Amidst a slew of large-scale cyberattacks in India, and with the national digital economy set to hit USD 800 billion by 2030, the need for shoring up domestic cybersecurity, much like the monetary incentive for cybercriminals, is stronger than ever. The GoI’s allocation of INR 625 crores towards cybersecurity infrastructure comes at a time when the threat landscape is growing increasingly resilient to modern solutions. Aggravating this is the rise of quantum computing and the challenges it poses for modern cybersecurity.
Many aspects of security, such as cryptography, rely on computationally complex arguments – the math. At its most basic, encryption takes an original piece of human-readable information and transforms it into incomprehensible text. The security of an algorithm comes from the fact that no one has figured out a way to break it within a reasonable amount of time for it to be a concern. While encryption remains integral to society’s functions, it is not without risks and concerns.
The eventual arrival of commercial quantum computers powerful enough to break public-key encryption will be a significant threat to national security, financial, health, and private data. A large-scale quantum computer could allow for the decryption of most existing cybersecurity protocols and all previously recorded traffic within a matter of months or even days instead of the millennia it would take using classical computers. This would put at risk our economic prosperity, national security, and much of our daily lives as we know it. Though encryption is not top of mind for most of us, it is undoubtedly an important enabler for various critical activities.
Cybersecurity researchers and technologists are rightly concerned with the mixed blessing that is quantum computing. Whilst it enables novel applications such as quantum simulation, it opens the door to greater risks that could paralyze the internet, communication protocols, and e-commerce; the very fabric of modern society.
How will quantum computers achieve this?
Traditional cryptography relies on how hard it is to break down any given number into the product of its constituent primes. The two primary forms of encryption are symmetric, in which the same key is used to encrypt and decrypt the data, and asymmetric, which involves a pair of mathematically linked keys. Symmetric encryption is typically faster and more efficient. However, it relies on two parties trusting each other and sharing the ‘secret’ key – thereby introducing a potential breach point for bad actors. Asymmetric encryption – used in authenticating digital certificates, documents, and e-commerce payments – uses two disparate keys, thus doing away with the secret key sharing problem. While the math differs, nearly all internet communications use both symmetric and asymmetric cryptography. Hence, both forms need to be secure.
The SHA-256 cryptographic protocol used for Bitcoin network security is unbreakable by today’s computers. However, experts predict that within a decade, quantum computing will be able to break this and several other protocols. Elliptic Curve Digital Signature Algorithm (ECDSA), the security algorithm behind all major blockchain technologies today, has been proven vulnerable to quantum computing attacks. Once it is broken, it will be impossible to differentiate legitimate wallet owners from cybercriminals who forged their signatures. Given the public’s perception that decentralized blockchain technology is ultra-reliable, this fact should be a matter of great concern.
Where to start?
While the timelines for sufficiently advanced quantum computing capabilities are unclear (projections say by 2030), the first step is to acknowledge its impact on today’s cryptography and that current cybersecurity solutions will largely be inadequate. Such risk needs to be considered now.
- Organizations should look to see how they can implement Perfect Forward Secrecy (PFS), which is a feature of specific key-agreement protocols that gives assurances that session keys will not be compromised even if long-term secrets used in the session key exchange are compromised. For HTTPS, the long-term secret is typically the server’s private key. Forward secrecy protects past sessions against future compromises of keys or passwords.
- Organizations must start thinking about post-quantum cryptography (PQC) algorithms and replacing current algorithms with new quantum-resistant algorithms.
- Organizations should evaluate the security of post-quantum candidates and transition to using these algorithms to ensure their data remains secure.
- Another option is quantum key distribution (QKD). This creates a shared secret between users which is used to create secure messages, transmissible over conventional channels.
- Organizations also need to consider updating their procurement policies, mandating that future technology purchases require cryptographic flexibility: the ability to add and switch to newer, more secure algorithms as they become available.
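To make the forward-secrecy recommendation above concrete, the following added example (not part of the original article) audits a list of TLS cipher suites for ones that lack forward secrecy and builds a server context restricted to ephemeral key exchange. It assumes OpenSSL-style suite names; the inventory rows are constructed sample data and the function names are illustrative.

```python
import ssl

# OpenSSL names TLS 1.2 suites by key exchange first: "ECDHE-"/"DHE-" mean an
# ephemeral Diffie-Hellman exchange, so session keys do not depend on the
# server's long-term private key. A name with no such prefix (for example
# "AES256-GCM-SHA384") uses RSA key transport, which has no forward secrecy.
# Anonymous suites ("ADH-", "AECDH-") are deliberately left flagged as well.
EPHEMERAL_PREFIXES = ("ECDHE-", "DHE-")


def is_forward_secret(name, protocol):
    """True if the suite's key exchange is ephemeral."""
    if protocol == "TLSv1.3":
        # Full TLS 1.3 handshakes always use ephemeral (EC)DHE.
        return True
    return name.startswith(EPHEMERAL_PREFIXES)


def audit(suites):
    """Return the names of suites that do NOT provide forward secrecy.

    `suites` is a list of dicts with "name" and "protocol" keys, the same
    shape that ssl.SSLContext.get_ciphers() returns.
    """
    return [s["name"] for s in suites
            if not is_forward_secret(s["name"], s["protocol"])]


def forward_secret_server_context():
    """Server-side context that only offers ephemeral key exchange."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20")
    return ctx


# Constructed inventory, e.g. exported from a load balancer's TLS policy.
CONSTRUCTED_INVENTORY = [
    {"name": "ECDHE-RSA-AES256-GCM-SHA384", "protocol": "TLSv1.2"},
    {"name": "DHE-RSA-AES128-GCM-SHA256", "protocol": "TLSv1.2"},
    {"name": "AES256-GCM-SHA384", "protocol": "TLSv1.2"},    # RSA key transport
    {"name": "ECDH-RSA-AES128-SHA", "protocol": "TLSv1.2"},  # static ECDH
    {"name": "TLS_AES_256_GCM_SHA384", "protocol": "TLSv1.3"},
]

if __name__ == "__main__":
    print("Lacking forward secrecy:", audit(CONSTRUCTED_INVENTORY))
    hardened = forward_secret_server_context().get_ciphers()
    print("Hardened context violations:", audit(hardened))
```

Forward secrecy limits what a later key compromise exposes, but the ECDHE and DHE exchanges it relies on are themselves public-key algorithms, so this audit complements the post-quantum migration in the list above and does not replace it.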
As India moves into the next stage of its digital transformation, a cybersecurity-first approach with a long-term view of the future will be key. This would be best exemplified by a proactive approach to dealing with the looming threats associated with quantum computing. It’s important that we don’t view quantum security as a replacement for all existing measures, but instead as an additional form of security alongside current solutions. India Inc. will need to factor in how it will deploy, manage, and maintain both conventional and post-quantum security on its systems.
Views expressed above are the author’s own.