(CNET) Data surreptitiously gathered now could still be sensitive when more powerful quantum computers come online in a few years. The urgency comes because today’s encrypted data could be collected now and cracked later. Hackers or nations can record network data, for example, when internet routing problems send traffic across borders to China or other nations.
The computing industry is well aware of this potential vulnerability. Some companies have embarked on an effort to create, test and adopt new encryption algorithms impervious to quantum computers. Some of those companies, including IBM and Thales, have already begun offering products protected by what’s called post-quantum cryptography.
Quantum-safe encryption will come into your life through upgraded laptops, phones, web browsers and other products. But most of the burden for quantum-safe encryption rests on the shoulders of businesses, governments and cloud computing services that must design and install the technology. It’s an extraordinarily complex change that’s on par with fixing Y2K bugs or upgrading internet communications from IPv4 to IPv6.
John Graham-Cumming, chief technology officer of internet infrastructure company Cloudflare, said there’s a lot of uncertainty: It could take five years before quantum computers can crack encryption or it could take 20. But already Cloudflare has tested post-quantum protections and plans to adopt them for internal operations this year.
Researchers at Intel and NTT Research and 451 Research analyst James Sanders reckon it will take on the order of a decade.
The quantum transition is in many ways harder than some past encryption upgrades. One problem is that digital key sizes likely will be larger, requiring more memory to process them. Changing algorithms won’t be a simple swap, especially for smart home devices and other products with limited computing horsepower.
Experts also recommend a hybrid approach that double-protects data with both conventional and post-quantum security encryption. That lets system administrators embrace PQC sooner without worrying as much about weaknesses that could be found in relatively immature algorithms. Hybrid encryption is possible now, though most expect serious adoption of PQC to take place after NIST is done with its standardization work.