The advent of quantum computing is closer than you think: some nations have already demonstrated capability with the potential to break current asymmetric-key encryption. Traditional encryption methods will no longer provide sufficient protection. You need to act now to begin your transformation to quantum-resistant encryption.
Besides the small introduction, subscribers and consulting clients within this management domain have access to:
Developing quantum-resistant cryptography capabilities is crucial to maintaining data security and integrity for critical applications. Organizations need to act now to begin their transformation to quantum-resistant encryption.
The quantum realm presents itself as a peculiar and captivating domain, shedding light on enigmas within our world while pushing the boundaries of computational capabilities. The widespread availability of quantum computers is expected to occur sooner than anticipated. This emerging technology holds the potential to tackle valuable problems that even the most powerful classical supercomputers will never be able to solve. Quantum computers possess the ability to operate millions of times faster than their current counterparts.
As we venture further into the era of quantum mechanics, organizations relying on encryption must contemplate a future where these methods no longer suffice as effective safeguards. The astounding speed and power of quantum machines have the potential to render many existing security measures utterly ineffective, including the most robust encryption techniques used today. To illustrate, a task that currently takes ten years to crack through a brute force attack could be accomplished by a quantum computer in under five minutes.
Amid this transition into a quantum future, the utmost priority for organizations remains data security, particularly safeguarding sensitive information. Organizations must proactively prepare for the development of countermeasures and essential resilience measures to attain a state of being "quantum safe."
Alan Tang
Principal Research Director, Security and Privacy
Info-Tech Research Group
Your Challenge
Common Obstacles
Info-Tech's Approach
The advent of quantum computing (QC) is closer than you think: some nations have demonstrated capability with the potential to break current asymmetric-key encryption. Traditional encryption methods will no longer be sufficient as a means of protection. You need to act now to begin your transformation to quantum-resistant encryption.
1900-1975 |
1976-1997 |
1998-2018 |
2019-Now |
---|---|---|---|
|
|
|
|
The advent of QC will significantly change our perception of computing and have a crucial impact on the way we protect our digital economy using encryption. The technology's applicability is no longer a theory but a reality to be understood, strategized about, and planned for.
Unlike conventional computers that rely on bits, quantum computers use quantum bits or qubits. QC technology surpasses the limitations of current processing powers. By leveraging the properties of superposition, interference, and entanglement, quantum computers have the capacity to simultaneously process millions of operations, thereby surpassing the capabilities of today's most advanced supercomputers.
A 2021 Hyperion Research survey of over 400 key decision makers in North America, Europe, South Korea, and Japan showed nearly 70% of companies have some form of in-house QC program.
Organizations need to reap the substantial benefits of QC's power, while simultaneously shielding against the same technologies when used by cyber adversaries.
QC early adopters see the promise of QC for a wide range of computational workloads, including machine learning applications, finance-oriented optimization, and logistics/supply chain management.
Experienced attackers are likely to be the early adopters of quantum-enabled cryptographic solutions, harnessing the power of QC to exploit vulnerabilities in today's encryption methods. The risks are particularly high for industries that rely on critical infrastructure.
Critical components of classical cryptography will be at risk, potentially leading to the exposure of confidential and sensitive information to the general public. Business, technology, and security leaders are confronted with an immediate imperative to formulate a quantum-safe strategy and establish a roadmap without delay.
In 2019, Google claimed that "Our Sycamore processor takes about 200 seconds to sample one instance of a quantum circuit a million times—our benchmarks currently indicate that the equivalent task for a state-of-the-art classical supercomputer would take approximately 10,000 years."
Source: Nature, 2019
On December 3, 2020, a team of Chinese researchers claim to have achieved quantum supremacy, using a photonic peak 76-qubit system (43 average) known as Jiuzhang, which performed calculations at 100 trillion times the speed of classical supercomputers.
Source: science.org, 2020
The emergence of QC brings forth cybersecurity threats. It is an opportunity to regroup, reassess, and revamp our approaches to cybersecurity.
Quantum computers have reached a level of advancement where even highly intricate calculations, such as factoring large numbers into their primes, which serve as the foundation for RSA encryption and other algorithms, can be solved within minutes.
QC could lead to unauthorized decryption of confidential data in the future. Data confidentiality breaches also impact improperly disposed encrypted storage media.
A recovered private key, which is derived from a public key, can be used through remote control to fraudulently authenticate a critical system.
Cybercriminals can use QC technology to recover private keys and manipulate digital documents and their digital signatures.
Consider RSA-2048, a widely used public-key cryptosystem that facilitates secure data transmission. In a 2021 survey, a majority of leading authorities believed that RSA-2048 could be cracked by quantum computers within a mere 24 hours.
Source: Quantum-Readiness Working Group, 2022
The development of quantum-safe cryptography capabilities is of utmost importance in ensuring the security and integrity of critical applications' data.
The US Congress considers cryptography essential for the national security of the US and the functioning of the US economy. The Quantum Computing Cybersecurity Preparedness Act was introduced on April 18, 2022, and became a public law (No: 117-260) on December 21, 2022.
The purpose of this Act is to encourage the migration of Federal Government information technology systems to quantum-resistant cryptography, and for other purposes.
Main Obligations |
|
---|---|
Responsibilities |
Requirements |
Inventory Establishment | Not later than 180 days after the date of enactment of this Act, the Director of OMB, shall issue guidance on the migration of information technology to post-quantum cryptography. |
Agency Reports | "Not later than 1 year after the date of enactment of this Act, and on an ongoing basis thereafter, the head of each agency shall provide to the Director of OMB, the Director of CISA, and the National Cyber Director— (1) the inventory described in subsection (a)(1); and (2) any other information required to be reported under subsection (a)(1)(C)." |
Migration and Assessment | "Not later than 1 year after the date on which the Director of NIST has issued post-quantum cryptography standards, the Director of OMB shall issue guidance requiring each agency to— (1) prioritize information technology described under subsection (a)(2)(A) for migration to post-quantum cryptography; and (2) develop a plan to migrate information technology of the agency to post-quantum cryptography consistent with the prioritization under paragraph (1)." |
"It is the sense of Congress that (1) a strategy for the migration of information technology of the Federal Government to post-quantum cryptography is needed; and (2) the government wide and industry-wide approach to post- quantum cryptography should prioritize developing applications, hardware intellectual property, and software that can be easily updated to support cryptographic agility." – Quantum Computing Cybersecurity Preparedness Act
Since 2016, the National Institute of Standards and Technology (NIST) has been actively engaged in the development of post-quantum encryption standards. The objective is to identify and establish standardized cryptographic algorithms that can withstand attacks from quantum computers.
Date | Development |
---|---|
Dec. 20, 2016 | Round 1 call for proposals: Announcing request for nominations for public-key post-quantum cryptographic algorithms |
Nov. 30, 2017 | Deadline for submissions – 82 submissions received |
Dec. 21, 2017 | Round 1 algorithms announced (69 submissions accepted as "complete and proper") |
Jan. 30, 2019 | Second round candidates announced (26 algorithms) |
July 22, 2020 |
Third round candidates announced (7 finalists and 8 alternates) |
July 5, 2022 |
Announcement of candidates to be standardized and fourth round candidates |
2022/2024 (Plan) | Draft standards available |
CRYSTALS – Kyber |
CRYSTALS – Dilithium |
FALCON |
SPHINCS+ |
NIST recommends two primary algorithms to be implemented for most use cases: CRYSTALS-KYBER (key-establishment) and CRYSTALS-Dilithium (digital signatures). In addition, the signature schemes FALCON and SPHINCS+ will also be standardized.
There is no need to wait for formal NIST PQC standards selection to begin your post-quantum mitigation project. It is advisable to undertake the necessary steps and allocate resources in phases that can be accomplished prior to the finalization of the standards.
The advent of QC is closer than you think: some nations have demonstrated capability with the potential to break current asymmetric-key encryption. Traditional encryption methods will no longer be sufficient as a means of protection. You need to act now to begin your transformation to quantum-resistant encryption.
The advent of QC is closer than you think as some nations have demonstrated capability with the potential to break current asymmetric-key encryption. Traditional encryption methods will no longer be sufficient as a means of protection. You need to act now to begin your transformation to quantum-resistant encryption.
The advent of QC will significantly change our perception of computing and have a crucial impact on the way we protect our digital economy using encryption. The technology's applicability is no longer a theory but a reality to be understood, strategized about, and planned for.
Embedding quantum resistance into systems during the process of modernization requires collaboration beyond the scope of a Chief Information Security Officer (CISO) alone. It is a strategic endeavor shaped by leaders throughout the organization, as well as external partners. This comprehensive approach involves the collective input and collaboration of stakeholders from various areas of expertise within and outside the organization.
There is no need to wait for formal NIST PQC standards selection to begin your post-quantum mitigation project. It is advisable to undertake the necessary steps and allocate resources in phases that can be accomplished prior to the finalization of the standards.
The advent of QC poses threats to cybersecurity. It's a time to regroup, reassess, and revamp.
IT Benefits |
Business Benefits |
---|---|
|
|
Time, value, and resources saved to obtain buy-in from senior leadership team using our research material: 1 FTEs*10 days*$100,000/year = $6,000 Time, value, and resources saved to implement quantum-resistant cryptography using our research guidance: 2 FTEs* 30 days*$100,000/year = $24,000 Estimated cost and time savings from this blueprint: $6,000 + $24,000 =$30,000 |
The advent of sufficiently powerful quantum computers poses a risk of compromising or weakening traditional forms of asymmetric and symmetric cryptography. To safeguard data security and integrity for critical applications, it is imperative to undertake substantial efforts in migrating an organization's cryptographic systems to post-quantum encryption. The development of quantum-safe cryptography capabilities is crucial in this regard.
Phase 1 - Prepare
Phase 2 - Discover
Phase 3 - Assess
Phase 4 - Prioritize
Phase 5 - Mitigate
The rise of sufficiently powerful quantum computers has the potential to compromise or weaken conventional asymmetric and symmetric cryptography methods. In anticipation of a quantum-safe future, it is essential to prioritize crypto-agility. Consequently, organizations should undertake specific tasks both presently and in the future to adequately prepare for forthcoming quantum threats and the accompanying transformations.
Quantum-resistance preparations must address two different needs:
Reinforce digital transformation initiatives
To thrive in the digital landscape, organizations must strengthen their digital transformation initiatives by embracing emerging technologies and novel business practices. The transition to quantum-safe encryption presents a unique opportunity for transformation, allowing the integration of these capabilities to evolve business transactions and relationships in innovative ways.
Protect data assets in the post-quantum era
Organizations should prioritize supporting remediation efforts aimed at ensuring the quantum safety of existing data assets and services. The implementation of crypto-agility enables organizations to respond promptly to cryptographic vulnerabilities and adapt to future changes in cryptographic standards. This proactive approach is crucial, as the need for quantum-safe measures existed even before the complexities posed by QC emerged.
Preparation for the post-quantum world has been recommended by the US government and other national bodies since 2016.
In 2016, NIST, the National Security Agency (NSA), and Central Security Service stated in their Commercial National Security Algorithm Suite and QC FAQ: "NSA believes the time is now right [to start preparing for the post-quantum world] — consistent with advances in quantum computing."
Source: Cloud Security Alliance, 2021
Preparing for quantum-resistant cryptography goes beyond simply acquiring knowledge and conducting experiments in QC. It is vital for senior management to receive comprehensive guidance on the challenges, risks, and potential mitigations associated with the post-quantum landscape. Quantum and post-quantum education should be tailored to individuals based on their specific roles and the impact of post-quantum mitigations on their responsibilities. This customized approach ensures that individuals are equipped with the necessary knowledge and skills relevant to their respective roles.
Embedding quantum resistance into systems during the process of modernization requires collaboration beyond the scope of a CISO alone. It is a strategic endeavor shaped by leaders throughout the organization, as well as external partners. This comprehensive approach involves the collective input and collaboration of stakeholders from various areas of expertise within and outside the organization.
During the discovery phase, it is crucial to locate and identify any critical data and devices that may require post-quantum protection. This step enables organizations to understand the algorithms in use and their specific locations. By conducting this thorough assessment, organizations gain valuable insights into their existing infrastructure and cryptographic systems, facilitating the implementation of appropriate post-quantum security measures.
Quantum risk assessment entails evaluating the potential consequences of QC on existing security measures and devising strategies to mitigate these risks. This process involves analyzing the susceptibility of current systems to attacks by quantum computers and identifying robust security measures that can withstand QC threats.
By identifying the security gaps that will arise with the advent of QC, organizations can gain insight into the substantial vulnerabilities that core business operations will face when QC becomes a prevalent reality. This proactive understanding enables organizations to prepare and implement appropriate measures to address these vulnerabilities in a timely manner.
Organizations need to prioritize the mitigation initiatives based on various factors such as business value, level of security risk, and the effort needed to implement the mitigation controls. In the diagram below, the size of the circle reflects the degree of effort. The bigger the size, the more effort is needed.
Source: Hyperion Research, 2022
Hyperion's survey found that the range of expected budget varies widely.
To safeguard against cybersecurity risks and threats posed by powerful quantum computers, organizations need to adopt a robust defense-in-depth approach. This entails implementing a combination of well-defined policies, effective technical defenses, and comprehensive education initiatives. Organizations may need to consider implementing new cryptographic algorithms or upgrading existing protocols to incorporate post-quantum encryption methods. The selection and deployment of these measures should be cost-justified and tailored to meet the specific needs and risk profiles of each organization.
Implement solid governance mechanisms to promote visibility and to help ensure consistency
Each type of quantum threat can be mitigated using one or more known defenses.
Adib Ghubril
Executive Advisor, Executive Services
Info-Tech Research Group
Erik Avakian
Technical Counselor
Info-Tech Research Group
Alaisdar Graham
Executive Counselor
Info-Tech Research Group
Carlos Rivera
Principal Research Advisor
Info-Tech Research Group
Hendra Hendrawan
Technical Counselor
Info-Tech Research Group
Fritz Jean-Louis
Principal Cybersecurity Advisor
Info-Tech Research Group
117th Congress (2021-2022). H.R.7535 - Quantum Computing Cybersecurity Preparedness Act. congress.gov, 21 Dec 2022.
Arute, Frank, et al. Quantum supremacy using a programmable superconducting processor. Nature, 23 Oct 2019.
Bernhardt, Chris. Quantum Computing for Everyone. The MIT Press, 2019.
Bob Sorensen. Quantum Computing Early Adopters: Strong Prospects For Future QC Use Case Impact. Hyperion Research, Nov 2022.
Candelon, François, et al. The U.S., China, and Europe are ramping up a quantum computing arms race. Here's what they'll need to do to win. Fortune, 2 Sept 2022.
Curioni, Alessandro. How quantum-safe cryptography will ensure a secure computing future. World Economic Forum, 6 July 2022.
Davis, Mel. Toxic Substance Exposure Requires Record Retention for 30 Years. Alert presented by CalChamber, 18 Feb 2022.
Eddins, Andrew, et al. Doubling the size of quantum simulators by entanglement forging. arXiv, 22 April 2021.
Gambetta, Jay. Expanding the IBM Quantum roadmap to anticipate the future of quantum-centric supercomputing. IBM Research Blog, 10 May 2022.
Golden, Deborah, et al. Solutions for navigating uncertainty and achieving resilience in the quantum era. Deloitte, 2023.
Grimes, Roger, et al. Practical Preparations for the Post-Quantum World. Cloud Security Alliance, 19 Oct 2021.
Harishankar, Ray, et al. Security in the quantum computing era. IBM Institute for Business Value, 2023.
Hayat, Zia. Digital trust: How to unleash the trillion-dollar opportunity for our global economy. World Economic Forum, 17 Aug 2022.
Mateen, Abdul. What is post-quantum cryptography? Educative, 2023.
Moody, Dustin. Let's Get Ready to Rumble—The NIST PQC 'Competition.' NIST, 11 Oct 2022.
Mosca, Michele, Dr. and Dr. Marco Piani. 2021 Quantum Threat Timeline Report. Global Risk Institute, 24 Jan 2022.
Muppidi, Sridhar and Walid Rjaibi. Transitioning to Quantum-Safe Encryption. Security Intelligence, 8 Dec 2022.
Payraudeau, Jean-Stéphane, et al. Digital acceleration: Top technologies driving growth in a time of crisis. IBM Institute for Business Value, Nov 2020.
Quantum-Readiness Working Group (QRWG). Canadian National Quantum-Readiness- Best Practices and Guidelines. Canadian Forum for Digital Infrastructure Resilience (CFDIR), 17 June 2022.
Rotman, David. We're not prepared for the end of Moore's Law. MIT Technology Review, 24 Feb 2020.
Saidi, Susan. Calculating a computing revolution. Roland Berger, 2018.
Shorter., Ted. Why Companies Must Act Now To Prepare For Post-Quantum Cryptography. Forbes.com, 11 Feb 2022.
Sieger, Lucy, et al. The Quantum Decade, Third edition. IBM, 2022.
Sorensen, Bob. Broad Interest in Quantum Computing as a Driver of Commercial Success. Hyperion Research, 17 Nov 2021.
Wise, Jason. How Much Data is Created Every Day in 2022? Earthweb, 22 Sept 2022.
Wright, Lawrence. The Plague Year. The New Yorker, 28 Dec 2020.
Yan, Bao, et al. Factoring integers with sublinear resources on a superconducting quantum processor. arXiv, 23 Dec 2022.
Zhong, Han-Sen, et al. Quantum computational advantage using photons. science.org, 3 Dec 2020.