Experts fear secure data harvested now will be compromised in the future when quantum computing is mainstream.
General-purpose quantum computers will be able to crack the codes that protect much of the world’s information, and while these machines don’t exist yet, security experts say governments and businesses are starting to prepare for encryption in a post-quantum world. The task is made all the more challenging because no one knows exactly how future quantum machines will work, or even which materials will be used.
Unlike traditional computers, in a quantum computer the unit of information is a quantum bit or qubit. Qubits can have a value of 0, 1, or a superposition of both values at the same time. A broadly useful computer will need qubits that are more reliable, error-corrected, longer-lasting, and more numerous than what can be produced today.
Once developed, the power of these machines could be harnessed to accelerate discoveries in fields like AI and pharmaceuticals, not to mention security. The mainstreaming of quantum cryptography is expected to usher in a new age of data security as experts explore quantum key distribution (QKD) and other methods of cryptography based on quantum mechanics.
The flip side of this is certain encryption methods based on classical computing principles will be obsolete in a post-quantum world. That, in turn, will leave countless systems vulnerable to attacks.
But the concerns are more immediate, as well. Experts are preparing for “harvest now, decrypt later” attacks. As the name suggests, HNDL threats involve hackers collecting encrypted data now with the assumption that further developments in quantum computing will allow them to decrypt that information in the future. A recent Deloitte poll found that half of professionals at organizations considering quantum computing benefits believe their organizations are at risk of such attacks.
The solution to securing existing cryptographic algorithms is straightforward, but problematic.
“All we need to do is replace those algorithms with newer versions that are quantum-resistant,” said Marc Witteman, CEO of Riscure. “Unfortunately, that is easier said than done.”
The extent of the challenge is illustrated by recent developments at the National Institute of Standards and Technology. In 2016, NIST asked the public for help creating and identifying cryptography standards that can withstand quantum threats. In July, NIST announced four winning algorithms and four algorithms under consideration. Then at the end of the month, researchers said they were able to break one of the four algorithms under consideration — variously called Supersingular isogeny Diffie–Hellman key exchange, SIDH, or SIKE — using only a laptop.
Witteman says SIKE’s failure is actually a good thing because it proves the necessity of NIST’s rigorous review and testing process, and shows that researchers are doing their jobs by trying to crack codes under consideration. “The design, implementation, validation, and adoption of new cryptographic algorithms is a slow and painful process.”
Fig 1: NIST plans to finalize post-quantum cryptography standards in 2024, but it could take between five and 15 years after that for the industry to fully adopt those standards. Source: NIST.
When the Advanced Encryption Standard was rolled out in the early 2000s, it took five years to replace the Data Encryption Standard, but another decade for industry to adopt the new standard. This is because proving algorithmic security is hard or sometimes impossible, and updating all the relevant applications and protocols takes a massive amount of time. “Both hurdles are more painful in hardware than in software, since fixing vulnerabilities and functional updates in hardware typically requires replacement of the device,” Witteman said.
Dana Neustadter, senior product marketing manager for security IP at Synopsys, said quantum computing will be a particular threat to the public key infrastructure, which currently protects a wide swath of sensitive information across the internet and elsewhere, because quantum computers can be used to crack elliptic-curve cryptography (ECC) and Rivest–Shamir–Adleman (RSA) cryptosystems — algorithms that are technically solvable but would require an impractical amount of time to solve with classical computing methods.
“Hence, manufacturers of devices and systems with longer life cycles, or targeting more sensitive applications, must start implementing a path toward quantum-safe systems,” Neustadter said. “While the standardization effort is still ongoing, there is a large spectrum of candidate algorithms, some of which may be broken before or after being standardized, and knowing that a migration to a post quantum safe world will be much more complex than transitions witnessed in the past.”
However, there are paths forward. “First, symmetric cryptographic algorithms can be quantum-safe by using large keys, and hash algorithms by using larger output sizes. With regard to public keys, traditional and post-quantum cryptography algorithms will have to coexist for a while. Crypto agility in protocols and implementations will be required to be able to replace/update algorithms more seamlessly. Agility in software via firmware updates is much easier than agility in hardware. However, just like today’s algorithms, hardware acceleration and hardware implementations are required for post-quantum cryptography to meet the performance and security targets.”
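The coexistence and agility points above can be made concrete with a hybrid key combiner: the session key is derived from both a classical shared secret and a post-quantum KEM shared secret, with every algorithm identifier bound into the derivation and carried alongside the key. This is an added illustration, not code from any of the vendors quoted; the shared secrets are constructed stand-ins (stdlib Python has no X25519 or PQ KEM), and the identifier strings and HKDF registry names are assumptions.

```python
import hashlib
import hmac
import secrets

# Wire identifiers -> hash constructors. Because the identifier is stored with
# the derived-key metadata, a hash can be retired later (crypto agility)
# without changing the surrounding protocol. Names are illustrative.
KDF_HASHES = {
    "hkdf-sha256": hashlib.sha256,
    "hkdf-sha512": hashlib.sha512,  # larger output keeps preimage margin under Grover
}

def hkdf(kdf_id, salt, ikm, info, length):
    """RFC 5869 HKDF (extract-then-expand) over the registered hash."""
    h = KDF_HASHES[kdf_id]
    prk = hmac.new(salt, ikm, h).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), h).digest()
        okm += block
        counter += 1
    return okm[:length]

def quantum_safe_key_bits(target_bits):
    """Grover's search halves symmetric/preimage strength, so keeping
    `target_bits` of post-quantum security needs a key twice as long."""
    return 2 * target_bits

def hybrid_session_key(kdf_id, classical_ss, pq_ss, classical_id, pq_id,
                       context=b"hybrid-kex-v1", target_bits=128):
    """Combine a classical (e.g. ECDH) shared secret with a post-quantum KEM
    shared secret; the result stays secret unless BOTH inputs are broken.
    Algorithm identifiers are bound into `info`, so swapping or downgrading
    a primitive yields a different key rather than a silently reused one."""
    if not classical_ss or not pq_ss:
        raise ValueError("both shared secrets are required in hybrid mode")
    info = b"|".join([context, classical_id.encode(), pq_id.encode()])
    length = quantum_safe_key_bits(target_bits) // 8  # 128-bit target -> 32 bytes
    key = hkdf(kdf_id, b"", classical_ss + pq_ss, info, length)
    # Metadata carries every identifier so the peer, and a later migration,
    # know exactly which primitives produced this key.
    return {"kdf": kdf_id, "classical": classical_id, "pq": pq_id, "key": key}

if __name__ == "__main__":
    # Constructed stand-ins; real code gets these from an ECDH exchange and a
    # PQ KEM decapsulation. Identifier strings are assumed labels.
    ecdh_ss = secrets.token_bytes(32)
    kem_ss = secrets.token_bytes(32)
    result = hybrid_session_key("hkdf-sha512", ecdh_ss, kem_ss, "x25519", "pq-kem")
    print(result["kdf"], result["classical"], result["pq"], result["key"].hex())
```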
Concurrently, George Wall, director of product marketing for Tensilica Xtensa processor IP at Cadence, said it is imperative for SoC designers to think about quantum security at the hardware architecture level. “By the time devices being designed today are ready for the market, it may no longer be sufficient to rely mostly on software techniques for securing sensitive algorithms or data,” he said. “There are companies focused on adopting quantum-based techniques for encryption, such as using the unique characteristics of a single silicon device to generate a unique and unclonable signature.”
Beyond cryptography
The concept of security in the quantum era also goes beyond cryptography.
Michael Osborne, CTO of IBM Quantum Safe, said during a recent webinar, “We understand quantum-safe as being safe in the quantum era. Part of that is replacing the cryptography that we use. The other part is making sure that unencrypted data becomes encrypted, or that we apply things like ‘zero trust’ to quantum. When we talk about the cryptography side, then it’s really about understanding where cryptography is being used and where it is not safe as we enter the quantum era. It’s really a more holistic perspective that we have in terms of being safe in the coming era.”
Adoption of the new algorithms does bring a risk, but waiting longer also increases risk. “Organizations that consider this change should carefully weigh the importance of keeping data confidential for a longer time to justify a transition right now,” Riscure’s Witteman said.
Those that choose to do so will find themselves in an enviable position compared with other organizations that do not see the advent of quantum computing on the horizon.
According to many experts, useful quantum computers are likely still about a decade away, but such predictions are difficult to make.
“Many companies have ambitious roadmaps that they’ve either shared publicly and intentionally, or unintentionally because they’re going public and have to release something to investors,” Eric Holland, director of strategic growth initiatives at Keysight, said in a recent presentation. “As a listener, you’re trying to figure out if they’ve improved the quality, the quantity, or the speed. If you aren’t seeing progress on those, then that implies that the device they have probably isn’t more powerful or a big step forward.”
Still, as recently as six years ago Holland encountered investors and end users who were convinced not only that quantum computing wasn’t on the horizon, but that it was actually a scam. “Those skeptics have been quelled.”
Conclusion
Like most other disruptive technologies, quantum computing has the potential to both fundamentally alter the world for the better, as well as for the worse. These powerful computers could vastly accelerate the pace of scientific innovation, but they also will render some previously sufficient encryption methods useless. HNDL attacks allow malicious parties to harvest sensitive data now and decrypt it later after the quantum computing field develops further.
Many experts agree the solution is to develop quantum-safe encryption methods, but that can be a slow and painful process. The failure of SIKE, one of the post-quantum encryption standards under consideration by NIST, proved both the difficulty of creating such standards and the necessity of doing so through a rigorous process. There are activities organizations can complete now to begin quantum-proofing their data, such as using large keys on symmetric cryptographic algorithms and larger output sizes on hash algorithms. Cryptographic agility in protocols and implementation also will be useful, and hardware acceleration and hardware implementation will be crucial. There are non-cryptographic steps to take, as well, such as encrypting unencrypted data and applying zero trust methods to quantum.
What about quantum bots?
Thank you. All the experts suggest good solutions. There are several points I want to emphasize.
– HNDL: harvest now and decrypt later is a concept that appeared after my architectural security system ASS (US 10972256, US 8509424) was issued by the USPTO. ASS has the capability to make a file removed or disappear from a device. Thus it makes HNDL useless.
– Using large keys on symmetric cryptographic algorithms: my system uses the AES cryptographic algorithm and a key stream to encrypt a data file, where a file could have hundreds of thousands of unrepeated keys. It is a design beyond “large keys”.
– Cryptographic agility in protocols: I think an on-the-fly key-switching cryptographic protocol is better than cryptographic agility, since cryptographic agility needs to change the system configuration, and sometimes needs more hardware to cover its agility.
– Zero trust: ASS has an identification and authorization management (IAM) subsystem, which allows an encrypted file to control who has the right to access the file. Nobody could access it without its creator. Thus it achieves zero trust.
– Quantum bots: I think the IAM subsystem and the data/file removed-or-disappeared characteristics in ASS make the system quantum resistant and quantum bots impossible.