By Janet Jones, Microsoft with Judith Furlong, Dell Technologies; Brian Rosenberg, Raytheon Technologies; Souheil Moghnie, NortonLifeLock; Mathew Lyon, Dell Technologies; Steve Lipner, SAFECode
It may sound like tomorrow's problem, but the countdown is already on to manage the threat that the emergence of quantum computing poses to today's cryptography and everything it protects. Quantum computing research and development is progressing rapidly, as evidenced by recent announcements of commercial quantum computers and quantum programming languages. If we wait for a cryptographically relevant quantum computer to arrive before addressing its cryptographic implications, we will be much too late. This post elaborates on the impact of quantum computing on current cryptographic algorithms and mechanisms.
Why the rush?
Quantum computing is an imminent threat to the modern cryptography used today to secure systems, devices, communications, and the Internet. Public key cryptography relies on the difficulty of solving certain mathematical problems (integer factoring and the discrete logarithm problem) even with today's fastest computers. A sufficiently large quantum computer running Shor's algorithm solves those problems in polynomial time, which puts current asymmetric algorithms (e.g., RSA, ECDSA, ECDH) at risk of outright break, regardless of key size. Symmetric ciphers and hash functions (e.g., AES, SHA-2, SHA-3) are affected differently: Grover's algorithm gives only a quadratic speedup to brute-force search, roughly halving the effective key or preimage security level, so they remain usable but need larger key or hash output sizes to stay quantum-safe (for example, AES-256 rather than AES-128).
As a result, many existing cryptography-based security services could be compromised in a quantum computing environment. These include: 1) higher-level protocols (e.g. TLS, IPsec) used to authenticate endpoints and protect data communications, 2) key management and key exchange protocols used to establish the keys for data encryption, 3) public key certificates and digital signatures used to verify data integrity and origin, including signed code distribution and payment systems, and 4) cryptocurrency and blockchain/distributed ledger implementations. Even scarier, an adversary can record encrypted traffic now and decrypt it later once a quantum computer becomes available to them ("harvest now, decrypt later"). Any data whose symmetric session key was established with RSA or ECDH is exposed this way, so data that must stay confidential for years is already at risk today.
Unfortunately, replacing cryptography is not done with a simple flip of a switch. Organizations who prepare now for this change will be in a much better position to successfully manage what is likely to be a complex migration process.
What the Industry is Doing
To address the risk, new post-quantum cryptographic (PQC) algorithms have been developed and are currently under review through NIST's Post-Quantum Cryptography Standardization Project. Launched in 2017, this project brought together research teams from around the world to submit candidate algorithms and to perform public cryptanalysis of the submissions. The project, which is entering its third and final round, is expected to announce results within the next 1-2 years.
PQC algorithms are expected to have much larger keys, much larger signatures, and potentially worse performance than current algorithms, which affects protocol message sizes, certificate chains, and constrained devices. We should assume that for the first several years of deployment, classical and PQC algorithms will be deployed side-by-side in hybrid constructions, combined so that the result stays secure as long as at least one of the two components is unbroken. That in turn requires systems to be crypto-agile: able to identify which algorithm protected a given object and to swap algorithms by policy rather than by rewriting code.
What SAFECode is Doing
SAFECode believes that technology providers should be taking immediate action to prepare for migration to encryption methods that will remain secure even when quantum computing becomes available. We’ve formed a working group focused on helping our members and the community proactively plan for the transition to quantum-safe cryptography. We’ll be publishing practical guidance over the next few months to assist developers with their migration strategy. We are also closely monitoring and contributing to NIST’s PQC standardization project and will keep you informed of relevant industry progress as well.
Like other SAFECode guidance, all of our recommendations are based on real-world planning and work underway at our member companies. SAFECode members looking to share their strategies, brainstorm around potential roadblocks, or hear more detailed insight from other members should contact [email protected] to join the working group.
We are currently developing a high-level post quantum cryptography migration roadmap that identifies immediate, short-term and long-term activities to support the gradual transition to quantum-safe cryptography. While we expect this roadmap to be somewhat fluid, we believe it is important to highlight the various phases of migration and key associated tasks so that organizations can begin to set expectations and formalize internal plans for the transition. From there, we will take a closer look at key parts of the roadmap, providing recommendations to assist the community at each transition phase.
- Crypto agility / Prototyping Quantum Resistant Cryptography
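The side-by-side deployment described under "What the Industry is Doing" and the crypto agility phase of the roadmap both depend on one design property: every protected object names the algorithm that protected it, and the code dispatches on that name under a policy table. The following is an added example of that pattern, not SAFECode's or any member company's code. It uses HMAC as a stand-in for the signature algorithms the post discusses, since the stdlib has no PQC signature; "hmac-sha3-256" is an assumption that only models the slot a future PQC algorithm would occupy, and "hmac-sha256+hmac-sha3-256" models a hybrid in which both components must verify. The algorithm identifier is bound into the authenticated data, which is the check that stops an attacker from stripping the PQC tag off a hybrid envelope and relabeling it as a legacy one.

```python
"""Algorithm-agile authenticated envelope (added example, not SAFECode code)."""
import base64
import hashlib
import hmac
import json
from typing import List

# Primitive registry: identifier -> MAC(key, data) -> tag.
PRIMITIVES = {
    "hmac-sha1": lambda k, d: hmac.new(k, d, hashlib.sha1).digest(),
    "hmac-sha256": lambda k, d: hmac.new(k, d, hashlib.sha256).digest(),
    # Assumption: this entry only models where a future PQC algorithm would plug in.
    "hmac-sha3-256": lambda k, d: hmac.new(k, d, hashlib.sha3_256).digest(),
}

# Per-algorithm policy. Each migration phase edits this table, not the code:
#   prefer = used to produce new envelopes, and accepted
#   accept = verified if encountered, no longer produced (re-seal on sight)
#   reject = refused even if the tag would verify
POLICY = {
    "hmac-sha1": "reject",
    "hmac-sha256": "accept",
    "hmac-sha256+hmac-sha3-256": "prefer",   # hybrid: both components must verify
}


def components(alg: str) -> List[str]:
    """Split a (possibly hybrid) algorithm identifier into registered primitives."""
    parts = alg.split("+")
    unknown = [p for p in parts if p not in PRIMITIVES]
    if unknown:
        raise ValueError(f"unregistered primitive(s): {unknown}")
    return parts


def derive_key(master: bytes, primitive: str) -> bytes:
    """One key per primitive, so a break of one component never exposes another's key."""
    return hmac.new(master, b"envelope-key/" + primitive.encode(), hashlib.sha256).digest()


def _tag_input(alg: str, message: bytes) -> bytes:
    # Bind the algorithm identifier into the authenticated data. Without this an
    # attacker could drop the PQC tag from a hybrid envelope, relabel it as the
    # legacy single-algorithm envelope, and it would still verify.
    return alg.encode() + b"\x00" + message


def seal_unchecked(master: bytes, message: bytes, alg: str) -> str:
    """Produce an envelope without consulting policy (models envelopes sealed in the past)."""
    data = _tag_input(alg, message)
    tags = [PRIMITIVES[p](derive_key(master, p), data) for p in components(alg)]
    b64 = lambda b: base64.b64encode(b).decode()
    return json.dumps({"alg": alg, "msg": b64(message), "tags": [b64(t) for t in tags]})


def can_seal(alg: str) -> bool:
    """Only 'prefer' algorithms may be used for new envelopes."""
    return POLICY.get(alg) == "prefer"


def seal(master: bytes, message: bytes, alg: str) -> str:
    if not can_seal(alg):
        raise ValueError(f"policy does not allow producing envelopes with {alg}")
    return seal_unchecked(master, message, alg)


def open_envelope(master: bytes, envelope: str) -> bytes:
    """Verify and return the message; raise ValueError on any policy or tag failure."""
    env = json.loads(envelope)
    alg = env["alg"]
    if POLICY.get(alg) not in ("prefer", "accept"):
        raise ValueError(f"policy rejects {alg}")
    parts = components(alg)
    message = base64.b64decode(env["msg"])
    tags = [base64.b64decode(t) for t in env["tags"]]
    if len(tags) != len(parts):
        raise ValueError("tag count does not match algorithm")
    data = _tag_input(alg, message)
    # Hybrid rule: every component must verify, so a forger has to break all of them.
    ok = True
    for p, tag in zip(parts, tags):
        ok &= hmac.compare_digest(PRIMITIVES[p](derive_key(master, p), data), tag)
    if not ok:
        raise ValueError("verification failed")
    return message


def verifies(master: bytes, envelope: str) -> bool:
    try:
        open_envelope(master, envelope)
        return True
    except ValueError:
        return False


def needs_reseal(envelope: str) -> bool:
    """True for envelopes under an 'accept' algorithm: re-issue them with the preferred one."""
    return POLICY.get(json.loads(envelope)["alg"]) == "accept"


if __name__ == "__main__":
    key = b"constructed master key for the example"   # constructed sample input
    env = seal(key, b"signed build manifest", "hmac-sha256+hmac-sha3-256")
    print(open_envelope(key, env), needs_reseal(env))
```

The registry and policy table are the agility points: adding a standardized PQC algorithm means registering a primitive and changing a policy entry, and retiring the classical one means moving it from "prefer" to "accept" (verify-only, re-seal on sight) and finally to "reject". Real signature schemes replace the HMAC lambdas with separate sign and verify functions and per-scheme key pairs, but the envelope format, the policy states, and the algorithm binding carry over unchanged.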