Cyber-security in a quantum age

Utimaco’s Nils Gerhardt asks, what’s next for post-quantum cryptography?

Y2K is remembered, when it is remembered at all, as a media-engineered panic: “The power in some cities isn’t working … and that means no heat, lights, or coffee in the morning, not to mention no televisions, stereos, or phones, which—even in places with power—aren’t working, either. Bank vaults and prison gates have swung open; so have valves on sewer lines” according to one contemporary article.

None of this came to pass of course, but the story is more complicated than newspapers declaring that the sky is falling, and it has implications for the next phase in the world’s response to the emergence of quantum computers. Looking at what happened almost a quarter century ago can answer the question of what needs to happen in 2024 to make the transition to a post-quantum world easier.

The current state of quantum computing

Quantum computing has made significant strides in recent years, pushing the boundaries of classical computing, and unlocking the potential for solving complex problems at speeds unimaginable by traditional computers.

However, this progress has raised concerns about the security of existing cryptographic systems. Classical encryption methods, such as RSA and ECC, rely on the difficulty of certain mathematical problems, and quantum computers have the capability to break these algorithms through algorithms like Shor’s.

In response to this looming threat, efforts have been made to develop Post-Quantum Cryptography (PQC) standards. These cryptographic systems - CRYSTALS-KYBER, CRYSTALS-Dilithium, FALCON and SPHINCS+ and others- are designed to withstand attacks from both classical and quantum computers. PQC standards have already been created, laying the foundation for a quantum-resistant future.

However, the journey doesn’t end here; continual improvement and refinement of these standards are imperative in the face of ever-advancing quantum capabilities.

Regulations in the realm of quantum computing are still in their infancy. Unlike the Y2K transition, where there was a race against time to mitigate potential catastrophic failures, the quantum computing era demands a proactive approach even while we don’t know when quantum computers capable of breaking common forms of encryption will arrive - perhaps around 2030 according to some estimates. 

What we can learn from the Y2K transition

The ‘Y2K bug’ was a computer flaw that resulted from the practice of representing years with only the last two digits – 1999 would just be ‘99’, for example, and when the clock struck midnight the year 2000 would be ‘00’, which would be no different from a computer’s point of view to 1900. As the year 2000 approached, there was a genuine fear that computer systems worldwide would fail to interpret the year 2000 correctly, potentially causing widespread disruptions.

While the ‘bug’ would have meant little to most home computer users and the majority of businesses, it is not entirely true that Y2K was a confected panic. For example, banks that calculate interest rates on a daily basis could have faced major disruption as their systems could deduct one hundred years of interest from accounts as it ‘believed’ that the year was 1900. Although planes dropping from the sky was not possible, it was possible that flights may have been canceled if two systems couldn’t agree on the date.

As you already know, these problems didn’t come to pass, and this wasn’t because they weren’t real but because governments, businesses, and individuals collaborated to ensure a smooth transition into the new millennium. This proactive and collaborative approach was essential in averting a potential catastrophe.

Similarly, as quantum computing advances, it is crucial for governments, industries, and the cyber-security community to work collaboratively, even if nobody can predict when quantum computers will be powerful enough to break existing cryptography. PQC standards must be continually assessed and improved upon, and regulations need to be developed to govern the deployment of quantum-safe technologies.

The lessons from Y2K underscore the importance of early preparation and a concerted effort to address potential challenges before they escalate.

Where will we go next?

The deployment of PQC in the real world is a significant step forward, but it raises questions about the readiness of various sectors for the emergence of quantum computing. What needs to happen next to ensure a seamless transition into a post-quantum future?

1. Education and awareness: As quantum computing becomes more tangible, there is a pressing need for education and awareness campaigns. Businesses, governments, and individuals must understand the implications of quantum computing on their existing security infrastructure. Training programs and awareness initiatives can empower stakeholders to make informed decisions and take necessary steps to enhance their cyber-security posture.
2. Collaborative research and development: The quantum threat necessitates collaborative research and development efforts. The quantum-resistant algorithms and cryptographic techniques must be continuously refined to stay ahead of potential adversaries. Public-private partnerships, international collaborations, and open-source initiatives can accelerate the progress in this critical area.
3. Regulatory frameworks for quantum computers: Governments play a pivotal role in shaping the regulatory landscape for quantum technologies. Regulations need to be established to govern the development, deployment, and use of quantum computing. A harmonised global approach will be essential to ensure consistency and effectiveness in addressing quantum security challenges.
4. Regulations for post quantum cryptography: Similarly, regulation needs to be developed for post-quantum cryptography and its global roll-out.
5. Integration of quantum-safe technologies: Businesses and organisations should proactively integrate quantum-safe technologies into their existing cyber-security infrastructure. This involves updating cryptographic protocols, securing communication channels, and adopting practices that align with PQC standards. Organisations will have to assess what cryptography they are using, determine the security needed and establish means like crypto-agility in order to migrate to PQC.
6. Global cooperation: Quantum security is a global challenge that requires a coordinated response. International cooperation among governments, industries, and research institutions is crucial to share knowledge, pool resources, and develop a unified strategy against quantum threats. Joint efforts can enhance the collective resilience of the global digital ecosystem. 

We are at a pivotal moment in the journey towards quantum security. The current state of quantum computing underscores the urgency for robust PQC standards and a comprehensive regulatory framework.

Drawing lessons from the Y2K transition, we must act collaboratively and proactively to prepare for the emergence of quantum computing. Many organisations have already invested in PQC, and by investing in education, research, regulation, and global cooperation, we can navigate the quantum era with resilience and ensure a secure digital future.

Nils Gerhardt is CTO at Utimaco, a global platform provider of trusted cyber-security and compliance solutions

Main image courtesy of iStockPhoto.com