Note to Crypto Specialists: Prepare Now for Our Quantum Computing Future

This article originally appeared on SC Magazine.

As the reality of powerful quantum computers draws closer, concerns about the threat this game-changing technology poses to today’s cryptographic tools and the critical data protected by them have grown. Since the days of ancient Rome, human beings have used encryption to protect sensitive information from interception. In today’s digital world, reliance on cryptography has become almost ubiquitous. However, we’re now in a global high-stakes race to develop next-generation quantum computers that will render much of modern cryptography obsolete.

Fortunately, a new generation of quantum-resistant cryptographic tools (often called “post-quantum” or PQ cryptography) can counteract these new quantum computers, but only if we prepare for this transition now. Delaying the transition to PQ cryptography represents a direct threat because it’s become clear PQ crypto must play a critical role in any long-term national cyber defense strategy. 

Today’s encryption standards offer protection against today’s technologies, but do not account for quantum computers, which will likely break much of today’s most advanced cryptography retroactively. Nations like China have made significant progress in building ever more powerful quantum computers (increasingly in secret), and there’ a looming risk of the most sensitive, classified information across governments and industries becoming accessible. This would shake global security and do untold damage to the national security of governments and the competitiveness of industry actors around the globe.

To avoid this scenario, we must develop, implement, test, integrate, deploy and maintain new PQ security solutions across our IT infrastructures so we can lay the groundwork for this transition today. This would identifying how exactly we are vulnerable to quantum-capable adversaries and prioritizing those vulnerabilities. In the same way, countries have made the COVID-19 vaccine available to the most vulnerable and critical populations first; organizations must identify their priorities in their upcoming transition to a PQ security posture. The government will need to prioritize securing the information and capabilities most central to U.S. national security, while the private sector will protect intellectual property and trade secrets.

In identifying priorities, organizations must combine two types of information about their operations. They will need a clear picture of which of their security systems are vulnerable to quantum attacks and in which sense they are vulnerable. Additionally, organizations must build a risk profile for each vulnerability that quantifies how a successful exploit would impact the wider organization. Only by understanding these priorities can organizations most effectively dedicate their limited resources. 

Besides prioritizing vulnerabilities, organizations must ensure that their IT infrastructure and operations have crypto agility; that they are designed and operated with explicit support for rapidly, seamlessly, and securely upgrading the underlying cryptographic tools. That means critical material, certificates, crypto libraries, and even completely cryptographic components should be easy to upgrade. 

Academia, industry, and government continue to make progress towards leadership in quantum. The Department of Defense’s Defense Information Systems Agency (DISA) has  actively explored post-quantum cryptography that would maintain secure encryption in the face of quantum computers. 

Meanwhile, the National Institute of Standards and Technology (NIST) has worked on establishing post-quantum cryptography standards that will help normalize a new generation of PQ crypto algorithms, a critical step in their widescale use. NIST has organized a global collaborative effort of cryptographers to work on cryptanalysis, optimizing and fine-tuning the new standards. The near decade-long process is now slated to reach fruition in the next two to four years, culminating in a handful of foundational PQ cryptographic algorithms. We can then expect governments and industry to dive into the much broader, largescale and complex effort of implementing, testing, integrating and deploying complete PQ information security solutions.

Organizations can and should take these steps today to prepare for a post-quantum world. By identifying the vulnerabilities in a post-quantum future and ensuring the cryptographic agility of IT infrastructure and processes, organizations in both the public and private sector can stand prepared for this new reality. These efforts will protect the national and economic security of countries around the world once-powerful quantum computers come online.