Guide to Understanding Post-Quantum Cryptography and Encryption
While still in their early stages of development, quantum computers are set to change the world — and that includes the ability to break the cryptography and encryption we use today. Quantum computers are approaching the computing power and stability needed to break public-key encryption protocols. The time to migrate to post-quantum cryptography is now.
What is a Quantum Computer?
At the core of understanding a quantum computer is understanding a qubit. While classical computers operate on bits that are either zero or one, a qubit can also exist in a superposition of the two.
Given that ability, a quantum computer is fundamentally more complex than a classical computer in a couple of key ways:
Classical Computer
- Uses a memory made up of bits, either 0 or 1
- Can only exist in one state at a time
- Calculations performed by logic gate operations
- Single state bit order (10 bits in, 10 bits out)
- Deterministic solution – run the algorithm and get the same answer every time
Quantum Computer
- Can represent 0, 1, or any quantum superposition of the two states
- Each additional qubit doubles the state space: n qubits can be in a superposition of 2^n states
- Problem is encoded into the qubits (via quantum gate operations)
- Calculation ends with the measurement
How Will Quantum Encryption Affect the Industry?
Quantum computers have ushered in a major change for society – impacting everything from artificial intelligence (AI) to chemistry, biology, and physics:
- Financial Systems: Ability to model systems with more connections between them or look up more data
- AI: Emergence of deep learning systems to make more connections, enhance search, and apply quantum algorithms
- Chemistry, Biology, and Physics: Opportunity to model bigger molecules, atoms, drug interactions, etc.
- Cryptography: Factoring RSA keys and breaking the discrete logarithm problem (DLP) in elliptic curve cryptography (ECC) will be feasible
Who has Access to Quantum Computers?
Quantum computers have largely been relegated to national labs and universities, but several brands are entering the race to create commercially available quantum computers, including IBM, Microsoft, Google, AWS, and Honeywell. While the technology is being developed, it stands to advance quickly. And widespread availability of quantum computers could increase the potential risk to public-key encryption.
Encrypted Data is Harvested and Stored
Today, quantum computers are not sophisticated enough to crack public-key encryption, but data is harvested and stored for the day that advancement does occur. Data with long-standing value (typically about 25 years) poses the greatest risk, so certain industries like critical infrastructure, finance, and healthcare, as well as governments, have already started their transition to being quantum-safe.
Identifying Cryptographic Keys at Risk
Many standard cryptographic algorithms stand vulnerable to quantum computers.
- AES-256: Larger output needed
- SHA-256 and SHA-3: Larger output needed
- RSA: No longer secure
- ECDSA and ECDH (Elliptic Curve Cryptography): No longer secure
- DSA (Finite Field Cryptography): No longer secure
Begin to Migrate to Post-Quantum Encryption
Attackers harvest encrypted data today so they can decrypt it once the encryption can be broken. Take steps to secure your organization’s data—today and in the future—by migrating to post-quantum encryption. The process can take years, and NIST is actively working to establish new standards.
Entrust is a participating member of the Internet Engineering Task Force (IETF) and participates in the NIST competition to identify new quantum-resistant cryptography standards for the post-quantum world. It is critical to begin planning to replace hardware, software, and services that use public-key algorithms now so that information is protected from future attacks.
What’s a Post-Quantum Crypto Agility Maturity Assessment?
First, identify the algorithm, data protection risks, and post-quantum challenges in your business systems. Does your organization use any cryptographic keys that are currently considered at risk? Next, map out your migration plan and timeframes for completion to achieve the required level of crypto agility. The migration is a time-intensive task that could take years. Lastly, review your governance against best practices for control, compliance, and skills in readiness for post-quantum migration testing and implementation. Once you know what data in your organization is at risk, you can develop a detailed plan to mitigate that risk or use Entrust’s Cryptographic Center of Excellence for actionable recommendations to remediate identified risks in cryptosystems.
How to Prepare for Post-Quantum Encryption
Your organization can take steps today to prepare to migrate to post-quantum encryption methods.
- Take inventory of your organization’s cryptographic assets and data, and where they reside.
- Prioritize your organization’s most valuable data and that with the longest shelf life. Migrate this data to post-quantum encryption first.
- Test quantum-resistant algorithms on a prototype data set.
- Plan your organization’s roadmap for migrating to post-quantum cryptography with your vendors.
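The inventory and prioritization steps above, combined with the list under "Identifying Cryptographic Keys at Risk", sketched as an added Python example (not Entrust's tooling or code from this page). The inventory records, the regular expressions that recognise each algorithm family inside an identifier, and the ordering rule (assets using a "No longer secure" algorithm first, then longest shelf life) are assumptions of this example.

```python
import re

BROKEN, WEAKENED = "No longer secure", "Larger output needed"

# Family and status come from this page's at-risk list; the regexes that
# recognise each family inside an identifier are assumptions of this example.
FAMILIES = [
    ("RSA", r"RSA", BROKEN),
    ("ECDSA/ECDH", r"ECDSA|ECDH", BROKEN),
    ("DSA", r"(?<!EC)DSA", BROKEN),  # lookbehind keeps ECDSA out of this row
    ("AES-256", r"AES[-_]?256", WEAKENED),
    ("SHA-256/SHA-3", r"SHA-?256|SHA-?3(?!\d)", WEAKENED),
]

def classify(identifier):
    """List (family, status) for every listed family named in an identifier.

    One identifier often names several primitives, e.g. a TLS cipher suite
    or an X.509 signature algorithm, so each family is checked separately.
    """
    return [(family, status) for family, pattern, status in FAMILIES
            if re.search(pattern, identifier, re.IGNORECASE)]

def worst(identifier):
    """Worst status among the families found, or None if none is listed."""
    statuses = {status for _, status in classify(identifier)}
    return BROKEN if BROKEN in statuses else WEAKENED if WEAKENED in statuses else None

def migration_order(inventory):
    """Assets using a broken algorithm first, then longest data shelf life."""
    ranked = sorted(inventory, key=lambda a: (worst(a["algorithm"]) != BROKEN,
                                              -a["shelf_life_years"]))
    return [a["name"] for a in ranked]

# Constructed sample inventory (hypothetical systems and shelf lives).
INVENTORY = [
    {"name": "vpn-gateway TLS", "algorithm": "DHE-RSA-AES256-SHA256", "shelf_life_years": 1},
    {"name": "patient-records CA", "algorithm": "sha256WithRSAEncryption", "shelf_life_years": 25},
    {"name": "backup volume", "algorithm": "AES-256-GCM", "shelf_life_years": 25},
    {"name": "code-signing cert", "algorithm": "ecdsa-with-SHA256", "shelf_life_years": 10},
]

if __name__ == "__main__":
    by_name = {a["name"]: a for a in INVENTORY}
    for name in migration_order(INVENTORY):
        print(name, classify(by_name[name]["algorithm"]))
```

An identifier that names none of the listed families returns an empty classification, which flags it for manual review rather than marking it safe.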
Crypto Agility is Key
Crypto agility, or cryptographic agility, is the ability to change, approve, and revoke cryptographic assets as needed to respond to developing threats. Crypto agility gives you the ability to change cryptographic algorithms, combine encryption methods, increase encryption key sizes, and revoke digital certificates—all without significant security and IT lift.
Expert Assistance Planning for Post-Quantum Encryption
Your organization doesn’t need to plan for post-quantum encryption all on its own. Entrust’s Cryptographic Center of Excellence (CryptoCoE) provides the tools and guidance needed to inventory and prioritize your data and cryptographic assets, and put a post-quantum plan into motion.