Quantum computing is coming – are you ready?
Are you prepared for the day that quantum computing breaks today’s encryption?
Sponsored Feature The internet is all about transparency and openness - connecting people and information, shoppers and vendors, or businesses. But it's also all about security and trust.
The messages and information people and businesses want to exchange can't be exposed to prying eyes. And users need to be certain they are really dealing with the person or business they think they're dealing with.
That's why encryption is the cornerstone of the internet we know today. Specifically, it has been digital encryption, courtesy of RSA and other algorithms, that has allowed the digital transformation we've all lived through since the 1990s.
As Avesta Hojjati, VP of engineering at digital trust provider DigiCert explains, "RSA is a type of encryption algorithm that is asymmetric, meaning you have a public and private key. The public key is used to encrypt the data and whoever has access to the private key will be the only person who can decrypt the data and read the data."
These algorithms are based on the "factorization problem," a branch of mathematics focused on factoring the product of two large prime numbers.
Solving this problem with "classical computers," i.e. the binary-based sort of system you're reading this on, would take thousands, even millions of years. So, the widespread deployment of these algorithms, at least to transmit cryptographic keys, has been critical to the development of a secure internet.
Except that it's now clear cracking these algorithms might not take millions or thousands of years. In fact, it could take just minutes or seconds.
The fact that the term "classical computing" has become more widespread in recent years hints at what has changed. Quantum computing, first conceived theoretically in the 1980s, has steadily moved from the realm of theory to reality, to the point where quantum computers, and quantum simulators, are being offered by mainstream cloud service providers.
Such computers are based on quantum mechanics, exploiting phenomena such as entanglement and super positioning, and instead of binary bits, using "qubits." And qubits, rather than representing just zero or one, are able to do multiples of zeros and ones, all at the same time. Likewise, entanglement "is a completely different phenomenon where, if I process a certain data on one qubit, the behavior of this qubit will impact the rest of the qubits," explains Hojjati.
The result is computing on a different, faster scale – at least for some problems. "And unfortunately," he adds, "One of those is the factorization problem. And that makes these quantum computers able to basically break or weaken certain encryption algorithms."
Watch this video to learn more about how to prepare for Q-Day.
Are we in the clear now?
Does that mean all our communications are now potentially exposed? A quantum answer could be yes and no. The consensus is it would take around a 10,000 qubits system to break current encryption. The services available now range up to a couple of hundred qubits at most.
But this is leading edge technology and development is accelerating. Moreover, it's fair to assume that nation states are going to be extremely interested in exploiting quantum computing to crack encryption – and are unlikely to broadcast whether they possess such strategic technologies or not.
"Nation states could have access to 10,000 qubits," says Hojjati. "We don't know."
But this is almost immaterial, if we accept that at some point, they will. Because while these organizations – and other attackers – await to use powerful quantum computers, they can still be capturing mountains of currently encrypted data.
"We often refer to this as 'harvest now decrypt later,'" says Hojjati. "Once I have access to 10,000 qubits, either being a nation state or being an individual, I can go ahead and decrypt the data that I have collected."
That point when quantum computing becomes powerful enough to undermine the encryption and trust that underpins today's digital infrastructure has been dubbed Q Day.
There's a clear parallel to the millennium bug here. The difference is nobody can be sure when Q Day will arrive. Or whether it has already arrived.
The precise timing of Q Day may be unknown, but preparations have been in hand for some time. The US National Institute of Standards and Technology has been working on post quantum encryption algorithms since 2016, choosing a quartet of candidates back in 2022. Draft standards for the first three were finalized on August 14, while a fourth is slated for standardization this year. Many service providers have already prepared for the launch of these – or even incorporated them into their existing systems.
But this does not mean that companies simply swap one set of algorithms for another. For one thing, that requires knowing exactly what existing algorithms or certificates are already deployed across your organization – and where.
Where to start on quantum encryption?
That potentially creates a massive discovery and prioritization exercise. Moreover, the new algorithms will be much bigger, with bigger keys, than previous algorithms, requiring more compute to process. So, there will be a resource issue to contend with. Some systems – think legacy embedded systems, including those in satellites – might just not be powerful enough to handle new algorithms efficiently.
So, says Hojjati, "We actually take a step back and we refer to this as crypto agility."
The aim is to ensure that whether you're using classical algorithms such as RSA or a PQC one, "at a moment's notice, you can go ahead and switch these algorithms and deploy the most secure one." And you can keep repeating this on an hourly and daily basis as an organization's policy demands.
This still demands discovery and visibility of the encryption infrastructure. But given the scale of encryption use, it will also require automation for companies to update or upgrade algorithms and libraries effectively. And it also demands policy management, to ensure an organization is on top of changes – for example, that an algorithm has been compromised – and to act accordingly.
DigiCert has collaborated with NIST on the development of the new algorithms and standards. The company also offers a Trust Lifecycle Manager platform to automate discovery and updating, as well as policy management. This integrates with existing discovery solutions in an organization, as well as with the webservers, load balancers and other platforms that will feature encryption. Moreover, its DigiCert ONE platform is post-quantum ready, enabling users to begin testing post quantum technology.
This will help companies execute their post quantum policy. But there will still be significant decisions they will have to face up to, not least concerning where they start. Hojjati says it might help to consider two different streams of upgrade work.
"You can begin by doing your discovery for any new releases that you have. So, you basically start building your inventory, or any new application that is getting shipped out, any new web server that is going out, or so forth."
The second stream, he explains, is "your already deployed landscape. And this is where it's extremely hard." If the first stream is like fitting a seatbelt to new cars, the second is like recalling the existing fleet out in the market to upgrade.
This could encompass different approaches, for example creating smaller teams tasked with tackling a set amount of inventory per month or quarter. And, Hojjati adds, discovery of components will never be a one-off job. "It's a continuous discovery. You want to make sure that you're always on top of this, otherwise, you end up with outdated data."
Device manufcturers considering impact
The good thing is that awareness of the challenge is increasing. Some verticals, such as finance, have it absolutely top of mind with some already having quantum safe algorithms in production. Likewise, some manufacturing sectors are examining the impact, given the implications of having to upgrade embedded or IoT devices. And, of course, medical devices offer a particularly heightened security and trust challenge.
"I think for these device manufacturers, they had a moment where they realized they can't go ahead and push the devices out as fast as they are without thinking about proper security," says Hojjati.
But not everyone is on top of the problem. Which is why DigiCert is backing Quantum Readiness Day on September 26, to coincide with the expected finalization of the new algorithms by NIST.
The worldwide event will bring together experts, both in how to break encryption and how to implement the upcoming post quantum algorithms, helping you make sure you're ahead of the problem.
As Hojjati says, whether we've reached Q Day or not, "This is real, this is here, the standards have been released. Basically, there is no more reason for you to not move forward to the PQC algorithm."
Sponsored by DigiCert.