 encryption will be available within the next 5 to 10 years, potentially as early as 2029 or 2030. However, some other experts believe this timeline is further out, suggesting it might take until 2034 or even 2044 for such a quantum computer to be available.

1. Implications and Time Sensitivity

Quantum decryption of data stolen using current standards could have pervasive impacts. Government secrets, more long-term data, and intellectual property remain at significant risk even if decrypted years after a breach. Decrypted government communications, documents, or military strategies could compromise national security. An organization’s competitive advantage could be undermined by trade secrets being exposed. Meanwhile, data such as credit card information will diminish over time due to expiration dates and the issuance of new cards. However, compromised personal information poses long-term risks like identity theft and fraud, even years after exposure.

1. AI’s Role in Enhancing Quantum Decryption Capabilities

Artificial intelligence (AI) further amplifies the threat to encrypted data. AI could potentially optimize quantum decryption algorithms. AI could also rapidly analyze decrypted data, helping threat actors identify and exploit valuable information. This synergy between quantum computing’s decryption power and AI’s analytical capabilities could significantly increase the impact and effectiveness of cyberattacks.

1. Post-Quantum Cryptography
2. Leading PQC Algorithm Solutions

Several families of PQC algorithms have been selected by The National Institute of Standards and Technology (NIST) as replacements for current vulnerable methods.

Lattice-based cryptography (CRYSTALS-Kyber and CRYSTALS-Dilithium) is a key encapsulation mechanism (KEM). Lattice-based cryptography relies on two difficult mathematical problems. The first, Learning With Errors (LWE), gives a set of linear equations with small errors added. This makes recovering the original value extremely difficult. The second, Short Integer Solution (SIS), requires finding a small nonzero integer solution that satisfies the given equation. These two mathematical problems attempt to make this cryptography quantum proof.

Stateless hash-based cryptography (SPHINCS+) utilizes cryptographic hash functions and Merkle trees to create digital signatures that are believed to be resistant to quantum attacks. This is believed to be quantum resistant due to the hash functions designed to be one-way and highly linear. This means they do not have an algebraic structure that can be as easily exploited by quantum algorithms.

1. Challenges of PQC Adoption and Implementation

To navigate the new complexities PQC presents, organizations need to prioritize “crypto agility,” the ability to quickly and seamlessly switch between cryptographic algorithms as threats evolve and new standards emerge. This will likely require infrastructure upgrades across various systems and applications. During the transition period, some organizations might also consider adopting hybrid cryptographic systems that combine existing and post-quantum algorithms to provide an added layer of security.

VII. Potential Financial Damages

1. Potential Impacts

Quantum decryption of stolen personal and financial data could trigger a surge in identity theft and financial fraud, as criminals exploit previously inaccessible information. Furthermore, the exposure of sensitive personal details, such as medical histories and private communications, could cause significant erosion of personal privacy.

For organizations, the ability of quantum computers to decrypt previously stolen data could result in substantial financial losses due to data breaches, corporate espionage, and potential legal liabilities. The exposure of sensitive corporate information, such as trade secrets and strategic plans, could provide competitors with an unfair advantage, leading to significant financial harm. Organizations could face significant reputational damage and a loss of customer trust if their previously secured data is exposed due to quantum decryption.

1. Quantifying Potential Future Damages

Quantifying financial damages from future quantum decryption is challenging, but existing reports offer insight into the potential scale of the impact. A report from the Hudson Institute’s Quantum Alliance Initiative estimated that a quantum-enabled attack on the Federal Reserve’s payment system could result in a direct loss of 10-17% of US GDP and between $2 and $3.3 trillion in indirect losses. While these figures represent current data breach costs and specific potential scenarios, they highlight the immense financial risks associated with the future decryption of sensitive data.

VIII. Potential Global and Geopolitical Implications

1. National Security Risks

Quantum decryption poses significant national security risks and the potential for substantial intelligence advantages. Nations that achieve this capability first could gain unprecedented access to sensitive government and military communications, defense strategies, diplomatic negotiations, and intelligence operations. This could lead to significant shifts in geopolitical power and potentially destabilize international relations.

1. Reputational Dangers for Organizations

The security of e-commerce, online banking, digital communication platforms, and critical infrastructure all rely heavily on robust encryption. If this security is compromised by a quantum computer, it could undermine public confidence, potentially disrupting the economy and societal norms. Alternatively, if an organization in this field implements post-quantum encryption standards and withstands attacks, it could exponentially bolster their reputational standing in the industry.

1. Geopolitical Power Shifts and International Relations

The development of quantum computing technologies are becoming critical factors in the geopolitical landscape. Major global powers are engaged in a “quantum race” to achieve technological superiority in this domain. The nation that first develops a robust and scalable quantum computer capable of breaking encryption could gain a decisive strategic advantage in intelligence gathering, cyber warfare, and overall global influence.

1. Recommendations and Strategic Initiatives
2. For Individuals

Individuals should adopt proactive data protection practices to mitigate the potential future impact of quantum decryption. This includes using strong, unique passwords for different online accounts and enabling multi-factor authentication wherever possible. For individuals, multi-factor authentication will continue to be one of the best tools to mitigate against data breaches and account takeovers. Individuals should also regularly update software and operating systems on all devices to patch known vulnerabilities. Individuals should be cautious about sharing sensitive personal information online and should regularly monitor their financial accounts and credit reports for any suspicious activity. Individuals should remain aware of updating encryption standards and tools as these services actively transition to the post-quantum cryptographic standards. Adopting encrypted messaging services or platforms that offer post-quantum encryption standards when available would be valuable. While these measures may not directly prevent the decryption of already stolen data, they can significantly reduce the risk of future data breaches.

1. For Organizations

Organizations must recognize the urgency of transitioning to post-quantum cryptography to safeguard their sensitive data against future quantum threats. Imminently, organizations should conduct organization-wide audits to identify where legacy encryption methods and data are most vulnerable. Organizations should establish a committee or task force to oversee the “quantum readiness” implementation and migration. This task force must remain up to date on quantum-secure technologies such as post-quantum VPNs and quantum key distribution solutions. Implementing robust data minimization policies to reduce the amount of sensitive data stored long-term will also limit the potential impact of future decryption. Building “crypto agility” into their systems is crucial to enable a smooth and efficient transition to new cryptographic algorithms as they become standardized and available. Utilizing a phased migration that combines classical and quantum-resistant cryptography standards will assist with ensuring a smooth transition. Organizational audits should assist in identifying and prioritizing the most at-risk data, systems, and encryption standards within the organization so these can be monitored heavily until they are moved to a post-quantum cryptography standard.

1. For Governments

Governments must invest in and expedite PQC research in standardizing efforts for post-quantum cryptography. International cooperation in establishing global quantum security standards and protocols is essential given the transnational nature of cyber threats. Raising public awareness and providing education about the potential quantum threat and the importance of adopting quantum-resistant security measures will also be crucial for a coordinated global response. The government must foster partnerships between private enterprises such as cybersecurity firms and research institutions to further accelerate quantum security adoption.

1. Conclusion: Preparing for the Quantum Decryption Reality

Quantum computing’s potential to break current encryption poses an imminent threat to the vast amounts of encrypted data that have already been stolen or leaked. The potential for severe financial repercussions, significant security breaches, and profound geopolitical consequences underscores the gravity of this situation. As we stand on the cusp of the quantum era, it is imperative that individuals, organizations, and governments recognize the urgency of this challenge and prioritize the transition to post-quantum cryptography. Proactive security, data minimization, and international collaboration are key to preparing for the quantum decryption reality and safeguarding our digital future.

About the Author

Alyssa Walton has 10 years of experience in Information Technology and Cybersecurity. Her diverse professional background includes roles as Senior Information Security Analyst, Security Engineer, Information Technology Manager, and Systems/Network Engineer.

Alyssa’s academic qualifications include a Master of Science in Cybersecurity and a Bachelor of Science in Information Systems. Alyssa can be contacted via email at [email protected] or via LinkedIn at https://linkedin.com/in/alyssawalton001.