Cryptography is crucial to making sure that data is only accessible to its intended parties. It’s all about the confidentiality component of the CIA triad of information security. (The other components are integrity and availability.) Modern computer networking absolutely wouldn’t work without strong cryptography, nor would the modern world. Businesses, institutions, and individuals all depend upon it.
Most of our money is digital, stored as numbers on the computers of financial institutions. Did an ATM give you cash out of your bank account today? Did you shop online with confidence? Thank cryptography. Our sensitive medical records are mainly digital. Proprietary and patented information from militaries, governments, academia, and large corporations are digital and encrypted.
Cryptography is also implemented to prevent man-in-the-middle attacks on data that goes back and forth between your endpoints and internet servers, and Internet of Things (IoT) devices and the internet. That’s the integrity part of the CIA triad. More and more medical devices and motor vehicles are IoT, so cryptography could prevent you from dying from a failed pacemaker or a car crash.
How would you feel if I told you all of that the cryptography that helps to make the modern world work will be obsolete very soon? Cryptographic implementations that are currently the equivalent of a locked door on a bank vault will soon be like covering something with a glue stick and tissue paper. I’d be a bit concerned if I were you. All current cryptography will soon become weaker than a seeding dandelion on a windy day.
That day is coming very soon, and quantum computing is responsible. IBM’s Arvind Krishna says, “quantum computers will crack today’s encryption within a decade.” Krishna has been following the implications of quantum computing on cryptography very closely. He’s the senior vice president of IBM’s Cloud and Cognitive Software division, and he leads their research and development of quantum computing technology.
So, what is quantum computing? It’s a concept that many people outside of computer science find confusing, but it’s actually quite simple. All computer data so far, from the earliest electronic computers in the 1940s to today, is binary. The computer data you’re using right now is in the form of many sophisticated programming languages, but when CPUs process the data at the most fundamental level, it’s all 0s and 1s. A bit can be on or off, either or.
Quantum computing shatters that paradigm to pieces... quantum pieces! The smallest unit of quantum data is a qubit. A qubit could be 0 or 1 or a coherent superposition of both according to quantum mechanics. So, a qubit can be 0,1, or both 0 and 1. Quantum computing has been researched for many years now, and will probably be deployed in production environments within a few years. This isn’t speculation of the Star Trek era, this could be real while Donald Trump is President of the United States.
As far as cyber attacks are concerned, a lot of data that's breached is still inaccessible to cyber attackers because it's encrypted, it's ciphertext. So, it's not good enough for attackers to just acquire the data, they also have to crack it. Some of the strongest and most complex ciphers can take the computers we have right now decades or longer to crack, making the data pragmatically uncrackable. But cyberwarfare units in countries like China and Russia are well aware that quantum computers will soon be able to easily crack current cryptography, so it's reasonably speculated that they're stockpiling ciphertext acquired through cyber attacks for that very soon reality.
But there’s hope for the future. Christopher Mims from the Wall Street Journal writes:
“The good news is that many of the smartest mathematicians and cybersecurity experts in the world, employed by Google, Microsoft, IBM and the federal government, as well as many other tech giants, are well aware of the problem and have been cooking up solutions for years.
They’re working on a completely different scheme of encryption, called quantum-safe encryption. This kind of encoding can be achieved by today’s computers, in about the same amount of time that current encryption requires, but it can’t be cracked by conventional or quantum computers, hence the moniker ‘quantum safe.’
There are dozens of proposed algorithms for quantum-safe encryption, but the most popular approach, called lattice encryption, works by encoding information in a multidimensional ‘lattice’ of data. Picture a three-dimensional grid of dots, add another hundred or so dimensions, and you get the idea.
But before quantum-safe encryption can get everywhere that it needs to be, it must first become an agreed-upon standard, and then developers, companies and government bodies must translate it into code and insert it into countless services and systems.”
The National Institute of Standards and Technology (NIST) has been working on a project to create quantum-safe encryption standards since 2016, and their work is expected to be completed by 2022. IBM has been developing lattice-encryption algorithms, and they’ve been submitting their work to the NIST for their consideration of 26 possible quantum-safe algorithms.
Whew! Problem solved, right? Not exactly.
NIST’s Dr. Dustin Moody says, “The transition to quantum-safe algorithms won’t happen instantaneously. Even when there are urgent threats, it doesn’t happen as easily and quickly as people would like.”
The advent of quantum-safe encryption will highlight the need for organizations to maintain crypto agility. If organizations don’t have a complete inventory of their machine identities, they’ll have a hard time locating them to be replaced for quantum updates. In the event that they need to do so quickly, they will also benefit from an automated solution that can rapidly replace machine identities, virtually on the fly.
The world of computing will be revolutionized by quantum technology very soon, and we aren’t completely ready. How well prepared is your organization to support the crypto agility that quantum-safe encryption will require?