Post Quantum Consulting
You’ve likely heard the prediction that quantum computers are set to compromise the world’s current public key infrastructure. How real is the threat? And what should organizations do today to prepare?
Planning for a Post Quantum World
The advent of quantum computing promises to solve certain types of complex problems in machine learning, medicine, and material science that are simply intractable for classical computers today. At the same time, quantum computing poses a devastating threat to today’s security.
Our cryptographers and system architects can develop a custom mitigation and transition plan to prepare your cryptographic infrastructure for the post quantum world.
"...researchers working on building a quantum computer have estimated that it is likely that a quantum computer capable of breaking 2000-bit RSA in a matter of hours could be built by 2030."
– Report on Post-Quantum Cryptography, NIST, April 2016
FAQ: Protecting Infrastructure Against Future Security Threats
Organizations need to take a proactive approach to PQC. There are multiple variables to consider and various layers of solutions. Learn more about PQC and find out how your organization fares.
Who needs QRC first?
Ultimately, the entire global infrastructure will need to transition to quantum-safe cryptography. The following two groups will be most immediately affected:
- First, organizations that need to keep secrets safe for long periods of time. This might include governments, law firms, medical research and pharmaceutical companies.
- Second, organizations that won’t be able to easily change their crypto as a real quantum computing threat emerges. For example, organizations that rely on microprocessors that need a 10-year development cycle and have a 20-year life. Many embedded systems are expected to last decades.
Should my organization adopt QRC now?
Unless your organization falls into one of the two groups above, probably not. However, all organizations should begin planning now, and should investigate and potentially experiment before NIST standards are published (NIST drafts are to be available in 2022-2024). It would be ill-advised to adopt something prior to NIST standards, since one would likely need to upgrade once the final standards are released.
Is Quantum Key Distribution (QKD) a solution?
QKD is a solution that has been shown to work. It does not rely on quantum computing. QKD works for point-to-point links where one can be sure there is no middleman in the link. The Chinese ground-to-satellite QKD laser link is a good example of this; however, a buried fiber optic cable is not a good application. QKD does require specialized infrastructure, and as such, the timeline for adoption is much further out.
Generally, QKD is only suitable for point-to-point links and doesn’t allow for switching. Further, authentication of QKD information is an unsolved problem. You can detect a man in the middle who jumps into your QKD link, but you can’t detect a man in the middle who was there from the beginning, such as a fiber optic repeater. QKD works as a link-to-link security mechanism. It doesn’t work as an end-to-end security mechanism.
How quickly will things need to change?
Even once scalable quantum computing arrives, the threat aperture will likely widen slowly. There is a lot of industry hype about when quantum computing will actually deal a death blow to today’s public key algorithms. The reality is that no one knows. Many experts think quantum computing will definitely arrive in the next 10 years; others expect it to take longer. Organizations with long-lived information that needs to be protected should be concerned. For many, it is probably most prudent to wait for standards.
Which market applications will need to migrate first?
High-risk sectors such as national security, financial, pharmaceutical, and medical research will be the first affected. Any organization with information that has lasting value should be protected. Classic examples are trade secrets and personnel records. Code signing is also an important long-term security need. The need for post quantum today applies to data that needs to be kept secret for a really long time. So, if data needs to be protected for 20, 30 or 40 years, then consider post quantum protection soon. If your data only needs to be kept secret for the next 10 years, wait for NIST to standardize and use those algorithms.
What needs to be done now?
Planning. It is vital for organizations to understand their risk exposure in order to determine what precautions need to be taken and when. For organizations that require a near-term solution, a hybrid cryptosystem may be appropriate. A hybrid cryptosystem is one which uses two different cryptographic algorithms to perform the same function. There are pros and cons to hybrid cryptosystems as well.
Now is also the time for engineering and experimentation to determine optimal solutions. Most PQC is not yet ready for prime time. Ideal solutions will still require significant research and development efforts to perfect.
Securing All Aspects of Your Infrastructure
Our clients trust us to design custom digital security solutions that work for their products and customers. Even if PQC is not the right fit for your company today, we can help.