Current symmetric cryptographic methods, such as AES, are considered largely resilient against quantum computing attacks when used with appropriate key lengths (UK NCSC, 2020; ANSSI, 2022; ENISA et al., 2022; ETSI, 2015; BSI, 2021, 2023).
However, public key cryptography algorithms face a direct threat from quantum computing. This poses a significant issue as public key cryptography is widely employed for digital signatures and key agreement – the process by which remote parties establish the symmetric keys they will use for communication, as previously mentioned (UK NCSC, 2020; ANSSI, 2022; US Government Accountability Office, 2021).
The implications are substantial. The vulnerability of these cryptosystems to quantum attacks jeopardizes all security protocols that rely on their public key ciphers, as well as any product or security system that derives its security from these protocols (ETSI, 2015). While current quantum computers do not pose an immediate threat to public key cryptography, a future, large, general-purpose quantum computer, termed a Cryptographically Relevant Quantum Computer (CRQC), could easily solve the mathematical problems underpinning public key cryptography (UK NCSC, 2020). As highlighted by the US National Institute for Standards and Technology (NIST), the availability of a CRQC to an adversary would break the security of nearly all modern public-key cryptographic systems. Consequently, all secret symmetric keys and private asymmetric keys currently protected by public-key algorithms, along with the information secured under those keys, would be vulnerable to exposure. This includes all recorded communications and stored information protected by these algorithms, as previously encrypted material stored by an adversary could be decrypted if that adversary gains access to a CRQC in the future. Any such information still considered private or sensitive would be susceptible to exposure and undetected modification (Barker, Polk and Souppaya, 2021).
While the timeline for the availability of a CRQC is uncertain, it's crucial to acknowledge the potential for a rapid collapse of current cryptographic infrastructure if it materializes sooner rather than later, leaving stakeholders with limited time to react. Furthermore, some threat actors might already be engaged in "retroactive attacks," collecting high-value encrypted data and key agreement data today with the intent of decrypting it in the future using a CRQC. Evidence suggests that some nation-states are already employing this "intercept and store now, decrypt later" strategy (ENISA et al., 2022). Additionally, a future CRQC could be used to forge digital signatures, allowing impersonation of legitimate private key owners or tampering with information whose authenticity is protected by a digital signature. While this threat will be fully realized upon the availability of a CRQC, it necessitates consideration today for high-value, root-level public keys intended for long operational lifetimes (UK NCSC, 2020; ANSSI, 2022; BSI, 2021). Moreover, a national security agency might operate the first fully functional large quantum computer in secret for a significant intelligence advantage (ENISA et al., 2022). The US National Security Agency issued a stark warning in 2015 about the imminent threat posed by quantum computer development to current public key cryptography (BSI, 2021; ANSSI, 2022).
Given the substantial and increasing research investments in quantum information technologies, several cybersecurity agencies have cautioned that the anticipated collapse of current cryptographic infrastructure due to the expected advent of quantum computing must be addressed today, and the transition to quantum-resistant cryptography should commence now (Chen et al., 2016; ANSSI, 2022; BSI, 2021; UK NCSC, 2020). This transition requires considering at least three factors, the first of which is the expected operational lifetime of the data to be protected (ETSI, 2015):
The required security lifespan of the information: This duration varies depending on the sensitivity and longevity requirements. For example, credit card payment information has a short confidentiality window, whereas some state and military secrets demand protection for decades.
The time needed to upgrade infrastructure for quantum safety: Implementing new cryptographic methods and gaining widespread acceptance within the security community is a lengthy process. Most information systems are not designed for rapid cryptographic updates without significant infrastructure changes. NIST estimates that algorithm replacement can be highly disruptive and often takes decades to complete (Barker, Polk and Souppaya, 2021).
The estimated timeline for building a CRQC: If this timeframe is shorter than either of the above durations, sensitive information could be compromised by adversaries.
Moreover, even if the construction of a functional CRQC proves impossible, as some quantum skeptics argue, the development of a new cryptographic paradigm would still provide a valuable alternative to current public key cryptography. This would be particularly beneficial should a future vulnerability compromise the utility of existing methods, a risk that can never be entirely ruled out (ANSSI, 2022).
The solution to the threat posed by quantum computers to traditional cryptography lies in the development of a new generation of cryptographic algorithms resistant to attacks from both traditional and quantum computers. This new family of algorithms is called "quantum-resistant cryptography" (QRC), also referred to as post-quantum, quantum-safe, or quantum-secure cryptography. These algorithms encompass key establishment and digital signatures and can be executed on conventional computers using traditional communication channels (ANSSI, 2022). Once developed and deployed, they can proactively address the "intercept and store now, decrypt later" challenge posed by future CRQCs.
Since 2006, a significant international community of researchers has been actively working on QRC, including through publicly funded research projects in the European Union and Japan (Chen et al., 2016). As is standard in cryptography, trust in new cryptosystems is generally tied to the standardization of algorithms by globally recognized institutions like ETSI, ISO, and NIST. In 2016, NIST initiated a QRC standardization effort by defining evaluation criteria for quantum-resistant public key cryptography standards. They began accepting proposals for quantum-resistant public key encryption, digital signature, and key exchange algorithms, aiming to select at least one candidate algorithm for each functionality through a consensus-driven process (Chen et al., 2016). Following a rigorous three-round evaluation, in 2022 NIST selected one quantum-resistant algorithm for key establishment and three for digital signatures from a total of 82 proposals submitted by international research teams. At the time of this writing, NIST continues to evaluate four additional candidates for potential future inclusion in the standard (Alagic et al., 2022; US NIST, 2022; UK NCSC, 2023).
Many cybersecurity agencies have welcomed the NIST process (BSI, 2021; ANSSI, 2022; UK NCSC, 2020), which has acted as a catalyst for strong engagement from the international cryptography research community and spurred initiatives to coordinate domestic efforts, such as the French "Risq" project (ANSSI, 2022). Throughout NIST's standardization process, these cybersecurity agencies have issued recommendations encouraging organizations to consider QRC. Concurrently, the Internet Engineering Task Force has been working on updating internet protocols to be resistant to quantum computers, and ETSI has been developing migration and deployment guidance (IETF, 2022a, 2022b; UK NCSC, 2023).
The UK National Cyber Security Centre (NCSC) has urged large organizations to incorporate the threat of quantum computer attacks into their long-term roadmaps, including the evolution of major commercial products and services to support QRC. The NCSC has also encouraged organizations managing their own cryptographic infrastructure to factor post-quantum transition into their long-term plans and identify high-priority systems for transition, such as those processing sensitive personal data or parts of the public key infrastructure with certificate expiry dates far in the future. Due to potential security and business continuity risks, the British cybersecurity agency has advised against early adoption of non-standardized QRC but has highlighted the ongoing development of relevant guidance by standards bodies like NIST and ETSI. The agency also emphasized the continued need to support conventional public key cryptography during the interim period when organizations will need to operate both conventional and quantum-safe cryptography, while working towards a future state where only QRC is used (UK NCSC, 2020, 2023).
The German Federal Office for Information Security (BSI) has called for the early consideration of implementing QRC within an appropriate risk management framework. Given the current limited understanding of potential weaknesses in QRC, the German cybersecurity agency recommended "hybridization," the combination of traditional algorithms with QRC, rather than implementing QRC alone (BSI, 2021). The French cybersecurity agency (ANSSI) also supports a three-phase transition process involving hybridization: i) an immediate and voluntary hybridization phase where quantum-resistant security aims to add post-quantum defense-in-depth to pre-quantum security assurance; ii) a second phase, starting no earlier than 2025, providing quantum-resistant security assurance while avoiding any regression in pre-quantum security, during which quantum resistance would be claimed as a security feature; and iii) a third phase, after 2030, with optional hybridization where the level of assurance provided by quantum-resistant security would be equivalent to the current pre-quantum level (ANSSI, 2022). ANSSI acknowledges that standardization does not necessarily equate to maturity, with many aspects, such as the design of secure algorithm implementations, still being research topics lacking long-term cryptanalytical scrutiny. France encourages the development of future QRC and hybrid cryptographic products. Both BSI and ANSSI recommend implementing "cryptoagility" for new products, designing them with sufficient flexibility to adapt to future developments, implement upcoming recommendations and standards, and potentially replace algorithms that no longer provide the desired level of security (ANSSI, 2022; BSI, 2021). ANSSI defines a "cryptoagile" product as one that allows updating its cryptographic algorithms without requiring recall or replacement. 
Cryptoagility is also described as "a design feature that enables updates to future cryptographic algorithms and standards without the need to modify or replace the surrounding infrastructure" (US DHS, 2022) and "best practice that enables cryptographic algorithms used in applications and protocols to be interchanged easily to ensure systems remain secure if new cryptographic vulnerabilities are discovered" (Canadian Centre for Cyber Security, 2022).
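The "hybridization" recommended by BSI and ANSSI above, and the cryptoagility both agencies call for, can be seen in one small combiner. The following is an added example written for this page, not code from any of the cited agencies: it derives a session key from both a classical and a quantum-resistant shared secret with HKDF (RFC 5869), binding the algorithm identifiers and the exchange transcript into the derivation. The two component secrets, the transcript, and the algorithm names are constructed stand-ins; a real deployment would obtain them from an ECDH exchange and a standardised quantum-resistant KEM.

```python
import hashlib
import hmac

# Added example (not from the cited agencies): a hybrid key combiner in the
# spirit of the BSI/ANSSI "hybridization" advice. The component secrets are
# constructed stand-ins for an ECDH shared secret and a PQ KEM shared secret.

def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """HKDF-Extract (RFC 5869) with HMAC-SHA256; an empty salt is permitted."""
    return hmac.new(salt, ikm, hashlib.sha256).digest()

def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Expand (RFC 5869): chain HMAC blocks until `length` bytes exist."""
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]

def hybrid_key(ss_classical: bytes, ss_pq: bytes, transcript: bytes,
               alg_ids: tuple, length: int = 32) -> bytes:
    """Derive one session key that depends on BOTH component secrets.
    Secrets are length-prefixed to avoid ambiguous concatenation; algorithm
    identifiers and the public transcript are bound into `info`, so swapping a
    component (cryptoagility) or tampering with the exchange changes the key."""
    ikm = (len(ss_classical).to_bytes(2, "big") + ss_classical
           + len(ss_pq).to_bytes(2, "big") + ss_pq)
    info = b"hybrid-v1|" + b"+".join(alg_ids) + b"|" + transcript
    return hkdf_expand(hkdf_extract(b"", ikm), info, length)

# Constructed sample inputs, not real protocol output.
SS_CLASSICAL = bytes.fromhex("11" * 32)            # stand-in ECDH secret
SS_PQ = bytes.fromhex("22" * 32)                   # stand-in PQ KEM secret
TRANSCRIPT = b"client_share|server_share|kem_ciphertext"
ALG_IDS = (b"ecdh-p256", b"pq-kem-placeholder")    # hypothetical identifiers

def derive_session_key() -> bytes:
    return hybrid_key(SS_CLASSICAL, SS_PQ, TRANSCRIPT, ALG_IDS)

def key_depends_on_both_components() -> bool:
    """True if knowing one secret (say, classical ECDH broken by a CRQC) and
    guessing the other as zeros does not reproduce the session key."""
    k = derive_session_key()
    only_classical = hybrid_key(SS_CLASSICAL, b"\x00" * 32, TRANSCRIPT, ALG_IDS)
    only_pq = hybrid_key(b"\x00" * 32, SS_PQ, TRANSCRIPT, ALG_IDS)
    return k != only_classical and k != only_pq
```

Because the derived key changes whenever either component secret, an algorithm identifier, or the transcript changes, a later swap of the quantum-resistant component leaves the surrounding protocol unchanged while the combiner stays sound as long as at least one component remains unbroken.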
The transition to QRC is a priority within the US Department of Homeland Security (DHS)'s vision for cybersecurity and resilience (US DHS, 2022). In partnership with NIST, DHS has released a roadmap to assist organizations in protecting their data and systems and mitigating risks associated with the advancement of quantum computing technology. The US Cybersecurity and Infrastructure Security Agency (CISA) established a QRC Initiative in 2022 to unify and drive agency efforts to address threats posed by quantum computing and to support critical infrastructure and government network owners and operators during the transition to quantum-resistant cryptography. This initiative includes: i) assessing quantum computing risks across US critical infrastructure (55 National Critical Functions) to determine the status of QRC transition work, identify high-risk areas, and assess federal support needs; ii) planning resource allocation and engagement strategies with public and private sector owners and operators; iii) partnering to promote the adoption and implementation of policies, standards, and requirements to enhance the security of the Federal Civilian Executive Branch, state, local, tribal, and territorial entities, critical infrastructure, and supporting technology; and iv) engaging stakeholders to develop mitigation plans and encourage the implementation of standards once available, as well as to develop technical products to support these efforts (US CISA, 2022). DHS has also created a roadmap to guide organizations in preparing for the transition to QRC, based on a scenario where a CRQC might be available by 2030 (US DHS, 2022, 2021). The Australian Signals Directorate (ASD) encourages research, testing, and practical trials of QRC algorithms while NIST finalizes the standardization process and urges Australian industry to continue research and development in quantum technologies (ACSC, 2023). 
In planning for a quantum-resistant computing environment, organizations are encouraged to create a transition plan for QRC algorithm use, including testing and adoption of new QRC algorithms and decommissioning legacy cryptographic algorithms, based on an inventory of their public key cryptography usage and the value of the data it protects. The ASD also advises organizations to discuss anticipated QRC requirements with vendors or those involved in quantum-resistant cryptographic research and to educate and train relevant personnel on the eventual transition to QRC algorithms.
The Canadian Centre for Cyber Security has invited organizations to develop and budget for a transition plan to deploy standardized QRC, prioritizing sensitive information with a long lifespan, such as intellectual property, tax data, and medical records, and to inquire with vendors about their plans for securely upgrading software and hardware to QRC. The Centre has recommended several steps for planning this transition (Canadian Centre for Cyber Security, 2021).