Quantum computing is set to transform multiple industries with its extraordinary computational capabilities, enabling the resolution of complex problems currently beyond classical computers' reach. However, this quantum leap also brings significant challenges, particularly in cryptography. It threatens current security measures, potentially breaking encryption that protects sensitive data, leading to significant security breaches.
Moreover, quantum computing's impact extends beyond security, disrupting business operations and strategic plans. Adapting to quantum threats requires years of effort, including architectural changes and addressing potential interoperability issues.
Taking these into consideration, on June 25th, ADACOM held an event titled “Insights, Challenges and Prospects in the eIDAS 2.0 and Quantum Cryptography Era” with the support of Ascertia and DigiCert at Ploes Floating Venue at Palaio Faliro.
During the event, Dr. Avesta Hojjati, VP of Engineering at DigiCert, delved into the implications of quantum computing on cryptographic systems and outlined a strategic roadmap for organizations to prepare for future quantum threats. Hojjati’s key talking points are discussed below.
The Potential and the Impacts of Quantum Computing
Quantum computing harnesses the principles of quantum mechanics to perform computations at unprecedented speeds. This capability opens new frontiers in several fields, including high-precision simulation, optimization of large and complex systems and more accurate and timely weather forecasts.
Despite these benefits, quantum computing's extraordinary power also severely threatens current cryptographic systems. Classical cryptographic algorithms rely on the difficulty of solving specific mathematical problems, like integer factorization and discrete logarithms. Quantum algorithms can solve these problems exponentially faster, rendering current encryption methods vulnerable.
Asymmetric cryptography, including widely used methods like RSA and Elliptic Curve Cryptography (ECC), faces significant threats from quantum computing. RSA is particularly vulnerable because Shor's quantum algorithm can factorize the large integers that RSA relies on, effectively breaking the encryption. Similarly, ECC is compromised by quantum attacks, making both encryption methods inadequate in a quantum computing era.
Although symmetric cryptography is less vulnerable and suffers less than asymmetric, symmetric algorithms, like AES, still face threats. Grover's algorithm can reduce the effective key length by half, making a 128-bit key as secure as a 64-bit key against quantum attacks.
Preparing for Post-Quantum Cryptography (PQC)
Organizations must transition (in a timely manner) to quantum-safe cryptographic algorithms to mitigate quantum computing risks. Ponemon Institute, sponsored by DigiCert, conducted a study to research the organizations’ approach to PQC. 3 out of 4 of the respondents are concerned about harvest now, decrypt later (HNDL) attacks, while the majority of them are concerned about the preparedness of their organizations to address the security implications and challenges of PQC, including:
- Architectural Overhaul: Adopting PQC is not a simple plug-and-play solution. Extensive changes to existing cryptographic infrastructures are required.
- Interoperability Issues: Ensuring that new quantum-safe systems work seamlessly with current technologies is critical.
- Cost and Resource Allocation: Transitioning to PQC will require increased IT spending and comprehensive workforce training.
Organizations preparing for quantum-safe cryptography should act proactively, as future vulnerabilities are today’s risks. They shall begin with a comprehensive assessment and planning phase. This involves thoroughly evaluating current cryptographic systems and identifying critical assets most vulnerable to quantum attacks.
Based on this assessment, organizations can develop a detailed implementation roadmap that prioritizes the protection of these high-value systems, especially today, where emerging tech accelerates security threats, ensuring a targeted and effective transition.
The next step is the adoption of quantum-safe algorithms. Integrating Quantum Key Distribution (QKD) and other quantum-resistant cryptographic methods into existing security protocols is crucial. Various quantum-safe asymmetric algorithms, most of them based on the lattice cryptography approach to quantum cryptography, have been selected by the National Institute of Standards and Technology (NIST) to complement the existing public-key cryptographic algorithms found in FIPS 186-5, the Digital Signature Standard (DSS), as well as NIST Special Publication (SP) 800-56A Revision 3. Crystals-Kyber, Crystals-Dilithium, FALCON, and SPHINCS+ intend to offer robust security against potential quantum threats and should be incorporated into the organization’s cryptographic infrastructure.
Finally, staying aligned with regulatory compliance and standards is essential. As the quantum landscape evolves, organizations must keep pace with changes in cryptographic standards. NIST recently released the first three finalized PQC Standards. Following their guidelines will ensure the organization’s security measures remain up-to-date and compliant.
The Path to Crypto Agility
NIST and Homeland Security highlight that maintaining crypto agility, i.e., switching between cryptographic algorithms without significant changes to the underlying infrastructure, is crucial during this transition. With increased connectivity, the scale of what needs to be updated also increases. Maintaining interoperability, migrating critical systems faster, and reducing switching costs is imperative.
The crypto agility approach ensures that organizations can adapt to new threats and standards as they emerge and is being built on four essential functions:
- Discover: Identify and evaluate quantum vulnerabilities throughout the ecosystem of your digital certificate.
- Manage: Utilize scalable and automated management tools to optimize certificate lifecycles and ease efficient PQC transitions.
- Automate: Reduce mistakes and operating expenses by facilitating an efficient PQC transition through automated operations.
- Deploy: Expedite the quick deployment of quantum-safe certificates to ensure optimal performance with minimal disruption.
Additional key factors for achieving crypto agility include implementing hybrid cryptographic systems that integrate both classical and quantum-safe algorithms, along with thorough interoperability testing across internal and external systems to detect and address potential risks.
Implementing Quantum-Safe Measures to Leverage the Quantum Era
According to Dr Avesta Hojjati, a robust PQC incorporates stakeholders’ engagement and training, thorough risk assessment, planning, implementation, and deployment of best practices, and tracking to future-proof enterprise systems. Moreover, DigiCert’s toolbox is equipped with complementary tools to enable integration, interoperability, and performance testing.
Immediate actions your business shall take include:
- Thorough Research: Understand the impact of large-scale quantum computing on public-key cryptography and its implications for your organization.
- Internal Assessments: Perform detailed analyses to uncover how cryptography is currently used within your organization and prioritize assets for migration.
- Collaboration with Vendors: Engage with key vendors to align their roadmaps with your quantum-safe strategy.
Within the following months of initiating the adaptation process, your organization should collaborate with internal teams to develop a detailed migration plan for transitioning to quantum-safe cryptographic systems. At this stage, it is critical to engage your vendors to ensure their roadmap supports your transition needs.
Quantum computing holds immense promise but poses significant risks to current cryptographic systems. Transitioning to quantum-safe algorithms requires careful planning, resource allocation, and a commitment to staying ahead of evolving threats. By adopting the outlined proactive strategic roadmap and becoming crypto-agile, organizations can navigate the complexities of the quantum era and maintain robust security in the face of future challenges.