
Happy World Quantum Day! And a little bit about standardisation!

After a busy few months, I had to make time for a post. Mainly because I couldn’t let the first Quantum Day (14 April 2022) pass without having spent some brain cells on a quantum topic!

Recently, my focus on Quantum Technologies took a backseat while I adapted to something new. I have kept reading relevant articles when I could and made a point to attend my regular quantum computing centred meetups to keep an eye and a foot in… so to speak. Still, I have some catching up to do and this post might have more questions than answers as I navigate and research my thoughts. On the plus side, having questions is always a good starting place!

For the cybersecurity sector, the year 2022 can be a determining one. NIST is expected to announce the “winning” algorithms from their Post-Quantum Cryptography (PQC) competition and this will then bring about a new standard in cryptography. In this post, I want to catch up on the competition status and the latest news. I also touch on the idea of standardisation in Quantum Computing.

Shor’s algorithm and Grover’s algorithm, devised around three decades ago, combined with the processing power of commercial quantum computers expected within the next decade or so, will break or greatly diminish the cryptography-based security of our technological world today. Shor’s algorithm, for example, could be used to break RSA, whose security rests on the difficulty of integer factorisation, the underlying mathematical problem protecting transactions on the internet. The current cryptography standards will become unsafe. NIST started looking in 2009 at post-quantum cryptography methods (classical, quantum or a combination of both) that will not be broken with the advent of quantum computers, and in 2016 a call for proposals for post-quantum cryptosystems was made to the public. Unlike previous competitions, a clear winner is not expected due to the ongoing development in all aspects. Instead, a select few that have gone through NIST and public scrutiny will become the new standards. Thus, NIST is urging the industry to be open-minded and crypto-agile – i.e. whichever system you move to, be ready to change if, for some reason, that system is no longer deemed secure.

In 2022, the analysis of the proposals is in its 3rd round. From the 69 proposals in round 1 in 2017, 15 candidates remained at the beginning of this year and are under rigorous scrutiny. Attacks have already been proposed against two finalist candidates, in 2021 and in 2022. Now, one question would be: do we know all the attack prospects of the finalists? Discovering a weakness in a finalist that could become a world standard… would not disclosing that vulnerability be an advantage for the nefarious minded?

It is worth noting that the NIST competition is not close-ended either; they are open to new evaluations. For example, 8 of those 15 candidates in round 3 are alternate candidates who showed potential and could possibly go to a 4th round. From the 7 finalists including the two with attack proposals (it will depend how they handle the attacks, I presume), the initial standards will be chosen this year or at least by 2025.

If you use cryptography to secure your systems, the crypto-standards will change very soon and it will require some work to get the systems to the new standard. NIST will of course provide guidelines. This brings my next questions! Currently, how many systems are actually within existing standards? Can we expect resistance from companies to move to new standards? Are stakeholders and end-users aware of the crypto standards protecting their assets? Will there be compliance or certification required and will those be region oriented, e.g. for the UK, will this be governed by the National Physical Laboratory (NPL)? Finally, will there be sanctions or legal repercussions if a system is not transitioned to a new standard within a time limit? On the promising side of all these questions, the quantum industry and community are new and are aware of security aspects and standardisation benefits, thus everybody is designing, building and growing together from the outset.

Related Quantum Cybersecurity topics I would like to eventually explore are the standardisations expected for Quantum Key Distribution and Quantum Random Number Generators. I would also like to explore and reflect on the first set of Quantum Computing Governance Principles published by the World Economic Forum in January 2022, with particular attention to the themes of Security, Privacy and Standardisation.


Questions from a business perspective

Quantum Cybersecurity, where Quantum Computing and Information Security intersect, is a keen interest of mine. I read news articles, research papers and books where available, listen to lectures on various platforms, try to code, and have recently been joining meetups and conferences. It is a way to learn and progress, but to understand and remember, the materials need to be thought over or studied and there is only so much of this I can discuss with a rubber duck. This blog is a way for me to focus the brainstorm of my thoughts. By writing things down, it helps me to reflect further and in depth on a subject. Plus, a blog can be referenced back to… a rubber duck doesn’t record my musings!

Without further ado, let me reflect on a recent conference I attended online. When I joined Quantum Tech 2021 I wasn’t sure what outcome I wanted from the conference, except of course networking. As the day went along, I realised I was getting answers to questions I’ve been pondering on since my thesis. Questions that had been floating around in my thoughts but not defined or written down.

“What sort of data has long retention? Are we ready for organisations to change encryption when there is no standard yet? Has the urgency to be quantum resistant changed? Should the organisations be doing something concrete about it?”

My thesis concerned the impact of Quantum Computing on Information Security, and one critical impact is that commonly used encryption methods are at risk of being broken or weakened once quantum computers have the capacity to run certain quantum algorithms on a large scale. These are the same cryptographic methods that, for example, secure browser communication (HTTPS) or protect one’s credit card transactions. And, since the quantum machines will come into existence in around the next ten years, the industry is working hard on solutions – whether it is to develop and standardise quantum and post-quantum cryptography techniques which will be resistant to such weaknesses or to find solutions from an organisational point of view, i.e. what can an organisation do to protect its assets. My thesis reflected on the former and my remaining questions had more to do with the latter.

Organisations are being encouraged to consider the risks to their assets and the weak points in their systems. A risk already present is that data encrypted by a cryptographic method that could be broken in the quantum future could be intercepted and stored now, to be decrypted and accessed later for whichever use the attacker obtained the data. So, my first question was what sort of data has a retention life of around 10 years and needs to be secured now? I had been thinking about it and from the conference talks and chats with presenters, I got some answers. It would be assets such as intellectual property of a company, trade secrets, medical records of patients, defence plans of nations, certain legal documents, and certain financial documents. I’m still pondering on other such assets. Let me know if you have other examples!

The industry is also working hard on standardising post-quantum methods. The National Institute of Standards and Technology is researching a new standard for encryption. And this brings up my next question: since NIST standards on a post-quantum cryptographic technique will not be finalised for another year or more, how could a company start using a quantum-resistant cryptographic method now? During the conference, there were a few Quantum Cybersecurity companies presenting and it was eye-opening to learn that they have cryptographic methods (post-quantum cryptographic NIST candidates mixed with classical methods) in place for organisations to start getting quantum ready. The salient point is that all the companies show crypto agility and scalability, i.e. in the near future, once the NIST standard is in place, the company has contingency plans to move to that method (if the standard is not already the method used) and in the far future, if a method used is no longer secure, it would be easy to move to another. It seems the Quantum Cybersecurity industry is ready now to assist organisations in becoming quantum resistant on the security aspects.
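Crypto agility, as described here and in the NIST paragraph of the standardisation post, comes down to storing an algorithm identifier with every protected record and keeping the accept/reject policy in one place. The sketch below is an added example, not code from any vendor or from NIST; the identifiers `mac-v1` to `mac-v3`, their statuses and the use of HMAC variants as stand-ins for real primitives are all assumptions made for illustration.

```python
import hashlib
import hmac

# Hypothetical registry: algorithm id -> (hash constructor, policy status).
# HMAC variants stand in for real primitives; ids and statuses are made up.
REGISTRY = {
    "mac-v1": (hashlib.sha1, "retired"),        # no longer accepted at all
    "mac-v2": (hashlib.sha256, "deprecated"),   # still verifies, must be migrated
    "mac-v3": (hashlib.sha3_256, "active"),     # used for all new records
}
CURRENT = "mac-v3"


def _tag(alg, key, payload):
    digest = REGISTRY[alg][0]
    # The algorithm id is authenticated together with the payload, so a record
    # cannot be relabelled to a different algorithm without breaking the tag.
    return hmac.new(key, alg.encode() + b"\x00" + payload, digest).digest()


def protect(key, payload, alg=CURRENT):
    return {"alg": alg, "payload": payload, "tag": _tag(alg, key, payload)}


def verify(key, record):
    """Return the policy status of a valid record; raise ValueError otherwise."""
    alg = record["alg"]
    if alg not in REGISTRY:
        raise ValueError("unknown algorithm id")
    status = REGISTRY[alg][1]
    if status == "retired":
        raise ValueError("algorithm retired by policy")
    if not hmac.compare_digest(_tag(alg, key, record["payload"]), record["tag"]):
        raise ValueError("bad tag")
    return status


def migrate(key, record):
    """Re-protect a still-valid record under the current algorithm."""
    if verify(key, record) == "active":
        return record
    return protect(key, record["payload"], CURRENT)
```

Moving to a new standard then means adding one registry entry and changing `CURRENT`; retiring a broken method means flipping its status, after which `verify` refuses it everywhere.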

It is also important to bear in mind that attackers are more and more proficient and resourceful. Has the urgency to become quantum resistant changed? The urgency to secure data has changed; years ago an attack was likely to be from someone’s basement but nowadays, it could be an attack funded by an establishment. And meanwhile, Quantum Computing development is moving quickly. The threats definitely exist.

Considering this, should organisations be doing something now? The answer is yes. Consider your organisation (e.g. Do you have encrypted data assets with a 10-year shelf life? Which cryptographic methods are you using?) and the resources at your disposal (Can you start in-house or outsourced risk assessments or vulnerability assessments? Can you increase your encryption key length? Can you move to quantum-resistant techniques?). Start having your security analysts ask questions, monitor the development in Quantum Computing and keep track of post-quantum cybersecurity standards. There is no need to panic, but it is time to get ready.
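The questions above (shelf life, method in use, key length) can be turned into a first-pass inventory triage. This is an added example, not part of the original post: the asset names are constructed, and the two-year migration estimate, the 128-bit floor and the use of Mosca's inequality (shelf life plus migration time compared with the time until a capable quantum computer) are assumptions layered on the post's ten-year figures.

```python
from dataclasses import dataclass

# Public-key families whose underlying problems Shor's algorithm solves.
SHOR_BROKEN = {"RSA", "DH", "DSA", "ECDH", "ECDSA"}
# Symmetric ciphers: Grover's search roughly halves the effective key strength.
GROVER_WEAKENED = {"AES", "CHACHA20"}


@dataclass
class Asset:
    name: str
    algorithm: str          # family name, e.g. "RSA" or "AES"
    key_bits: int
    shelf_life_years: int   # how long the data must stay confidential


def quantum_strength_bits(asset):
    """Rough security level against an attacker with a large quantum computer."""
    family = asset.algorithm.upper()
    if family in SHOR_BROKEN:
        return 0
    if family in GROVER_WEAKENED:
        return asset.key_bits // 2
    raise ValueError(f"unclassified algorithm: {asset.algorithm}")


def triage(asset, years_to_quantum=10, migration_years=2, min_bits=128):
    """Return 'ok', 'increase-key-length', 'migrate-now' or 'plan-migration'."""
    strength = quantum_strength_bits(asset)
    if strength >= min_bits:
        return "ok"
    if strength > 0:
        return "increase-key-length"
    # Mosca's inequality (assumption, not from the post): traffic recorded today
    # is exposed if shelf life plus migration time outlasts the quantum horizon.
    exposed = asset.shelf_life_years + migration_years > years_to_quantum
    return "migrate-now" if exposed else "plan-migration"


# Constructed sample inventory; names and values are illustrative only.
INVENTORY = [
    Asset("patient-records-backup", "RSA", 2048, 10),
    Asset("web-session-keys", "ECDH", 256, 0),
    Asset("design-archive", "AES", 128, 15),
    Asset("legal-vault", "AES", 256, 15),
]


def report(inventory=INVENTORY):
    return {asset.name: triage(asset) for asset in inventory}
```

An algorithm the script cannot classify raises an error rather than being silently marked safe, so gaps in the inventory surface during the assessment.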