Separating FUD from Practical for Post-Quantum Cryptography

Preparation for post-quantum cryptography increasingly appears in the news and industry materials. The reason for this is twofold. First, there have been advances in capabilities for post-quantum computing. Second, the National Institute of Standards and Technology (NIST) will complete final rounds for selection of these new cryptographic algorithms in 2024.

Overall, the primary concern driving preparedness from a security perspective is that encryption is breakable due to advancements with post-quantum computing for both asymmetric and symmetric cryptography. Most researchers put this possibility 10-15 years out from now, but they acknowledge we could be surprised with technological advancements. Quantum computing also advances capabilities for processing, making some computations feasible in much shorter time periods and providing great opportunities for advancement in numerous sectors. As such, quantum computing will be appropriate for some workloads but not all depending on requirements and resources. It is likely the early adopters will be in sectors such as finance, science research, and government.

This blog will describe the current state of quantum computing, the concern for data protection, as well as practical steps that reduce the hype for most organisations.

Algorithms Currently Capable of Decrypting Data Post-Quantum

Post-quantum cryptography is still a few years from reaching required system capability levels. But organisations are concerned in the meantime. Simply stated, adversaries may decrypt data stolen today when such capabilities become possible at a later point in time. Organisations might be concerned that they will be targeted in a breach or that ransomware actors will exfiltrate their data and later sell it on the dark web.

To better understand the risk of data exposure from advancements in quantum computing, I've provided information on the algorithms capable of decrypting data in a post-quantum world. I also provide the limitations, including a requirement for computing capabilities well beyond our reach today, in order to put this threat into perspective.

• Shor’s Algorithm targets asymmetric cryptography, meaning RSA, public/private key pair-based encryption methods. Currently, Shor’s algorithm requires millions of qbits to successfully break RSA. To put this into perspective, Schneier on Security explains that IBM Osprey has 433 qbits. While we can’t predict how quickly advances will be made considering Moore’s algorithm, it may be quite some time before using Shor’s algorithm and quantum computing become a real threat.
• Grover’s Algorithm targets the keys in symmetric cryptography, so this too may be broken in a post-quantum world. Migrating to AES-256 as a current step will aid in preparation for post-quantum security according to NIST, as it will be safe with Grover’s algorithm for some time to come without advancements in the algorithm.
• New algorithms are in development (and in review) that significantly improve upon Shor’s algorithm's post-quantum requirements. One published paper cites being able to break RSA with only 372-qbits using a new algorithm. This research is still in process of being validated.
• Another concern is that similar advances by nation states will never become publicly available, thus allowing access to stolen encrypted data by adversaries.

Steps to Migrate to Quantum-Safe Algorithms

Standards bodies and vendors are busy working to help you. The problem is that standards bodies and vendors have more work to do to enable a smooth transition to quantum-safe algorithms.  

NIST is in the final stages of a lengthy process to select post-quantum cryptographic algorithms.

In July 2022, the selection process narrowed down to the following algorithms. Broken down by type, they are as follows:

• Public Key Encryption and Key Establishment Algorithms
  • CRYSTAL-KYBER
• Digital Signature Algorithms
  • CRYSTALS-DILITHIUM
  • FALCON
  • SPHINCS+

The full cryptographic algorithm evaluation is set to complete in 2024.

Once algorithms are finalised, standards bodies will integrate support for these algorithms into existing protocols, enabling support for post-quantum cryptography for data-in-transit and data-at-rest encryption. The Internet Engineer Task Force (IETF) and other standards-developing organisations (SDO) such as OASIS will take several steps to make this possible, as the algorithm parameters and key lengths differ from pre-quantum cryptography. As you can see from the IETF link provided above, some of this work has already commenced. There is some preparation work that is possible by standards bodies and that is underway.

Vendors are also preparing for post-quantum cryptography, and they have steps to take before organisations can easily make this transition. The following set of bullets highlights some high-level steps required before products will be ready to support post-quantum cryptography:

• Participate in the update of standards to accommodate post-quantum cryptography
• Update supported protocols according to standards published into products
• Update proprietary products and protocols to support post-quantum cryptography

Products are available from several vendors today with quantum computing capabilities. In addition to IBM above, Dell also has products, and HP has research efforts on quantum computing.

3 Steps for Organisations to Prepare for Post-Quantum Cryptography

A practical approach to avoid falling into fear, uncertainty, and doubt (FUD) around post-quantum cryptography breaks down into three steps.

First, you must prepare your organisation by understanding the data assets of your organisation, where these assets are stored, and the flow of sensitive data within your environment. This could be aligned to best practices for information management in spreadsheets or more formally in an electronic stored information (ESI) data map using the CIS Critical Security Controls (CIS Controls). Your organisation should consider taking steps to label data according to sensitivity and business importance as well as the lifespan of the data. It is important to manage your data and understand where data is backed up, considering storage data protection best practices such as data deduplication and offline backups along the way. At the next level, compliance, record retention, and legal hold considerations should factor to ensure that data is managed appropriately according to each set of requirements. If the value of the data is beyond its lifespan or if record retention requirements require its deletion, data destruction should factor into the planning process for how data is treated.

Second, you should use the CIS Critical Security Controls to aid in the protection of your organisation’s assets today. The Safeguards are prioritised to help mitigate risk in a meaningful way. By preventing an attack, you are also minimising the chance of your data being stolen today and decrypted later.

Lastly, you must move to post-quantum cryptography within 3-4 years of the technology becoming available in products. Manage and protect your data according to best practices for information management, and you’ll be ready for this transition when algorithms are integrated into protocols and products. Understanding your data will also help you prioritise for your transition.

This article was originally published over on the CIS CTO blog.