Post-Quantum Cryptography: Is There A Looming Crypto-Apocalypse?
The realm of cryptography finds itself on the cusp of a groundbreaking evolution. While classical public-key encryption has been heralded for its resilience against brute-force attacks, the arrival of quantum-era risks and novel computing approaches threatens to change this landscape forever.
The Age-Old Trust in Classical Encryption
Classical public-key schemes such as RSA have been venerated for their robustness. RSA with a 2048-bit modulus, for example, is commonly reported to take longer than the age of the universe to break with current technology. That assertion is itself somewhat loose: it describes the expected cost of the best known attack, not a guarantee, since a lucky guess is always possible in principle. The strength comes from the difficulty of factoring the modulus into its two primes: the best known classical algorithm, the general number field sieve, runs in sub-exponential but still hopelessly impractical time at 2048 bits. Note that this hardness is a property of the mathematics, not of hardware architecture. The ‘von Neumann bottleneck‘ (the cost of shuttling data between processor and memory) slows every computation on conventional machines, but removing it does not by itself turn factoring into an easy problem; a faster machine still has to do exponentially many steps unless it runs a fundamentally better algorithm.
This security assertion is now being questioned.
Enter Quantum Computing
Quantum computers leverage qubits, which, unlike classical bits, can exist in a superposition of states. The popular description that they “try every answer at once” is misleading: a quantum computer does not speed up brute force across the board. What it offers is a small number of specific algorithms with large speed-ups. Shor’s algorithm finds the period of a modular function in polynomial time, which reduces integer factoring (the basis of RSA) and discrete logarithms (the basis of Diffie-Hellman, ECDH and ECDSA) to a tractable problem. Grover’s algorithm, by contrast, only halves the effective key length of symmetric ciphers and hash functions, so AES-256 and SHA-256 remain adequate. The direct threat is therefore to today’s public-key cryptography, which a sufficiently large, fault-tolerant quantum computer would render obsolete.
Let’s also keep in mind that current quantum computers are still woefully limited in their computing ability. Running Shor’s algorithm against a 2048-bit RSA modulus requires orders of magnitude more error-corrected qubits than any existing machine has. While the premise is incredible, the actual hardware is not there yet.
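To make concrete why Shor’s algorithm is the threat it is, the following example (added here, not part of the original article) walks through the classical half of the algorithm. Shor’s algorithm does not factor N directly: it reduces factoring to finding the multiplicative order r of a random base a modulo N, i.e. the smallest r with a^r ≡ 1 (mod N). Only that order-finding step needs the quantum computer; recovering the factors and the private exponent from r is cheap classical arithmetic. Here the order is found by brute force, which is exponential in the bit length of N and therefore only works for the constructed toy key (N = 61 × 53, e = 17); the loop that is infeasible classically is exactly the one the quantum circuit replaces.

```python
"""Factoring an RSA modulus via order finding: the classical part of Shor's algorithm.

Added example, not code from the original article. The order-finding loop is
brute force and stands in for the quantum period-finding subroutine.
"""
from math import gcd
import random


def find_order(a: int, n: int) -> int:
    """Smallest r > 0 with a**r % n == 1 (requires gcd(a, n) == 1).

    This loop is what Shor's algorithm replaces with a quantum period-finding
    circuit. Classically it can take up to n steps, exponential in the bit
    length of n, which is why it only finishes for toy moduli.
    """
    r, x = 1, a % n
    while x != 1:
        x = (x * a) % n
        r += 1
    return r


def shor_factor(n: int, rng: random.Random, max_tries: int = 64) -> tuple:
    """Split an odd composite n = p*q into (p, n//p) using order finding."""
    for _ in range(max_tries):
        a = rng.randrange(2, n - 1)
        g = gcd(a, n)
        if g > 1:                  # lucky base that already shares a factor
            return g, n // g
        r = find_order(a, n)
        if r % 2:                  # need an even order to take a square root
            continue
        y = pow(a, r // 2, n)      # y*y == 1 (mod n)
        if y == n - 1:             # trivial root -1 carries no information
            continue
        p = gcd(y - 1, n)          # non-trivial root: (y-1)(y+1) == 0 (mod n)
        return p, n // p
    raise RuntimeError("no factor found; retry with more bases")


def rsa_private_exponent(e: int, p: int, q: int) -> int:
    """Once p and q are known the private exponent follows immediately."""
    return pow(e, -1, (p - 1) * (q - 1))


# Constructed toy RSA key for the demo: N = 61 * 53, public exponent 17.
N, E = 3233, 17


def break_toy_key(seed: int = 1) -> dict:
    """Factor N, rebuild d, and decrypt a 'harvested' ciphertext with it."""
    p, q = sorted(shor_factor(N, random.Random(seed)))
    d = rsa_private_exponent(E, p, q)
    m = 65                          # constructed plaintext
    c = pow(m, E, N)                # ciphertext an adversary could have stored
    return {"p": p, "q": q, "d": d, "recovered_plaintext": pow(c, d, N) == m}


if __name__ == "__main__":
    print(break_toy_key())
```

For a real 2048-bit modulus the `find_order` loop would need on the order of 2^2048 iterations, which is the point: everything after that step is trivial, so whoever can do order finding efficiently, by whatever physical mechanism, breaks RSA and, by a similar reduction, Diffie-Hellman and elliptic-curve schemes.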
While large quantum computers remain a distant prospect, a company called MemComputing very recently unveiled a novel approach that combines data processing and storage in a dedicated hardware package, and positions itself as a more immediate contender. On its own account, the design bypasses the von Neumann bottleneck and solves complex mathematical problems faster than classical computers. A case in point is its purported potential to crack 2048-bit RSA encryption in minutes using ASICs (Application Specific Integrated Circuits). As is often the case, “extraordinary claims require extraordinary evidence”: no factorization of a key anywhere near that size has been publicly demonstrated by this or any other method. Even so, if such a device delivered only a fraction of the reported capacity, current public-key encryption would become a very fancy “please don’t open” sign instead of the actual deterrent to unauthorized snooping that we have grown accustomed to.
Anticipating the Crypto-Apocalypse
This potential for imminent encryption breakdown has birthed terms like ‘cryptopocalypse’. There is increasing concern, as highlighted by a DigiCert survey, that threat actors (or other parties) may already be stockpiling encrypted data in anticipation of the day when decrypting it becomes practical. In the same survey, 61% of respondents admitted they were unprepared for post-quantum computing challenges.
Furthermore, the lack of awareness and budget allocation for quantum-readiness only exacerbates the situation. The “harvest now, decrypt later” strategy means the relevant question is not whether a capable machine exists today but whether one will exist before the captured data stops being sensitive. Data with a long confidentiality lifetime, such as health records, trade secrets, or government communications, is already exposed to a future break if it is being recorded now, so the clock is ticking.
Gearing up for the Future
Recognizing the looming threat, institutions like NIST are proactively standardizing quantum-resistant algorithms. NIST selected CRYSTALS-Kyber for key encapsulation and CRYSTALS-Dilithium, FALCON and SPHINCS+ for digital signatures in 2022, and is gearing up to release the corresponding post-quantum cryptographic standards by 2024. The messaging application Signal is also gearing up: it has begun incorporating quantum-resistant key agreement into its end-to-end encryption protocol in a hybrid form, combining the existing X25519 exchange with CRYSTALS-Kyber so that an attacker must break both to recover the session key.
However, as these solutions remain in their infancy, what’s crucial now is readiness. Organizations, especially those handling critical infrastructure, should begin with:
- Quantum-Readiness Roadmaps: Preparing a strategic plan for migration towards quantum-resistant encryption, starting with a cryptographic inventory: where RSA, Diffie-Hellman and elliptic-curve algorithms are used, in which products and protocols, with what key sizes, and how long the data they protect must stay confidential.
- Vendor Engagement: Actively engaging with vendors who are primed for the post-quantum era, and asking the ones who are not for concrete migration timelines.
- Re-Encryption of Assets: Recognizing the potential for at-rest attacks, organizations must consider full re-encryption of existing data. Note the limit of this measure: re-encryption only protects copies the adversary has not already captured. Data that was harvested in transit cannot be protected retroactively, which is why key exchange on the wire deserves the earliest attention.
- App & Protocol Design: Ensuring future-proofing by designing apps and protocols that can easily migrate to more secure encryption methods: never hard-code an algorithm, carry an algorithm or suite identifier in every format and handshake, negotiate suites so that deprecated ones can be refused, and budget for post-quantum public keys and signatures that are kilobytes rather than tens of bytes in size.
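The last two points above come together in code as a suite-tagged, hybrid key derivation. The following example is added here and is not code from the original article or from any of the products it mentions. It assumes a small suite registry (the names `classical-v1` and `hybrid-v1` are illustrative) and shows two things: the protocol is migrated by adding a suite and deprecating the old one rather than by changing the wire format, and a hybrid suite feeds both a classical shared secret and a post-quantum KEM shared secret into one key derivation, so the session key stays secret as long as either component holds. The ECDH and KEM operations themselves are out of scope: their shared secrets and the transcript are constructed inputs, while HKDF (RFC 5869) is implemented with the standard library.

```python
"""Crypto-agile, hybrid session-key derivation.

Added example, not from the original article. The shared secrets below are
constructed stand-ins for real ECDH and post-quantum KEM outputs; the suite
names are illustrative.
"""
import hashlib
import hmac


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """HKDF extract-then-expand with SHA-256 (RFC 5869)."""
    prk = hmac.new(salt if salt else bytes(32), ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


# Suite registry. Migrating the protocol means adding a row and flipping a
# status, not changing the message format. Names are illustrative.
SUITES = {
    "classical-v1": {"components": ("ecdh",), "status": "deprecated"},
    "hybrid-v1": {"components": ("ecdh", "pqkem"), "status": "active"},
}


def derive_session_key(suite: str, shared_secrets: dict, transcript: bytes,
                       allow_deprecated: bool = False) -> bytes:
    """Combine the per-component shared secrets of `suite` into one session key.

    The component secrets are concatenated in registry order as HKDF input,
    and the info string binds the suite name and a hash of the transcript (the
    public keys and KEM ciphertexts exchanged). An attacker who later breaks
    one component still needs the other, and tampering with the negotiated
    suite or the transcript changes the derived key.
    """
    spec = SUITES.get(suite)
    if spec is None:
        raise ValueError(f"unknown suite {suite!r}")
    if spec["status"] == "deprecated" and not allow_deprecated:
        raise ValueError(f"suite {suite!r} is deprecated; refusing to negotiate it")
    missing = [c for c in spec["components"] if c not in shared_secrets]
    if missing:
        raise ValueError(f"missing shared secret(s) for {missing}")
    ikm = b"".join(shared_secrets[c] for c in spec["components"])
    info = b"session-key|" + suite.encode() + b"|" + hashlib.sha256(transcript).digest()
    return hkdf_sha256(ikm, salt=b"", info=info)


# Constructed inputs standing in for the outputs of a real ECDH (e.g. X25519)
# and a real post-quantum KEM (e.g. Kyber); the byte values are arbitrary.
SHARED_SECRETS = {
    "ecdh": bytes.fromhex("11" * 32),
    "pqkem": bytes.fromhex("22" * 32),
}
TRANSCRIPT = b"client_ecdh_pub|client_kem_pub|server_ecdh_pub|server_kem_ct"


def demo() -> dict:
    key = derive_session_key("hybrid-v1", SHARED_SECRETS, TRANSCRIPT)
    # "Harvest now, decrypt later": suppose the ECDH secret is recovered in the
    # future. Without the KEM secret the adversary still derives a different key.
    guess = derive_session_key("hybrid-v1",
                               dict(SHARED_SECRETS, pqkem=bytes(32)), TRANSCRIPT)
    try:
        derive_session_key("classical-v1", SHARED_SECRETS, TRANSCRIPT)
        downgrade_refused = False
    except ValueError:
        downgrade_refused = True
    return {"key": key.hex(), "attacker_matches": guess == key,
            "downgrade_refused": downgrade_refused}


if __name__ == "__main__":
    print(demo())
```

The registry is the single place a migration touches: a new suite is added, the old one is marked deprecated, and `derive_session_key` refuses it unless an explicit compatibility flag is set, which keeps the downgrade decision visible and auditable rather than implicit in whichever algorithm happened to be hard-coded.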
Any weakness in a fundamental encryption algorithm has always been highly disruptive. It impacts every level of security, explicit and implicit, of the data, processes and protocols an organization relies on.
Protecting intellectual property, trade secrets, customers’ PII, transactions and many other aspects of daily activities all rests on the assumption that the encryption will resist attackers. We have already seen several algorithms scrapped because discovered flaws rendered them obsolete (MD5 and SHA-1 for certificates, RC4 in TLS), forcing certificate renewals, application upgrades and other changes, and quantum computing poses the same challenge on a larger scale, since it affects every widely deployed public-key algorithm at once rather than a single primitive. While we’re not there yet, the road is only getting shorter, and we seem to be arriving at the destination sooner than predicted.
Planning for such an event should be included in the risk management process – taking these matters into account is critical to avoid being blindsided by events. What’s crucial now is not to rest on past laurels but to actively prepare for a future where encryption must evolve to continue safeguarding our digital information.