Technology develops quickly, though, and on multiple fronts. While scientists work on increasing the qubit count, mathematicians are finding new algorithms that have already reduced the necessary number of qubits by orders of magnitude. Estimates of how long it could take for quantum to threaten today’s cryptographic algorithms vary.
“Regardless of how long it takes to commercialize quantum computing, organizations should start taking stock of their cryptographic reliance, and implement governance steps that will allow them to quickly swap out software and hardware components that are quantum resilient,” says Soutar,
Developing post-quantum cryptography
The U.S. Department of Commerce’s National Institute of Standards and Technology (NIST)is stepping in to prepare for this post-quantum future. NIST, which develops frameworks and guidelines for cybersecurity and privacy (among many other technical and manufacturing disciplines), is hunting for new, quantum-proof encryption algorithms that can secure new secrets and re-encrypt old ones. It solicited approaches to the problem in 2017, initially receiving 69 submissions.
By July 2020, it had whittled down the submissions to a shortlist of 15, seven of which are prime candidates for general purpose post-quantum cryptography, and eight of which either need more development or look suitable for specific applications. The organization is now reviewing these algorithms and plans to release draft standards by the end of 2024.
In the meantime, until a quantum-resistant cryptography standard is ready, companies with an eye on future security face a difficult task: The volume of information that will need to be secured is vast. When quantum computing does become a practical threat, it won’t just threaten freshly minted data. It could also affect data that organizations are creating today, and data that they have encrypted in the past—if public-private key pairs used during the process were recorded.
Matthew Scholl, chief of the computer security division in the Information Technology Laboratory at NIST, also urges organizations to begin planning for quantum’s impact on encryption while NIST continues working with the international cryptographic community to finish the needed encryption standards. “There will be time for commercial products to implement these new standards and for organizations to integrate them into their infrastructures,” he says, but being ready for that transition will be key. “We have learned from previous encryption and from other important legacy upgrades that these changes can be complex and resource intensive.”
Assessing the risk
Before organizations can assess the risk of quantum computing to their operations, they ought to analyze the processes that it supports, in a discipline that Soutar calls crypto-governance.
“Crypto-governance means getting a real sense of what data an organization has, how it is encrypted, how it is transmitted, what cryptographic methods are used, where the keys are stored, and how the keys are exchanged,” he says.
NIST is helping to create frameworks for crypto-governance and organizational agility beyond its standardization work. At the end of June this year, shortly after its third post-quantum cryptography standardization conference, it released a report detailing post-quantum implementation tasks that companies must tackle as they prepare their migration to quantum-resistant cryptography.
At a high level, these tasks involve rooting out quantum-vulnerable cryptographic libraries, applications, computing platforms, communication protocols, and hardware and software modules. These modules include any application using Transport Layer Security (TLS), which is a common public key cryptography implementation supporting internet communications. It also includes operating systems that include quantum-vulnerable cryptography. “Much of this work will be done by large technology providers but knowing if and where you might have hard coded, purpose built, or custom code that implements these protocols will be part of that awareness,” says Scholl.