Forbes: Why companies must act now to prepare for post-quantum cryptography
Quantum computing is on the verge of a breakthrough, promising to bring unprecedented speed to problem-solving in a range of applications and industries, even if it’s not quite ready for mainstream use. When that happens, it will herald a new era of computing — but also bring with it significant risks.
In problem spaces where quantum computing can make a difference, the improvement in processing power over traditional computing is measured in orders of magnitude. A number of previously “hard to solve” problems suddenly become a lot easier. Unfortunately for those of us using public-key cryptography, the “hard to solve” problems include those that make today’s public-key encryption methods secure. In the face of quantum-enabled cyberattacks, nothing that relies on public-key encryption will be safe using current security protections.
Although companies developing quantum systems have announced various “breakthroughs” in recent years, systems are still in the testing stage, and quantum does have its skeptics. That said, progress does appear to be accelerating, and building an effective quantum computer is starting to look like more of an engineering problem than a “pie in the sky” research problem.
The National Institute of Standards and Technology (NIST) has been working on post-quantum cryptography for the past five years — a wise move considering the amount of time it takes to test, adopt and roll out a new standard, then wait for enough “critical mass” to develop among organizations adopting the standard. It can take a decade or so, especially the last part. (NIST announced the current Advanced Encryption Standard — AES, also referred to as FIPS PUB 197 — in 2001, 24 years after its predecessor, DES, was published.)
While NIST has already released one quantum-resistant signature standard, it is regarded as increasingly complex to implement safely and has likely been released as a stopgap. Work has also been done on developing more implementation-friendly standards. NIST has a list of seven finalists and eight alternative candidates of interest. It is expected that NIST will announce the final algorithm choices and draft standards early in 2022 and final standards in 2024. These new algorithms use several different approaches based on techniques such as lattices, coding theory, multivariate polynomials and hash-based trees. These techniques are more resilient against advances in classical computing than the current public-key algorithms and offer greater security overall.
Quantum computers will create new technology that will disrupt our current public-key systems. At the same time, quantum computers signify advances in both classical computer design and algorithms, which are also slowly chipping away at the security of our public-key systems. But rest assured, new algorithms are on the way.
Tomorrow’s Threat Is Today’s Challenge
Organizations should understand the potential impacts of quantum computing on their cryptography, have an idea of how and when they could adopt the new standards, and know how they can prepare by being “crypto-agile.” We hear a lot about crypto-agility these days, often just in the context of being able to swap one algorithm for another. The reality is more complex.
Know What Algorithms You Are Actually Using And Where
Run an inventory of what’s in place; from that, it becomes possible to work out dependencies and what constraints might apply. It’s a good idea to do this across everything, not just public-key algorithms. There is a quantum algorithm that essentially halves the security of a symmetric cipher as well. While in this particular case the level of sophistication required for a quantum computer to run such an algorithm is likely decades away, it does mean that further down the track we will need to expand our symmetric key sizes as well (for today, if you are really worried, only use AES-256).
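The inventory step above is easier to act on if each record carries an estimate of what survives a quantum adversary. The following script is an added example, not code from the article: it reads a constructed inventory (system, role, algorithm, key bits, years the key must stay trusted), applies the two rules the text describes (public-key algorithms lose all their security, symmetric key lengths are effectively halved), and orders the migration backlog so that trust anchors and long-lived keys surface first. The record format, the role names and the 128-bit target are assumptions chosen for illustration.

```python
"""Inventory triage for post-quantum planning (added example; the data and
helper names are constructed for illustration, not a real scanner's output)."""
from dataclasses import dataclass

# Constructed inventory, one record per key or cipher in use:
# system, role, algorithm, key length or strength in bits, years it must stay trusted.
INVENTORY = """
vpn-gw-01,key-exchange,RSA,2048,2
vpn-gw-01,bulk-cipher,AES,128,2
root-ca,trust-anchor,RSA,4096,15
issuing-ca,signature,ECDSA,256,8
backup-store,bulk-cipher,AES,256,10
api-edge,key-exchange,X25519,256,1
legacy-mq,bulk-cipher,3DES,112,5
"""

PUBLIC_KEY = {"RSA", "DSA", "DH", "ECDSA", "ECDH", "X25519"}   # broken outright by Shor
SYMMETRIC = {"AES", "3DES", "CHACHA20"}                        # weakened by Grover
TARGET_BITS = 128   # post-quantum security level we want every component to retain


@dataclass
class Finding:
    system: str
    role: str
    algorithm: str
    classical_bits: int
    quantum_bits: int       # estimated security once a large quantum computer exists
    lifetime_years: int
    verdict: str


def quantum_strength(algorithm: str, bits: int) -> int:
    """Shor's algorithm breaks today's public-key schemes outright (0 bits left);
    Grover's search roughly halves the effective key length of a symmetric cipher."""
    if algorithm in PUBLIC_KEY:
        return 0
    if algorithm in SYMMETRIC:
        return bits // 2
    raise ValueError(f"unclassified algorithm: {algorithm}")


def parse_inventory(text: str):
    """Parse the comma-separated records into tuples; unknown algorithms fail loudly later."""
    records = []
    for line in text.strip().splitlines():
        system, role, alg, bits, years = (f.strip() for f in line.split(","))
        records.append((system, role, alg.upper(), int(bits), int(years)))
    return records


def assess(record) -> Finding:
    system, role, alg, bits, years = record
    qbits = quantum_strength(alg, bits)
    if qbits == 0:
        verdict = "REPLACE: public-key algorithm, no post-quantum security"
    elif qbits < TARGET_BITS:
        verdict = "UPGRADE: symmetric key too short under Grover (move to AES-256)"
    else:
        verdict = "OK: retains 128-bit security"
    return Finding(system, role, alg, bits, qbits, years, verdict)


def prioritize(findings):
    """Migration order: anything below target first, trust anchors before other
    keys (they take longest to roll over), then longest remaining lifetime first."""
    return sorted(findings, key=lambda f: (f.quantum_bits >= TARGET_BITS,
                                           f.role != "trust-anchor",
                                           -f.lifetime_years,
                                           f.system))


def triage(text: str = INVENTORY):
    """Full pipeline: parse, assess every record, return the prioritized backlog."""
    return prioritize(assess(r) for r in parse_inventory(text))


if __name__ == "__main__":
    for f in triage():
        print(f"{f.system:<13}{f.role:<14}{f.algorithm}-{f.classical_bits:<6}"
              f"pq~{f.quantum_bits:<4}{f.lifetime_years:>2}y  {f.verdict}")
```

Run as-is, the root CA's 4096-bit RSA key heads the list despite being the largest key in the inventory, and the AES-256 backup store is the only entry that needs no action, which is exactly the ordering the inventory is meant to expose.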
Understand The Weak Points And Prioritize Updating Systems Standards
This is where preparation is required: certificates, most particularly the long-lived trust anchors, will need to be updated. Key sizes for public-key algorithms will most certainly change. Organizations could discover it is not possible to change over all their infrastructure at once; in these instances, it is acceptable to implement a transition strategy. They will also have to decide whether to migrate to PQC via hybrid certificates or via the traditional X.509 single-key certificate format.
There are pros and cons to both:
• Hybrid certificates contain a sequence of both traditional and PQC public keys and signatures. While there is no standard for these yet, a draft is currently progressing through the IETF toward RFC status, and it should arrive before the new NIST PQC standards do. Minimal changes are required to migrate from traditional X.509 certificates, so the basic idea is to deploy the new hybrid certificates and, once established, start moving all the services using those certificates to the PQC algorithm. Potential pitfalls here include oversized, “jumbo” certificates and complex certificate path validation, particularly if the traditional signature algorithm is compromised and PQC-based verification starts to disagree with it.
• With single-key certificates, the traditional and PQC public keys and signatures are carried in separate certificates. This could be done with an “all or nothing” or a “side by side” approach. “All or nothing” is self-explanatory. “Side by side” means keeping the old infrastructure in place and deploying the new next to it. The potential downside here is that it will require new messages and new deployment infrastructure. On the other hand, it is easier to ensure full migration, as you would be unlikely to be caught out by a hybrid certificate that was still being used for its traditional algorithm.
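Two of the points above, the “jumbo” certificate pitfall and the earlier remark that the existing hash-based signature standard is complex to implement safely, come from the same place: the arithmetic of hash-based signatures. The block below is an added example, not the article's or NIST's code. It implements the simplest hash-based scheme, a Lamport one-time signature over SHA-256 (the conceptual basis of the hash-based tree schemes, not the standardized construction), reports the key and signature sizes that would have to travel inside a certificate, and shows the state tracking that such schemes need because each key may sign only once. The `OneTimeSigner` class and the comparison sizes for RSA-2048 and ECDSA P-256 are illustrative choices of this example.

```python
"""Lamport one-time signature over SHA-256 (added example; simplified teaching
code, not a NIST standard and not material from the article)."""
import hashlib
import secrets

N = 32            # SHA-256 digest length in bytes
BITS = 8 * N      # one private-key pair per message-digest bit


def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def keygen(rng=secrets.token_bytes):
    """Private key: 256 pairs of random 32-byte preimages.
    Public key: the SHA-256 hash of every preimage, pairs kept in order."""
    sk = [(rng(N), rng(N)) for _ in range(BITS)]
    pk = [(H(a), H(b)) for a, b in sk]
    return sk, pk


def digest_bits(message: bytes):
    """Big-endian bit list of SHA-256(message); each bit selects one preimage."""
    d = H(message)
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(BITS)]


def sign(sk, message: bytes):
    """Reveal, for each digest bit, the preimage that bit selects."""
    return [sk[i][b] for i, b in enumerate(digest_bits(message))]


def verify(pk, message: bytes, signature) -> bool:
    """Hash every revealed preimage and compare with the matching public-key entry."""
    if len(signature) != BITS:
        return False
    return all(H(s) == pk[i][b]
               for i, (s, b) in enumerate(zip(signature, digest_bits(message))))


class OneTimeSigner:
    """State tracking is the hard part of stateful hash-based signatures:
    a Lamport key may sign exactly once, because every signature reveals
    half of the private key, so the signer must record that the key is spent."""
    def __init__(self):
        self.sk, self.public_key = keygen()
        self.used = False

    def sign(self, message: bytes):
        if self.used:
            raise RuntimeError("one-time key already consumed; refusing to sign")
        self.used = True
        return sign(self.sk, message)


def sizes() -> dict:
    """Why a certificate carrying such material becomes 'jumbo': compare with the
    256-byte modulus of an RSA-2048 key and a 64-byte raw ECDSA P-256 signature."""
    return {
        "lamport_public_key_bytes": BITS * 2 * N,   # 16384
        "lamport_signature_bytes": BITS * N,        # 8192
        "rsa2048_modulus_bytes": 256,
        "ecdsa_p256_signature_bytes": 64,
    }


if __name__ == "__main__":
    signer = OneTimeSigner()
    sig = signer.sign(b"issue certificate 42")
    print("verifies:", verify(signer.public_key, b"issue certificate 42", sig))
    print(sizes())
```

A 16 KB public key and an 8 KB signature for a single one-time key is the size problem in miniature; the production tree schemes shrink this considerably but remain far larger than RSA or ECDSA, which is why hybrid certificates that carry both families grow well beyond what some TLS stacks and hardware tokens expect.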
The Strategy Must Be Crypto-Agile
The transition to post-quantum algorithms is a priority. Companies that begin planning now to implement quantum-resistant cryptographic standards can ensure that they protect their most critical digital and hardware assets from this future cyber threat, as well as threats arising from advances in classical computing.