Solutions Review’s Expert Insights Series is a collection of contributed articles written by industry experts in enterprise software categories. John Prisco of Safe Quantum explains that while the quantum security apocalypse is still off in the future, your current data is already at risk.
If you think about how the impending quantum computing age is discussed today, it’s made out to sound like a doomsday sometime in the future, though the timing is vague. Eventually, we will see the end of public-key RSA encryption, which has served us well for over 40 years. With that comes the havoc of any cybersecurity breach on a massive scale. The day when quantum computers can break public-key RSA encryption is commonly known as “Y2Q Day.”
The question is no longer if but when a quantum computer will be capable of breaking secure communication as we know it. How long it will take for a quantum computer to become capable of breaking RSA encryption is difficult to predict. The main reason is that we are in the vacuum tube era of quantum computers, more commonly called the NISQ era, or Noisy Intermediate-Scale Quantum computer era. Today’s quantum computers are not capable of doing much damage or creating much benefit. There are too many approaches, or modalities, ranging from cold superconducting to all-optical quantum computers, to efficiently reach a working, powerful quantum computer quickly.
Y2Q: Quantum Security Judgement Day
Quantum Key Distribution
Are we really keeping our eye on the ball regarding what the immediate threats are? Unfortunately, not as much as we should be. Of course, we should prepare for using new encryption algorithms that are quantum resistant. Note the term quantum resistant, not quantum proof! But truthfully, many organizations already have a problem, and the initiative must be to recognize the problem and take action now. The problem is the harvest now, decrypt later (HNDL) attack, where bad actors harvest sensitive data now to decrypt later with appropriately powerful quantum computers. This is also a quantum threat: it exists only because the day is coming when quantum computers can factor RSA encryption keys and read sensitive data as if it were never encrypted.
So, what legitimate choices do we have today to protect our data? While post-quantum cryptography (PQC) is an emerging technology that has already been seven years in the making (with another two years required for standardization), one must ask if we are willing to lose two more years’ worth of sensitive intellectual property to harvest now, decrypt later attacks. Considering that 2022 showed us the failure of the Rainbow and SIKE PQC algorithms, which were touted as finalists in the NIST standardization process, who’s to say another algorithm won’t meet with an untimely death? That’s why supplementing PQC with a solution that is quantum proof by the properties of quantum physics will provide the best defense-in-depth solution for data security in the quantum-computing future.
Enter quantum key distribution (QKD), which employs cryptographic keys made of photons that cannot be intercepted without destroying the quantum state of the keys. Because this method relies on the laws of quantum physics, which guarantee that the state of a photon will be altered by merely trying to observe it, interception is rendered useless. That makes QKD an ideal method for transmitting data that is of extremely high sensitivity, whether for the federal government or other organizations. What’s more, it is the only guaranteed method for defeating HNDL attacks now.
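The detection principle described above can be seen in a small simulation. This is an added example, not part of the original article: it assumes BB84 (one well-known QKD protocol, which the article does not name), an idealized noiseless link, an eavesdropper who measures and re-sends every photon, and an illustrative 11% abort threshold.

```python
import random

ABORT_THRESHOLD = 0.11  # assumed, illustrative error-rate limit for discarding a key


def measure(bit, prep_basis, meas_basis, rng):
    """Measuring in the preparation basis returns the encoded bit;
    measuring in the other basis returns a random bit (state is disturbed)."""
    return bit if prep_basis == meas_basis else rng.randint(0, 1)


def bb84_error_rate(n_photons, eavesdrop, seed=1):
    """Simulate BB84 key exchange; return (sifted_key_length, error_rate)."""
    rng = random.Random(seed)
    sifted = errors = 0
    for _ in range(n_photons):
        bit = rng.randint(0, 1)        # sender's raw key bit
        send_basis = rng.randint(0, 1)  # 0 = rectilinear, 1 = diagonal
        state_bit, state_basis = bit, send_basis
        if eavesdrop:
            # The interceptor must pick a basis blindly, then re-send
            # the photon in the basis it measured in.
            tap_basis = rng.randint(0, 1)
            state_bit = measure(state_bit, state_basis, tap_basis, rng)
            state_basis = tap_basis
        recv_basis = rng.randint(0, 1)
        recv_bit = measure(state_bit, state_basis, recv_basis, rng)
        # Sifting: both ends keep only positions where their bases matched.
        if send_basis == recv_basis:
            sifted += 1
            errors += recv_bit != bit
    return sifted, errors / sifted


def link_is_suspect(error_rate, threshold=ABORT_THRESHOLD):
    """Both ends compare a sample of the sifted key; too many errors means discard."""
    return error_rate > threshold


if __name__ == "__main__":
    for tapped in (False, True):
        length, rate = bb84_error_rate(20000, eavesdrop=tapped)
        print(f"tapped={tapped} sifted={length} error_rate={rate:.3f} "
              f"discard_key={link_is_suspect(rate)}")
```

On the untapped link the sifted keys agree exactly; with interception, roughly a quarter of the sifted bits disagree, which is what lets the two endpoints detect the tap and discard the key before it is ever used.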
Quantum Security at the Federal Level
Wondering whether the federal government even has this in mind yet? The answer is yes.
In late December, President Biden signed the Quantum Cybersecurity Preparedness Act into law, which “encourages the Federal Government to adopt technology that is protected from decryption by quantum computing.” While this directive strictly applies to federal agencies, it also serves as a bright yellow caution sign to federal, private and publicly held organizations for the years ahead. In other words: quantum computing threats are coming, and the danger posed by them could already be a problem that organizations don’t realize they have.
As summarized by the US Senate Committee on Homeland Security & Governmental Affairs, the Quantum Cybersecurity Preparedness Act prioritizes a shift of federal agency information technology to systems with post-quantum cryptography (PQC). It additionally imposes a schedule to review the National Institute of Standards and Technology (NIST)’s PQC standards (which are still in progress) one year after they are published, and requires an annual assessment of the quantum risk, the costs of PQC implementation, and the analysis behind future federal PQC migration plans. This is a step in the right direction, but PQC standardization is still a couple of years out from being ready for use. Even then, organizations should implement a defense-in-depth strategy, ensuring multiple layers of cybersecurity to better prevent breaches. Foundationally, QKD solutions are currently the only ones that fit the bill of a non-algorithmic, quantum proof method of data transmission, making them the best pairing for PQC solutions to ensure that organizations have the best possible security plan heading toward Y2Q.
Though Y2Q may feel like more of a boogeyman than a tangible upcoming threat to many organizations, the threat that harvest now, decrypt later poses to organizational data is lurking as we speak. Further, even PQC may not be able to protect against quantum computing threats, so waiting for standardization of these algorithms should only be part of a robust cybersecurity plan. To address the full breadth of what quantum computing could bring, consider a multi-layered plan for security now, before Y2Q delivers the crypto apocalypse.