Will Quantum Computing change the way we use encryption?
Today, encryption is a cornerstone of our cybersecurity practices. It protects everything from cell phones and SMS messages to financial transactions and intellectual property.
However, a new challenge in the complex landscape of encryption has recently emerged, thanks to the advancement of quantum computing. What challenges lay ahead? Here is the breakdown:
Quantum Computing (QC), invented in the 1970s by David Deutsch, has made significant steps forward in the following decades and has become a viable technology capable of solving complex computational problems. Based on the laws of quantum mechanics, QC is not bound to the restrictions of classical computers, where everything resolves to a 1 or 0. Instead, QC uses "multidimensional computational spaces" to answer nearly impossible questions. It sounds like sci-fi, but it applies to our current computing environment.
Quantum Computing presents a unique challenge to all cybersecurity efforts because it has the potential to break some of the commonly used encryption standards used today.
Organizations use symmetric or asymmetric keys to encrypt their data at rest or in motion. Symmetric cryptography, like the Advanced Encryption Standard (AES), utilizes a single key to encrypt and decrypt data. In contrast, asymmetric cryptography (RSA) uses a public and private key to encrypt and decrypt data. The two types of cryptography differ in the security they provide based on their bit count (AES typically uses 128 or 256 bits, and RSA keys typically use 1024-2048 bits) and the password strength the key creator uses.
Due to QC’s threat to circumvent almost any encryption, in 2022, NIST introduced several new encryption key algorithms to address the inherent risks posed by QC. Because of the increased complexity of the algorithms used to generate the keys, they are considered QC-resistant (QCR). The new encryption keys mitigate the potential impact of Grover’s Algorithm, which can break AES-128 encryption in seconds today, and Shor’s Algorithm, which will eventually be able to break RSA encryption as QC technology advances.
In short, suitable algorithms and encryption standards could protect us from the future of QC hackers. But deploying them is a different matter.
Today’s lack of widespread QC availability makes QCR encryption a non-existent priority for most organizations because no perceived threat would require immediate action. Many companies’ IT and cybersecurity teams are already pushed to the maximum and tend to focus their efforts (and budgets) on decreasing current attack surfaces and clearing out the never-ending stream of alarms.
But that’s no reason to delay action. Complacency yields breaches, especially in cybersecurity. If encryption is not updated to match tomorrow’s threats, what’s to stop malicious actors from decrypting all of the non-QCR data in the future? IBM estimates a 1-in-7 chance that current encryption keys will be breakable by QC as early as 2026, and that chance skyrockets to 1-in-2 in 2031. If today’s data encryption isn’t made QCR shortly, companies could see their information harvested or held ransom, damaging an organization’s reputation and ability to operate.
The best time to upgrade your encryption is before hackers can break it with these new tools -- an ounce of prevention is worth a pound of cure, as the saying goes. Part of this prevention is identifying where all essential data resides, how users or systems access it, and the encryption used to protect it. For organizations anticipating the addition of new data sources or applications to their enterprise, part of the planning and encryption selection criteria should include support for QCR encryption. In addition, companies that develop enterprise applications in-house should also update their DevSecOps pipeline to include the integration of QCR encryption to prevent potential issues and rework in the future.
Jerry Derrick is Vice President of Engineering at Camelot Secure. He leads the company's engineering division and is responsible for the design, development, and sustainment of the Camelot Secure360 platform. Jerry's responsibilities also include the management of the product roadmap, research and development activities, and ensuring the overall security of the platform and customer data. A cybersecurity engineering veteran of over 20 years, Jerry understands and focuses on the importance of fusing people, processes, and technology to ensure Camelot Secure360 enables organizations to know their environments are secure against the latest threats. Before joining Camelot Secure, he worked at top military and government cybersecurity organizations to develop and deploy tools and capabilities to facilitate the more efficient and effective analysis of cybersecurity data.