Introduction to Quantum Security – quantum computers and post quantum cryptography
This is part one of a three-part series on quantum security – how it works, the implications for society and business, and what it will mean for leaders of organizations that process sensitive data and rely on keeping that data secure.
Advances in computing power and cybersecurity are naturally and necessarily intertwined.
We’re brushing up against the limits of the transistor-based “classical” computing found in your laptop and smartphone. At the same time, practical advances in quantum computing promise to extend those limits dramatically – not by replacing current computers, but by working alongside them to solve previously intractable problems that remain forever beyond your laptop’s reach.
The quantum era comes with serious implications for cybersecurity, and businesses should begin preparing for potential threats right now.
What are quantum computers?
For a deeper dive into quantum computing fundamentals, numerous learning resources are available across websites of industry leaders.
Here’s a quick refresher: instead of the bits and bytes representing 1s and 0s in your PC, quantum computers store values in qubits, the quantum version of bits that leverages the weird and complex behaviors of fundamental atomic particles – behaviors such as their ability to represent many values simultaneously (aka quantum superposition), versus the single value (1 or 0) stored in a classical bit at any given time. For certain classes of problems, that effectively means quantum computers will be able to calculate in minutes what might take classical computers hundreds, thousands, or in some cases, billions of years.
Cryptography is one class of problems well-suited to quantum computing, and that entails both peril and promise for businesses that rely on secure data. Let’s look first at what cryptography is and how it’s used in modern computing.
What is cryptography?
Cryptography itself is the practice of encoding a message before sending, to ensure only the intended receiver can read it. Whether a message is on parchment, broadcast by radio, or transmitted over the internet, the concept is the same: anyone who has the cryptographic ‘key’ can unlock and read the original (plaintext) message. Everyone else reads it as gibberish (ciphertext).
Ideally the key-holder and the intended recipient are one in the same, but in practice, the possible key-holders include anyone capable of guessing, stealing, or otherwise deriving the value of the key.
We all send encoded messages across the internet every time we login to a secure site, send an email, or make a payment online. For these transactions, the typical ‘key’ is an un-guessably long string of bits (1s and 0s) sent to a website or payment processor who then uses it to verify your identity and encode sensitive data. The more bits (256, 1024, 2048 bits are common lengths), the stronger the encryption. Every network transaction, from online banking, to email and big data transfers, relies on data encryption.
But now, quantum computing is poised to dramatically disrupt current ciphers, posing an array of threats to the integrity of encrypted data and transactions world-wide.
Why do quantum computers threaten cryptography?
The strange behaviors of qubits in quantum computers turn out to be particularly useful for deciphering the kinds of keys we use today to protect petabytes of sensitive data.
Some current cryptographic schemes, public key encryption (PKE) in particular, will be more vulnerable to quantum threats than others.
RSA is a form of PKE widely used for digital signatures and email encryption. PKEs cleverly side-step the risks of sharing a key with multiple parties by using two keys per transaction – a public key anyone can use to encrypt data and a matching private key, known only to the receiver – the only key that can decode data encrypted by its public twin.
But the effectiveness of RSA relies on the difficulty of factoring large numbers into their prime roots. RSA keys are the product of multiplying two large prime numbers. If you can figure out its prime factors, you crack the key. That’s a big ask for classical computers, but quantum algorithms will be able to find prime factors in mere minutes.
That capability is a serious challenge to data security, and something businesses need to begin preparing for now. Fortunately there are some steps that forward-looking decision-makers can take to prepare for potential quantum disruption.
How are companies protecting from the future threat?
Contending with looming quantum threats is a process, and waiting to address these challenges until the post-quantum era is upon us may pose existential risks to business.
Stay abreast of emerging standards and get started by assessing your most vulnerable datasets, taking inventory of existing systems and prioritizing those that rely on any form of public key encryption (see the strategic outline below).
A Strategic Outline for Quantum Readiness
Take Inventory
Inventory and prioritize your critical datasets for their business value.
Inventory systems using cryptographic technologies, including hardware with built-in cryptographic functions that may need firmware updates or wholesale replacement.
Identify quantum vulnerable systems from your inventory
Tag systems or transactions as quantum vulnerable if they rely on public key cryptography.
Prioritize systems for cryptographic transition by evaluating the business value of a quantum vulnerable system:
Which assets are protected by the system (e.g. passwords, keys, root and signing keys, sensitive personally identifiable information)?
Tag systems or transactions as quantum vulnerable if they rely on public key cryptography.
How long does the data require protection?
The takeaway for business leaders is to recognize both the challenges and opportunities quantum computing presents, and to prepare their organizations for the inevitable company-wide technocultural shift toward embracing quantum, while securing their most vulnerable assets first.
The good news is that for all its potential perils, quantum cryptography will ultimately allow us to protect sensitive data more effectively than ever, and you can take your first steps toward quantum preparedness by talking with experts right now.