Utimaco CTO Nils Gerhardt describes the threat quantum computing poses to current encryption methods and suggests how cybersecurity can get ahead.
The US National Institute of Standards and Technology (NIST) recently announced that, after six years of testing, it has settled on four algorithms it believes will be able to withstand attacks from the quantum computers currently being developed around the world. This may seem like something that will only be of interest to IT and security circles, but even if these algorithms remain unobtrusive in our lives and businesses, they will have a significant impact.
Quantum computing exploits the laws of quantum mechanics to solve problems that cannot be solved by classical computers. These systems are already showing that they can perform calculations that would be prohibitively time-consuming on conventional computers.
Although the idea of quantum computing has been around since the 1980s, it’s only in recent years that we’ve seen working prototypes such as IBM’s Eagle being developed. As early as 1994, scientists had determined that quantum computers could break the RSA encryption that to this day underpins much of digital security.
The threat to current encryption
While existing computers are theoretically capable of cracking RSA encryption, efforts to do so would actually take around 300 billion years. According to research published in the journal Quantum, a quantum computer using Shor’s algorithm with enough “qubits,” or quantum bits, could crack the same encryption in seconds.
This means that attackers may soon be able to access credit card information, steal encrypted patient data, or compromise cryptocurrency security if we don’t adequately prepare for post-quantum security. Digitally signed documents created before quantum-resistant algorithms were implemented will also be vulnerable. Unless they can be re-signed by both parties in a format using quantum-resistant cryptography, millions of legal agreements could be invalidated. Even the blockchains that power the $2 trillion cryptocurrency market and a growing number of other applications could be compromised.
Digitally signed documents can also be changed retroactively in a post-quantum world. Since digital documents are replacing hand-signed documents, and even physical documents that are scanned and securely stored, any digitally signed document that has no physical equivalent could become legally unenforceable if tampered with by hackers. Additionally, some document signing companies have tens of millions of rental contracts and employment contracts on their servers. It is essential that all these documents be re-secured before quantum computers pose a formidable threat.
Preparing for a post-quantum world
To determine where post-quantum cryptography (PQC) and conventional cryptography will need to be implemented, companies will need to understand what data needs to be protected and what will be worthless to cybercriminals. Over time, some data will become stale and worthless to hackers, but some data will need to be protected indefinitely.
Before an initial plan is in place, a proof of concept that uses PQC or hybrid methods to protect data can be created to deploy to a company’s digital assets.
It may simply be a matter of switching from one method to another. Transport-layer security, for example, can be made quantum-resistant, and post-quantum cipher suites are already available from Amazon Web Services. This means that information in transit (i.e. credit card details sent by a customer to an e-commerce retailer) will be secure in all future transactions. Legacy systems, however, might need to be significantly upgraded or even replaced.
Full deployment of quantum security in an organization can take years in some cases.
Get ahead of quantum hacks
When it comes to securing existing assets, there are two options. The first is to re-encrypt the data with the new quantum-resistant algorithms. This can take time, especially when there are thousands or even millions of data to encrypt. Using “hybrid” encryption, on the other hand, involves leaving the existing encryption in place and placing a layer of quantum encryption on top of it. This can be difficult when the files are larger, and poorly implemented hybrid security can be as insecure as standard non-quantum security.
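The hybrid approach described above, and the post-quantum TLS key exchange mentioned earlier, both rest on one idea: the session key must depend on a classical shared secret and a post-quantum shared secret at the same time, so that breaking the classical one (with Shor’s algorithm) is not enough. The following is an added example, not code from the article or from Utimaco; it implements an HKDF-based combiner with constructed stand-in secrets, where a real handshake would obtain one from ECDH and the other from a NIST-selected post-quantum KEM.

```python
import hashlib
import hmac

# Added example: a hybrid (classical + post-quantum) key combiner.
# The shared secrets used in __main__ are constructed placeholders; in a real
# handshake they would be the ECDH output and the post-quantum KEM output.


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """RFC 5869 HKDF-Extract with HMAC-SHA256."""
    return hmac.new(salt, ikm, hashlib.sha256).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 HKDF-Expand with HMAC-SHA256."""
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def hybrid_key(classical_ss: bytes, pq_ss: bytes, transcript: bytes) -> bytes:
    """Derive a 32-byte session key that depends on BOTH shared secrets.

    Feeding the concatenation of both secrets into HKDF means an attacker who
    recovers only one of them cannot recompute the key. Binding a hash of the
    handshake transcript (algorithm identifiers, public keys, KEM ciphertext)
    ties the key to the negotiated parameters, so a mismatched or downgraded
    session yields a different key. A "hybrid" that derives the key from the
    classical secret alone, and only wraps it with the post-quantum layer
    afterwards, is the kind of poor implementation the article warns about.
    """
    if not classical_ss or not pq_ss:
        raise ValueError("both shared secrets must be present")
    prk = hkdf_extract(b"hybrid-kem-combiner-v1", classical_ss + pq_ss)
    info = b"session key|" + hashlib.sha256(transcript).digest()
    return hkdf_expand(prk, info, 32)


if __name__ == "__main__":
    # Constructed sample values, not real key-exchange outputs.
    ecdh_ss = bytes.fromhex("11" * 32)
    kem_ss = bytes.fromhex("22" * 32)
    transcript = b"x25519+pq-kem|client_pk|server_pk|kem_ct"
    print("session key:", hybrid_key(ecdh_ss, kem_ss, transcript).hex())
```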
Additionally, since large-scale quantum computers have not been developed, real-world testing may actually disprove the belief that the four algorithms identified by NIST are quantum safe. It’s also worth considering that there will be other stages of evaluation, so some of the four might be dropped, or others added, in the next round. This may discourage security professionals facing a migration to quantum-resistant cryptography: potentially, they could do all the work of migrating to an algorithm that further testing, or testing against real quantum computers, later proves unsafe.
Rather than having a single dominant encryption scheme as we do today, where RSA predominates, there will likely be various schemes, possibly including all current NIST candidates. Cryptography is used in many settings today, including IoT devices and the cloud, so the size and performance characteristics of different schemes should vary to suit them. This diversity also provides an extra layer of security by effectively hedging our bets: bad actors may be able to break one scheme, but they won’t be able to break them all.
Everything from individual devices to entire organizations will need to become “crypto agile” and operate flexibly on many different schemes.
By Nils Gerhardt
Nils Gerhardt is chief technology officer at cybersecurity provider Utimaco and board member of the IoT M2M Council.