A White House memo directed at federal agencies aims to jumpstart efforts to move vulnerable security systems to a quantum-resistant cryptography security posture and maintain investment in quantum computing technology.
The document, released on May 4, warned quantum computing poses “significant risks to the economic and national security of the United States.”
Most notably, a quantum computer of sufficient size and sophistication—also known as a cryptanalytically relevant quantum computer (CRQC)—would be capable of breaking much of the public-key cryptography used on digital systems across the United States and around the world.
“Research shows that at some point in the not-too-distant future, when quantum computers reach a sufficient size and level of sophistication, they will be capable of breaking much of the cryptography that currently secures our digital communications on the Internet,” the memo stated.
To balance the competing opportunities and risks, the Biden administration is pushing for efforts to maintain American leadership through continued investment and partnerships, while mitigating the threat of CRQCs through a “timely and equitable transition” of cryptographic systems to interoperable quantum-resistant cryptography.
Mitigating the Risk
The term “quantum-resistant cryptography,” also referred to as post-quantum cryptography, describes cryptographic algorithms or methods that are determined to not be specifically vulnerable to attack by either a CRQC or a classical computer.
The goal is to mitigate as much of the risk as is feasible by 2035, with the first sets of technical standards for quantum-resistant cryptography expected to be released publicly by 2024.
“Any digital system that uses existing public standards for public-key cryptography, or that is planning to transition to such cryptography, could be vulnerable to an attack by a CRQC,” the memo warned.
The document noted additional guidance and directives may be required in the future as quantum computing technologies and their associated risks mature.
The memo recommended that investments target the discovery of new quantum applications, new approaches to quantum-component manufacturing, and advances in quantum-enabling technologies, such as photonics, nanofabrication and cryogenic and semiconductor systems.
Andrew Barratt, vice president at Coalfire, a provider of cybersecurity advisory services, explained that the biggest threat is to public-key encryption technology.
“It is widely believed that quantum computing will enable rapid factoring of the prime numbers that support public-key encryption,” he said. That is vital because public-key cryptography is often used to transfer “symmetric” key-encryption keys used for the transmission of sensitive data.
“This has huge, huge implications for almost all encryption transmission, but also for anything else that requires digital signatures, such blockchain technologies supporting cryptocurrency like Bitcoin,” he said.
Barratt said the IT security industry needs to fundamentally rethink root key infrastructure to be quantum-based.
He explained that once quantum computing is available for mainstream use, the likelihood is that cryptography will have to make a pivot away from the prime number-based math to elliptic curve-based crypto (ECC) systems.
“However, it’s only a matter of time before the underlying algorithms supporting ECC become vulnerable at scale by designing quantum systems specifically to break it,” he added.
When assessing how acute the threat is to current cryptography standards, Barrett pointed out that quantum systems are still a long way from having the scale required to be dangerous.
“However, given the potential threat to cryptocurrency, there is a massive incentive,” he said. “The other interesting impact could be the undermining of Bitcoin, creating a significant crash in value.”
Barrett said military, intelligence and defense organizations should probably be first in line once the technology is fit-for-purpose for signals intelligence work.
“Following that, quantum will probably be a major part of all crypto systems in the future,” he said.
The national security memo added that quantum information science (QIS) and related cybersecurity principles should be incorporated into academic curricula at all levels of schooling to support the growth of a diverse domestic workforce.
“Furthermore, it is vital that we attract and retain talent and encourage career opportunities that keep quantum experts employed domestically,” the memo stated.
It also called for the United States to promote professional and academic collaborations with overseas allies and partners.
“This international engagement is essential for identifying and following global QIS trends and for harmonizing quantum security and protection programs,” the document said.