Quantum computing holds the potential to be one of the most era-defining innovations. So much so, that it's almost impossible to predict the exact effects it will have across the world of technology. But there's one thing that most in the tech industry agree on: it will eventually signal the end of asymmetric (public-key) cryptography, which underpins the system of machine identities enabling our online world to exist. Now, the world is racing to discover algorithms resistant to cracking by quantum computers and achieve 'quantum safety'. And NIST has taken the lead by announcing the first four contenders.
Forward-thinking CISOs will want to start preparing now, despite change not being imminent. And they should assume that the switch between pre- and post-quantum worlds will be defined by hybrid use of both new and old machine identities.
Cracking the cryptographer's enigma
Today's digital systems use a binary numerical system, zeros and ones, to store and process information. Quantum computers, on the other hand, use qubits: quantum particles that don't behave according to the rules of classical physics. This allows them to be a zero and a one simultaneously, which theoretically will reduce the overall time required to solve mathematical problems and process data.
At its core, this presents significant issues for cryptographers. Current public-key encryption systems rely on mathematical problems that classical computers cannot solve in any practical amount of time because they lack the processing power. Quantum computers, on the other hand, have the potential to solve these problems in the blink of an eye, meaning they could break current encryption standards with ease.
The internet's transfusion won't happen overnight
Why does it matter if our current encryption standards are upended? RSA produced the first crypto system in 1977, establishing public key cryptography as the primary mechanism for determining trust and authentication online. This underpinned the digital certificates and cryptographic keys that give machines an identity and laid the foundations for our entire system of encryption. Now, these machine identities are the primary method for securing all our online communications โ from sensitive customer data to financial transactions or even national security secrets.
They ensure that all machines can communicate securely, including everything from servers and applications to Kubernetes clusters and microservices. They run through our digital world like blood travelling around the circulatory system of the body. So, replacing these standards with quantum will be akin to giving the internet a transfusion.
We've all seen the discussions around the so-called 'crypto-apocalypse', the moment when quantum computers come online and crack our current systems of cryptography wide open. In truth, the reality isn't quite as dramatic. There won't be a single catastrophic doomsday event where the world's secrets are brought into the light and the global economy ceases to function. No, we're likely to see a slow and steady journey to quantum which is driven by the needs of leadership teams and markets.
It’s now been 40 years since the inception of the original RSA crypto-system, and the journey to achieve our current encryption standards has been long and onerous. The move to quantum resistance is likely to take decades too, if not longer.
Establishing a standard
Leading the charge to develop a post-quantum cryptographic standard for organisations is the US government's National Institute of Standards and Technology (NIST). There's been a lot of progress since 2016, when NIST called on the world's leading minds in cryptography to devise new ways to resist attacks from quantum computers. None more so than July's update, where the world of cryptography reached a vital milestone when NIST announced the first group of four quantum-resistant algorithms. And we are set to see four more announced soon.
By releasing eight algorithms, NIST recognises that cryptography is deployed in a multitude of use cases, and therefore diversity in encryption is a must. It's also essential to mitigate the risk of potentially vulnerable, early-stage algorithms: if one is broken, another built on different mathematics remains available.
For this, NIST selected the CRYSTALS-Kyber algorithm for 'general encryption', due to its relatively small encryption keys and operation speed. And for digital signatures, such as the ones used within TLS machine identities, it selected the CRYSTALS-Dilithium, FALCON and SPHINCS+ algorithms. As the primary algorithm, NIST recommends CRYSTALS-Dilithium, and FALCON is regarded as useful for applications which require smaller signatures. Meanwhile, SPHINCS+ is larger and slower than the others, but is useful as a backup option due to its slightly different mathematical approach.
With things accelerating from a standards perspective, organisations now have a clearer path towards planning their own post-quantum journey.
Beginning the journey
Many will be tempted to turn a blind eye to these early algorithms. They'll no doubt see that this kind of planning will take considerable effort; after all, we're talking about a transformation on the same level as changing the way you ride a bike. Yet, while the current machine identity system is working fine now, this won't always be the case. And sooner or later, CISOs will have to act.
While early-stage standards exist, it makes the most sense to start planning laboratory condition testing. Start by choosing a single application and understanding the performance impact of the new algorithms, how to deal with larger machine identities, and how to operate dual pre- and post-quantum modes. The latter point is especially key, because for the next few decades the world is likely to transition to quantum safety via a hybrid approach, much like how we've seen the switch to electric vehicles via hybrid cars. The old will work alongside the new.
Having a control plane to automate the management of these machine identities will be crucial to this hybrid mode, enabling visibility over which machine identities are being used in which context, and how they perform.
Of course, it will be difficult to truly predict how long this transition period will last. It's likely that many currently within the industry will not see the end of it. But, like climate change, it's not something that we can push down the road for a future generation to deal with.
So, pick an application to test and factor it into next year's budget. Set yourself a five-year plan to have the first quantum-resistant app up and running. While the road may change course, the destination certainly won't. It's time to take the first steps.
Kevin Bocek is VP Ecosystem and Community at Venafi. He brings more than 17 years of experience in IT security with leading security and privacy leaders, including RSA Security, Thales, PGP Corporation, IronKey, CipherCloud, NCipher, and Xcert.