With the current pace of technological change, prioritising data security is paramount. There are many techniques for protecting data at every organisational level, and cryptography underpins nearly all of them. It is the bedrock for safeguarding electronic exchanges, passwords, digital signatures, and sensitive records such as financial and health data.
However, over the last few years we have witnessed a proliferation of sophisticated cyberattacks, together with a growing awareness of their impact on individual institutions (downtime of operational technology, and indirect costs such as loss of trust) and, when critical infrastructure is targeted, on a nation's economy and society.
Moreover, other emerging technologies, such as the Internet of Things (IoT) and 5G networks, make it all the more critical for institutions to implement resilient and agile cryptographic systems, particularly at the network edge and across third-party partners.
Furthermore, an additional threat appears on the horizon. As quantum computers mature, today's public key standards face the prospect of being broken, putting the cybersecurity landscape on alert.
A cryptographically relevant quantum computer (CRQC) could break the public key algorithms in use today, such as RSA, Diffie-Hellman and elliptic curve cryptography, and with them every protocol that relies on those algorithms for key establishment or signatures.
This is not only a problem of the future. Eavesdroppers and data miners are already intercepting ciphertext that they cannot decrypt today and storing it for later decryption, once a quantum computer can recover the keys. This matters most in sectors where secrets must be kept for a very long time: governmental, military and critical industrial secrets, and health records.
In response, there is a pressing need to prioritise products and infrastructures that provide long-term security assurances on a global scale. This is crucial for sustaining socio-economic growth and avoiding the costs inflicted by malicious actors, and it starts with understanding encryption.
When discussing encryption, it is essential to differentiate between two main types: symmetric and asymmetric. Symmetric encryption requires the sender and the receiver to share the same secret key. In contrast, asymmetric (public key) encryption uses a key pair: anyone can encrypt a message with the recipient's public key, and only the holder of the matching private key can decrypt it.
Standard protocols typically combine both: an asymmetric key exchange or key encapsulation establishes a shared secret between the two parties, and a symmetric algorithm such as AES then protects the bulk data under that key. Transport Layer Security (TLS) works this way, combining public key (asymmetric) and symmetric key algorithms to secure communications.
The security of asymmetric algorithms rests on mathematical problems that are impractical for classical computers to solve, such as factoring a large number into its prime factors (RSA) or computing discrete logarithms (Diffie-Hellman, ECC). Solving them for today's key sizes would take a current supercomputer many thousands of years. A cryptographically relevant quantum computer, however, could reduce that to days or less.
Current encryption standards are just one targeted area; other security measures, such as authentication, could also face new quantum threats. The three areas potentially threatened by quantum computation are described below.
Asymmetric public key
A large-scale, practical and reliable quantum computer capable of running Shor's algorithm would factor large numbers into their prime components, and compute discrete logarithms, exponentially faster than any known classical method.
Keys based on standard algorithms like RSA and ECC (Elliptic Curve Cryptography) are widely used for digital signatures and key establishment. They would no longer be secure once Shor's algorithm can be run at sufficient scale on a quantum computer.
Many key exchanges are vulnerable to 'harvest now, decrypt later' attacks: adversaries can infiltrate networks and databases now and store the encrypted data until quantum decryption becomes viable.
Digital signatures carry an added risk. An attacker who recovers a private signing key with Shor's algorithm could issue fraudulently signed documents, software updates or certificates that cannot be distinguished from genuine ones.
Breaking asymmetric public key cryptography is the greatest threat that future quantum computers pose. It is therefore essential for institutions to prepare early and proactively, particularly if they operate critical infrastructure.
Symmetric key
Although not as affected as asymmetric algorithms, symmetric key algorithms also face challenges from quantum computers. A similar large-scale, practical and reliable quantum computer running Grover's algorithm offers a quadratic speed-up over classical brute-force search.
Grover's algorithm finds an item in an unsorted set of N candidates in roughly √N steps instead of N. Applied to an exhaustive key search, this means an n-bit symmetric key offers only about n/2 bits of security against a quantum attacker: AES-128 drops to roughly 64-bit quantum security, while AES-256 retains about 128 bits. (There is no public key in symmetric encryption; the target of the search is the secret key itself. In practice the attack also requires very long sequential quantum circuits, so the real-world gain is smaller than the idealised figure.)
The standard mitigation is therefore to double symmetric key sizes, since doubling the key length exactly offsets the quadratic speed-up. However, not all applications can accommodate larger keys or the associated performance cost: legacy systems with memory limitations and compact Internet of Things (IoT) devices may need to turn to alternative security measures.
Authentication
In line with Zero Trust principles, authentication is needed to verify a user's or device's identity before it can access information, a device or a location. Authentication schemes use the same public key (asymmetric) signature algorithms described above and are therefore susceptible to Shor's algorithm. Their symmetric building blocks, message authentication codes (MACs) and authenticated encryption with associated data (AEAD) modes, are exposed to Grover's algorithm in the same way as symmetric encryption: key search becomes quadratically faster, which is addressed by the same doubling of key sizes.
Without 'quantum-safe' cryptography, a quantum computer could attack these algorithms far faster than its classical counterpart, and cybercriminals could use quantum decryption against operations across industries ranging from automotive to defence and finance.
Any business or government that stores data must evaluate the risks of this new computational paradigm. Migrating a large estate of cryptographic systems takes many years, so it is advisable to start now. In this context, the US National Institute of Standards and Technology (NIST) has been developing classical cryptographic standards designed to resist quantum attacks, including those based on Shor's and Grover's algorithms, with the first official standards expected in 2024.
NIST calls these new standards post-quantum cryptography (PQC): classical algorithms designed to be resistant to attacks by both classical and quantum computers.
For institutions to adopt or experiment with PQC, it is advisable to have a crypto-agile information security system in place now. This means a security platform that can switch quickly between multiple standards and algorithms, irrespective of key or signature size, without re-engineering the applications that depend on them. By adopting crypto agility, organisations can experiment with new methods such as PQC while keeping the industry standard algorithms that regulation often mandates.
In July 2022 NIST selected four algorithms for standardisation (CRYSTALS-Kyber for key establishment; CRYSTALS-Dilithium, FALCON and SPHINCS+ for digital signatures) and advanced four further key-encapsulation candidates (BIKE, Classic McEliece, HQC and SIKE) to an additional evaluation round. Between them they cover the two uses in question: establishing keys across a public network and providing identity authentication with digital signatures.
Distinguishing Between Quantum Cryptography and Post-Quantum Cryptography
Quantum cryptography and post-quantum cryptography are fundamentally different. PQC standards are classical algorithms, run on ordinary hardware, designed to withstand quantum decryption. Quantum cryptography, by contrast, uses quantum physics directly, as in Quantum Key Distribution (QKD), where keys are exchanged over a quantum channel and eavesdropping is detectable in principle; it requires dedicated quantum infrastructure and still relies on classical cryptography to authenticate that channel.
Quantum-Resistant Cryptographic Techniques
There are various families of quantum-resistant cryptographic techniques. The five that featured in NIST's standardisation process are lattice-based, code-based, hash-based, multivariate and isogeny-based constructions, each resting on a different mathematical problem.
Development of quantum-resistant techniques is currently robust. Among the challenges that should be considered:
Transition period: the shift from classical to quantum-resistant cryptography is complex and requires careful planning and execution. Organisations must phase out existing cryptographic systems while implementing quantum-resistant ones, usually running both side by side for a time.
The main concern raised by reliable quantum computing is the safety of encrypted data that has already been intercepted and stored. Imagine transmitting information encrypted with an algorithm vulnerable to quantum attack. Malicious actors could intercept and store that ciphertext until a reliable quantum computer becomes available.
Once a quantum computer with the necessary processing power is built, it could be used to decrypt any previously stored information. Sensitive data, whether classified government information, financial records or healthcare data, is therefore at risk if it is intercepted today and decrypted in the years to come.
These growing threats are why government agencies, including Departments of Defense, and critical infrastructure operators such as financial institutions, telcos and healthcare providers are concerned with adopting quantum-resistant cryptography sooner rather than later. Information that must remain confidential beyond the arrival of a CRQC needs protection against quantum threats today.
Organisations looking to secure their data in the post-quantum age can begin with the following steps.
Step 1: Practice Crypto-Agility
A solution based on crypto agility enables an institution to experiment and adopt different encryption algorithms. This means utilising compliant security standards based on regulatory requirements while experimenting with novel security techniques that adapt to the changing threat landscape.
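As an added illustration of the crypto-agility principle described above (in Step 1 and in the earlier paragraph on crypto-agile systems), and not code from Quside or from this page, the following Python shows the pattern in its simplest form: every protected record carries an algorithm identifier, mechanism and policy are kept apart, old algorithms can be verified but not minted during migration, and retiring an algorithm is a policy change rather than a code change. The envelope format, the identifiers and the policy table are assumptions made for the example; HMAC tags are used because the standard library provides them, and the same pattern applies to signature and KEM identifiers.

```python
"""Crypto-agile integrity envelope (added example; format and policy are assumptions).

Every protected value carries the identifier of the algorithm that produced it,
so the algorithm can be changed by policy, and old data migrated, without
changing parsers or breaking verification of records already in storage.
"""
import hashlib
import hmac

# Mechanism: algorithm identifier -> (hash constructor, tag length in bytes).
# Registering a new algorithm is one line; nothing else needs to change.
ALGORITHMS = {
    "hmac-sha256": (hashlib.sha256, 32),
    "hmac-sha3-256": (hashlib.sha3_256, 32),
}

# Policy, kept separate from mechanism. New tags are only minted with
# "current"; "accepted" may still be verified so that records produced under
# an older algorithm stay readable while they are migrated.
POLICY = {
    "current": "hmac-sha3-256",
    "accepted": {"hmac-sha256", "hmac-sha3-256"},
}


def protect(key: bytes, data: bytes, alg: str = "") -> str:
    """Return an envelope tagging `data` under `alg` (default: current policy)."""
    alg = alg or POLICY["current"]
    if alg not in ALGORITHMS:
        raise ValueError(f"unknown algorithm: {alg}")
    digest, _ = ALGORITHMS[alg]
    return f"v1:{alg}:{hmac.new(key, data, digest).hexdigest()}"


def verify(key: bytes, data: bytes, envelope: str) -> bool:
    """Fail closed on unknown versions, retired algorithms and malformed input."""
    parts = envelope.split(":")
    if len(parts) != 3 or parts[0] != "v1":
        return False
    alg, tag_hex = parts[1], parts[2]
    if alg not in POLICY["accepted"] or alg not in ALGORITHMS:
        return False
    digest, tag_len = ALGORITHMS[alg]
    try:
        presented = bytes.fromhex(tag_hex)
    except ValueError:
        return False
    if len(presented) != tag_len:
        return False
    expected = hmac.new(key, data, digest).digest()
    return hmac.compare_digest(expected, presented)


def needs_migration(envelope: str) -> bool:
    """True if the envelope was produced under an algorithm other than current."""
    parts = envelope.split(":")
    return len(parts) == 3 and parts[1] != POLICY["current"]


def migrate(key: bytes, data: bytes, envelope: str) -> str:
    """Re-tag under the current algorithm, but only after the old tag verifies."""
    if not verify(key, data, envelope):
        raise ValueError("refusing to migrate a record that does not verify")
    return protect(key, data)


def retire(alg: str) -> None:
    """Policy change: stop accepting an algorithm (e.g. once migration is done)."""
    if alg == POLICY["current"]:
        raise ValueError("cannot retire the current algorithm")
    POLICY["accepted"].discard(alg)


if __name__ == "__main__":
    key, record = b"\x00" * 32, b"account=42;balance=100"   # constructed sample
    old = protect(key, record, "hmac-sha256")
    new = migrate(key, record, old)
    print(old, new, verify(key, record, new), sep="\n")
    retire("hmac-sha256")
    print("old envelope still accepted after retirement:", verify(key, record, old))
```

The design choice worth copying is that `verify` never infers the algorithm from the tag length or from context: an envelope that does not name an accepted algorithm is rejected, which is what prevents a downgrade to a retired primitive.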
Step 2: Undertake a Quantum Risk Assessment
The second step is to fully understand the threat of quantum decryption and where your organisation is exposed. A quantum risk assessment means inventorying the cryptography in use across your network and partners (algorithms, key sizes, certificates, protocols, and the data they protect together with how long it must stay confidential) and highlighting where increased security in your operations is required.
We recommend starting your audit with business-critical infrastructure before working your way out from there. An approach based on Zero Trust principles means securing all edges in your network, from backend providers to branch locations and remote workers.
Step 3: Protect Applications with Quantum Random Number Generation
Quantum Random Number Generators (QRNGs) provide a trustworthy entropy source by leveraging principles of quantum physics. The quality of the randomness behind key generation, nonces and initialisation vectors dictates, in part, how secure an encryption algorithm is in practice: a strong algorithm keyed from a weak or predictable source is weak. QRNGs therefore strengthen operations such as cloud computing and internet-enabled devices (IoT), where good entropy can be scarce. Note that a QRNG is an entropy source, not a replacement for quantum-resistant algorithms; both are needed, and raw QRNG output should still be conditioned and continuously health-tested before use.
Step 4: Implement Quantum Resistant Algorithms
Quantum Resistant Algorithms (QRAs) are algorithms designed to remain secure in a post-quantum world, such as Post-Quantum Cryptography (PQC) algorithms.
A standard approach combines classical and PQC algorithms in a hybrid system, which offers dual security. The PQC element protects against quantum decryption. Conversely, should an unforeseen classical weakness be found in one of the new PQC algorithms (as happened to the SIKE candidate, broken by a classical attack in 2022), the well-studied classical component keeps the system secure. The hybrid approach also lets organisations retain the certifications and compliance standards tied to the classical algorithms.
In theory, hybridising classical and post-quantum algorithms is straightforward. For key-encapsulation mechanisms (KEMs), both components are run, and their two shared secrets are concatenated and fed, together with the ciphertexts they came from, into a key derivation function that produces the key for symmetric encryption; an attacker must break both components to learn the key. For signatures, the message is signed twice, once with the classical scheme and once with the PQC scheme, and the verifier accepts the message only if both signatures are valid.
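As an added example of the KEM combiner just described (not Quside's code and not from this page), the Python below runs two component KEMs and derives one key from both shared secrets and both ciphertexts through HKDF. The combiner is the point; the two component KEMs are stand-ins, a textbook Diffie-Hellman KEM over small Mersenne-prime groups chosen so the block runs on the standard library alone. They are far too small to be secure, and in deployment the "classical" slot would hold X25519 or ECDH and the "pq" slot an ML-KEM implementation. Group parameters and the KDF label are assumptions.

```python
"""Hybrid classical + post-quantum KEM with a KDF combiner (added example).

The component KEMs are toy stand-ins (assumption); HybridKem is the part that
carries over unchanged to real components.
"""
import hashlib
import hmac
import secrets


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int) -> bytes:
    """HKDF (RFC 5869) with HMAC-SHA-256: extract a PRK, then expand."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


class DhKem:
    """Toy Diffie-Hellman KEM; a stand-in for a real component KEM."""

    def __init__(self, p: int, g: int):
        self.p, self.g = p, g

    def _enc(self, x: int) -> bytes:
        return x.to_bytes(32, "big")   # fixed width keeps the combiner input unambiguous

    def keygen(self):
        sk = secrets.randbelow(self.p - 2) + 1
        return sk, pow(self.g, sk, self.p)

    def encaps(self, pk: int):
        e = secrets.randbelow(self.p - 2) + 1
        ct = pow(self.g, e, self.p)
        ss = hashlib.sha256(self._enc(pow(pk, e, self.p))).digest()
        return ct, ss

    def decaps(self, sk: int, ct: int) -> bytes:
        return hashlib.sha256(self._enc(pow(ct, sk, self.p))).digest()


class HybridKem:
    """Runs both component KEMs and derives one key from both shared secrets.

    The key depends on ss_classical || ss_pq and on both ciphertexts, so an
    attacker who breaks either component alone learns nothing about the key.
    """

    def __init__(self, classical: DhKem, pq: DhKem, label: bytes = b"hybrid-kem-v1"):
        self.classical, self.pq, self.label = classical, pq, label

    def keygen(self):
        sk_c, pk_c = self.classical.keygen()
        sk_q, pk_q = self.pq.keygen()
        return (sk_c, sk_q), (pk_c, pk_q)

    def _combine(self, ss_c: bytes, ss_q: bytes, ct_c: int, ct_q: int) -> bytes:
        ikm = ss_c + ss_q                                        # concatenate both secrets
        info = self.classical._enc(ct_c) + self.pq._enc(ct_q)    # bind to both ciphertexts
        return hkdf_sha256(ikm, self.label, info, 32)

    def encaps(self, pk):
        ct_c, ss_c = self.classical.encaps(pk[0])
        ct_q, ss_q = self.pq.encaps(pk[1])
        return (ct_c, ct_q), self._combine(ss_c, ss_q, ct_c, ct_q)

    def decaps(self, sk, ct) -> bytes:
        ss_c = self.classical.decaps(sk[0], ct[0])
        ss_q = self.pq.decaps(sk[1], ct[1])
        return self._combine(ss_c, ss_q, ct[0], ct[1])


def make_demo_kem() -> HybridKem:
    # Toy groups (assumption): 2**127 - 1 and 2**89 - 1 are Mersenne primes.
    return HybridKem(DhKem(2**127 - 1, 3), DhKem(2**89 - 1, 5))


def exchange(kem: HybridKem):
    """One full exchange; returns (sender_key, receiver_key, ciphertext)."""
    sk, pk = kem.keygen()
    ct, k_sender = kem.encaps(pk)
    return k_sender, kem.decaps(sk, ct), ct


if __name__ == "__main__":
    k1, k2, _ = exchange(make_demo_kem())
    print("keys agree:", k1 == k2, k1.hex())
```

Two details matter in practice. Each shared secret has a fixed length before concatenation, and the ciphertexts go into the KDF's `info`, so no arrangement of one component's output can masquerade as the other's. And a tampered ciphertext does not raise an error; it silently yields a different key (implicit rejection), which is why the record or handshake built on top must still be authenticated.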
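For the signature half of the hybrid, here is an added example (again not Quside's code or the page's) of a dual signature in Python: a classical Schnorr signature over a toy group standing in for ECDSA or Ed25519, paired with a hash-based Lamport one-time signature, which is a genuine post-quantum construction small enough to fit here (real deployments would use SLH-DSA or ML-DSA). The verifier requires both to pass. The group parameters are an assumption and far too small to be secure, and the Lamport key must never sign more than one message.

```python
"""Hybrid (dual) signature: classical Schnorr plus hash-based Lamport OTS (added example).

Accepted only when BOTH signatures verify; either alone is not enough.
"""
import hashlib
import secrets

P, G = 2**127 - 1, 3   # toy group parameters (assumption; insecure size)


def _sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


# --- classical component: textbook Schnorr over Z_P^* (exponents mod P-1)
def schnorr_keygen():
    x = secrets.randbelow(P - 2) + 1
    return x, pow(G, x, P)


def _schnorr_challenge(r: int, msg: bytes) -> int:
    return int.from_bytes(_sha256(r.to_bytes(16, "big") + msg), "big") % (P - 1)


def schnorr_sign(x: int, msg: bytes):
    k = secrets.randbelow(P - 2) + 1
    r = pow(G, k, P)
    c = _schnorr_challenge(r, msg)
    return r, (k - c * x) % (P - 1)


def schnorr_verify(y: int, msg: bytes, sig) -> bool:
    r, s = sig
    if not (0 < r < P and 0 <= s < P - 1):
        return False
    c = _schnorr_challenge(r, msg)
    return (pow(G, s, P) * pow(y, c, P)) % P == r


# --- post-quantum component: Lamport one-time signature over SHA-256
def _msg_bits(msg: bytes):
    h = _sha256(msg)
    return [(h[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]


def lamport_keygen():
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    pk = [(_sha256(a), _sha256(b)) for a, b in sk]
    return sk, pk


def lamport_sign(sk, msg: bytes):
    # Reveals one preimage per message bit; signing twice leaks forgeable material.
    return [sk[i][bit] for i, bit in enumerate(_msg_bits(msg))]


def lamport_verify(pk, msg: bytes, sig) -> bool:
    if len(sig) != 256:
        return False
    return all(_sha256(sig[i]) == pk[i][bit] for i, bit in enumerate(_msg_bits(msg)))


# --- hybrid: both signatures are required (AND), never either one (OR)
def hybrid_keygen():
    x, y = schnorr_keygen()
    sk_l, pk_l = lamport_keygen()
    return (x, sk_l), (y, pk_l)


def hybrid_sign(sk, msg: bytes):
    return schnorr_sign(sk[0], msg), lamport_sign(sk[1], msg)


def hybrid_verify(pk, msg: bytes, sig) -> bool:
    classical_ok = schnorr_verify(pk[0], msg, sig[0])
    pq_ok = lamport_verify(pk[1], msg, sig[1])
    return classical_ok and pq_ok


if __name__ == "__main__":
    sk, pk = hybrid_keygen()
    msg = b"firmware-1.2.3.bin sha256=..."   # constructed sample message
    print("valid:", hybrid_verify(pk, msg, hybrid_sign(sk, msg)))
```

The failure mode to guard against is a verifier written with `or` "for compatibility": it would accept a classically forged signature after a CRQC arrives, and a forged PQC signature if the new scheme is broken classically, which defeats the whole purpose of the hybrid.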
Quside designs, engineers, and commercialises quantum random number generators (QRNG). These QRNGs are the foundation of the Quantum-Resistant cryptographic stack needed for Classical, Quantum, and Post-Quantum Cryptography protocols and primitives.
Our devices use phase-diffusion technology, which is based on the widely studied quantum mechanical principles of spontaneous emission and phase diffusion. This technology enables ultrafast operation (Gb/s) and permits monolithic integration with standard semiconductor processes. It offers one of the highest quantum-to-classical noise ratios, permitting high-quality entropy assessment. Also, the deep understanding of phase diffusion allows us to measure the unpredictability of the randomness produced and therefore to verify the quality of the QRNGs. This key information can be exposed as actionable information for Security and Network Operation Centres. Quside's QRNG utilises this technology to protect data as threats become more sophisticated.
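The physics-based entropy assessment described above is specific to the device. Separately from that, any consumer of an entropy source, QRNG included, should run the continuous health tests of NIST SP 800-90B section 4.4 on the raw samples and alert on failures; this is the kind of signal an operations centre can act on. The Python below is an added example of those two tests (the repetition count test and the adaptive proportion test), not Quside's code or assessment method. The claimed entropy per sample H, the false-alarm probability and the three constructed sample streams are assumptions; the window is 1024 samples for a binary source, as the standard specifies, and 512 otherwise.

```python
"""Continuous health tests from NIST SP 800-90B section 4.4 (added example).

Repetition count test (RCT): catches a stuck source.
Adaptive proportion test (APT): catches a source whose bias has drifted far
from its claimed entropy. Sample streams below are constructed for illustration.
"""
import math

ALPHA = 2.0 ** -20   # per-test false positive probability (the standard's choice)


def rct_cutoff(h: float) -> int:
    """SP 800-90B 4.4.1: C = 1 + ceil(-log2(alpha) / H)."""
    return 1 + math.ceil(-math.log2(ALPHA) / h)


def apt_cutoff(h: float, window: int) -> int:
    """Smallest c with P[Binomial(window, 2^-H) <= c] >= 1 - alpha (4.4.2)."""
    p = 2.0 ** -h
    cdf = 0.0
    for c in range(window + 1):
        cdf += math.comb(window, c) * p ** c * (1 - p) ** (window - c)
        if cdf >= 1 - ALPHA:
            return c
    return window


def repetition_count_test(samples, h: float) -> bool:
    """Fail when any value repeats `cutoff` times in a row."""
    cutoff = rct_cutoff(h)
    run, prev = 0, object()
    for s in samples:
        run = run + 1 if s == prev else 1
        prev = s
        if run >= cutoff:
            return False
    return True


def adaptive_proportion_test(samples, h: float, window: int = 1024) -> bool:
    """Fail when the first value of a window occurs `cutoff` or more times in it."""
    cutoff = apt_cutoff(h, window)
    for start in range(0, len(samples) - window + 1, window):
        block = samples[start:start + window]
        if block.count(block[0]) >= cutoff:
            return False
    return True


def health_check(samples, h: float = 1.0, window: int = 1024) -> dict:
    """Run both tests; a failure of either should raise an alert and halt output."""
    samples = list(samples)
    return {
        "rct": repetition_count_test(samples, h),
        "apt": adaptive_proportion_test(samples, h, window),
        "rct_cutoff": rct_cutoff(h),
        "apt_cutoff": apt_cutoff(h, window),
    }


if __name__ == "__main__":
    # Constructed streams: alternating bits, a stuck source, a heavily biased source.
    print(health_check([i % 2 for i in range(4096)]))
    print(health_check([0] * 4096))
    print(health_check(([0] * 9 + [1]) * 500))
```

The biased stream is the instructive case: its longest run is nine, so the repetition count test passes, yet nine zeros in every ten is far below the claimed one bit of entropy per sample, and only the adaptive proportion test catches it. Both tests belong in the path between the noise source and anything that consumes its output.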
Immediate threats of quantum computing may or may not happen tomorrow, but the potential consequences of ignoring this issue could be nothing but detrimental to tomorrow’s economy. Fortunately, there are clear and straightforward steps you can take today to safeguard sensitive information against ‘harvest now, decrypt later’ attacks and future quantum threats. Adopting quantum-resistant cryptography and a proactive approach to security increases the likelihood that your data remains secure even as the quantum computing landscape evolves.
Protect your data now for the challenges ahead, and contact Quside for a no-commitment call to learn more about implementing quantum-resistant solutions.