Standards bodies, government organizations and research centers are weighing in on preparing for the threat that quantum computers pose to encryption. The latest from the National Institute of Standards and Technology (NIST): “The race to protect sensitive electronic information against the threat of quantum computers has entered the home stretch.”
The institute has been in the process of evaluating and standardizing quantum-safe algorithms for key establishment and digital signatures. NIST recently selected the final round of post-quantum cryptography candidates and plans to release the initial standard for quantum-resistant cryptography in 2022, saying that Round 3 will last 12 to 18 months. When it comes to migration, that’s a blink of an eye!
“Anyone that wants to make sure that their data is protected for longer than 10 years should move to alternate forms of encryption now,” warned Arvind Krishna, director of IBM Research, in a ZDNet article.
Organizations that rely on classical public-key cryptography, such as RSA or ECC, will need to migrate their security infrastructure to a quantum-safe state to offer adequate protection in the new technology paradigm. Since RSA- and ECC-based systems are essentially ubiquitous around the world today, this represents the largest, and most difficult, technology migration in human history.
Governments and organizations around the world, including significant threat actors, are pouring vast amounts of money and resources toward the development of large-scale quantum computers and related quantum technologies.
Quantum-safe migration planning can be extremely complex and resource-intensive. Organizations must create and execute plans to protect their networks, infrastructures, digital assets and more from quantum-enabled attacks. This quantum-safe planning involves:
Many organizations, especially government agencies, have taken 10 to 15+ years to complete smaller cryptographic migrations in the past. In comparison, the quantum threat and subsequent migration required is unprecedented in scope and scale.
The European Telecommunications Standards Institute (ETSI) has published multiple reports investigating various aspects of quantum computing, including an analysis of different case studies and deployment scenarios, as well as a general assessment of the quantum threat. Examples of security threats caused by quantum computers include “harvest and decrypt” attacks, whereby encrypted data is captured in transit and stored until the attacker has access to a quantum computer capable of decrypting it.
If encrypted sensitive data is stolen today, it can be “saved” and will be accessible once a sufficiently powerful quantum computer is available. If sensitive data—client information, financial data, healthcare data, trade secrets, classified information—needs to remain confidential for seven years or longer, then it should be considered at-risk, requiring quantum-safe protections today. Harvest-and-decrypt attacks are therefore a concern for any data transmission carrying information whose confidentiality must outlast that horizon. This implies that the quantum threat is a highly relevant concern for many of today’s secure communications, including TLS- or VPN-protected sessions.
NIST concurs, noting that once quantum computers are in place, “individuals can record and capture current information and communications and gain access to the raw content once quantum computing technology is available. This includes all recorded communications and stored information protected by those public-key algorithms.”
According to a 2020 report by the RAND Corporation, “There is little to no margin of safety for beginning the migration to [post-quantum cryptography] PQC. The vulnerability presented by quantum computers will affect every government body, critical infrastructure, and industry sector.” (Post-quantum cryptography is often referred to as quantum-safe cryptography.) Organizations need to ask themselves what will need to be upgraded and when.
Let’s take a look at satellite manufacturers, for example. Satellites take years to develop and are often expected to operate for a long time. A satellite launched into space today without some sort of embedded quantum-safe security will essentially be space junk well before the expected end of its useful life if it cannot be trusted to secure data transmissions. What if the satellite’s sensitive communications are compromised by quantum-capable attackers, or if confidentiality requirements are threatened by harvest-and-decrypt attacks?
Similar examples can be seen in the enterprise space. A small organization with limited infrastructure and relatively uncomplicated systems should easily be able to identify where it uses cryptography today and form an actionable strategy to ensure it has adequate quantum-safe protections. This includes ensuring that vendors in the organization’s supply chain are also adding the necessary quantum-safe protections to their products. Of course, this action plan must also address transitioning the security of internally developed systems to quantum-safe states in a relatively short amount of time.
The same cannot be said for larger enterprises running vast networks, possibly with integrated cloud capabilities and disintegrating network security perimeters—due to factors such as BYOD policies, increased numbers of remote workers, high employee or contractor turnover and so on. Discovering and documenting where cryptography is deployed in large enterprises can take years, even with significant resources invested in the project.
Determining how to upgrade systems to ensure they are protected from quantum-enabled attacks also adds several additional years to the migration plan. Add in the budget considerations, testing requirements, compliance obligations, proof of concept projects and the actual eventual deployment, and suddenly the migration timelines for many organizations extend beyond the expected advent of large-scale quantum computers.
There are five different branches of mathematics that are currently believed to yield quantum-safe asymmetric cryptographic algorithms. Most are represented in the current NIST PQC project. These families are based on lattices, hash functions, supersingular isogenies, coding theory and systems of multivariate quadratic polynomials. Each branch has its own advantages and disadvantages, and the current candidates vary greatly in terms of key and data sizes, power consumption and algorithm runtimes (for key generation or encapsulation, signature generation, signature verification, etc.).
Once NIST publishes initial standards, organizations will have to be careful in selecting algorithms most suited to their own requirements. Importantly, this involves understanding exactly what the needs and requirements of the organization are.
This leaves us with a chasm between today and when standards-compliant implementations can be certified and accredited. We recommend that organizations investigate hybrid (classical plus quantum-safe) or crypto-agile solutions. Crypto agility means that cryptographic components of systems or their sub-systems can be easily removed and replaced with minimal disruption to the rest of the system. In terms of executing any sort of cryptographic transition, not just one from classical to quantum-safe cryptography, crypto agility provides an attractive method to substantially reduce technology switching costs.
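As an added illustration of what a hybrid, crypto-agile key-establishment layer looks like in code (this is example code, not from the article or any named product), the block below keeps a registry of suites, each listing the key-exchange components whose shared secrets are combined, so that moving from classical to hybrid to PQ-only is a registry change rather than a rewrite of the calling code. It assumes the component secrets (labelled here with the constructed names ecdh-p256 and pq-kem) are produced by whatever ECDH and PQ-KEM libraries a deployment actually uses, and combines them with a concatenation combiner fed through HKDF-SHA256 (RFC 5869).

```python
# Added example, not code from the article: a crypto-agile key-establishment
# layer. A "suite" names the key-exchange components whose shared secrets are
# combined, so moving classical -> hybrid -> PQ-only is a registry change, not
# a rewrite of the callers. Assumption: the component secrets come from the
# ECDH / PQ-KEM library a deployment actually uses; the combiner is a
# concatenation combiner fed through HKDF-SHA256 (RFC 5869), the construction
# used by the IETF hybrid TLS design.
import hashlib
import hmac
from typing import Dict, Tuple

HASH = hashlib.sha256

def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """RFC 5869 Extract: PRK = HMAC-Hash(salt, IKM); empty salt -> zero block."""
    return hmac.new(salt or bytes(HASH().digest_size), ikm, HASH).digest()

def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 Expand: T(i) = HMAC-Hash(PRK, T(i-1) | info | i)."""
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm += block
        counter += 1
    return okm[:length]

# Suite registry: ordered component algorithms per suite (constructed names).
# Only this table changes during migration; callers never name an algorithm.
SUITES: Dict[str, Tuple[str, ...]] = {
    "classical": ("ecdh-p256",),
    "hybrid": ("ecdh-p256", "pq-kem"),
    "pq-only": ("pq-kem",),
}

def derive_session_key(suite: str, secrets: Dict[str, bytes],
                       transcript: bytes, length: int = 32) -> bytes:
    """Combine every component secret the suite requires into one session key.

    A missing component is an error rather than a silent fallback: continuing
    with only the classical secret would reintroduce exactly the
    harvest-and-decrypt exposure the hybrid suite exists to remove.
    """
    components = SUITES[suite]
    missing = [c for c in components if c not in secrets]
    if missing:
        raise ValueError(f"suite {suite!r} lacks secrets for {missing}")
    ikm = b"".join(secrets[c] for c in components)      # concatenation combiner
    prk = hkdf_extract(HASH(transcript).digest(), ikm)  # salt binds the handshake
    info = b"session-key|" + suite.encode() + b"|" + b"+".join(c.encode() for c in components)
    return hkdf_expand(prk, info, length)
```

The derived key stays secret as long as at least one component secret does, which is the property that makes a hybrid suite a safe interim step while the PQ component is still awaiting standardization and certification.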
There is a small margin of error for beginning the quantum-safe migration. If organizations wait until NIST finalizes standards before they start investigating or implementing quantum-safe solutions, they very likely will not have enough time to properly form and execute their migration plan, leaving them susceptible to quantum-enabled attacks. For organizations that require standards before they can deploy new algorithms in their infrastructures or production environments, it is critical that they engage in proof-of-concept planning now to ensure they are ready to roll out the new technologies in a responsible timeline.
Here are the initial migration steps we recommend as organizations transition to a quantum-safe state:
The work required to become quantum-safe ready is vast and could take years to accomplish, depending on the organization’s network and infrastructure complexity.
Making the relevant inquiries now is essential to minimize the amount of time it will take organizations, partners and suppliers to make this cryptographic shift. Asking partners and suppliers about their road maps and timelines for quantum-safe migrations will be an essential exercise. Without sufficient demand from their customers, OEMs may put off their own quantum-safe migrations.