Quantum-resistant algorithms are critical to protecting your business


Utimaco CTO Nils Gerhardt outlines the threat that quantum computing poses to current encryption methods and suggests how cybersecurity can get ahead of the game.

The US National Institute of Standards and Technology (NIST) recently announced that, after six years of evaluation, it has selected four algorithms (CRYSTALS-Kyber for key establishment, and CRYSTALS-Dilithium, FALCON and SPHINCS+ for digital signatures) that it believes will withstand attacks by the quantum computers currently being developed around the world. This may only seem interesting to computer science and security circles, but even if these algorithms remain invisible in our daily lives and business, they will have a significant impact.

Quantum computing uses the laws of quantum mechanics to solve certain classes of problems far faster than classical computers can. Prototype systems are already performing calculations that would take prohibitively long on conventional hardware.

Although the idea of quantum computing has been around since the 1980s, it is only in the last few years that we have seen working prototypes, such as IBM's 127-qubit Eagle processor. As early as 1994, Peter Shor showed that a sufficiently large quantum computer could break the RSA encryption that underpins much of digital security to this day.

The threat to current encryption

Existing computers are theoretically capable of cracking RSA encryption, but for a key of today's typical size (2048 bits) it would take on the order of 300 trillion years. According to a study published in the journal Quantum, a quantum computer running Shor's algorithm with enough "qubits", or quantum bits (the paper estimates roughly 20 million noisy qubits), could break the same key in a matter of hours.

That means attackers could soon be able to read credit card information, steal encrypted patient records or compromise cryptocurrency wallets if we do not adequately prepare for post-quantum security. Worse, encrypted traffic recorded today can be stored and decrypted once such a machine exists, so data with a long confidentiality lifetime is already exposed. Digitally signed documents created before the introduction of quantum-resistant algorithms are also at risk: if they cannot be re-signed by both parties using quantum-resistant signatures, millions of legal agreements could be invalidated. Even the blockchains that power the $2 trillion cryptocurrency market and an increasingly large number of other applications rely on signature schemes that Shor's algorithm breaks.

Digitally signed documents could also be modified after the fact in a post-quantum world: an attacker who can recover a signer's private key can forge a fresh signature over altered content. As digital documents replace hand-signed ones, and even scanned paper records are kept only electronically, any digitally signed document that has no physical equivalent could become legally unenforceable once it can be forged. Some document-signing companies hold millions of leases and employment contracts on their servers. It is crucial that all of these documents are re-signed with quantum-resistant signatures before quantum computing becomes a practical threat.

Preparing for a post-quantum world

To determine where to implement post-quantum cryptography (PQC) and where conventional cryptography still suffices, organizations need to understand which of their data must be protected, for how long, and which is of no value to cybercriminals. Some data becomes obsolete and worthless to hackers within months; other data, such as patient records or long-term contracts, needs to be protected for decades or indefinitely, and that data must be migrated first.

Before a full migration plan is drawn up, a proof of concept using PQC or hybrid data-protection methods can be run against a representative subset of the organization's digital assets.

In some cases the migration is simply a change from one method to another. Transport layer security (TLS), for example, can be made quantum-resistant, and hybrid post-quantum cipher suites are already available from Amazon Web Services. This means that information in transit (e.g. credit card details sent from a customer to an e-commerce merchant) is protected for all future sessions, although traffic that an adversary has already recorded remains exposed. Legacy systems, on the other hand, may need to be significantly upgraded or even replaced.

Full adoption of quantum security in an organization can take years in some cases.

Stay one step ahead of the quantum hacks

When it comes to securing existing assets, there are two options. The first is to decrypt and re-encrypt data using the new quantum-resistant algorithms. This can be time-consuming, especially when thousands or even millions of records are involved. With "hybrid" encryption, on the other hand, the existing encryption is retained and a quantum-resistant layer is placed on top. This can become difficult as files grow larger, and it must be designed so that an attacker has to break both layers: a hybrid in which the key can be recovered from either layer alone is no more secure than the conventional scheme it was meant to strengthen.
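The difference between a hybrid that merely stacks two schemes and one that actually requires both to be broken, as an added example that is not code from the article or from Utimaco (it also illustrates the key-combining step behind the hybrid TLS cipher suites mentioned earlier). Real key-exchange mechanisms (X25519 or RSA on the classical side, Kyber on the post-quantum side) are replaced by stand-in random shared secrets, because the point is the combiner, not the KEM; the function names are this example's own.

```python
"""
Hybrid key establishment: why the combiner must need BOTH secrets.

Added example, not code from the article or from Utimaco.  Shared secrets are
stand-ins produced by os.urandom; a real deployment would obtain them from an
X25519/RSA exchange and a Kyber encapsulation respectively.
"""
import hashlib
import hmac
import os


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """HKDF (RFC 5869) extract-then-expand with SHA-256, standard library only."""
    if not salt:
        salt = bytes(hashlib.sha256().digest_size)  # RFC default: HashLen zero bytes
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def xor_wrap(key: bytes, secret: bytes, label: bytes) -> bytes:
    """Toy key wrap: XOR with a keystream derived from `secret`.  Stands in for
    AES-KW under a KEM-derived key; unwrapping is the same operation."""
    stream = hkdf_sha256(secret, b"", b"wrap:" + label, len(key))
    return bytes(a ^ b for a, b in zip(key, stream))


# Pattern A ("OR" hybrid): wrap the same data key under each scheme separately.
# Whoever can open EITHER wrap gets the key, so breaking the classical scheme
# with a quantum computer is enough; the post-quantum wrap adds nothing.
def naive_hybrid_wrap(data_key: bytes, ss_classical: bytes, ss_pq: bytes):
    return (xor_wrap(data_key, ss_classical, b"classical"),
            xor_wrap(data_key, ss_pq, b"pq"))


def naive_hybrid_unwrap(wraps, ss_classical: bytes = None, ss_pq: bytes = None) -> bytes:
    w_classical, w_pq = wraps
    if ss_classical is not None:
        return xor_wrap(w_classical, ss_classical, b"classical")
    if ss_pq is not None:
        return xor_wrap(w_pq, ss_pq, b"pq")
    raise ValueError("need at least one shared secret")


# Pattern B ("AND" hybrid): derive ONE key from both secrets, bound to the
# transcript (both key shares / ciphertexts).  This is the shape of the IETF
# hybrid TLS design: an attacker who knows only one component learns nothing.
def combined_key(ss_classical: bytes, ss_pq: bytes, transcript: bytes, length: int = 32) -> bytes:
    if len(ss_classical) != 32 or len(ss_pq) != 32:
        raise ValueError("fixed 32-byte secrets keep the concatenation unambiguous")
    ikm = ss_classical + ss_pq
    return hkdf_sha256(ikm, b"", b"hybrid-kem v1:" + transcript, length)


def demo():
    """Quantum attacker recovers ss_classical only.  Does each pattern leak the key?"""
    ss_classical = os.urandom(32)   # stand-in for an X25519 shared secret
    ss_pq = os.urandom(32)          # stand-in for a Kyber shared secret
    data_key = os.urandom(32)
    transcript = b"constructed transcript: both key shares would be hashed here"

    wraps = naive_hybrid_wrap(data_key, ss_classical, ss_pq)
    naive_leaks = naive_hybrid_unwrap(wraps, ss_classical=ss_classical) == data_key

    # With the combiner the attacker must still supply ss_pq; any wrong value
    # yields an unrelated key, so ss_classical on its own is worthless.
    real = combined_key(ss_classical, ss_pq, transcript)
    with_wrong_pq = combined_key(ss_classical, os.urandom(32), transcript)
    combiner_holds = with_wrong_pq != real
    return naive_leaks, combiner_holds


if __name__ == "__main__":
    leaks, holds = demo()
    print("naive OR-hybrid leaks key to a classical-only attacker:", leaks)
    print("AND-combiner key unrecoverable without ss_pq:", holds)
```

The two patterns look equally "hybrid" on a diagram, which is why the weak one survives review. Two properties make pattern B safe: the KDF input contains both secrets (so the derived key is unpredictable while either remains secret) and it is bound to the transcript (so an attacker cannot swap in a key share of their own without changing the key). Concatenating the secrets without a length prefix is only safe because both are fixed-size, which the code checks.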

Additionally, since large quantum computers do not yet exist, the security of the four algorithms NIST selected rests on mathematical hardness assumptions, and further cryptanalysis, whether classical or quantum, could still break one of them; the fourth-round candidate SIKE, for example, was broken on an ordinary computer in 2022. It is also worth bearing in mind that there will be further rounds of evaluation, so algorithms may be dropped or added. This can discourage security professionals considering a migration to quantum-resistant cryptography: they could invest heavily in moving to an algorithm that later analysis, or testing against a real quantum computer, shows to be unsafe.

Rather than a single dominant scheme, as today where RSA dominates, there will likely be multiple schemes in use, possibly including all of the current NIST candidates. Cryptography has many use cases, from IoT devices to cloud services, and the candidate schemes differ markedly in key size, signature size and speed, so different schemes will suit different cases. Running several also offers an extra layer of security by hedging our bets: bad actors may be able to crack one scheme, but they are unlikely to crack them all.

Everything from individual devices to entire organizations must therefore become "crypto-agile": able to switch between schemes, and to run more than one at once, without redesigning the systems that depend on them.
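What crypto-agility looks like in code, as an added example that is not from the article or from Utimaco: the algorithm is named in the signed envelope and resolved through a registry, so a scheme can be added, retired or run alongside another (the hedging described above) without changing the document format, and a document that still verifies can be re-signed as the article recommends. The two "schemes" are HMAC stand-ins, since no post-quantum signature scheme ships in the Python standard library; in a real deployment the registry entries would wrap RSA-PSS and CRYSTALS-Dilithium implementations. All identifiers (`REGISTRY`, `sign_envelope`, `classical-demo`, `pq-demo`, etc.) are this example's own.

```python
"""
Crypto-agile signature envelope.

Added example, not code from the article or from Utimaco.  The "schemes" are
keyed-MAC stand-ins for public-key signature algorithms; keys and payloads
below are constructed for illustration.
"""
import hashlib
import hmac
import json
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass
class Scheme:
    sign: Callable[[bytes, bytes], bytes]           # (key, message) -> signature
    verify: Callable[[bytes, bytes, bytes], bool]   # (key, message, sig) -> ok
    status: str = "approved"                        # "approved" | "deprecated"


def _mac_stand_in(digest) -> Scheme:
    def sign(key, msg):
        return hmac.new(key, msg, digest).digest()

    def verify(key, msg, sig):
        return hmac.compare_digest(hmac.new(key, msg, digest).digest(), sig)

    return Scheme(sign, verify)


# The one place where algorithms are added, retired or swapped.  Nothing else
# refers to a scheme by anything other than its registry id.
REGISTRY: Dict[str, Scheme] = {
    "classical-demo": _mac_stand_in(hashlib.sha256),   # stands in for RSA-PSS
    "pq-demo": _mac_stand_in(hashlib.sha3_256),        # stands in for Dilithium
}


def canonical(payload: dict) -> bytes:
    """Canonical JSON so signer and verifier hash identical bytes."""
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def sign_envelope(payload: dict, keys: Dict[str, bytes], algs: List[str]) -> dict:
    """Sign with every listed scheme; a forger must break all of them."""
    msg = canonical(payload)
    sigs = {}
    for alg in algs:
        scheme = REGISTRY.get(alg)
        if scheme is None or scheme.status != "approved":
            raise ValueError(f"refusing to sign with {alg!r}")
        sigs[alg] = scheme.sign(keys[alg], msg).hex()
    return {"payload": payload, "sigs": sigs}


def verify_envelope(env: dict, keys: Dict[str, bytes], policy: List[str]) -> bool:
    """Accept only if every scheme the CURRENT policy requires is present,
    still approved in the registry, and verifies.  Signatures from schemes
    the policy no longer lists are ignored, so a document signed under an
    older policy keeps working once a retired scheme is dropped from policy."""
    msg = canonical(env["payload"])
    for alg in policy:
        scheme = REGISTRY.get(alg)
        if scheme is None or scheme.status != "approved":
            return False            # policy names an unknown or retired scheme
        sig_hex = env["sigs"].get(alg)
        if sig_hex is None or not scheme.verify(keys[alg], msg, bytes.fromhex(sig_hex)):
            return False
    return True


def resign(env: dict, keys: Dict[str, bytes], old_policy: List[str], new_algs: List[str]) -> dict:
    """Migration step: re-sign with the new scheme set, but only a document that
    still verifies under the old policy, so a forgery is never 'laundered'."""
    if not verify_envelope(env, keys, old_policy):
        raise ValueError("will not re-sign an envelope that fails verification")
    return sign_envelope(env["payload"], keys, new_algs)


if __name__ == "__main__":
    k = {"classical-demo": b"k1" * 16, "pq-demo": b"k2" * 16}   # constructed demo keys
    env = sign_envelope({"lease": "flat 4", "rent": 1200}, k, ["classical-demo", "pq-demo"])
    print(verify_envelope(env, k, ["classical-demo", "pq-demo"]))  # True
    REGISTRY["classical-demo"].status = "deprecated"                # scheme withdrawn
    print(verify_envelope(env, k, ["classical-demo", "pq-demo"]))  # False: policy is stale
    print(verify_envelope(env, k, ["pq-demo"]))                     # True: PQ signature still good
```

The design choice worth copying is that verification is driven by the verifier's current policy, not by whatever the envelope claims: an envelope that only carries a deprecated signature fails as soon as policy requires a still-approved one, which is exactly the lever for retiring an algorithm that later cryptanalysis undermines.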

By Nils Gerhardt

Nils Gerhardt is Chief Technology Officer at cybersecurity provider Utimaco and board member of the IoT M2M Council.
