The ‘quantum encryption apocalypse’ might just be Y2K 2.0

Academics, security pros, and policymakers recently swarmed Washington, DC, for the first-ever Quantum World Congress, a mass gathering of quantum computing experts. Among the biggest topics of discussion, according to Axios, was the “quantum encryption apocalypse.”

That’s the concept that some of the most widespread encryption algorithms in use today are vulnerable to codebreaking by next-generation computers operating on principles of quantum mechanics. The biggest unknown might not be when this threat arrives, but what cybersecurity pros can do to prepare for it.

What’s quantum uncertainty about? Traditional computers use bits, a logical state with two possible values: 1 or 0. Quantum computers rely on qubits, which can be both 1 or 0 simultaneously. In theory, qubits can generate solutions to problems in hours or days that would take classical computers exponential amounts of time—say, trillions of years—like cracking RSA encryption.

Existing quantum computer prototypes aren’t accurate enough to be of use solving practical problems. Yet that could rapidly change if or when certain engineering problems like noise mitigation are solved.

One concern is not only that techniques like RSA will become useless against quantum-equipped adversaries, but that nation states may already be archiving data to crack years from now.

“In terms of script kiddies, and small hacker groups, they don’t really have access to this stuff,” David Mahdi, chief strategy officer and CISO advisor at Sectigo, told IT Brew. “At least today, nation states are probably the thing to worry about at the moment, because I would predict that they’re going to be the first to have these capabilities.”

Quantum hacking, classical solutions. Scott Crowder, the VP of IBM Quantum, told IT Brew that certain cryptographic methods can already be future-proofed, and mathematicians have developed replacement algorithms for those that can’t. The hard part, he said, will be upgrading.

“It takes a long time to make this kind of transformation of your IT systems,” Crowder said. “So, the good news is that researchers, like at IBM Research, have come up with cryptographic methods [where] both quantum computers and classical computers suck at the math of doing it.”

Public-key (asymmetric) encryption is known to be quantum vulnerable, but private-key (symmetric) encryption can be shored up just by making the keys larger, said Crowder. Earlier this year, the US National Institute of Standards and Technology announced the selection of four quantum-resistant algorithms (and four other candidates) designed to fill the gaps.

Crowder said research has shown those replacement algorithms, which run on classical computers, to be efficient, commercially viable, and more practical than solutions like quantum key distribution.

“We’ve done the math part,” Crowder said. “The hard part now is, how do I inventory all the stuff that I’m getting out there, figure out which of the things that I gotta go fix first? And how do I set up a process to make it easy for me to go fix them and prove that it’s fixed and keep them updated?”

The superposition. Crowder pointed to the arduous tasks of identifying weak points and ensuring they can not only be fixed but made stronger over time—across their entire supply chains. IBM has proposed a model called a cryptographic bill of materials, based on the software bill of materials concept.

“It’s kind of like Y2K, but it’s even more complex than that,” Crowder said. “Transforming basically our entire digital economy to something that is quantum safe is a non-trivial human exercise.”—TM

Billy Hurley contributed reporting to this story.