Tim Callan at Sectigo describes the potentially catastrophic effects on security of quantum computing and outlines the remedies
Every day, quantum computing inches closer to becoming a reality. Recently, the Financial Times broke the news that Goldman Sachs believes quantum computing is a mere five years away from use in markets.
However, while quantum computing undoubtedly holds immense potential for a number of use cases, it also presents potentially catastrophic cyber-security risks.
The public and private sectors need to invest in creating systems that can withstand the unimaginable power of quantum computing. Otherwise, the basic security that governs every aspect of our modern infrastructure will be rendered useless overnight.
Quantum computing: the ins and outs
Quantum computers take advantage of the nature of quantum physics to create an entirely new computing paradigm different from the traditional 0/1 binary-based, gated computers we have been using since the 1950s.
Instead, they run on quantum bits (known as qubits), which can superpose and entangle themselves in order to perform multiple processes simultaneously. A qubit can represent one or zero, or also a third condition which represents a ‘coherent superposition’ of the two. By not being restricted by the two positions of the traditional digital binary, each new stable qubit added to a quantum computing system makes it exponentially more powerful than its traditional counterpart.
This gives quantum a significant advantage over traditional digital computing for specific tasks. One of those tasks is factoring large numbers down to their primes, and another is calculating elliptic curves. This is important because the cryptographic algorithms used to encrypt data throughout our global digital infrastructure depend on these mathematical functions. These encryptions are created through two algorithms, which have served us well for the last 70 years: the RSA algorithm and the Elliptic Curve Cryptography (ECC).
- RSA depends on prime numbers. Large prime numbers are very difficult for traditional computing platforms to factor. They thus are tremendously time-consuming as the computer has no option but to go through all combinations linearly, one by one.
- Elliptic Curve Cryptography works by finding two points on an elliptic curve that intersect perfectly to ‘unlock’ an encrypted asset. Solving for two points in this curve is likewise difficult for traditional computers.
The quantum apocalypse
The fundamentally different architecture of quantum computing vs. traditional computing means that the factorization based RSA and ECC algorithms are orders of magnitude easier to crack for a quantum computer along with a technique known as Shor’s algorithm. The real problem comes with the fact that once these algorithms are compromised, the foundational security of all our digital systems will be insecure. Our modern systems of finance, commerce, communication, transportation, manufacturing, energy, government, and healthcare will, for all intents and purposes, cease to function, as the encryption they rely on crumbles.
This is especially concerning if the first quantum computer were developed extralegally, which would grant bad actors with a computing power more extreme than anything at the disposal of any government or enterprise.
This outcome is so severe that it is often referred to as the “Quantum Apocalypse.”
However, it’s not all doom and gloom. To protect ourselves from the Quantum Apocalypse, governments and organisations need to migrate the global public key infrastructure (PKI) away from existing RSA- and ECC-based functions to new quantum resistant cryptographic approaches that are more resilient to the power of quantum computing and Shor’s algorithm.
As of now, experts in the security industry, academia, and government are working on this problem, seeking to discover, define, and codify the best encryption, algorithm or algorithms to replace RSA and ECC. Leading the effort is the National Institute for Standards and Technology (NIST) in the USA.
Overall, more than 20 potential algorithms are already being scrutinised by NIST, though it is too early to know if even one of them is suitable for the task. For an encryption algorithm to meet our needs, it must be:
- Fast to encrypt for a traditional computer
- Fast to decrypt for a traditional computer using the private key
- Prohibitively difficult to decrypt in a brute force attack for either a quantum computer or a traditional computer
- Able to produce encrypted data that is efficient in size and not so “bloated” that it is impractical to use
- Compatible with the staggeringly complex array of hardware, software, and services that depend on our standards-based PKI systems today
- Well enough tested and understood that we could be confident it won’t prove highly vulnerable to future, unknown attacks.
The PKI industry has also introduced technologies such as hybrid certificates which will enable the transition from RSA and ECC algorithms to the new quantum resistant algorithms. The time is now to start engaging with these technologies as toolkits have been made available.
Time is of the essence
“There will be a point in time when quantum computers reach a stage in development when they’re fast enough to break our current ECC and RSA encryption algorithms. Fortunately, we are still in the early days of quantum computing, and researchers are getting ahead of this imminent threat. And, despite the work of Google, NASA, and IBM (some of the leaders in quantum research), the computers that will break our algorithms are not yet with us today.
However, as science-fiction-like as it may seem, these machines are only years – rather than decades – away, so now is the time to make sure our basic PKI encryption is quantum-resistant. In order for our digital lives to function in a post-quantum world, and for us to safely take advantage of the computing power available to us, time is of the essence.
Tim Callan is Chief Compliance Officer of Sectigo
Main image courtesy of iStockPhoto.com