What would you say if someone told you that the foundational technology upon which most of your security protections are built will be completely nullified in 10 to 15 years? Sounds like FUD, but according to many experts, this day of reckoning is coming for modern cryptography as soon as a decade from now.
The danger lies in the power of quantum computing, which, once it becomes a practical reality, will have the computing firepower to easily brute-force today’s most advanced cryptographic methods. According to many experts, that reality is coming within 15 years—maybe sooner if breakthroughs like those announced this spring by Google with its Bristlecone quantum processor are any indication.
“If quantum computing were to succeed in breaking today’s cryptography, users would find that their most sensitive data was vulnerable,” said Chris Burchett, vice president of client security software for Dell, explaining that asymmetric encryption—the kind that powers Internet communication through SSL—would be particularly at risk. “This means that most ecommerce, online banking, VPNs or other secure internet communication would no longer be trusted to be authentic, secure or private.”
But the speed of quantum computing would jeopardize even the symmetric encryption most commonly used to protect data when it is stored, Burchett said.
“In this way, quantum computing would jeopardize the security of both encrypted data in motion and at rest,” he said.
Granted, this kind of devastating quantum effect isn’t going to hit tomorrow. But the fact is that new cryptographic methods take a long time to standardize, and a really, really long time to commercialize and implement in a practical way. And this is why many pundits in the security world say that we’re now in a Y2K-like race to get encryption right before quantum computing changes the world of data obfuscation.
One group helping to lead the charge to make systems secure in a post-quantum world is the Cloud Security Alliance (CSA), which has organized a Quantum-Safe Security (QSS) Working Group to help push this issue forward in the industry. The most recent update out of the group is a new report that breaks down some of the most compelling algorithmic classes that could potentially act as alternatives to today’s quantum-vulnerable encryption methods. The paper helps condense a lot of the recent findings from research submitted to NIST in its Post-Quantum Cryptography Standardization project.
While the CSA summarized only five major categories in its paper, the report’s lead author, Roberta Faux, offered perspective that this is a summation of approximately 80 submissions made to NIST. As she explained, there were 26 different kinds of lattice-based schemes proposed and 19 different code-based schemes alone.
What that means is that the industry has a lot of debates to go before even the academics are done figuring out the best theoretical models to put forward. And then the engineers need to take a crack at putting them to use in the real world.
“Cryptographers are very focused on the security that the various algorithms offer, and we still need engineers to investigate the practical details of how algorithms can be efficiently implemented and used,” Faux said. “There is already a lot of software available in open source but there will be many unanticipated challenges with actual implementation. Many companies are already trying to commercialize but we need to wait for standards.”