Preparing for a Future with Quantum Computers

March 14, 2019

by Diana Proud-Madruga

As an avid science fiction reader, I’ve been watching the current developments in technology with particular interest. The world of science fiction is rapidly moving into the realm of science fact, especially when it comes to quantum computers. Unlike conventional computers, which use ones and zeros, quantum computers follow the principles of quantum physics, using ones, zeros, and everything in between. Breakthroughs in quantum computing will bring with them a quantum leap (pun intended) in analytics, machine learning and artificial intelligence, possibly even opening up the way to an artificial general intelligence. These breakthroughs, however, also pave the way for massive data breaches as quantum computers plow through data protected by current encryption technologies.

The good news is there are things we can do right now to protect information.

On December 15, 2016, the National Institute of Standards and Technology (NIST) announced that it was seeking quantum-resistant public-key cryptographic algorithms. Per NISTIR 8105, NIST predicts that quantum computing will affect widely used cryptographic algorithms to differing degrees:

  • AES, a symmetric-key algorithm used for encryption, will require larger key sizes.
  • SHA-2 and SHA-3, hash functions, will require larger output sizes.
  • RSA, ECDSA, ECDH (Elliptic Curve Cryptography) and DSA (Finite Field Cryptography), all public-key algorithms used for signatures and key establishment, will no longer be secure.

NISTIR 8105 further warns that organizations should have newer algorithms in place as soon as April 2026. IBM, however, predicts that implementation should occur sooner, expecting quantum computing to be mainstream within the next five years.

In anticipation of this breakthrough, NIST is actively looking for the next generation of encryption algorithms that will secure data in the post-quantum computing world. After evaluating the first round of candidate algorithms, NIST has moved into the second round. That’s all well and good for future requirements, but what about now? Organizations need to be concerned about what may happen when a quantum computer comes online.

One worst-case scenario is that a hacker (think “enemy state”) could accumulate large amounts of encrypted data in anticipation of being able to crack the encryption as soon as a quantum computer becomes available. Consider that just one piece of critical information within the stolen data could result in a breach of intellectual property, massive identity theft or even a national security incident.

Luckily, there are steps we can take today to protect information against such a future occurrence. IBM, a current leader in quantum computing, recommends organizations begin by:

  • Identifying, retraining or recruiting for the necessary quantum cybersecurity skills to:
    • Develop cybersecurity champions.
    • Collaborate with standards formulators.
    • Deduce the implications of various potential quantum cybersecurity approaches.
    • Create a quantum security transition plan.
  • Identifying where post-quantum security methods should be adopted by assessing potential quantum-era security exposure:
    • Symmetric encryption algorithms: Where appropriate, at least double the key sizes currently in use to help ensure an adequate future level of security strength.
    • Asymmetric encryption algorithms: Identify where these algorithms are in use and plan to switch to post-quantum alternatives.
    • Hashing algorithms: Assess the output sizes currently in use and plan to employ larger ones.
  • Keeping current with advances in post-quantum cybersecurity standards and emerging post-quantum security solutions, such as the work being done at NIST.
  • Working with encryption solution providers to deploy quantum-safe alternatives as they become available.
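
The exposure assessment described in the list above can start as a simple cryptographic inventory. The following Python sketch is an added example, not code from IBM, NIST or Electrosoft: it sorts a constructed inventory into the three categories the article names (symmetric, asymmetric, hashing) and orders it by urgency. The asset names, the `FAMILY-PARAM` label format, the 384-bit hash threshold and the inclusion of ECDHE, DH and DHE are assumptions of this example.

```python
import re

# Families named in the article's NISTIR 8105 summary. ECDHE, DH and DHE are
# added here as the same public-key class (assumption of this example).
PUBLIC_KEY = {"RSA", "DSA", "ECDSA", "ECDH", "ECDHE", "DH", "DHE"}
HASHES = {"SHA", "SHA2", "SHA3"}
MIN_HASH_BITS = 384   # assumed policy threshold, not a figure from the article
PRIORITY = {"replace": 0, "enlarge": 1, "review": 2, "keep": 3}

def assess(label):
    """Map a label such as 'AES-128' or 'ECDSA-P256' to (action, reason)."""
    parts = re.split(r"[-_ ]+", label.strip().upper())
    family = parts[0]
    # First token after the family that is purely a size (e.g. 128, P256).
    bits = next((int(p.lstrip("P")) for p in parts[1:]
                 if re.fullmatch(r"P?\d+", p)), None)
    if family in PUBLIC_KEY:
        # Key size is irrelevant: the article lists these as no longer secure.
        return "replace", "public-key algorithm; plan a post-quantum alternative"
    if family == "AES" and bits in (128, 192, 256):
        if bits < 256:
            return "enlarge", "move to AES-256"
        return "keep", "already the largest AES key size"
    if family in HASHES and bits:
        bits = 160 if (family, bits) == ("SHA", 1) else bits  # SHA-1 is 160-bit
        if bits < MIN_HASH_BITS:
            return "enlarge", f"{bits}-bit output; plan a larger one"
        return "keep", f"{bits}-bit output meets the assumed threshold"
    return "review", "not covered by the article's categories; assess manually"

def transition_plan(inventory):
    """Return (asset, label, action, reason) rows, most urgent first."""
    rows = [(asset, label, *assess(label)) for asset, label in inventory]
    return sorted(rows, key=lambda r: PRIORITY[r[2]])

# Constructed inventory for illustration; asset names are hypothetical.
SAMPLE = [
    ("backup-archive", "AES-128-CBC"),
    ("vpn-gateway", "RSA-2048"),
    ("code-signing", "ECDSA-P256"),
    ("db-tde", "AES-256-GCM"),
    ("file-integrity", "SHA-256"),
    ("legacy-app", "3DES"),
]

if __name__ == "__main__":
    for row in transition_plan(SAMPLE):
        print("{:15} {:12} {:8} {}".format(*row))
```

Labels the parser does not recognize fall through to `review` rather than `keep`, so an unfamiliar or oddly named algorithm is never silently treated as safe.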

Organizations will be looking to solution providers to address one or more of these recommended steps, as the expertise threshold is high for each. Minimum essential vendor credentials include a technologically savvy workforce and a history of collaborating with standards organizations such as NIST and, in the healthcare sector, HL7 Security and Privacy working groups. Moreover, experience in conducting vulnerability analyses will be critical. I am proud to say that Electrosoft Services, Inc. is leading the way in this field, helping private and public organizations address the cybersecurity challenges of today and prepare for the quantum computing world to come.

Diana Proud-Madruga, CISSP, is a Senior Security Analyst with Electrosoft.
