Companies consider post-quantum cryptography options

Doing nothing is a bad strategy. But firms can protect their data by considering post-quantum cryptography options and running simulations.
9 February 2023

Lattice puzzle: post-quantum cryptography options need to resist qubit-enabled decryption schemes. Image credit: Shutterstock Generate.

Getting to grips with post-quantum cryptography can quickly turn a stroll into a mountain climb. Understanding how superposition, interference, and entanglement – three key properties that make quantum bits (qubits) different from their classical cousins – will impact data security isn’t straightforward. But reframing the scenario can help to shed more light on why companies need to start thinking about their post-quantum cryptography options today.

Risk management exercise

The topic boils down to risk management and a question of how firms choose to handle the process. “Most agencies put 2030 as the tipping point, from a risk perspective,” Nils Gerhardt – CTO at Utimaco, a cybersecurity solutions provider with offices in Aachen, Germany, and California, US – told TechHQ. “But if you have data that you want to protect, you need to start now.”

Driving the transition from current data encryption algorithms to post-quantum cryptography options is a fear that quantum computers could solve the mathematical problems that support today’s web security. And it’s not just about securing internet traffic. Data storage, firmware signing, and even blockchain-based systems (which use private keys to sign digital ledger transactions) could all be impacted.

As Gerhardt highlights, nobody is sure exactly when quantum computers will gain the capacity – thanks to advances in error correction and increasing numbers of available qubits – to break encryption schemes such as RSA. The cryptography standard (named after its inventors: Ron Rivest, Adi Shamir, and Leonard Adlemanis) is widely used for generating public and private key pairs, and creating digital certificates. But there’s a whole raft of encryption schemes that could become vulnerable. And the concern in cryptography circles centers around Shor’s algorithm, which opens the door to breaking conventional cryptography standards.

Behind the scenes, encryption schemes such as RSA utilize very large numbers, which become exponentially difficult to factor mathematically as they increase in size. And this provides a security barrier. Classical machines struggle to solve even a small RSA combination. For example, researchers broke an 829 bit RSA key only after months of effort using a giant cluster of machines that provided an equivalent of 2700 years of computation time. Today, the recommended key length is 2048 bits, and recall that the computational challenge grows exponentially. So our data is still safe, right?

The catch, as mentioned, is Shor’s algorithm, which turns an integer-finding problem into a frequency search to determine the period of a function (which is a shortcut to factoring large numbers). And this latter exercise is something that quantum computers can, in principle, do quite easily. And the more qubits, the tougher the problems that can be solved. Today, while quantum computer developers such as IBM, and others, have roadmaps to scale up to thousands of qubits, there remain technical issues to overcome. Depending on the quantum computing architecture, qubits may have to be kept at the temperature of outer space, systems are extremely sensitive and present a wide range of engineering challenges.

Harvest now, decrypt later threat

But these road bumps shouldn’t be read as an excuse for companies to delay considering post-quantum cryptography options. Quite the opposite. It’s possible that bad actors are harvesting encrypted data today, banking on the prospect of quantum success in the future – a so-called ‘harvest now, decrypt later’ attack strategy. To defend themselves, firms will need to switch to a new suite of cryptography approaches.

“We need different algorithms for different use cases,” Utimaco’s Gerhardt points out. “And to be prepared for more frequent changes in cryptography.” For example, constrained devices will have limitations on processing power and some applications will need to prioritize response time. International standards organizations, such as NIST in the US, recognize that one algorithm won’t fit all use cases. And, through a long-running competition to find suitable post-quantum cryptography algorithms, has narrowed down its selection to a range of candidates, including CRYSTALS-KYBER, CRYSTALS-DILITHIUM, FALCON, and SPHINCS+.

The first step that companies can take is to understand which classical algorithms are in use across the organization and where systems are deployed. Such analysis will help companies to determine which post-quantum cryptography options will be most suitable for them. And cybersecurity firms offer simulators that allow developers to run a post-quantum cryptography proof-of-concept.

Initially, it’s likely that hybrid deployments will be the go-to strategy – in other words, solutions that tunnel a combination of conventional and post-quantum cryptography schemes. The approach means that if holes are found in the new algorithms then protection is still afforded by classical data encryption or digital signing methods running in tandem. It can take years of analysis before the cryptography community declares an algorithm to be, most likely, secure.

Direction of travel

Security experts have subsequently poured cold water on the claims, but for a while there was excitement about results reported by security researchers in China – who submitted a paper on factoring integers up to 48 bits (261980999226229) with 10 superconducting qubits. The breakthrough, if quantum scientists elsewhere succeed in reproducing the Chinese team’s results, would still be some way off solving 2048 bit keys. But the write-up adds weight to concerns that Shor’s algorithm could one day pose a problem to classical encryption schemes. In its paper, the Beijing-based group believes – following a quantum resource estimation – that as few as 372 physical qubits could be sufficient to challenge ‘simpler’ RSA-2048 configurations. And the team comments that noisy intermediate-scale quantum computers could be up to the task in the near future.

Nobody knows for sure when a quantum computer will be capable of breaking today’s data encryption schemes and rendering digital signatures untrustworthy. But the direction of travel is crystal clear. And doing nothing is a bad strategy for companies with data and software that must be protected.