In the tech sector, pundits are always hyping the next, disruptive technology on the verge of changing, well, everything. “Embrace this transformative new force or ignore it at your peril,” they warn. Sometimes, they even get it right. Quantum computing may very likely be one of those times.
If you haven’t heard, the race is on to build the world’s first commercially viable quantum computer. If you believe the buzz, anyone with a quantum computer—be it a hostile government, business competitor, or lone hacker—would be able to crack any cybersecurity encryption on the planet instantly.
Before you run screaming for your information security officer, let me put your mind to rest. Despite the hype, quantum computing is not right around the corner—nor can it instantly crack any encryption. That said, quantum computing will no doubt arrive, and it will be an immensely powerful tool for good as well as for evil. Here’s what you need to know.
Encryption is everywhere
To understand why cybersecurity experts are concerned, you need to know a little bit about how encryption works, where it is used, and how quantum computers are fundamentally different from today’s digital computers.
Encryption is a cryptography method for protecting digital data by making it unreadable in the event it is stolen or intercepted by an unauthorized party. Encryption transforms readable text into unintelligible code or cyphertext that requires a “key” in order to decrypt the data and make it readable. The longer the key, the harder it is to crack the code.
You don’t need to work in the military or intelligence community to use encryption. It is literally everywhere.
- If you buy or sell anything over the web, that credit card transaction is protected by encryption.
- If you or your employees use a Virtual Private Network (VPN) to protect corporate information while working remotely, you’re using encryption.
- If you use direct deposit or any other type of electronic funds transfers, you rely on encryption.
Today’s web browsers automatically encrypt text when they connect to a secure server, and its use is growing thanks to stricter industry and government mandates, such as the GDPR, for the protection of personal data.
Quantum computing is a different breed of cat
The digital computers we all use today operate using a sequence of binary bits: ones and zeroes. Each bit is always in one of two definitive states, acting as an on or off switch to drive computer functions. Quantum computers are different beasts altogether—to explain that difference, we need to get into a little bit of quantum physics. I promise it won’t be painful.
According to quantum mechanics, subatomic particles exist in all possible states at once until someone observes them. (You may have heard of Schrödinger’s cat, the thought experiment that places a hypothetical cat in a box and asks “is the cat alive or dead”? The answer is both, until you open the box to find out.)
Because of this “superposition,” as it’s called in physics, the quantum bits, or qubits, in a quantum computer can represent both a one and a zero at the same time. This enables a quantum computer to process highly complex problems with a vast multitude of different outcomes (such as long-key encryption) far faster than the fastest digital computer.
The quantum advantage
Superposition gives quantum computers both speed and parallelism, enabling them to work on millions of computations at the same time. In order to crack an encryption key, a traditional digital computer would have to try every possible key one at a time. The longer the encryption key (64 bits, 128 bits, 256 bits), the more combinations the computer must try to find the correct key. If the key is 64-bits long, then there are 264 possible keys, for example.
A digital computer can crack a 64-bit key in under a minute. That’s why most organizations have moved to 128-bit or even the 256-bit Advanced Encryption Standard (AES). There aren’t enough digital computers on the planet or time in the world to crack a 256-bit key.
The hype surrounding quantum computers would have you believe that they will be able to break any encryption key instantly, but that’s not exactly true. The quantum advantage basically enables you to figure out the correct key as if that key were half as long as it really is. The take away here is that a quantum computer would treat a 128-bit key, which is the current standard for symmetric e-commerce encryption, as if it were a 64-bit key…and break that key in under a minute.
A quantum computer would still have a hard time with 256-bit encryption, which is why businesses with security concerns are already moving to 256-bit encryption for some applications.
The sky is falling…but not quite yet
While quantum computers exist on a small scale today, they are highly unstable, need to be manually coded and staffed with quantum PhDs. The cost to operate them far exceeds what they’re presently worth. But this will change. A few big tech companies and vendors with a vested interested in quantum computing will tell you that commercially viable generic quantum computers are just around the corner. In reality, we’re probably 5-10 years out and there are many technical issues that need to be solved:
- A quantum computer computes only once. You must reset it after each function.
- Qubits are prone to error, with two-thirds being down at any given time.
- You need enough qubits to crack a key, and they all need to be in the same state (superposition) at the same time.
Until a viable quantum computer emerges, the industry has time to continue its research into cryptography methods that would be resistant to quantum computing. To learn more, you can read what Cisco’s Advanced Security Research Group is doing in this area. Ideally, research will be completed and quantum-resistant security products will be deployed before that day comes. Realistically, there’s a lot of work that still needs to be done.
What can you do in the meantime?
Plenty. Tell your OS vendors and your network equipment suppliers that you want to know what their quantum resistance roadmap is. Until further guidance is released from agencies like NIST, quantum resistance is primarily concerned with supporting longer keys than the current market typically requires—support for 256-bit symmetric keys, for example. Vendors should at least have a plan. Pressure from you will help get a fire going if they don’t.
Here’s the bottom line: Quantum computing is a threat to cybersecurity, but it’s not an imminent threat. If you use shorter keys, like 128 bits, quantum computing is going to be a problem for you. If you’re in an industry that requires long-term storage in an encrypted state, you should consider re-encrypting that data with substantially longer keys. If your RFPs call for support of quantum resistance through use of longer key lengths now, you will help mitigate a major risk that is going to appear sooner or later.