Post-quantum cryptography must be applied now to prevent hackers from decoding today’s data when quantum computers become available.
Quantum computing promises revolutionary changes to the computing paradigm that the semiconductor industry has operated under for decades, but it also raises the prospect of widespread cybersecurity threats.
Quantum computers do not simply run every attack faster. Their threat to cryptography comes from specific algorithms: Shor's algorithm solves the integer-factoring and discrete-logarithm problems on which RSA and elliptic-curve cryptography rest, and Grover's algorithm halves the effective key length of symmetric ciphers. And while quantum computing is in an early stage of development, experts are now delving into how cyberattacks could become more powerful as quantum computing matures, particularly when it is teamed up with AI.
Comparisons of raw speed are hard to fathom. The Frontier supercomputer built by Hewlett Packard Enterprise, located at Oak Ridge National Laboratory (ORNL) in the U.S., is considered the fastest conventional supercomputer today, capable of about 2 quintillion (2 × 10^18) calculations per second. Yet Google reported that Frontier would need 47 years to reproduce a random-circuit sampling task its Sycamore quantum processor completes in seconds, and an earlier Sycamore experiment claimed a 200-second task that would take a conventional machine 10,000 years (more work is needed to improve accuracy and qubit coherence). Two caveats apply: these sampling tasks have no known cryptographic use, and the gap shows how differently the two machines scale, not that today's quantum hardware can break any cipher.
The dangers of quantum plus AI
The speed of quantum computing is a double-edged sword, however. On one hand, it helps solve certain difficult mathematical problems much faster. On the other, it puts today's public-key cryptography, and everything built on it, within reach of attackers.
“When you marry quantum computing and AI together, you can have an exponential increase in the advantages that both can offer,” said Dana Neustadter, director of product management for security IP at Synopsys. “Quantum computing will be able to enhance AI accuracy, speed, and efficiency. Enhancing AI can be a game changer for the better for many reasons. Paired with quantum computing, AI will have greater ability to solve very complex problems. As well, it will analyze huge amounts of data needed to take decisions or make predictions more quickly and accurately than conventional AI.”
Very efficient and resilient solutions for threat detection and secure management can be created with enhanced AI, transforming cybersecurity as we know it today. “However, if used for the wrong reasons, these powerful technologies also can threaten cybersecurity,” Neustadter said. “For example, it could automate the process of stealing or corrupting data, or increase the speed and efficiency of attacks. When quantum computers become more commercially pervasive, they are capable of breaking the public key cryptography used today to secure data on the internet. This is a significant threat because we use public key cryptography, like elliptic curve cryptography and RSA, pretty much everywhere in our digital communication for encryption, digital signatures, and communication protocols that rely on digital certificates for proof of authenticity.”
AI, for its part, is expected to accelerate the search for exploitable patterns in cryptographic implementations and in poorly chosen keys and passwords, rather than in the underlying mathematics.
“As AI becomes trusted for safety-critical applications like self-driving cars, the impact of a successful attack on those AI systems can be magnified enormously,” noted Steve Hanna, distinguished engineer at Infineon Technologies. “A successful attack on a self-driving car may enable the adversary to cause accidents by remote control. The security of AI systems — and, in fact, all computer systems — typically depends heavily on cryptography for secured communications, secure updates, and other functions. Thus, we can see clearly that safety-critical systems and critical infrastructure must transition to post-quantum cryptography, or include other appropriate and effective countermeasures, before quantum computing gets to the point where it can break classical cryptographic algorithms. Otherwise, the damage could be tremendous.”
Why quantum cyberattacks are so concerning
Today, users rely on passwords to protect their systems. Home Security Heroes, which provides services to prevent identity theft, reported that more than half of 15,600,000 commonly used passwords can be cracked using AI, without any quantum computer, in less than a minute. A 12-character password mixing letters, digits, and symbols would take an estimated 30,000 years to brute-force on today's computers. Quantum computing helps less against that kind of search than is often claimed: Grover's algorithm gives only a quadratic speedup, so a search space of about 2^79 guesses (95 printable characters over 12 positions) shrinks to about 2^40 quantum steps, not seconds, and each quantum step is far slower than a classical hash evaluation. The exponential speedup, and the real concern, is Shor's algorithm against the public keys commonly deployed today.
Barracuda, a network security company, reported that ransomware attacks using AI doubled from August 2022 to July 2023. Now imagine that onslaught backed by quantum-broken public keys. Conventional public-key cryptography would no longer protect anything from emails and texts to online meetings, financial and banking information, online transactions, classified and sensitive materials, and digital signatures. State-sponsored cyberattacks aimed at high-value targets, such as government agencies and infrastructure, would be the first to exploit it.
However, because quantum cyberattacks are not an imminent threat, many may take the position of watching and waiting. Jim Alfred, vice president and general manager at BlackBerry Certicom, argues this is a mistake. “Many industries have pressed the snooze button on quantum computing risk, given that the timeline for this milestone is still relatively distant. What they fail to take into account is the time it takes to change a cryptosystem, or the minimal effort required to mitigate risks today.”
Marc Witteman, CEO of Riscure, agreed. “The industry is far from ready to counter quantum attacks,” he said. “But on the good side, work to address the problem has started. It is important to keep working on that to keep pace with the increasing attack capabilities.”
The post-quantum era
While commercial quantum computing deployment may be 10 to 15 years away, it is never too early to get ready for the cybersecurity dangers that quantum computing's power threatens. At a minimum, developers need a clear path for transitioning from the pre-quantum to the post-quantum (PQ) era.
Modern digital communication, including email exchanges, file transfers, and network connections, depends on cryptographic keys. The two public-key algorithm families most widely used in public key infrastructure (PKI) are RSA (named for Rivest, Shamir, and Adleman) and ECC (elliptic-curve cryptography), which serve for key exchange and digital signatures rather than for bulk encryption.
ECC delivers the same security as RSA with far shorter keys (a 256-bit ECC key is roughly equivalent to a 3,072-bit RSA key) but is more complex to implement correctly. Symmetric encryption, such as AES, uses a single key for both encryption and decryption, while asymmetric encryption uses a public and a private key. Symmetric ciphers survive the quantum era with larger keys, because Grover's algorithm only halves their effective strength. RSA and ECC do not: Shor's algorithm breaks both regardless of key length, so new quantum-safe public-key cryptography, also referred to as post-quantum cryptography (PQC), is required.
“Asymmetric algorithms like the ECC and RSA encryption are included in most commonly used higher level protocols to set up secure communications,” noted Gijs Willemse, senior director of product management for security IP at Rambus. “Applications such as Teams chats, Zoom meetings, YouTube videos, or Google searches typically go through an Internet browser based on a TLS connection, which is the most widely used application layer (layer 4) security protocol that relies on key exchange to set up a secure communication channel. IPsec is the protocol used to protect a company’s networks, securing communication at the IP layer (layer 3) between two or more sites. Then, you have an even lower layer, at the MAC level (layer 2), a security protocol called MACsec is defined. This is typically used in data centers for protecting high-performance links between two servers. In the end, all of these protocols use ECC and RSA key exchanges, which means they are at risk from quantum cyberattacks.”
Multiple organizations are working on PQC and setting standards. The most visible is the National Institute of Standards and Technology (NIST), under the U.S. Department of Commerce. NIST launched its post-quantum cryptography standardization project in 2016, calling on cryptographers from around the world to submit algorithms able to withstand quantum attacks. After several rounds of public analysis, NIST announced in 2022 the first four algorithms selected for standardization: CRYSTALS-Kyber for key establishment, and CRYSTALS-Dilithium, FALCON, and SPHINCS+ for digital signatures, with the standards scheduled for release by 2024 (the first three appeared in August 2024 as FIPS 203, 204, and 205, under the names ML-KEM, ML-DSA, and SLH-DSA). The agency will continue to strengthen the new standard with other quantum-resistant algorithms.
These algorithms rest on mathematical problems with no known efficient quantum solution. Kyber, Dilithium, and FALCON are built on structured lattices (Kyber and Dilithium on module lattices, FALCON on NTRU lattices), and SPHINCS+ is built purely on hash functions. For general encryption, the public key is sent over the network and used to establish a shared secret; Kyber does this with comparatively small keys and ciphertexts, which is why it was chosen for that role. Digital signatures are used for authentication in digital transactions, remote document signing, and firmware signing.
NIST did not work in isolation. The agency cooperated with many other organizations in developing the PQ standard, including the following:
In addition, other organizations and companies are preparing for PQ attacks. In August 2023, CISA, NSA, and NIST jointly published the Quantum-Readiness factsheet to help industry prepare for quantum threats. In February 2023, the GSM Association published its Post-Quantum Telco Network Impact Assessment white paper, which helps telecom operators plan their PQC migration.
The FIDO Alliance's authentication standards for web applications are based on public key cryptography and are more secure than passwords and SMS one-time passcodes. To make them quantum-safe, Google announced in 2023 a hybrid signature scheme for its OpenSK security key firmware that combines the classical elliptic curve digital signature algorithm (ECDSA), as used today for web connections, with the NIST-selected PQC Dilithium algorithm; a signature is accepted only if both components verify.
“Even though hackers cannot break data that is encrypted today, they still can collect the data now and decrypt it later when the quantum computers become available,” Synopsys’ Neustadter said. “What can be done today to build quantum safe solutions? Use bigger keys for symmetric cryptographic algorithms like AES and larger outputs for hashes. In addition, start creating agile public key solutions based on the latest NIST PQC algorithm candidates (e.g., Crystals Kyber/Dilithium, Falcon, SPHINCS+, XMSS/LMS), which can adapt with the standard’s evolution, ideally with minimal to no hardware changes.”
Additionally, she advised looking at the Commercial National Security Algorithm suite, CNSA 2.0, from the U.S. National Security Agency (NSA), which recommends the specific quantum-resistant algorithms to be used for commercial applications for software and firmware updates, public key, and symmetric algorithms, as well as specific transition timeline targets. “For example, for software and firmware signing, the recommendation is to begin the transition to CNSA 2.0 immediately, support and prefer it by 2025, and use it exclusively by 2030. Synopsys has been working on solutions in these areas, including agile public key IP. Comprised of RTL and embedded firmware and software, it allows efficient upgrades as PQC standards evolve, and can be configured for specific application targets for optimal performance, power, and area (PPA).”
PQC migration
Still, there are no straightforward answers on how to proceed. Developers must define their own migration paths to implement PQC based on their own needs. Overall, the security architecture does not need to change, and basic cybersecurity design rules such as root of trust still need to be observed.
Infineon’s Hanna recommends a number of steps to prepare for the time when quantum computers can break today’s cryptographic algorithms. “First, design systems so they can transition smoothly from classical cryptographic algorithms, such as RSA, to post-quantum cryptography (PQC),” he said. “This is known as ‘crypto-agility,’ and it’s always a good idea. Second, migrate firmware signing to PQC algorithms as soon as possible. The NSA encourages vendors to begin adopting NIST SP 800-208 signatures XMSS and LMS immediately. In some cases, two signatures can be used — a classical algorithm and a PQC algorithm, where both signatures need to be verified. This protects you if either algorithm is broken. Finally, when choosing suppliers for cryptographic software or hardware, choose companies that are already PQC experts. Infineon has decades of experience with cryptographic hardware. Some recent Infineon products include support for PQC, and more will be added in the near future.”
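As an added illustration of the firmware-signing advice above (example code written for this article, not Infineon's or NIST's implementation), here is a toy stateful hash-based signature in the shape of LMS/XMSS: Winternitz one-time signatures under a Merkle tree, plus the state counter that makes such schemes safe only when it is never rewound. It is not SP 800-208 LMS or XMSS (parameter sets, hash prefixes, and encodings are omitted); the seed and the firmware bytes are constructed for the demonstration.

```python
import hashlib
import os

# Winternitz parameter w = 16: the digest is consumed in 4-bit chunks, each chain has 15 hash steps.
CHAIN_LEN = 15
MSG_CHUNKS = 64      # a 256-bit SHA-256 digest is 64 four-bit chunks
CSUM_CHUNKS = 3      # checksum <= 64 * 15 = 960 < 2^12, so three 4-bit chunks hold it
TREE_HEIGHT = 3      # 2^3 = 8 one-time keys per tree (toy size; SP 800-208 LMS trees have 2^5 to 2^25 leaves)


def H(*parts):
    return hashlib.sha256(b"".join(parts)).digest()


def chain(x, steps):
    for _ in range(steps):
        x = H(x)
    return x


def chunks(digest):
    """Message chunks plus a checksum: raising a message chunk (hashing a signature value forward)
    lowers the checksum, so an attacker cannot derive a valid signature for a different digest."""
    m = []
    for b in digest:
        m += [b >> 4, b & 0xF]
    csum = sum(CHAIN_LEN - v for v in m)
    return m + [(csum >> (4 * i)) & 0xF for i in range(CSUM_CHUNKS)]


def wots_keygen(seed):
    sk = [H(seed, i.to_bytes(2, "big")) for i in range(MSG_CHUNKS + CSUM_CHUNKS)]
    pk = [chain(s, CHAIN_LEN) for s in sk]
    return sk, H(*pk)                      # the leaf value is the hash of the one-time public key


def wots_sign(sk, digest):
    return [chain(s, v) for s, v in zip(sk, chunks(digest))]


def wots_pk_from_sig(sig, digest):
    """The verifier walks each chain the remaining steps and recovers the one-time public key."""
    return H(*[chain(s, CHAIN_LEN - v) for s, v in zip(sig, chunks(digest))])


class HashSigner:
    """Merkle tree of one-time keys. The root is the long-term public key; next_leaf is the state."""

    def __init__(self, seed=None):
        seed = seed or os.urandom(32)
        keys = [wots_keygen(H(seed, i.to_bytes(4, "big"))) for i in range(2 ** TREE_HEIGHT)]
        self._sks = [sk for sk, _ in keys]
        self.levels = [[pk for _, pk in keys]]
        while len(self.levels[-1]) > 1:
            lvl = self.levels[-1]
            self.levels.append([H(lvl[i], lvl[i + 1]) for i in range(0, len(lvl), 2)])
        self.root = self.levels[-1][0]
        self.next_leaf = 0                 # must be persisted BEFORE a signature leaves the device

    def sign(self, firmware):
        if self.next_leaf >= 2 ** TREE_HEIGHT:
            raise RuntimeError("all one-time keys used; generate a new tree")
        idx = self.next_leaf
        self.next_leaf += 1                # advance state first; a reused leaf enables forgery
        auth, i = [], idx
        for lvl in self.levels[:-1]:       # authentication path: sibling at every level
            auth.append(lvl[i ^ 1])
            i //= 2
        return idx, wots_sign(self._sks[idx], H(firmware)), auth


def verify(root, firmware, signature):
    idx, sig, auth = signature
    node = wots_pk_from_sig(sig, H(firmware))
    for sibling in auth:
        node = H(node, sibling) if idx % 2 == 0 else H(sibling, node)
        idx //= 2
    return node == root
```

Verification needs only hash evaluations, which is why the existing hardware Willemse mentions below can run it in a boot ROM. The operational hazard is the state: if a backup of the signer is restored, or two signing instances share one tree, a one-time key is used twice, and an attacker who holds both signatures learns enough chain values to sign other firmware.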
Further, there are different ways to transition. One is to switch directly from old to new. The other is to combine old and new, to have some form of safety net. “Around the world, different bodies have made different recommendations for this,” said Axel Poschmann, head of product innovation and security at PQShield. “Regardless of the transition approach, in the foreseeable future both old and new standards need to be supported, which increases the requirements for area and memory further. This will be a challenge for cost-sensitive and resource-constrained environments.”
All of these considerations have implications on the chip and system architecture, and the way cryptography needs to be addressed by designers.
Integrating PQC
Integrating the NIST-recommended PQC algorithms is a good starting point, and now is a good time to review the current cybersecurity system designs and algorithms to ensure they are up to date on basic design principles, including root of trust. Because some chips have long lifecycles, taking a long-term view to future-proof the security chips with new IP is critical.
“As interest in quantum grows, adversaries are already beginning to steal encrypted data and store it until quantum is more widely available, which would enable them to decipher the encryption,” said Andy Rose, vice president technology strategy and fellow at Arm. “This attention has caused governments and industry bodies worldwide to ask companies to start (or in some use cases, finish) their journeys to post-quantum cryptography (PQC) by 2025.”
Arm believes that any connected device needs to be secure and built on a root of trust.
“We support our partners with ecosystem initiatives such as PSA Certified, cryptographic support in our CPU IP, and upstreamed software support in Mbed TLS, TrustedFirmware, and the Linux kernel,” Rose said. “If a product uses asymmetric cryptography today, we recommend as a minimum first step enabling solutions with crypto-agility via a conservative but quantum-safe firmware update mechanism, which will allow subsequent upgrades to full PQC. If the lifetime of a system and/or the lifetime of captured data extends more than a few years into the future, it will soon become compulsory to support PQC, so it is an important proactive step to take now to ensure companies can protect themselves in the future.”
Rambus’ Willemse agreed. “One thing developers face today is the fact that chips have a long lifecycle. You would prefer to have a quantum-safe engine embedded without needing to design a completely new chip. There are two considerations. You should be able to securely boot your system with the quantum safe algorithms, such as LMS and XMSS, which leverage existing cryptographic functions and run on the existing hardware.”
However, a quantum-safe chip will require replacing ECC and RSA key generation, exchange and encryption algorithms, he said. “In most cases, today’s chips have dedicated hardware to accelerate ECC and RSA because these algorithms are very compute intensive, and the CPU itself is not fast enough to perform all the calculations to set up all these secure connections. You can imagine that for a data center Alphabet hosts to support YouTube or Google, the amount of connections that need to be set up, or the daily amount of Google searches, is tremendous. Each one of these requires a key exchange under ECC and RSA encryption. Thus, dedicated hardware to set up connections and to do the mathematical calculations is highly desirable. In the post-quantum era, these current encryption algorithms are no longer suitable. Integrating a new quantum-safe engine, a new IP next to the one performing ECC and RSA, will be able to accelerate these new encryption algorithms and protect your next-generation chips against attacks with quantum computing.”
Fig. 1: A quantum safe engine includes new IP for the hash core, sampler, and the poly/vector blocks to accelerate computing speed of these new algorithms. Source: Rambus
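To make the figure concrete, here is an added example (written for this article, not Rambus code) of the arithmetic that the poly/vector and sampler blocks of such an engine accelerate, using the ML-DSA (Dilithium) ring parameters from FIPS 204. It multiplies two polynomials with the number-theoretic transform, checks the result against schoolbook multiplication, and samples a polynomial from SHAKE-128 output by rejection, which is what the hash core feeds the sampler. The seeds are constructed for the demonstration, and the sampler omits the domain-separation bytes the standard appends to the seed.

```python
import hashlib
import random

Q = 8380417        # ML-DSA / Dilithium modulus (FIPS 204)
N = 256            # ring Z_q[x] / (x^256 + 1)
ZETA = 1753        # primitive 512th root of unity mod Q, so x^256 + 1 splits into 256 linear factors
INV_N = 8347681    # 256^-1 mod Q, applied at the end of the inverse transform


def bitrev8(k):
    return int(f"{k:08b}"[::-1], 2)


def ntt(w):
    """Forward transform (FIPS 204 Algorithm 41): 8 butterfly layers of 128 multiplications each."""
    a, k, length = list(w), 0, 128
    while length >= 1:
        for start in range(0, N, 2 * length):
            k += 1
            z = pow(ZETA, bitrev8(k), Q)
            for j in range(start, start + length):
                t = z * a[j + length] % Q
                a[j + length] = (a[j] - t) % Q
                a[j] = (a[j] + t) % Q
        length //= 2
    return a


def intt(w_hat):
    """Inverse transform (FIPS 204 Algorithm 42)."""
    a, k, length = list(w_hat), N, 1
    while length < N:
        for start in range(0, N, 2 * length):
            k -= 1
            z = (-pow(ZETA, bitrev8(k), Q)) % Q
            for j in range(start, start + length):
                t = a[j]
                a[j] = (t + a[j + length]) % Q
                a[j + length] = z * (t - a[j + length]) % Q
        length *= 2
    return [x * INV_N % Q for x in a]


def poly_mul_ntt(a, b):
    """Ring multiplication via NTT: two transforms, 256 pointwise products, one inverse."""
    return intt([x * y % Q for x, y in zip(ntt(a), ntt(b))])


def poly_mul_schoolbook(a, b):
    """Reference negacyclic multiplication, 65,536 products: x^256 wraps around to -1."""
    c = [0] * N
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            if i + j < N:
                c[i + j] += ai * bj
            else:
                c[i + j - N] -= ai * bj
    return [x % Q for x in c]


def sample_ntt_poly(seed):
    """The sampler block: expand a seed with SHAKE-128, take 23-bit candidates, reject those >= Q
    (the shape of FIPS 204 RejNTTPoly)."""
    out, pos, buf = [], 0, b""
    while len(out) < N:
        if pos + 3 > len(buf):
            buf = hashlib.shake_128(seed).digest(len(buf) + 3 * N)  # SHAKE output is prefix-consistent
        b0, b1, b2 = buf[pos:pos + 3]
        pos += 3
        z = b0 | (b1 << 8) | ((b2 & 0x7F) << 16)
        if z < Q:
            out.append(z)
    return out


def random_poly(seed):
    """Constructed test input: uniformly random coefficients from a seeded PRNG."""
    rnd = random.Random(seed)
    return [rnd.randrange(Q) for _ in range(N)]


def check(seed=1):
    """Round-trip the transform and cross-check NTT multiplication against the reference."""
    a, b = random_poly(seed), random_poly(seed + 1)
    return intt(ntt(a)) == a and poly_mul_ntt(a, b) == poly_mul_schoolbook(a, b)
```

One NTT multiplication costs 1,024 modular multiplications per transform plus 256 pointwise products, against 65,536 for the schoolbook loop, and a single ML-DSA signature performs dozens of such multiplications over vectors of polynomials. That per-operation cost, multiplied by the connection rates Willemse describes, is the case for a dedicated engine with its own hash core and sampler next to the existing RSA/ECC accelerator.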
Quantum-safe VPN
VPN is another consideration, noted Andersen Cheng, chairman of Post-Quantum. “One of the ‘lowest impact, highest reward’ steps you can take now is to upgrade to a hybrid, quantum-safe VPN to protect data flowing between your sites. A VPN is a technology that enables us to have safe and private connections through the public Internet network.”
Researchers and developers continue to explore quantum-safe design ideas and chips. A longer-term direction is data that stays encrypted even while it is being processed.
“One of the promising trends in this area is fully homomorphic encryption (FHE),” observed Frank Schirrmeister, vice president of solutions and business development at Arteris. “As an encryption scheme, FHE enables computation on encrypted data. There is no decryption of data, ever, and no use of keys. Data remains encrypted at all times, and FHE is believed to be quantum-safe. One of the most significant drawbacks of homomorphic encryption is that it is computationally intensive and slow. Encrypting, decrypting, and performing ciphertext operations are significantly more resource-intensive than the same operations on plaintext. Cornami’s CEO, Wally Rhines, pointed out in his recent DAC 2023 keynote that the FHE-related data-movement challenge eliminates existing hardware architectures. Future chip requirements for FHE acceleration will include wide-word processing with 10,000+ wide words, massive parallelism on distributed memory, and an enormous number of cores in small footprints. As a result, data-movement related building blocks on and between chips, like memory interfaces and networks-on-chips (NoCs) will have to evolve accordingly.”
Conclusion
Quantum computing is both a useful technology and a security threat. On one hand, it helps solve difficult mathematical problems much faster. On the other, it would increase the cyberattack possibilities.
Expert opinions vary regarding when a quantum computer able to break today's public-key cryptography will become available. The general consensus is 10 to 15 years from now, but it could happen sooner. The best time for developers to prepare for future quantum cyberattacks is now. Because every situation is different, it will take time to define a clear path to implement PQC.
NIST and other organizations have provided important and useful information on PQC for developers to adopt. What most developers may not realize is that data encrypted today may have a long lifetime, so the same content may still be sensitive 20 years from now. Applying PQC today will prevent attackers from decoding that data when quantum computers become available.
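A compact way to run the check this conclusion calls for is Mosca's inequality, added here as a worked rule rather than taken from the article. Let x be the number of years the data must stay confidential, y the number of years the migration to PQC will take, and z the number of years until a cryptographically relevant quantum computer exists. Data encrypted under classical public-key cryptography today is exposed to harvest-now, decrypt-later whenever

```latex
x + y > z
```

With the article's own figures, x = 20 years of data lifetime and z = 10 to 15 years, the inequality already holds with y = 0 (20 > 15), so such data is exposed before migration time is even counted. Taking a migration time of y = 5 years (an assumed figure, not from the article) and the optimistic end of the estimate gives

```latex
x + y - z = 20 + 5 - 15 = 10 \text{ years}
```

during which data captured now can be decrypted while still sensitive. The practical reading is that for long-lived data the deadline is not the arrival of the quantum computer but that date minus the data's lifetime minus the migration time, which for 20-year data is already in the past.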
There are actually two cyber defenses at the post-quantum generation. One is to keep searching for newer, more complicated, heavy-duty cryptographic algorithms that require complex calculations. The other one is simply making the file disappear on that device (as discussed with Dr. Merrick S. Watchorn, who commented that this is possible) while having more copies stored throughout the Internet (distributed storage).
The file is encrypted with thousands of thousands of keys (an idea that General Gregory Touhill likes), where there is no key management. Accessing the file (decrypting the file) requires another identification and authentication (IAM) system, which uses biometrics plus one sensor variable, verifying a user’s real identity. Dr. Ron Ross is looking for “systems thinking” and “systems engineering” to build trustworthy secure systems. The patent US 10972256, which has been examined by three USPTO examiners, including Ms. Darnell Jayne, is designed specifically targeting this concept.
It is urgent to address the “download now and decipher later” tactics that hackers are using right now. The concept of a computing architectural secure system (CASS) is revolutionary, and the technology is mature in the market, while quantum computing technology requires many complicated and uncertain technologies to develop (10 – 15 years). Most of all, quantum computing could not possibly be deployed to every device, even after decades, where CASS is an ASIC chip and easily embedded into every computing device.