Google published a threat model recently for the coming era of post-quantum cryptography (PQC), putting into perspective potential vulnerabilities that may surface if there is not a migration from “classical cryptographic algorithms to PQC.” The risk of “store-now-decrypt-later” style attacks, where bad actors harvest data they cannot read currently with the intent of breaking the encryption in the future, intensifies with the expected advent of quantum-grade resources at their disposal.
It begs the question of how vulnerable organizations will become if they do not make such a transition fast enough? Will it be open season on their data without quantum encryption? Does the post-quantum future mean quantum encryption will be mandatory for even the most basic forms of cyber resilience?
The Quantum Clock Is Ticking
The National Institute of Standards and Technology (NIST) issued guidance that calls for migration of federal government systems to post-quantum cryptography by 2035, which motivated other stakeholders to set comparable transition timetables, says Richard Searle, vice president of confidential computing with multi-cloud security company Fortanix.
“Often when people are talking about post-quantum cryptography, they’re talking about two different time horizons,” he says. One of those timeframes is based on when a cryptanalytically relevant quantum computer is established and proven, Searle says. While that has been expected to happen on a 10-year horizon, he says that does not seem to be the case anymore. The other timeframe is a deadline for when post-quantum cryptography migration must be achieved. “It does create this sort of cliff-edge mentality about the transition, but inevitably it’s not going to be anything like that,” Searle says. “It’s going to be a piecemeal migration.”
A gradual approach seems likely, he says, because of two fundamental reasons. Companies and organizations currently use cryptography in a raft of different tasks within their business, Searle says, and often that cryptography is shared with a third party. “Establishing which elements of those business processes need to be migrated first comes down to a risk management-based approach,” he says. “You’re not going to be able to do this sort of ‘Big Bang’ transition. It’s going to have to be done on a process-by-process, data-by-data basis.
From Worse to Worse
Though there is some time to develop quantum encryption resources, the potential risks of not shoring up such defenses may lead to severe consequences.
“Do you remember Heartbleed?” asks, Kevin Bocek, chief innovation officer, with cybersecurity company Venafi, referring to the infamous vulnerability in an older OpenSSL cryptographic library — dubbed by some at the time as one of the most dangerous security risks to the web. “Imagine a Heartbleed happening every day and imagine Heartbleed getting worse and worse and worse every day starting with a little bleed, getting to a big bleed.”
Quantum compute resources to break encryption might be initially hard to come by for bad actors, but aggressor states that want to launch damaging attacks could hasten the availability of such tools. “What we’ll see as the quantum capabilities move from the most sophisticated adversaries — that of course is nation states, and generally that’s a small set of nation states — as that moves down, that becomes more available to a broader set of adversaries,” says Bocek. This also means the most sophisticated adversaries will become even more capable as well, he says.
Rather than one linear threat in the post-quantum world, Bocek says, the threat will look more like a curve. “You can imagine Heartbleed, or really bad Heartbleed, and then really, really bad, bad, bad Heartbleed, and then it keeps on getting worse and worse as the various sets of adversaries gain capabilities.” He says this crescendo set of security challenges may continue as the world goes post-quantum. “We’ve been fortunate,” Bocek says. “We’ve been reliant on a type of technology for over 35 years that has allowed us to do what we’re doing right now, and to do so privately and to know that one machine talking to another machine is authentic, and that’s going to go away.”
A Gradual Erosion of Encryption
Min-Hank Ho, vice president of products with Baffle, a data protection provider for cloud environments, says there might not be a drastic turn where current encryption fails the moment quantum compute arrives on the scene — it could be more complex. “Encryption, I think to a lot of people, is what you see in the movies with switching codes and bites,” he says.
In reality, Ho says, there are different types of encryptions. Asymmetric encryption is currently used for SSL/TLS communication to the web and is used for identifying services, he says. Encryption for data protection — as it is being stored and even for data as it is being used by a computing system — is symmetric encryption, according to Ho.
Such forms of encryption might not be immediately made obsolete by quantum computers — at least for the moment. “As far as the current state-of-the-art, what everybody knows today, symmetric encryption is generally pretty resistant to quantum computing attacks,” Ho says. “That’s because the algorithms available to quantum computers today to target symmetric encryption is not that great.”
Quantum computers are expected to deliver tremendous compute power that would reduce the time needed to crack encryption, but for the moment current algorithms still pose a challenge. “When they designed this algorithm, the key size is so large, even if you were to cut it by a square root, it’s like, ‘Oh man, it’s gonna take forever,’” Ho says. A standard that could be relevant post-quantum is CNSA (Commercial National Security Algorithm) 2.0, he says, which includes AES (Advanced Encryption Standard) with 256 bit keys.
Quantum Computer (Bartlomiej K. Wroblewski via Alamy Stock Photo)
“Where things go off the rails a little bit is the asymmetric algorithms,” he says. “RSA and DSA by far are the most widely used today.” For a while, Ho says, the sense was that if there was a large enough key size it might not be so dire — but there may actually be a threat.
“Network communication like the ones that we do over the web, they’re kind of ephemeral and they’re generally pretty easy to upgrade, relatively speaking, because we’ve done this many times before,” Ho says. “Your web browser automatically updates. The websites automatically update. That’s not so bad.” Managing identities with those updates can get a little tricky. “Somewhere stored in these computing systems is a certificate assigned by an old algorithm,” he says. “Everybody has to find all of those, update all of those.”
To put in perspective what a daunting task that can be, Ho says not too long back there were still ATMs that used Windows XP. “You would think a system that is trying to process money would be the most secure, but it’s not.”
The post-quantum cryptography era might not be open season on unprepared systems, he says, but rather an uneven landscape. There are layers of concerns to consider. “What I think scares me a little bit is that this type of attack is somewhat quiet,” Ho says. “The people who are going to be taking advantage of this — the few people initially who have quantum computers as you can imagine, probably state actors — will want to keep this on the downlow. You wouldn’t know it, but they probably already have access.”
Attacks From Many Sides
Michael Osborne, CTO IBM Quantum Safe / Security Research, says many may be limiting their concerns to attacks that harvest data to decrypt at some point in the future with quantum machines. “Actually, we do not think that is a good reflection of the threat scenario,” he says.
Lower hanging fruit may be available for bad actors to launch cyberattacks, even those who may play the long game. “There’s not going to be one date where all of a sudden there will be a cryptographically relevant quantum computer,” Osborne says. “There will be an evolution of capability over the years. The first attacks are going to be very, very expensive. They’re going to be probabilistic. They might take weeks or months for a single attack.”
Given the options, he says attackers that want results are not likely to spend time scouring through terabytes of encrypted communications in the hope they fish out one that might have something interesting inside. “Attackers are going to choose their targets very carefully, and if you’re an attacker it has to have a certain value,” Osborne says. “That might be a key which is still trusted for software updates.” This could mean inserting malware into a software update that no one will notice and then gaining access to all the current communications, not data harvested from 10 years prior.
Defenders, Bad Actors, and Costs
“At some point — and it’ll be quite some time after the first capability — it will be cost-effective to start decrypting a large amount of information, but that’s way downstream compared to some of the attacks that we’re going to see,” he says.
It may be possible to shore up certain cyber defenses while quantum computers continue their development and evolution, and before bad actors start to leverage their capabilities. “There is time to the extent that obviously things which are not protected with quantum-safe mechanisms — they are lost to a quantum future,” Osborne says.
Basic cybersecurity hygiene will still be relevant, he says, while preparing for that quantum future because other types of attacks are not expected to simply disappear as technology advances.
For many enterprises and organizations, cybersecurity represents a cost — in time, money, and resources. The notion of needing to develop a whole new type of defense might make the C-suite grumble out the bottom line, but the need for protection will persist and the development of quantum safety may just become part of the overall security budget.
“It’s a cost,” Osborne says. “It’s an insurance. Security is an insurance cost. It’s very difficult to compete today with the ransomware threat, but because that’s the priority today. CSOs have so many priorities, and money is a finite resource. What does the strategy become? To just hook on to the things you have to do anyway to take you on that journey rather than as a separate initiative.”
The risks of a post-quantum future might seem a distant problem, but the repercussions could be dramatic for those who go unprepared or try to cut corners on such defenses.
The Pass-Fail Security Dilemma
“From a technical perspective … being quantum-safe — it’s a binary thing. You either are or you’re not,” says Duncan Jones, head of quantum cybersecurity with quantum computing company Quantinuum.
If there is a particular computer system that an organization fails to migrate to new standards and protocols, he says that system will be vulnerable. However, the barrier to entry for access to quantum compute resources may limit the potential for early attackers who already have pockets deep enough to procure the technology. “The capability to mount attacks with quantum computers is going to be — when it first arrives, it’s going to be only available to the wealthiest,” Jones says. “This is a nation state capability when it first arrives.”
He explains that it is unlikely there would be a singular day when all bets are off, and everyone would be equally targeted hackers armed with quantum power. “It’s going to be very selective at first,” Jones says, “but over time, as we get past ‘Q-Day’ and powerful quantum computers are commonplace, then yes — if you leave a system undefended, it can be attacked with a quantum computer.”
Attackers would still need to work on gaining access to a system, but he calls it “a big mistake to leave systems unprotected” from such newer types of breaches.
There is a fair amount of uncertainty in all aspects of the PQC future, for attackers and defenders. “On the threat side, the time scales are not clear and also, we never quite know what other people will do with quantum computers,” Jones says. “It may even be the case that Shor’s algorithm, which is the main threat we’re thinking about, isn’t the only thing that can threaten us.” Other algorithms may yet be developed that get put to work in quantum hacking, Jones says.
“On the defense side, I see there are two things you can do to be quantum-safe,” he says.
One of them is the algorithms, Jones says, which includes NIST’s efforts in this evolving space. “We think that’s gonna be a big part of the solution but it’s one part of the solution.”
The other idea builds on a desire to fight quantum with quantum. “We work with organizations who want to use quantum technology to strengthen their keys today, so that’s using quantum techniques to produce unpredictable keys that even quantum computers can’t sort of predict as well,” he says. “And then there’s other people looking at QKD (quantum key distribution) as an alternative or a companion. There’s lots of things that are in flux.”