WHY THIS MATTERS IN BRIEF
When large quantum computers come online circa 2025 over 70 percent of the world’s encryption will be at risk, so companies need to adopt new method to protect themselves and their data.
As quantum computing becomes an increasingly “real” technology, moving out of the labs and into the cloud where it’ll be available as a service as early as 2020, the global security community, and anyone who cares about security, especially encryption, is on the clock. Most experts agree that these insanely powerful computer systems, that have already demonstrated they’re at least 100 million times faster at processing information than today’s top of the line traditional computing platforms, will be able to crack the vast majority of today’s modern crypto, including RSA-1024, -2056, -4096, ECC-256 and ECC-521, Diffie Hellman and Elliptic Curve Diffie Hellman crypto, in just days and minutes, not billions or trillions of years as it would take today, laying all secrets bare for all to see. That said though, many experts also agree that in order to crack these crypto systems these beasts will have to reach 10,000 Qubits in size, a milestone we’re still a long way from achieving, with many estimating the early 2030’s.
All that said though companies still shouldn’t be complacent about the threat posed to crypto by tomorrow’s powerful quantum computing platforms. As a result, and as companies also start attempting to build the first quantum safe blockchains, a new report out today from the Cloud Security Alliance’s (CSA) Quantum Safe Security Working Group says that security researchers, vendors and enterprises need to start working now if they want to beat quantum’s cryptographic buzzer and keep their information safe. But considering how long it takes for the IT world to transition to new encryption measures when old ones wear thin, the CSA report warns that the window until quantum computing reaches widespread adoption, which they estimate to be about 10 to 15 years, doesn’t give companies as much of a cushion as many would like.
“Cryptographic transitions take time, often a very long time,” the report explains, pointing to the decade long transition it took to get from 1024 to 2048-bit RSA key sizes, or the move to elliptic curve-based cryptography (ECC).
“The transition to quantum resistant cryptography is likely to take at least ten years. It is therefore important to plan for transition as soon as possible,” says the report.
The good news though is that researchers have been working on this problem for a long time and they’ve got some good ideas on where cryptography should be headed. For example, NIST just last month held a workshop that featured some 80 research submissions in its Post Quantum Crypography Standardization initiative. The CSA report offers a breakdown of five of the most promising categories of cryptographic methods that could stand as post-quantum cryptography alternatives, and these include Lattice based cryptography, Hash based schemes, Elliptic curve encryption, Multivariate cryptography, and last but not least Code based cryptography.
According to Roberta Faux, lead author of the CSA report, there are pros and cons for each class of algorithm and it’s going to take some time for researchers, and later, security engineers, to figure out which is best for a workable standard.
For example, she says the community is going to have to have a lively debate to balance out three big trade-offs, namely key size, bandwidth and confidence level.
If, for example, you consider code based schemes, they’ve got a fast computational speed and they’ve been around so long that they’ve got a high degree of confidence from many in the security community. But their key size is large – some might say impractically so, Faux says. Meanwhile, Isogeny based cryptography has got small key sizes but the computation is still expensive and it’s relatively new so there’s less confidence there, and so on.
“I think the community agrees that we still need more time to investigate the wide range of post-quantum cryptographic algorithms,” Faux says, “and [to] understand the issues involved in migrating from existing public key cryptography to post-quantum cryptography.”
But that said, time, it seems is no longer on their side. Tick tock tick tock BOOM!?