Preparation for post-quantum cryptography increasingly appears in the news and in industry materials. The reason is twofold. First, there have been advances in quantum computing capabilities. Second, the National Institute of Standards and Technology (NIST) will complete the final rounds of its selection of new post-quantum cryptographic algorithms in 2024.
Overall, the primary concern driving preparedness from a security perspective is that today's encryption, both asymmetric and symmetric, becomes breakable once quantum computing advances far enough. Most researchers put this possibility 10 to 15 years out from now, but they acknowledge we could be surprised by technological advances.
Quantum computing also advances processing capabilities, making some computations feasible in much shorter time periods and offering great opportunities for advancement in numerous sectors. As such, quantum computing will be appropriate for some workloads but not all, depending on requirements and resources. The early adopters will likely be in sectors such as finance, scientific research, and government.
This blog describes the current state of quantum computing, the concern for data protection, and practical steps that cut through the hype for most organizations.
Algorithms currently capable of decrypting data post-quantum
Quantum computers are still a few years from reaching the capability levels required to break today's cryptography, but organizations are concerned in the meantime. Simply stated, adversaries may decrypt data stolen today when such capabilities become possible at a later point in time (often called "harvest now, decrypt later"). Organizations might be concerned that they will be targeted in a breach or that ransomware actors will exfiltrate their data and sell it on the dark web.
To better understand the risk of data exposure from advances in quantum computing, I've provided information on the algorithms capable of decrypting data in a post-quantum world. I also note their limitations, including a requirement for computing capabilities well beyond today's reach, in order to put this threat into perspective.
- Shor's algorithm targets asymmetric cryptography, meaning RSA and other public/private key pair-based encryption methods. Currently, Shor's algorithm requires millions of qubits to successfully break RSA. To put this into perspective, Schneier on Security notes that IBM's Osprey processor has 433 qubits. While we can't predict how quickly advances will be made, even allowing for Moore's law, it may be quite some time before Shor's algorithm running on a quantum computer becomes a real threat.
- Grover's algorithm targets the keys in symmetric cryptography, so these too may be weakened in a post-quantum world; it roughly halves the effective key strength, so AES-256 retains about 128 bits of security. Migrating to AES-256 now will aid in preparation for post-quantum security according to NIST, as it will remain safe against Grover's algorithm for some time to come, barring advances in the algorithm itself.
- New algorithms are in development (and under review) that significantly reduce the qubit requirements of Shor's approach. One published paper claims to break RSA with only 372 qubits using a new algorithm. This research is still being validated.
- Another concern is that similar advances by nation-states may never be made public, giving adversaries quiet access to stolen encrypted data.
Steps to migrate to quantum-safe algorithms
Standards bodies and vendors are busy working to help you. The problem is that they still have more work to do before a smooth transition to quantum-safe algorithms is possible.
NIST is in the final stages of a lengthy process to select post-quantum cryptographic algorithms.
In July 2022, the selection process was narrowed down to a short list of candidate algorithms, broken down by type as follows:
- Public Key Encryption and Key Establishment Algorithms
- Digital Signature Algorithms
The full cryptographic algorithm evaluation is set to complete in 2024.
Once algorithms are finalized, standards bodies will integrate support for these algorithms into existing protocols, enabling support for post-quantum cryptography for data-in-transit and data-at-rest encryption.
The Internet Engineering Task Force (IETF) and other standards-developing organizations (SDOs) such as OASIS will need to take several steps to make this possible, as the algorithm parameters and key lengths differ from those of pre-quantum cryptography. Some of this work has already commenced in the IETF, and the preparation that standards bodies can do ahead of the final algorithm selection is underway.
Vendors are also preparing for post-quantum cryptography, and they have steps to take before organizations can easily make the transition. The following bullets highlight some high-level steps required before products will be ready to support post-quantum cryptography:
- Participate in the update of standards to accommodate post-quantum cryptography.
- Update the protocols their products support in line with the published standards.
- Update proprietary products and protocols to support post-quantum cryptography.
Three steps for organizations to prepare for post-quantum cryptography
A practical approach to avoid falling into fear, uncertainty, and doubt (FUD) around post-quantum cryptography breaks down into three steps.
First, prepare your organization by understanding its data assets, where those assets are stored, and how sensitive data flows through your environment. This can follow best practices for information management, tracked in spreadsheets or more formally in an electronically stored information (ESI) data map, using the CIS Critical Security Controls (CIS Controls). Your organization should consider labeling data according to sensitivity and business importance as well as the required lifespan of the data. It is important to manage your data and understand where it is backed up, applying storage data protection best practices such as data deduplication and offline backups along the way.
At the next level, compliance, record retention, and legal requirements each carry considerations that should factor into managing data appropriately. If data has outlived its value or record retention requirements call for its deletion, data destruction should be part of the plan for how data is treated.
Second, you should use the CIS Critical Security Controls to aid in the protection of your organization’s assets today. The safeguards are prioritized to help mitigate risk in a meaningful way. By preventing an attack, you are also minimizing the chance of your data being stolen today and decrypted later.
Lastly, you must move to post-quantum cryptography within three to four years of the technology becoming available in products. Manage and protect your data according to best practices for information management, and you will be ready for the transition when the algorithms are integrated into protocols and products. Understanding your data will also help you prioritize that transition.
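The following script ties the two threads of this post together: the effect of Shor's and Grover's algorithms described in the list above, and the inventory of data assets with lifespans from step one. It is an added example, not code from the original post or from CIS; the asset list is constructed, and the 10-year horizon, 4-year migration window, 128-bit safety threshold, and the "lifespan plus migration time exceeds the quantum horizon" rule (a Mosca-style check) are assumptions taken from the figures quoted in this post.

```python
from dataclasses import dataclass

# Figures quoted in the post, used here as assumptions (not NIST guidance):
EARLIEST_QUANTUM_YEARS = 10   # "10 to 15 years out"; take the conservative end
MIGRATION_YEARS = 4           # "within three to four years" of availability
SAFE_BITS = 128               # AES-256 after Grover; the post treats that as safe

@dataclass
class Asset:
    name: str
    algorithm: str       # "RSA", "ECC" or "AES"
    key_bits: int
    lifespan_years: int  # how long confidentiality must hold

def effective_bits(algorithm: str, key_bits: int) -> int:
    """Security margin in bits once a capable quantum computer exists."""
    alg = algorithm.upper()
    if alg in ("RSA", "ECC", "ECDH", "ECDSA", "DH"):
        return 0                 # Shor's algorithm: no residual security
    if alg == "AES":
        return key_bits // 2     # Grover's algorithm: quadratic speedup
    raise ValueError(f"unknown algorithm: {algorithm}")

def harvest_now_risk(asset: Asset) -> bool:
    """Data encrypted before migration finishes must stay secret for
    lifespan_years; it is exposed if that outlasts the earliest quantum
    horizon AND the cipher protecting it will not survive that horizon."""
    outlasts = MIGRATION_YEARS + asset.lifespan_years > EARLIEST_QUANTUM_YEARS
    weak = effective_bits(asset.algorithm, asset.key_bits) < SAFE_BITS
    return outlasts and weak

def recommendation(asset: Asset) -> str:
    if not harvest_now_risk(asset):
        return "ok"
    if asset.algorithm.upper() == "AES":
        return "move to AES-256 now"
    return "shorten retention or re-protect once NIST PQC is in products"

def triage(inventory):
    """Map each asset to (post-quantum security bits, recommendation)."""
    return {a.name: (effective_bits(a.algorithm, a.key_bits), recommendation(a))
            for a in inventory}

# Constructed sample inventory for illustration (not real data).
INVENTORY = [
    Asset("customer-records-archive", "RSA", 2048, 20),
    Asset("tls-session-capture", "ECC", 256, 2),
    Asset("backup-vault-2019", "AES", 128, 15),
    Asset("backup-vault-2023", "AES", 256, 30),
]

if __name__ == "__main__":
    for name, (bits, advice) in triage(INVENTORY).items():
        print(f"{name:26} {bits:3} bits  {advice}")
```

Short-lived data protected by RSA or ECC is not flagged, because a quantum computer arriving after its lifespan ends cannot expose anything still sensitive; long-retained archives are what the harvest-now-decrypt-later concern is really about.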
Kathleen Moriarty is Chief Technology Officer at the Center for Internet Security and the former IETF Security Area Director. She has more than two decades of experience working on ecosystems, standards, and strategy.
Adapted from this post on CIS Blog.