Cyber Insights 2024: Quantum and the Cryptopocalypse

Quantum computers are coming, and will defeat current public key encryption (PKE). But the cryptopocalypse is not dependent upon quantum computers: it could happen through other means, at any time.

SecurityWeek’s Cyber Insights is an annual series discussing the major pain points for cybersecurity practitioners. These pain points differ year by year in line with the evolving cyber ecosphere: this year we include discussion on current pressures on the role of CISO, including the new SEC liability rules. Overall, Cyber Insights 2024 talks to hundreds of industry experts from dozens of companies covering seven primary topics. The purpose is to evaluate what is happening now, and to prepare for what is coming in 2024 and beyond.

The quantum computer debate is full of questionable cybersecurity assumptions circling around the cryptopocalypse — a term coined to describe the inevitable breaking of current and ubiquitous public key encryption (PKE) by quantum computers. 

Since we know that a sufficiently large quantum computer will break current PKE (Shor's algorithm solves the integer factoring and discrete logarithm problems on which RSA, Diffie-Hellman and elliptic curve cryptography all rest), NIST has been leading a drive to develop replacement algorithms, which it calls post-quantum cryptography (PQC).

The first questionable assumption is that the cryptopocalypse is dependent upon quantum computing. It is not. It could happen at any time, and technically it could have already happened. The cybersecurity concern over PKE is simply not dependent on the arrival of cryptanalytically relevant quantum computers (CRQC).

The second questionable assumption is that PQC will solve the problem with new uncrackable crypto algorithms. It cannot do that. Any algorithm can be cracked, and eventually will be; and cracking PQC might not require a quantum computer at all.

We need to understand the so-called cryptopocalypse if we are to make the best possible plans to prevent our currently protected intellectual and confidential data suddenly being exposed to our enemies through the practice of steal and wait (‘harvest now, decrypt later’, also known as retrospective decryption).

However, having said that, it must be stated that the timing of the cryptopocalypse, the strength of NIST's PQC, and the arrival date of CRQC are all speculation, with many different opinions. The one unalterable fact is that the cryptopocalypse is coming, and that almost all secret data stolen beforehand will rapidly become cleartext to anyone in possession of that data.
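As an added illustration of why Shor's algorithm matters (example code written for this edit, not from the article or from any vendor): Shor reduces factoring to finding the multiplicative order of a number modulo N, and only that order-finding step is quantum. The Python below does the order finding by brute force on toy RSA moduli, so it runs on any laptop; the moduli and public exponent are constructed for illustration.

```python
"""Added example: the classical half of Shor's algorithm on toy RSA moduli.

Shor's algorithm factors N by finding the multiplicative order r of a base a
modulo N (the smallest r with a^r = 1 mod N). Only that order-finding step is
quantum; everything else is the classical post-processing shown here. The
brute-force find_order() takes time exponential in the size of N, which is
exactly the step a cryptanalytically relevant quantum computer would do in
polynomial time.
"""
from __future__ import annotations

from math import gcd


def find_order(a: int, n: int) -> int:
    """Smallest r > 0 with a**r % n == 1. Brute force stands in for the
    quantum period-finding subroutine; it only works for toy-sized n."""
    r, x = 1, a % n
    while x != 1:
        x = (x * a) % n
        r += 1
    return r


def shor_factor(n: int, a: int) -> tuple[int, int] | None:
    """Classical post-processing of Shor's algorithm for one base a.
    Returns a sorted non-trivial factor pair of n, or None if this base is
    unlucky (odd order, or a**(r/2) == -1 mod n) and another must be tried."""
    g = gcd(a, n)
    if g != 1:
        return tuple(sorted((g, n // g)))  # a already shares a factor with n
    r = find_order(a, n)
    if r % 2:
        return None
    y = pow(a, r // 2, n)  # a square root of 1 mod n; non-trivial unless y == n-1
    if y == n - 1:
        return None
    p = gcd(y - 1, n)
    return tuple(sorted((p, n // p)))


def factor(n: int) -> tuple[int, int]:
    """Try successive bases until the post-processing succeeds. For a product
    of two distinct odd primes at least half of all bases work."""
    for a in range(2, n):
        pair = shor_factor(n, a)
        if pair is not None:
            return pair
    raise ValueError(f"{n} is prime or a prime power")


def recover_private_exponent(n: int, e: int) -> int:
    """Given a toy RSA public key (n, e), factor n and compute the private
    exponent d = e^-1 mod phi(n). This is what 'breaking RSA' means."""
    p, q = factor(n)
    phi = (p - 1) * (q - 1)
    return pow(e, -1, phi)  # modular inverse (Python 3.8+)


if __name__ == "__main__":
    # Textbook toy key: n = 53 * 61, e = 17 (constructed for illustration).
    n, e = 3233, 17
    d = recover_private_exponent(n, e)
    m = 65
    assert pow(pow(m, e, n), d, n) == m  # the recovered d decrypts correctly
    print(f"factors of {n}: {factor(n)}, private exponent d = {d}")
```

Replace find_order() with Shor's quantum period-finding subroutine and the same post-processing factors a 2048-bit modulus; nothing else in the RSA break changes. That single substitution is the whole of the quantum threat to PKE.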

Quantum computers vs PKE

The NSA and other authorities have said the quantum risk could become real by 2035. “Commercial quantum computers do indeed exist today, although they have yet to demonstrate the projected computational scale without significant limitations. However, it is only a matter of time before our Years-to-Quantum (Y2Q) become months and days – not years,” comments Philip George, executive technical strategist at Merlin Cyber.

It is the ‘matter of time’ that is unknown and the subject of speculation. Quantum computers get their power from quantum bits (qubits): where a classical bit is either 0 or 1, a qubit in superposition holds a combination of both until it is measured, and it is that extra state space that algorithms such as Shor's exploit. But qubits are fragile. Interaction with their environment (noise) makes them decohere, collapsing the superposition back to a plain 0 or 1 and corrupting the computation.


Two terms are particularly important in the race toward practical quantum computers: coherence and logical qubits. Coherence is a qubit's ability to hold its superposition long enough for a computation to use it. Because physical qubits are noisy, a reliable, usable qubit (a logical qubit) is normally built from many physical qubits running a quantum error correction code that detects and corrects errors as the computation proceeds. The number of physical qubits needed for one logical qubit depends on the quality of the hardware and of the error correction code in use, but it can be as many as 1,000 physical qubits per logical qubit.

Achieving coherence is fundamental to providing usable quantum computers and is the focus of much research. “Coherence times refer to how long qubits can maintain their quantum state before decohering, and longer coherence times enable more complex computations,” explains Steve Hollands, CEO and CISO at Blackhills Quantum Computing.

Skip Sanzeri, co-founder of QuSecure

During 2023, new research into developing logical qubits without the need for very large numbers of error correcting qubits began to emerge. “We believe that 2024 will be the year of logical qubits, or quality over quantity,” suggests Skip Sanzeri, co-founder of QuSecure.

‘Traditional’ quantum development is increasing the qubit counts: Atom Computing has announced a 1,225 qubit computer, and IBM has announced a 1,100 qubit computer. “But the real key is error corrected and noise reduced qubits,” continued Sanzeri. “Logical qubits don’t need error correction and are thus a good measure of the true power of a quantum computer.”

As an example of this new research, DARPA and Harvard announced on December 6, 2023, they had “created the first-ever quantum circuit with logical quantum bits (qubits), a key discovery that could accelerate fault-tolerant quantum computing and revolutionize concepts for designing quantum computer processors… Harvard has built quantum circuits with around 48 Rydberg logical qubits to date in their laboratory, the largest number of logical qubits in existence. Rapidly scaling the number of logical qubits is anticipated to be relatively straightforward thanks to the nature of Rydberg qubits and how they can be manipulated.”

Sanzeri put some figures on this to demonstrate its importance. (Remember that without this approach, a quantum computer requires something like 1,000 physical qubits to provide one stable logical qubit.) “These are fully error corrected; so, that machine has compute power at 2^48 or a capacity of 280 trillion different states.” If DARPA’s claim of ‘relatively straightforward’ scalability proves correct, “This would move us into an era of usable quantum machines in the near term,” concludes Sanzeri.

It is still speculation. Setting aside the DARPA/Harvard claims, IBM appears to be leading the race to quantum. During 2023 it announced IBM Quantum System Two, introducing a modular approach. For now, the system interconnects three separate quantum processors, each with 133 qubits. IBM expects the individual processors to reach 5,000 qubits by the end of 2024, which would give a 15,000 qubit machine by the end of that year.

John Beane, founder and CEO at MemComputing

Despite this, IBM remains cautious. John Beane, founder and CEO at MemComputing, points out, “In a recent segment on ‘60 Minutes’, IBM indicated that major developments in their quantum computing capabilities are not expected before the end of the decade. The specifics of these comments reflect a cautious yet realistic timeline for advancing this technology.”

Something like three to ten years appears to be the most optimistic prediction for a quantum computer capable of breaking PKE. It is still speculation, and the quantum-driven cryptopocalypse may take longer to arrive.

ASICs vs PKE decryption

The quantum threat to cybersecurity is the potential for powerful quantum computers to crack PKE in near real time, but quantum computers are not the only computing approach with this potential. MemComputing is exploring whether in-memory processing ASICs can achieve the same effect.

Beane explains, “MemComputing’s research… has shown promising results in software emulation tests. These tests on problems ranging from 30 to 300 bits demonstrated that the circuit could generate appropriate congruences, leading to prime factorization of RSA benchmarks. The time needed for factorization followed a second-degree polynomial in the number of bits, which is a significantly slower increase than the exponential time increase seen with classical computers.”

MemComputing plans to extend the effective range beyond 300 bits and realize this capability in an ASIC. Beane suggests that based on current R&D, “There’s a potential for solving a 2048-bit factorization problem in sub-second time, which could be available in the next few years.”

The implication is that a non-quantum cryptopocalypse may arrive before quantum computers do. The caveat is that the results so far come from software emulation on inputs of at most 300 bits; whether the polynomial scaling holds at 2048 bits, and in silicon, is exactly what has not yet been demonstrated.

QKD vs PKE decryption

Technology advances may see a resurgence of interest in quantum key distribution (QKD) in 2024.

QKD uses single photons sent over optical fiber (or free space) to let two parties agree a shared secret key. Its security rests on a property of quantum mechanics that is also what makes qubits so hard to keep stable in a quantum computer: measuring a quantum state disturbs it, and an unknown state cannot be copied. Any attempt to eavesdrop on the photons therefore introduces detectable errors, alerting the parties before the key is used.

This makes it, theoretically, an ideal method for secure key distribution (that is, the very part of encryption that is most threatened by quantum computers). It gained considerable early interest because of the amount of dark fiber (fiber cables that have been laid but are not used) in the US. 
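A worked illustration of the eavesdropping-detection property just described (example code added for this edit, not from the article or any QKD vendor): a classical simulation of the BB84 protocol in which Alice sends bits in random bases, Bob measures in random bases, and an optional eavesdropper intercepts and re-sends every photon. Photon behaviour is reduced to a single modelling assumption (measuring in the wrong basis yields a random bit), and the 11% abort threshold is the commonly quoted BB84 bound, used here as an assumed policy value.

```python
"""Added example: BB84 quantum key distribution, simulated classically.

Model (an assumption of this simulation, not physics code): each photon
carries one bit prepared in one of two bases (0 = rectilinear, 1 = diagonal).
Measuring in the preparing basis returns the bit; measuring in the other
basis returns a uniformly random bit and destroys the original state. That
one rule stands in for the no-cloning / measurement-disturbance property.
"""
import random

QBER_ABORT_THRESHOLD = 0.11  # commonly quoted BB84 bound; assumed policy here


def measure(bit: int, prep_basis: int, meas_basis: int, rng: random.Random) -> int:
    """Outcome of measuring a photon prepared as (bit, prep_basis)."""
    return bit if prep_basis == meas_basis else rng.randrange(2)


def bb84(n_photons: int, eve_present: bool, seed: int = 0) -> dict:
    """Run one BB84 session. Returns the final keys and the quantum bit
    error rate (QBER) estimated on a sacrificed half of the sifted bits."""
    rng = random.Random(seed)
    alice_bits = [rng.randrange(2) for _ in range(n_photons)]
    alice_bases = [rng.randrange(2) for _ in range(n_photons)]

    # What reaches Bob: Alice's photons, or Eve's re-prepared copies.
    bits_in_flight, bases_in_flight = alice_bits, alice_bases
    if eve_present:
        eve_bases = [rng.randrange(2) for _ in range(n_photons)]
        eve_bits = [measure(b, pb, eb, rng)
                    for b, pb, eb in zip(alice_bits, alice_bases, eve_bases)]
        # Intercept-and-resend: Eve forwards what she measured, in her basis.
        bits_in_flight, bases_in_flight = eve_bits, eve_bases

    bob_bases = [rng.randrange(2) for _ in range(n_photons)]
    bob_bits = [measure(b, pb, bb, rng)
                for b, pb, bb in zip(bits_in_flight, bases_in_flight, bob_bases)]

    # Sifting: bases are compared over the public classical channel (which
    # must be authenticated, or Eve impersonates Bob); keep matching positions.
    sifted = [i for i in range(n_photons) if alice_bases[i] == bob_bases[i]]
    alice_key = [alice_bits[i] for i in sifted]
    bob_key = [bob_bits[i] for i in sifted]

    # Error estimation: even positions are revealed and discarded to measure
    # the QBER; odd positions become the key (before privacy amplification).
    sample = range(0, len(sifted), 2)
    keep = range(1, len(sifted), 2)
    errors = sum(alice_key[i] != bob_key[i] for i in sample)
    qber = errors / len(sample) if len(sample) else 0.0
    return {
        "alice_key": [alice_key[i] for i in keep],
        "bob_key": [bob_key[i] for i in keep],
        "qber": qber,
    }


def accept_key(session: dict, threshold: float = QBER_ABORT_THRESHOLD) -> bool:
    """Abort the session if the observed error rate exceeds the threshold."""
    return session["qber"] <= threshold


if __name__ == "__main__":
    for eve in (False, True):
        s = bb84(4000, eve_present=eve, seed=1)
        print(f"eve={eve}: QBER={s['qber']:.3f}, "
              f"key bits={len(s['alice_key'])}, accepted={accept_key(s)}")
```

With no eavesdropper the keys match and the error rate is zero; intercept-and-resend pushes the error rate to about 25% (Eve guesses the wrong basis half the time, and a wrong-basis re-send gives Bob a wrong bit half of those times), far above the threshold, so the session is aborted. Note what the simulation takes for granted: the basis announcements travel over a classical channel that must be authenticated, or Eve simply plays Bob to Alice and Alice to Bob. QKD removes the dependence of key exchange on PKE, but not the need for authentication.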

But there are technical challenges: primarily in range, scalability, cost, and integration. As a result, focus moved from QKD to PQC as a method of providing universally available quantum resistant encryption.

The QKD challenges may diminish from 2024 onward through the development of QKD-on-a-chip and improving satellite communication. “With knowledge of the threats to data security that come with quantum computing becoming ever more prevalent, QKD adoption via QKD-on-a-chip will soar,” comments Hollands. “Their first use case is likely to be unhackable communications secure for IT security, banking and medicine.”

This is an important distinction. QKD's security rests on physics rather than on the unproven hardness of a mathematical problem, so it is quantum computer secure in principle, whereas PQC is quantum computer resistant. Two caveats apply in practice. The classical channel used for sifting and error estimation must be authenticated, so QKD still depends on some authentication mechanism (a pre-shared key or a signature scheme). And the security proofs cover the protocol, not the hardware: flaws in real single-photon sources and detectors have been exploited in laboratory attacks, which is one reason the NSA and the UK's NCSC have said they do not recommend QKD for national security systems. QKD-on-a-chip reduces the cost, scalability, and integration challenges of the initial concept, while satellite communications address the range problem.

“Limitations on distance and performance for QKD will be a thing of the past since satellite QKD will become more mainstream,” continued Hollands. “Quantropi can today offer QKD based entropy at a speed of 142 Mbps between Ottawa and Frankfurt over the classical internet — no need for fiber everywhere.”

QKD can in theory remove the key-distribution part of the cryptopocalypse, whether the threat comes from quantum computers or ASICs. It does nothing for the other use of PKE, digital signatures, which still need PQC.

Post quantum cryptography (PQC) vs PKE decryption

Aware of the quantum threat to current encryption, NIST launched a PQC Standardization program in December 2016, requesting researchers and developers to submit candidate algorithms resistant to quantum decryption. The process is now well-advanced.

“This year [2023], CISA, the NSA, and NIST have been leading the charge on PQC initiatives, publishing fact sheets and other helpful resources to address threats posed by quantum computing,” says George. 

“Next year [2024],” he continued, “NIST is set to publish its first set of PQC standards. This is an early step towards preparing federal agencies as well as private companies to adopt new encryption standards that are designed to protect systems from being vulnerable to advanced decryption techniques fueled by quantum computers.”

Aaron Moore, EVP of engineering QuSecure, provides more detail. “According to Dr. Dustin Moody, NIST’s PQC project lead, it is highly probable that NIST will publish its standards for KYBER, DILITHIUM, and SPHINCS+. NIST is currently deciding on whether to standardize BIKE or HQC and may announce their selection in 2024. Classic McEliece may be selected for standardization later if at all.  NIST’s cryptographic algorithm validation program (CAVP) is intended to be ready as soon as the standards are published.”

PQC algorithms are described as ‘quantum-safe’. Sadly, quantum-safe is not quantum-secure: quantum security cannot be guaranteed. What is made by mathematics can be unmade by mathematics; effectively, PQC merely buys us time until it too is cracked. Illustrating this point is the 2022 break of SIKE, a promising PQC candidate. While praising the NIST contest for developing ‘quantum resistant algorithms’, Sanzeri adds, “That being said, we’ve seen weaknesses in some of those algorithms, such as when SIKE – a promising post quantum algorithm – was broken by someone with a PC in one hour.”

In their report announcing the crack, the researchers wrote, “Ran on a single core, the appended Magma code breaks the Microsoft SIKE challenges… in about 4 minutes and 6 minutes, respectively. A run on the SIKE parameters, previously believed to meet NIST’s quantum security level 1, took about 62 minutes, again on a single core.” Two details matter for the argument here: SIKE was a fourth-round alternate candidate that NIST had not selected for standardization, and the attack (by Castryck and Decru) was entirely classical mathematics run on an ordinary CPU, which is exactly the point that breaking PQC need not wait for a quantum computer.

The only pre- or post-quantum cryptography that can be guaranteed as secure is the one-time pad (OTP) – but this is incompatible with everyday use. “OTP is a theoretically perfect encryption technique,” comments Sanzeri, “but it has limitations and practical challenges that make it less commonly used in modern cryptographic applications.”

These challenges include key management, key length (the pad must be at least as long as the message), key distribution (the same problem that bedevils every cryptosystem, but with far more key material to move), strictly one-time use (every message consumes fresh pad, and reusing a pad leaks the XOR of the two plaintexts), the need for truly random rather than merely pseudorandom pad bytes, and the absence of any integrity protection, since an attacker who knows the plaintext can flip bits of the ciphertext at will. While the one-time pad is a conceptually perfect encryption method, these practical limitations mean it is rarely used in real-world applications. It will primarily remain a tool for highly secure military communication.
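To make those caveats concrete (example code added for this edit, not from the article): a minimal one-time pad in Python together with the two classic misuse failures, pad reuse and ciphertext malleability. The pad and messages are constructed for illustration.

```python
"""Added example: the one-time pad, and what goes wrong when its rules are bent.

A true OTP needs a pad from a physical random source, at least as long as the
message, used exactly once and then destroyed. The functions below implement
the cipher and then demonstrate two failure modes that follow directly from
its definition.
"""
import secrets


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings; output is truncated to the shorter input."""
    return bytes(x ^ y for x, y in zip(a, b))


def new_pad(length: int) -> bytes:
    """Fresh pad bytes. secrets uses the OS CSPRNG; a real OTP would draw
    from a hardware true random number generator instead."""
    return secrets.token_bytes(length)


def otp_encrypt(plaintext: bytes, pad: bytes) -> bytes:
    """Encrypt (or decrypt: XOR is its own inverse) with a one-time pad."""
    if len(pad) < len(plaintext):
        raise ValueError("pad must be at least as long as the message")
    return xor_bytes(plaintext, pad)


def two_time_pad_recover(c1: bytes, c2: bytes, known_p1: bytes) -> bytes:
    """Failure mode 1: pad reuse. Because c1 XOR c2 == p1 XOR p2, anyone who
    knows (or can guess) p1 reads p2 without ever seeing the pad."""
    return xor_bytes(xor_bytes(c1, c2), known_p1)


def forge_ciphertext(c: bytes, original_p: bytes, wanted_p: bytes) -> bytes:
    """Failure mode 2: no integrity. An attacker who knows the plaintext can
    flip ciphertext bits so that it decrypts to any message of equal length.
    Perfect secrecy says nothing about authenticity."""
    return xor_bytes(c, xor_bytes(original_p, wanted_p))


if __name__ == "__main__":
    pad = new_pad(32)
    c = otp_encrypt(b"ATTACK AT DAWN!", pad)
    print(otp_encrypt(c, pad))                                  # round trip
    print(otp_encrypt(forge_ciphertext(c, b"ATTACK AT DAWN!",
                                       b"ATTACK AT DUSK!"), pad))  # forged
```

Both failures are the reason OTP cannot simply be wheeled out as the answer to the cryptopocalypse: the pad logistics are the whole problem, and a pad that is ever reused, or sent without a separate authentication mechanism, is worse than a modern authenticated cipher.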

NIST’s PQC algorithms are not perfect and cannot guarantee security against the cryptopocalypse. Nevertheless, it is creating a new generation of stronger encryption, and lack of perfection is no argument for not using the best possible.

Agile cryptography vs PKE decryption

The need to migrate to PQC and agile crypto is here now. This is not specifically because of the future threat of quantum computers, but because of the existing and future threat to encryption. PQC algorithms are built on mathematical problems (structured lattices, hash functions, error-correcting codes) for which no efficient quantum algorithm is known, while crypto agility will allow us to switch to a different algorithm as soon as one is broken (which will happen).

“Crypto agility refers to an information security system’s ability to quickly adopt an alternative to its original encryption method or protocol without requiring a significant change to the system, its infrastructure, or connected systems, services, or applications,” explains Torsten Staab, Principal Technical Fellow at Raytheon. “The next generation of IT/OT solutions must be crypto-agile to enable a successful transition from today’s classical encryption to tomorrow’s post-quantum cryptography. Being crypto-agile is also important because nobody can provide a 100% guarantee that their encryption algorithm, including NIST’s new PQC algorithms, is unbreakable.”

Sanzeri adds, “We expect that even some of these NIST finalists that have made it this far could also fail so we’ve built in cryptographic agility which is a key component to be able to switch algorithms quickly if one goes down. Our advice to enterprise and government organizations would be to ensure that they are able to easily switch algorithms and key strengths to make sure they optimize for the organization.”

The problem is that any use of encryption is a leap of faith into the unknown: we don’t know if or when any algorithm might be cracked by adversaries. We don’t even know for certain that crypto agility will enable us to switch from a broken algorithm to an unbroken algorithm, nor, if unbroken, how long it will remain unbroken. All we can say with confidence is that NIST’s PQC algorithms are likely to be the strongest available, and that current PKE will be defeated by quantum computers.

“Time is the greatest asset in achieving post-quantum agility,” says George, “and if organizations don’t start now, they will have nothing to show for it when time runs out.”
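The crypto-agility and PQC migration points above, as an added example (code written for this edit, not from the article, NIST or any vendor): a key-establishment layer in standard-library Python in which every session key is derived under an explicitly negotiated suite identifier, a policy table decides which suites are still acceptable, and a hybrid suite feeds the outputs of a classical and a post-quantum key exchange into one KDF. The suite names are illustrative assumptions rather than any standard's wire format, the KEM outputs are constructed random bytes standing in for X25519 and ML-KEM shared secrets, and the HKDF is a straight implementation of RFC 5869.

```python
"""Added example: crypto-agile, hybrid session key derivation.

Design points this demonstrates:
 1. Agility: the suite id is negotiated, bound into the key derivation, and
    checked against a policy table. Retiring a broken algorithm is a table
    change, not a protocol redesign.
 2. Hybrid: a hybrid suite concatenates the shared secrets of a classical KEM
    and a post-quantum KEM before HKDF, so the session key stays secret as
    long as either primitive survives.
The KEM outputs are random bytes here (assumption); a deployment would take
them from X25519 and ML-KEM. Suite names below are illustrative, not standard.
"""
from __future__ import annotations

import hashlib
import hmac
import secrets

HASH = hashlib.sha256


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """RFC 5869 HKDF-Extract with HMAC-SHA256 (empty salt -> zero block)."""
    return hmac.new(salt or bytes(HASH().digest_size), ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 HKDF-Expand with HMAC-SHA256."""
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm += block
        counter += 1
    return okm[:length]


# Policy table (assumed names): the one place that changes when an algorithm falls.
SUITES = {
    "x25519-mlkem768-sha256": {"secrets": 2, "status": "preferred"},   # hybrid
    "mlkem768-sha256":        {"secrets": 1, "status": "allowed"},     # PQ only
    "x25519-sha256":          {"secrets": 1, "status": "deprecated"},  # classical only
}


def is_acceptable(suite: str) -> bool:
    return SUITES.get(suite, {}).get("status") in ("preferred", "allowed")


def negotiate(offered: list[str]) -> str:
    """Pick the first offered suite that policy still permits; refuse otherwise."""
    for suite in offered:
        if is_acceptable(suite):
            return suite
    raise ValueError(f"no acceptable suite in {offered}")


def derive_session_key(suite: str, shared_secrets: list[bytes], transcript: bytes) -> bytes:
    """Combine every KEM output for the suite into one 32-byte session key.
    The suite id and handshake transcript are bound into the derivation, so
    a downgrade to a weaker suite produces a different, useless key."""
    if len(shared_secrets) != SUITES[suite]["secrets"]:
        raise ValueError("wrong number of shared secrets for suite")
    ikm = b"".join(shared_secrets)                 # concatenation combiner
    prk = hkdf_extract(HASH(transcript).digest(), ikm)
    return hkdf_expand(prk, b"session-key|" + suite.encode(), 32)


if __name__ == "__main__":
    suite = negotiate(["x25519-sha256", "x25519-mlkem768-sha256"])
    ss_classical = secrets.token_bytes(32)  # stands in for an X25519 shared secret
    ss_pq = secrets.token_bytes(32)         # stands in for an ML-KEM shared secret
    key = derive_session_key(suite, [ss_classical, ss_pq], b"client-hello|server-hello")
    print(suite, key.hex())
```

A peer that offers only the classical suite is refused, and a peer that offers both gets the hybrid. When an algorithm is broken, its row is marked deprecated and the rest of the code is untouched; when a hybrid's classical half is broken, the derived key is still as strong as the surviving PQ half, because HKDF treats the concatenated secrets as one input. The RFC 5869 test vector is a cheap way to confirm the KDF before trusting it with real secrets.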

Retrospective PKE decryption

The threat to existing PKE is that it will be broken, possibly — perhaps probably — within the next decade. Sadly, we cannot wait that long. Our adversaries, whether criminal or nation-state, but especially the latter, are aware of the coming cryptopocalypse. 

It is possible that one or more national intelligence agencies have already cracked RSA. They certainly wouldn’t tell us, but there is no publicly available information to suggest that any adversary can yet decrypt RSA-2048 in anything nearing real time. Nevertheless, knowledge that this time is approaching has led to what is commonly considered the ‘harvest now, decrypt later’ threat. It is believed that adversaries are currently and quietly stealing as much encrypted data as possible, knowing that in the future they will be able to decrypt it.

Greg Ellis, GM of application security at Digital.ai

This is a problem. For the last two decades, encryption has been a cornerstone of our cybersecurity, so much so that breach regulations have intimated that stolen data that was encrypted is not actually stolen data. The idea of the cryptopocalypse demonstrates that this is false logic. Encrypted data is only secure until the encryption algorithm is cracked. That will happen in the future and could happen within a few years. At that point, any confidential business plans, intellectual property for future products, military blueprints and state secrets will be plaintext to any adversary that has them.

“If we think nation states aren’t collecting data now to gain insights later, we are fooling ourselves,” warns Greg Ellis, GM of application security at Digital.ai. “Who knows what that will ultimately reveal? However, despite our best efforts, there will be ‘secrets’ revealed due to these decryption efforts that will yield actionable results for some period of time.”

What we don’t know is the extent of this practice, although according to the FBI, China has stolen more data than all other nations combined. As the cryptopocalypse gets closer, this data theft will likely increase. “We believe that nation-states will continue to harvest data at increasing rates which will give the opportunity to change the balance of power, globally,” comments Sanzeri. “Anyone who is harvesting data from others is simply building power and capability ahead of the curve.”

The problem is that we can no longer rely on encryption alone to protect our confidential data. The only real solution is to prevent it being stolen.

Summary

Quantum computers are coming. They will defeat current public key encryption (PKE). The cracking of current PKE is called the cryptopocalypse, because so much of our encryption depends upon PKE. But this cryptopocalypse is not dependent upon quantum computers; it could happen through other means, at any time. So, an unexpected benefit of the quantum threat is that it makes us rethink our absolute dependence on encryption.

This new knowledge, that RSA will not after all keep data safe for longer than the expected life of the universe, should be applied to all and any encryption. But this does not mean that we can or should abandon encryption as part of our layered approach to cybersecurity. We should absolutely use the best encryption available.

Today, that means migrating to NIST’s PQC algorithms, building in crypto agility, and where feasible considering QKD. Encryption will never prevent the decryption of stolen data once the algorithm used for encrypting is broken; but we can, should, and must make it as difficult as possible for the thieves. 

The time to start this process must be no later than now.

Related: US Government Publishes Guidance on Migrating to Post-Quantum Cryptography

Related: Quantum Computing Is for Tomorrow, But Quantum-Related Risk Is Here Today

Related: IBM Delivers Roadmap for Transition to Quantum-safe Cryptography

Related: Cyber Insights 2023 | Quantum Computing and the Coming Cryptopocalypse

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.
