Post-Quantum Cryptography Deconstructed


Post-Quantum Cryptography Deconstructed The cornerstone of every cybersecurity architecture is the encryption of data and network communications to prevent unauthorized access to sensitive information. If all other cybersecurity controls fail, encryption is always there to prevent unauthorized access to information. Encryption is so critical to the world’s digital commerce that all cybersecurity rules, regulations, and standards require organizations to deploy proper encryption protocols.

Up to now, we have had access to cryptographic algorithms that would prevent even the most aggressive hackers from breaking into encrypted data and networks. However, current-state encryption algorithms face an existential threat as we enter the quantum computing era.

Does Quantum Computing Pose a Threat?

Quantum computing introduces computers using quantum mechanics to solve highly complex problems at unimaginable speeds. However, it is a dual-edged sword; in the wrong hands, quantum computers could also be used to break today’s most advanced cryptographic algorithms.

This looming encryption vulnerability has been a theoretical threat for nearly 30 years. In 1994, mathematician Peter Shor developed an algorithm that challenged encryption used by modern cryptosystems by establishing a quantum algorithm that rapidly solves asymmetric cryptographic algorithms.

Suppose hackers or, more likely, nation-state adversaries with the means to acquire quantum computers used them to hack into the world’s most secure networks and computers. This threat is ushering in the post-quantum cryptography (PQC) development race. Fortunately, the quantum computers needed to run Shor’s algorithm do not exist yet, so there is time to prepare.

How Will Organizations Combat the Quantum Computing Threat?

In the future, adversaries could launch cyberattacks supported by quantum computing capable of executing quantum algorithms to break existing encryption algorithms. PQC, which will operate on nonquantum computers, will be needed to combat this threat. I know it sounds like bringing a knife to a gunfight, but few companies will have access to quantum computing anytime soon. PQC will be designed using conventional cryptographic algorithms to repel a quantum-computing-based attack.

The efforts to develop PQC are well underway, with The National Institute of Standards and Technology (NIST) leading the way. NIST has assembled a public-private collaboration to identify, refine, and operationalize several PQC algorithms in advance of the availability of quantum computing. Thwarting future quantum-based attacks will rely on today’s computing technology to encrypt existing, stored data using PQC.

What Is the State of PQC Today?

In July 2022, NIST announced the first wave of PQC algorithms selected as potential 2024 cryptographic standards. These new standards will replace currently deployed encryption algorithms to establish keys for secure communication and authenticate users through digital signatures. But not so fast: On February 21, 2023, it was reported that both the CRYSTALS-Kyber public-key encryption and the key encapsulation mechanism NIST recommended for post-quantum cryptography the previous July were broken. Swedish researchers from the KTH Royal Institute of Technology in Stockholm used recursive training AI combined with side-channel attacks to achieve this feat.

Companies like QuSecure offer a Software-as-a-Service-based quantum security solution, and Entrust has its Cryptographic Center of Excellence (CryptoCoE) to aggressively address the PQC market. Clearly, deep-learning-based side-channel attacks will need to be part of the equation when touting next-gen cryptography. So the state of PQC is…well, we’ll have to wait and see.

Should CISOs Be Doing Anything Now to Prepare for PQC?

CISOs should start transition planning to move existing cryptographic algorithms to PQC. This process begins with inventorying cryptography-dependent systems and applications while assessing available algorithms and relevant cryptographic standards and their requirements. Next, CISOs should define a roadmap to integrate the new PQC standards when available. Finally, PQCs should be tested to demonstrate how systems perform using the new PQC algorithms.

A Final Word

No one knows when the state of quantum computing will advance to break Rivest–Shamir–Adleman (RSA) or elliptic-curve cryptography (ECC); some say 10 years, some say 20. But what is known is that we need to be prepared, and it will take many years to unwind outdated encryption algorithms from current use and deploy PQC. The good news is that while hardware and software engineers are trying to figure out how to bring quantum computing to market, cryptographers are already well on their way to bringing PQC to market.

Drop me a line at [email protected] and let me know your thoughts on whether you feel post-quantum computing will happen in our lifetime or are planning on moving forward with PQC.