How crypto-agility can prevent the Quantum Apocalypse

Jason Soroko at Sectigo explains how the Quantum Apocalypse threatens to destroy common encryption techniques and how organisations around the world are developing new quantum-safe crypto algorithms.

Quantum computers by their nature will be better suited to certain tasks than traditional binary computing architectures — in some cases much better. The computations needed to break the RSA and ECC algorithms that underpin much of cyber security are examples of tasks that will be performable many orders of magnitude faster by a quantum computer, when that day comes.

RSA and ECC are the cryptographic algorithms used in the “public key” X.509 certificates that assure confidentiality on all popular software and hardware platforms. This means that, once quantum computers are available to potential bad actors, any secrets encrypted with either of these two algorithms are open to compromise.

The day of the quantum computer: Z-Day

Quantum computers use quantum physics to create a new computing paradigm. Instead of the bits and bytes of traditional 0/1 gated computers, they run on quantum bits, or qubits. These can superpose and entangle themselves to perform many processes simultaneously, drastically cutting processing time.

Using clever processes defined by Shor’s algorithm, which can find prime factors for large numbers, quantum computers will break existing encryption. When such techniques become fully operational and fall into the wrong hands, the existing RSA and ECC cryptographic algorithms will become obsolete. This will mean that many systems that are central to everyday life will be open to breach.

The exact date when that happens, known as Z-Day, is expected within the next decade. Credit card transactions, passport validations, and electric grid control systems could be cracked open with ease. The effects are predicted to be so dire that the event is called the ‘Quantum Apocalypse’.

To achieve this, quantum computing need not be perfect or mature. Decryption doesn’t have to happen in real-time to cause serious damage and compromise the information. As long as it can break current cryptographic algorithms in a reasonable period – perhaps a day, week or month – large-scale data breaches will still happen.

After that a bad actor could steal the files of a high-value target, store them in an encrypted state and wait until they can get a quantum computer to break the private key when the technology has caught up. For sensitive information, such as cutting-edge research, it makes little difference whether it is available today or in a week.

Some targets will be safe: today’s active credit card numbers are easily and often changed, so will be inactive when quantum technology becomes available. But other confidential information, such as industrial or state secrets, can be devastating for its owners if leaked, even in a decade.

Quantum-proof algorithms

Despite this dire-sounding prognosis, the Quantum Apocalypse can be stopped. Academic, technology, and public sector organisations across the world are redoubling efforts to discover and implement new quantum-safe crypto algorithms.

Among the main players is the National Institute of Standards and Technology (NIST), a US federal agency. The institute’s Post-Quantum Cryptography project is identifying and vetting next-generation cryptographic schemes, and recently narrowed the field from 69 candidates to 15.

The aim is to create one or more algorithms which can be reliably shown as immune to advances in quantum computing. The task is technically difficult, but not impossible. Staving off the apocalypse will require a complete retooling of public key infrastructure systems through industry to enable the use of these new crypto algorithms.

While the cryptographic community works to standardise quantum-safe algorithms, free sets of resources can help enterprises and other certificate users understand the quantum cryptographic situation and maintain security as we enter a new age.

The quantum apocalypse may be a daunting prospect, and the threat to digital systems is very real. But with advancements in cryptography, it is a threat that can be defeated.


Jason Soroko is CTO-PKI of SSL certificate authority and PKI solutions provider Sectigo.
