The quantum threat to hash functions and symmetric algorithms comes from an algorithm invented by computer scientist Lov Grover in 1996.[2] Although Grover’s algorithm significantly reduces the time it takes to try every potential numerical key or hash value until the right one is found, this algorithm can be readily thwarted by doubling the key length or by using other currently available hash functions.
On the other hand, a quantum algorithm designed in 1994 by mathematician Peter Shor[3] poses a more serious threat to public-key cryptography. Shor’s algorithm can theoretically break the mathematical relationship between public and private keys in a matter of hours.[4] Public keys are widely distributed—consider, for example, web certificates—and could be used to determine the private key, which would effectively render current public-key cryptography useless. As such, the quantum threat to public-key cryptography—used for such things as key exchange and digital signatures—is significantly higher than to hash functions or symmetric algorithms. Security experts differ on when quantum computers will be mature enough to use Shor’s algorithm to crack public-key cryptography. Estimates range from five to 20 years.[5] Given that public keys are widely available, encrypted data and related communications can be collected now and decrypted once hackers gain access to sufficiently mature quantum computers, thus jeopardizing the long-term security of today’s internet communications and transactions.
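The following is an added illustration, not part of the original article, of why Shor’s algorithm is the more serious threat. RSA’s private key is tied to the public key only through the factorization of the modulus, and factoring reduces to finding the period (multiplicative order) of a number modulo n. Shor’s algorithm finds that period on a quantum computer in polynomial time; here the period is found by classical brute force instead, which only works because the constructed toy key (n = 61 × 53, e = 17) is 12 bits long. The classical post-processing is exactly the same for a real 2048-bit modulus, which is why no key-size increase helps against Shor the way it does against Grover.

```python
from math import gcd


def multiplicative_order(a: int, n: int) -> int:
    """Smallest r > 0 with a**r == 1 (mod n), found by brute force.

    This period-finding step is the part Shor's algorithm performs on a quantum
    computer in polynomial time; the classical loop below costs up to ~n steps,
    which is infeasible for the 2048-bit moduli used in practice.
    """
    if gcd(a, n) != 1:
        raise ValueError("a must be coprime to n")
    r, x = 1, a % n
    while x != 1:
        x = (x * a) % n
        r += 1
    return r


def factor_by_order_finding(n: int) -> tuple:
    """Classical post-processing of Shor's algorithm.

    For a base a coprime to n with even order r and a**(r/2) != -1 (mod n),
    gcd(a**(r/2) - 1, n) is a non-trivial factor of n. Bases are tried in
    increasing order so the result is deterministic.
    """
    for a in range(2, n):
        g = gcd(a, n)
        if g != 1:
            return tuple(sorted((g, n // g)))  # a already shares a factor with n
        r = multiplicative_order(a, n)
        if r % 2:
            continue                            # odd order: pick another base
        y = pow(a, r // 2, n)
        if y == n - 1:
            continue                            # trivial square root of 1: retry
        p = gcd(y - 1, n)
        if 1 < p < n:
            return tuple(sorted((p, n // p)))
    raise ValueError("no non-trivial factor found (is n prime?)")


def rsa_private_exponent(e: int, p: int, q: int) -> int:
    """With p and q known, the private exponent d follows from the public e via
    e*d == 1 (mod (p-1)(q-1)). This is the public/private relationship that
    factoring breaks. Requires Python 3.8+ for pow(e, -1, m)."""
    return pow(e, -1, (p - 1) * (q - 1))


if __name__ == "__main__":
    # Constructed toy RSA key (textbook-sized, not a real key): n = 61 * 53, e = 17.
    n, e = 3233, 17
    p, q = factor_by_order_finding(n)
    d = rsa_private_exponent(e, p, q)
    print(f"n = {n} = {p} * {q}, recovered d = {d}")
    m = 65
    # Decrypting a ciphertext with the recovered d returns the plaintext.
    print("round trip ok:", pow(pow(m, e, n), d, n) == m)
```

The loop in `multiplicative_order` is the whole story: its cost grows exponentially with the bit length of n on a classical machine, and Shor’s quantum period finding removes that cost. Everything after the period is found is cheap classical arithmetic, which is why the article treats the public-key threat as qualitatively different from the Grover threat to symmetric ciphers.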
Fortunately, the National Institute of Standards and Technology (NIST) is working to standardize postquantum, public-key cryptography algorithms that can be used to develop systems that are secure against both quantum and traditional computers. After a multiyear process of soliciting, evaluating, and standardizing one or more postquantum cryptography algorithms, NIST plans to announce the standardized quantum-resistant algorithms by 2024.[6]
When postquantum cryptography is fully developed and standardized, organizations can upgrade their existing public-key cryptography systems. One report from the World Economic Forum estimates that 20 billion digital devices will need to be upgraded or replaced with postquantum cryptography in the next 20 years.[7]
This is not a simple switch or patch, because cryptography is entrenched across the enterprise, including in physically remote systems. For example, migrating to postquantum cryptography will affect the performance requirements of microprocessors that are embedded in ATMs, TV set-top boxes, point-of-sale systems, smartphones, and a host of other devices and systems. As a result, algorithm replacement can be extremely disruptive, can take decades to complete, and typically requires upgrading or replacing components of the cryptographic infrastructure.[8]
Parallel to its standardization efforts, NIST is developing practices and recommendations aimed at simplifying the migration from current public-key cryptography algorithms to quantum-resistant algorithms.[9] NIST aims to develop a migration playbook with recommendations and practices that help organizations address the challenges of algorithm replacement. In its initial stages, the NIST migration playbook’s goal is to demonstrate automated discovery tools to help organizations determine where and how public-key cryptography is being used in hardware, firmware, operating systems, communication protocols, cryptographic libraries, and applications. Then the focus of the initiative will be on prioritizing those components and assets for migration.
Similarly, the World Economic Forum has called for the development of a quantum security coalition to promote the adoption of secure quantum solutions and develop global governance principles and models.[10]
How to prepare for postquantum cryptography
In addition to leveraging the NIST standards and migration recommendations, business leaders can take several actions to ready their organizations for the security implications of quantum computing.
1. Build awareness of quantum’s security risks. Understand the risk quantum computing poses to existing cryptographic and encryption systems. Extend this awareness to other business leaders at the board and C-suite level to gain support for investing in a quantum-safe cryptography infrastructure.
2. Take a fresh approach to cryptographic governance. Preparing cryptographic systems for the quantum computing era is a major technical challenge, one that may require organizations to change their view of the cryptographic infrastructure as rigid and static. In the same way that Agile software delivery practices help create more adaptable technology organizations, so can a more agile approach to cryptographic governance create more flexible businesses that can quickly pivot and reprioritize in response to evolving security threats, including those related to quantum computing. This mindset shift can result in a flexible, dynamic cryptographic infrastructure that’s more capable of fluidly evolving with enterprise, industry, and technology security challenges and requirements.
3. Assess the enterprise’s readiness to become crypto-agile. A refreshed approach to cryptography can enable a more crypto-agile organization—that is, one that can efficiently update cryptographic algorithms, parameters, processes, and technologies to better respond to new protocols, standards, and security threats, including those leveraging quantum computing methods. To assess organizational readiness for crypto-agility, review the following and consider potential migration strategies:
• Data and cryptographic assets: To help respond to systemic changes—such as new algorithms—it can help to provide an accounting of data assets to understand how they’re cryptographically protected. Inventory and prioritize cryptographically protected data, transactions, and other assets and understand their retention requirements and location. For example, are they on-premises or in the cloud?
• Cryptographic keys: To identify and prioritize future vulnerabilities, review the types of cryptographic keys being used, their characteristics, and their location in existing computer and communications hardware, operating systems, application programs, communications protocols, key infrastructures, and access control mechanisms.
• Infrastructure limitations: Quantum-safe cryptography may use substantially more processing power than current cryptographic methods, which could require infrastructure upgrades. As NIST standards develop, understand how they will impact system infrastructure. Identify potential future infrastructure shortcomings such as bandwidth, latency, memory, and computing power and develop a plan for addressing these limitations.
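As an added example (not from the article or from NIST), the script below sketches the prioritization step that the discovery-and-inventory work above feeds into: it takes an inventory of cryptographically protected assets and keys, applies the Grover and Shor rules from the opening of the article (public-key algorithms offer no quantum security regardless of key size; symmetric keys and hash preimages lose half their bits), and orders the assets for migration. The algorithm table, the 128-bit policy floor, the 10-year quantum horizon, and the exposure rule (data retention time plus migration time compared against the horizon, to capture harvest-now-decrypt-later risk) are all this example’s own assumptions; the inventory records are constructed, not real systems.

```python
from dataclasses import dataclass

# Assumed classification of algorithm families (this example's own table, not NIST text):
# Shor's algorithm recovers the private key from the public key regardless of key size;
# Grover's algorithm turns an n-bit key or preimage search from ~2^n into ~2^(n/2) work.
SHOR_BROKEN = {"RSA", "DSA", "DH", "ECDSA", "ECDH", "EdDSA"}
GROVER_HALVED = {"AES", "ChaCha20", "SHA-256", "SHA-384", "SHA3-256", "HMAC-SHA256"}
MIN_POSTQUANTUM_BITS = 128  # assumed policy floor for effective security


@dataclass
class CryptoAsset:
    """One entry of the cryptographic inventory (constructed records below)."""
    name: str
    algorithm: str
    key_bits: int          # key size, or digest size for hash functions
    location: str          # "on-prem" or "cloud"
    retention_years: int   # how long the protected data must stay confidential
    migration_years: int   # estimated time to re-key or replace this component


def effective_security_bits(algorithm: str, key_bits: int) -> int:
    """Security level in bits against an adversary with a large quantum computer.
    Models key search and preimage search only (not hash collision resistance)."""
    if algorithm in SHOR_BROKEN:
        return 0
    if algorithm in GROVER_HALVED:
        return key_bits // 2
    raise ValueError(f"unknown algorithm family: {algorithm}")


def assess(asset: CryptoAsset, quantum_horizon_years: int) -> dict:
    """Assign a migration priority (0 = most urgent).

    Assumed rule: data is exposed to harvest-now-decrypt-later if the time it must
    stay confidential plus the time needed to migrate exceeds the quantum horizon.
    """
    bits = effective_security_bits(asset.algorithm, asset.key_bits)
    exposure_years = asset.retention_years + asset.migration_years
    if bits == 0 and exposure_years > quantum_horizon_years:
        priority, action = 0, "replace with a quantum-resistant algorithm now"
    elif bits == 0:
        priority, action = 1, "schedule replacement before the quantum horizon"
    elif bits < MIN_POSTQUANTUM_BITS:
        priority, action = 2, f"double the key size (e.g. {asset.algorithm}-{asset.key_bits * 2})"
    else:
        priority, action = 3, "no change required"
    return {"name": asset.name, "location": asset.location, "effective_bits": bits,
            "exposure_years": exposure_years, "priority": priority, "action": action}


def prioritise(inventory, quantum_horizon_years: int = 10) -> list:
    """Sort the inventory by migration priority, then by longest exposure first."""
    results = [assess(a, quantum_horizon_years) for a in inventory]
    return sorted(results, key=lambda r: (r["priority"], -r["exposure_years"]))


# Constructed sample inventory (hypothetical systems, not real ones).
SAMPLE_INVENTORY = [
    CryptoAsset("web-tls-cert", "RSA", 2048, "cloud", 1, 1),
    CryptoAsset("archive-signing-key", "ECDSA", 256, "on-prem", 15, 3),
    CryptoAsset("backup-encryption", "AES", 128, "on-prem", 10, 2),
    CryptoAsset("db-at-rest", "AES", 256, "cloud", 10, 2),
    CryptoAsset("firmware-image-hash", "SHA-256", 256, "on-prem", 10, 5),
]

if __name__ == "__main__":
    for row in prioritise(SAMPLE_INVENTORY):
        print(f"P{row['priority']} {row['name']:<22} {row['location']:<8} "
              f"{row['effective_bits']:>3} bits  {row['action']}")
```

Two points in the output match the article’s argument: the long-retention ECDSA signing key ranks above the short-lived RSA TLS certificate even though both are equally broken by Shor, because its protected data outlives the assumed quantum horizon; and AES-128 is flagged not for replacement but for a key-size doubling, which is the Grover remedy the article describes.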
4. Engage with the quantum security ecosystem. Monitor the development of NIST’s postquantum cryptography standards and solutions and understand and evaluate the recommended migration approaches. Develop crypto governance based on a framework such as the NIST Cybersecurity Framework, which outlines practices and processes for managing cybersecurity risk. Finally, engage in public-private and industry ecosystem relationships to stay aware of technology developments in quantum computing, quantum-resistant cryptography, and crypto-agility.
5. Practice good cyber hygiene. As always, be proactive about managing and reducing cybersecurity risks. Establish and maintain strong foundational cybersecurity principles and practices and situational awareness of data, infrastructure, and other assets.
While the path to postquantum cryptography may be lengthy and complicated, enterprises can see the quantum threat coming, which makes the decision to prepare a simple one. You may be familiar with the American adage, “an ounce of prevention is worth a pound of cure.” In the case of tackling crypto-agility, however daunting the prevention may seem, it would be infinitely more tolerable than the crisis that could result from a collapse of public-key encryption.