Quantum computing is coming, and organisations that do not start preparing now could end up exposing critical data because their encryption methods are not quantum computing ready, according to a European telecoms information security officer.
“Despite violent disagreements between cryptographers and physicists, it is not a question of if, but of when quantum computing will be a reality, and when it is, many of the current encryption techniques companies rely on will be open to cracking,” said Jaya Baloo, CISO of KPN Telecom in the Netherlands.
“Enormous strides are being made towards building viable quantum computers, so it is important that information security professionals understand why this is a threat to many popular encryption methods and that they start taking action now to ensure they are in the best possible position when it happens,” she told Computer Weekly.
Many encryption systems are based on the premise that it would take too long for anyone to carry out the mathematical calculations required to reveal the encryption keys, but even basic quantum computers will be capable of determining those keys fast enough for attackers to use.
China is known to be investing heavily in developing a quantum computing capability for both defensive and offensive purposes. Although Europe is investing in developing quantum computing capabilities, Baloo said the investment pledged so far is a fraction of what China is investing.
The good news is that all the symmetric encryption currently in use is unlikely to be affected by the arrival of quantum computing. “As long as we keep refreshing keys and following best practices for transferring keys, we are good to go,” said Baloo.
“The problem arises when it comes to asymmetric encryption. It is all the public key cryptography that is out there because it is based on complex mathematical problems that would even take a super computer a long time to solve, but that principle breaks down with quantum computers,” she said.
Specifically, quantum computers are expected to be able to carry out integer factorisation of very large numbers and compute discrete logarithms very quickly, but many current algorithms are based on the assumption that these processes require significant time, effort and computing power.
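The dependence on factorisation can be shown with a toy RSA key. This is an added illustration, not part of the original article: the primes, the message and all function names are constructed for the example, and classical trial division on a deliberately tiny modulus stands in for the fast factorisation a quantum computer is expected to perform.

```python
from math import gcd, isqrt

def make_keypair(p, q, e=65537):
    """Build a textbook RSA key pair from two primes (no padding, toy only)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to (p-1)(q-1)")
    d = pow(e, -1, phi)          # private exponent: inverse of e mod phi
    return (n, e), d

def factor(n):
    """Trial division. Feasible here only because n is tiny; for a real
    2048-bit modulus this search is what is assumed to take too long."""
    if n % 2 == 0:
        return 2, n // 2
    for cand in range(3, isqrt(n) + 1, 2):
        if n % cand == 0:
            return cand, n // cand
    raise ValueError("n has no non-trivial factors")

def recover_private_exponent(public_key):
    """Given only the public key, factor n and rebuild the private exponent.
    Once p and q are known, nothing else about the key is secret."""
    n, e = public_key
    p, q = factor(n)
    return pow(e, -1, (p - 1) * (q - 1))

def demo():
    # Constructed sample values: two small well-known primes and a message.
    public_key, d = make_keypair(104729, 1299709)
    n, e = public_key
    message = 42424242
    ciphertext = pow(message, e, n)

    # An observer holding only (n, e) and the ciphertext:
    d_recovered = recover_private_exponent(public_key)
    plaintext = pow(ciphertext, d_recovered, n)
    return d_recovered == d, plaintext

if __name__ == "__main__":
    same_key, plaintext = demo()
    print("private exponent recovered:", same_key)
    print("decrypted message:", plaintext)
```

The whole private key falls out of the factorisation step, which is why an algorithm's safety margin is measured by how long that step takes.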
It may already be too late to ensure organisations’ encryption processes are completely secured against cracking by quantum computers, because it could take up to 20 years for quantum computing-proof algorithms to mature and be fully integrated into organisations. Even so, Baloo said there are things that information security professionals can and should do now to ensure they are not totally defenceless.
“It is about ensuring that organisations are agile when it comes to encryption and have the ability to adapt and to implement post-quantum ciphers and algorithms when they become available,” said Baloo.
“I want to encourage information security professionals to document their organisations’ current situations, to examine and understand their current cryptographic landscape and consider how to extend that into action,” she said.
Three areas for security professionals to consider
According to Baloo, there are three areas in which information security professionals should consider taking action. “Three years ago, we were talking about understanding the problem – now we need to be talking about understanding the solution,” she said.
First, organisations should consider extending the length of their encryption keys to the maximum possible under whatever encryption system they are using. This will help defend against the first quantum computers, which are unlikely to be at maximum strength from the start.
“Right now, organisations can extend their encryption key length by simply changing the appropriate configuration option, and thereby extend the lifespan of current algorithms,” said Baloo.
Second, large organisations that handle large volumes of sensitive information that needs to be kept secret for a long time, such as financial institutions, should consider implementing quantum key distribution to preserve the integrity and confidentiality of data. “This is not for every organisation, but certainly for key institutions that have a lot of important information to protect,” she said.
Third, Baloo said organisations should start preparing to replace existing algorithms with post-quantum algorithms. While some exist already, the US National Institute of Standards and Technology (Nist) is planning to publish new ones once a selection process is completed.
“Organisations can already start considering what are their vital parts of their network where post quantum algorithms should be implemented and talking to their suppliers to ensure that the new algorithms will be supported by their hardware when the algorithms are released by Nist,” she said.
Baloo is to discuss this topic in greater detail at Infosecurity Europe 2018 in London on 5 June in a keynote presentation entitled: Quantum computing: how should information cyber security professionals prepare?