author photo
By SecureWorld News Team
Sat | May 11, 2019 | 5:53 AM PDT

Cryptography is at the core of information security, and many people in the industry are concerned about the potential disruptive impacts of decryption with the onset of quantum computing. 

Cryptomathic has this in-depth look at the topic:

Many important aspects of IT security rely on encryption and public key cryptography, which are essential for e-commerce and protecting secret electronic information.

These techniques are based in turn on mathematical algorithms that are very difficult to “break”. Modern algorithms with suitable key lengths (e.g. AES-128, RSA-2048, ECDSA-256, etc.) are not susceptible to brute force attack – even with massive amounts of computing power, they would take centuries or, in some cases, even longer than the lifetime of the universe to break.

However, it is possible to create unique algorithms for quantum computers (e.g. “Shor’s algorithm”) that dramatically reduce the time it takes to break these algorithms.

Symmetric algorithms used for encryption, like AES, are still thought to be safe (with sufficient key length – e.g. AES-256 or larger); however, current asymmetric algorithms like RSA and ECDSA will be rendered essentially useless once quantum computers reach a certain scale.

This will break nearly every practical application of cryptography in use today, making e-commerce and many other digital applications that we rely on in our daily lives totally insecure.

Should I worry?

Probably not - it is a global problem, and there are many people working on this. But that doesn’t mean you should ignore it. Keep an eye on the progress of quantum computing, the development of quantum-resistant algorithms, and the creation of new standards; ensure your applications and infrastructure are upgradeable; make a plan, and be ready to migrate at the right time.

However, note that much encrypted information that is around today, or over the coming years, will probably be susceptible to decryption one day in the future once quantum computers are generally available—all an attacker needs to do is capture the encrypted data today, including the initial key exchange handshake, then wait until they have a quantum computer power enough to break it within a reasonable amount of computing time.

This is primarily a problem for governments, who have large amounts of secret data with a long “intelligence life”— i.e. it needs to be kept secret for 25 years or more for national security reasons. This is why governments are at the forefront of the research effort—both to develop quantum computing for offensive cyber operations, and to develop quantum-resistant algorithms for defensive purposes. They may even have clandestine research efforts that are ahead of the academic world, as there is a significant military advantage to be had.

Commercial organizations with sensitive data that they wish to protect in the long term and that are attractive targets for hackers should look to use symmetric algorithms with long key lengths (e.g. AES-256 rather than AES-128 or 3DES) as soon as possible and, where Diffie-Hellman is used to negotiate symmetric keys, use perfect forward secrecy techniques to minimize the amount of data protected under each key.