Dr Francis Gaffney, Senior Director – Mimecast Labs & Future Operations at Mimecast, charts the road to quantum-enabled cybersecurity
Based on the principles of quantum mechanics, quantum computers are a rapidly emerging technology for processing complex algorithms. Because quantum computers can perform certain types of computations more efficiently than classical computers, they could also pose a significant threat to current cryptographic cybersecurity systems. This is why there is a need for quantum-enabled cybersecurity.
Quantum computing holds the potential to unlock secrets ranging from one’s personal finances to a nation’s defence strategy. Large-scale quantum computers, if realised, can enable hackers and nation states to break current cryptographic protocols.
In essence, they are capable of threatening the security of commonly used public key cryptosystems and exposing the vulnerabilities that exist within today’s fundamental digital systems that are used to power various internet services, including online financial transactions, e-commerce, and secure communications.
NIST Post-Quantum Cryptography standardisation process
Over the coming years, quantum computers of sufficient size and complexity will become capable of executing Shor’s algorithm, one of the most widely used algorithms that can break factorisation-based encryption with ease. Modern encryption systems are designed so that classical computers would need billions of years of computing time to break these codes. However, by combining Shor’s algorithm with the enormous computing power of quantum machines, attackers will become capable of decrypting data protected by asymmetric cryptography.
Concerned about the potential threat these machines pose to the security of data across government and private organisations, the U.S. National Institute of Standards and Technology (NIST) has been working with the cryptographic community since 2017 on the post-quantum cryptography standardisation process. The aim is to counter cyber threat actors, including those now operating under the concept of “harvest now, decrypt later”. This means that data encrypted with quantum-vulnerable algorithms, which is safe against current cyber threats, can be stored or recorded now and then decrypted when large-scale workable quantum computers come into existence.
The NIST process was initiated to evaluate and establish new public key cryptography standards and to specify at least one publicly disclosed digital signature, public-key encryption, and key-establishment algorithm. On July 5th, 2022, NIST completed the third round of its Post-Quantum Cryptography (PQC) standardisation process, during which it identified four new algorithms to withstand the risks posed by quantum processors.
Security implications for organisations
While NIST is set to host its fourth conference later this year to refine the algorithms and further develop concrete implementation strategies, full adoption of these standards is still a few years away. And as research continues to pick up pace around circumventing Shor’s algorithm, organisations should now consider working with cybersecurity specialists to better prepare for potential vulnerabilities from quantum implementation.
By working with well-qualified cybersecurity specialists, businesses and government organisations can now help their CIOs and other IT leaders to increase their engagement with standards developing organisations to keep themselves updated with the latest developments related to algorithm and dependent protocol changes.
These cybersecurity specialists or officials can also help organisations to audit their current inventory to identify the most sensitive and critical datasets that need to be secured. This information can help with identifying critical data that may be at risk of being decrypted once a cryptographically workable quantum computer becomes available.
It’s also important for organisations to work with cybersecurity officials to identify acquisition, cybersecurity, and data security standards that will require updating to reflect post-quantum requirements. From this audit, organisations will be able to identify where and for what purpose public key cryptography is currently being used and mark those systems as “quantum vulnerable”.
Overall, these early preparations, including taking inventory of all systems using cryptographic technologies for any function, can help organisations to better protect themselves against potential vulnerabilities from quantum implementation while facilitating a smooth and efficient transition to the new post-quantum cryptography standards in the future.
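An added example, not from the original article: one way to turn the audit described above into a first-pass triage that marks systems as quantum vulnerable and separates "harvest now, decrypt later" exposure from signature use. The CSV columns, system names, algorithm list and priority ranking are assumptions made for illustration.

```python
import csv
import io
import re

# Public-key families broken by Shor's algorithm (factoring / discrete log).
SHOR_BROKEN = {"rsa", "dsa", "dh", "ecdh", "ecdsa", "ed25519", "x25519"}
# Purposes that protect confidentiality, so traffic recorded today stays at risk.
CONFIDENTIALITY = {"key-establishment", "encryption"}

# Constructed sample inventory (hypothetical systems, not from the article).
SAMPLE = """\
system,purpose,algorithm,sensitivity
vpn-gateway,key-establishment,ECDHE-P256,high
code-signing,signature,RSA-3072,high
backup-archive,encryption,AES-256-GCM,high
partner-sftp,key-establishment,X25519,low
mail-relay,encryption,RSA-2048,high
"""


def family(algorithm):
    """Reduce a label such as 'RSA-2048' or 'ecdsa-sha2-nistp256' to its family."""
    token = re.split(r"[^a-z0-9]+", algorithm.strip().lower())[0]
    # ECDHE and DHE are the ephemeral forms of ECDH and DH.
    return re.sub(r"^(ecdh|dh)e$", r"\1", token)


def audit(csv_text):
    """Tag each inventory row and return the rows sorted most urgent first."""
    rows = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        vulnerable = family(row["algorithm"]) in SHOR_BROKEN
        # Only confidentiality uses can be recorded now and decrypted later.
        hndl = vulnerable and row["purpose"] in CONFIDENTIALITY
        # Assumed ranking: 3 = recordable and sensitive, 2 = recordable,
        # 1 = vulnerable signature use, 0 = symmetric (not broken by Shor).
        priority = 0
        if vulnerable:
            priority = 1 + int(hndl) + int(hndl and row["sensitivity"] == "high")
        rows.append({**row, "quantum_vulnerable": vulnerable,
                     "harvest_now_decrypt_later": hndl, "priority": priority})
    return sorted(rows, key=lambda r: -r["priority"])


if __name__ == "__main__":
    for r in audit(SAMPLE):
        print(r["priority"], r["system"], r["algorithm"], r["purpose"])
```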