Skip Sanzeri

By now most know that quantum computers are ultra-powerful computing devices capable of breaking most current forms of cybersecurity. Nearly all of our current encryption is based on factoring large numbers, and guess what quantum computers do best? Factor large numbers. There is debate as to how soon quantum computers will come online with enough power to cut through our current cryptography, but the consensus says anywhere from 3 to 10 years[i].

While this may seem like something we do not need to worry about now, there is an immediate need to begin planning for, and even implementing, post-quantum cryptography.

Many are familiar with the “steal now, decrypt later,” or “harvesting,” technique, where hackers steal encrypted data and then apply powerful computers to decrypt it. Of course, once the data is in the hands of the hackers, they can take their time and use all available computing resources to decrypt it. Since most data remains valuable for 10 to 25 years, it is fair to say that any data stolen today could be decrypted by a quantum computer within the timeframe mentioned above. Personally identifiable information (PII) such as social security numbers, dates of birth and driver’s license numbers has decades of value. Military and government secrets, financial data and healthcare information all remain valuable for 10 or more years.

To compound the problem, we also need to account for the time it takes to upgrade cryptography and systems. Replacing infrastructure across the enterprise, cryptography included, can take years.

So, let’s do the math. According to Michele Mosca’s theorem[ii], X + Y > Z: if the time value of your data (X) plus the amount of time it takes to upgrade your cryptographic systems (Y) is greater than the time until quantum computers come online with enough power to break cryptography (Z), you are already too late. As a real-world example, if your company houses financial information such as bank account numbers for your customers, that data is believed to have a value of 10 or more years. If you calculate that it will take 3 years to upgrade to post-quantum cryptography, then your data, if stolen, will be exposed for anywhere from 3 to 10 years. Since we expect quantum computers to come online with enough power to crack current cryptography within 3 to 10 years, we can assume hackers will be able to use the stolen data to their greatest advantage. Thus, it is imperative to start planning for post-quantum cybersecurity now and to begin implementing post-quantum cryptography as soon as possible.
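To make the arithmetic repeatable across a whole data inventory, here is an added worked example (not code from the article or from Mosca) that evaluates X + Y > Z for each data class and reports the harvest-now-decrypt-later exposure window; the inventory rows are constructed, using the article's figures of X = 10, Y = 3 and Z between 3 and 10 years.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class DataClass:
    """One row of a data inventory with its Mosca inputs (constructed values)."""
    name: str
    shelf_life_years: float  # X: how long the data stays valuable once stolen
    migration_years: float   # Y: time to move its systems to post-quantum crypto

def is_too_late(x: float, y: float, z: float) -> bool:
    """Mosca's inequality: X + Y > Z means data encrypted with today's
    cryptography is still valuable when a quantum computer can break it."""
    return x + y > z

def exposure_years(x: float, y: float, z: float) -> float:
    """Longest window in which harvested ciphertext is still valuable and already
    breakable: data captured on the last day of the migration (year Y) keeps its
    value until year X + Y and becomes breakable at year Z."""
    return max(0.0, x + y - z)

def migration_budget_years(x: float, z: float) -> float:
    """Largest Y that still satisfies X + Y <= Z; zero means the migration for
    this data class had to be finished already."""
    return max(0.0, z - x)

def assess(inventory, z_optimistic: float, z_pessimistic: float) -> dict:
    """Check every data class against the late (optimistic) and early
    (pessimistic) estimates of Z; return a planning table keyed by class name."""
    report = {}
    for dc in inventory:
        x, y = dc.shelf_life_years, dc.migration_years
        report[dc.name] = {
            "too_late": is_too_late(x, y, z_optimistic),  # true even if Z is late
            "exposure_min": exposure_years(x, y, z_optimistic),
            "exposure_max": exposure_years(x, y, z_pessimistic),
            "migration_budget": migration_budget_years(x, z_optimistic),
        }
    return report

# Constructed inventory using the article's figures: financial data worth 10 years,
# a 3-year migration, and Z estimated at 3 (pessimistic) to 10 (optimistic) years.
INVENTORY = [
    DataClass("customer bank accounts", shelf_life_years=10, migration_years=3),
    DataClass("daily sales dashboard", shelf_life_years=1, migration_years=1),
]

if __name__ == "__main__":
    for name, row in assess(INVENTORY, z_optimistic=10, z_pessimistic=3).items():
        print(f"{name}: {row}")
```

For the bank-account row the exposure window comes out at 3 to 10 years, the same range the article arrives at, and the migration budget is zero: that class should already be on post-quantum cryptography.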

Fortunately, NIST is running a program to standardize powerful quantum-resistant algorithms that, if deployed in the near term, could protect data against breaches by quantum computers. These highly complex algorithms do not rely on the factoring problem on which much of our current cryptography is built; instead they use, as one example, lattice-based[iii] multidimensional mathematical structures. The best news is that these algorithms also protect against current attacks from classical computers, so by upgrading your cryptography early you achieve a win-win scenario. For more information, visit NIST[iv] at www.nist.gov.


[i] https://www.networkworld.com/article/3373550/quantum-computing-will-break-your-encryption-in-a-few-years.html

[ii] https://csrc.nist.gov/csrc/media/events/workshop-on-cybersecurity-in-a-post-quantum-world/documents/presentations/session8-mosca-michele.pdf

[iii] https://eprint.iacr.org/2018/230.pdf

[iv] https://www.nist.gov/news-events/news/2020/07/nists-post-quantum-cryptography-program-enters-selection-round

By: Skip Sanzeri