Nature: Threat actors stealing data now to decrypt when quantum computing comes
(DarkReading) Jeffrey Schwartz reports on the peer-reviewed paper chronicling the threat that actors are stealing data now to decrypt later along with a technical road map for transitioning to Post-Quantum Computing (PQC) that appeared Wednesday in Nature. IQT-News summarizes Schwartz’s report; his full analysis and the original Nature paper are worth the time to review:
The cybersecurity experts who wrote the paper, titled “Transitioning organizations to post-quantum cryptography,” underscored the fact that when large and fault-tolerant (LFT) quantum computers become available, attackers will be able to use them to crack most existing public key crypto systems, including RSA and elliptic curve cryptography (ECC).
One of the co-authors of the paper is Jack Hidary, founder and CEO of Sandbox AQ, a software-as-a-service (SaaS) provider focused on bringing together quantum computing and artificial intelligence technology to address complex processing issues.”We realized that a white paper was necessary to give context to CISOs and to engineering teams and other leaders in the C-suite as to how this migration would occur.” Hidary emphasizes that with SNDL, state-sponsored and independent attackers have already begun exfiltrating RSA encrypted data. “It’s happening right now — they’re storing that information, then they will decrypt in the future in a few years when they have additional computing power,” he said. “That’s the concern.” Related: IQT San Diego Quantum Enterprise featuerd Jack Hidary, head of quantum and AI at Sandbox (Alphabet) in opening keynote for the May 10-12 conference and exhibition
The Nature paper points to three critical issues that the authors contend organizations must address.
1 The existence of an active and critical threat called store-now, decrypt later (SNDL), a practice wherein attackers steal sensitive data and hold onto it with the intent of decrypting it once quantum computing becomes available.
2 The authors warn that quantum computers will be able to break the most commonly relied on RSA and ECC to forge signatures. That would put at risk all SSL-based websites, zero-trust architectures, and cryptocurrencies, among other things, according to the authors.
3 They highlight how the National Institute of Standards and Technology (NIST) is poised to select a set of PQC candidates that it will recommend as standards. Although the paper was written months ago before Wednesday’s publication, NIST is poised to reveal the candidates within a few weeks and potentially sooner.
Among cybersecurity standards, it is one of NIST’s largest undertakings since developing Advanced Encryption Standard (AES) and Secure Hash Algorithm-3 (SHA-3). The new PQC standard will likely include more than one algorithm, NIST’s pending announcement was presaged by two directives last week from the Biden administration aimed at recognizing and addressing PQC. The Nature paper provides a detailed technical breakdown of PQC issues, it also aims to bring awareness of the implications of quantum computing for existing information assets and emphasize the need to develop a plan.
Sandra K. Helsel, Ph.D. has been researching and reporting on frontier technologies since 1990. She has her Ph.D. from the University of Arizona.