The Dawn of a New Cyber Threat

The history of cryptography likely began in encoding secrets of war. It is rather apt then that the common metaphor for the eternal conflict between cyber security and hackers is that of an arms race. New tools in each arsenal rapidly develop and eclipse the capabilities of existing tools and standards. Many early forms of cryptography, such as the Caeser cypher or morse code, relied on simply the secret system. This differs from modern cryptography which relies on key strength to protect the encrypted information. By increasing the length of the keys, we use, we exponentially increase the generation time, but also the time it would take to crack the keys.

The NIST currently recommends 2048-bit RSA keys but if tomorrow an incredibly fast CPU or GPU were to go on the market, that key size may prove insufficient and need to be updated. However, with a larger key size in use, the increased difficulty to crack the key would prove too much even for this hypothetical piece of hardware. In this manner the arms race has been relatively simple of late. However, on the horizon looms what many experts have called the end of modern cryptography. But what does this really mean, and why is increasing key size not the solution?

What the future holds for cryptography?

As stated, we have been coasting for some time in the cryptographic arms race in a period of what might be called relative safety. One must always be active and alert in this field as vulnerabilities can always be discovered in the systems that support cryptography, but for some time the cryptography itself has been relatively solid. RSA was developed all the way back in 1977 and is still in use in some form today.

If anything, this is a strong indication of the relative era of cryptographic safety we have been existing in, that a single standard can have such an enduring legacy in a field commonly described in terms of warfare. So, what threat looms that actually poses a risk to this long enduring form of cryptography? To understand where this threat originates from, we must first understand the basics of how cryptography works.

The radical shift in the cryptography space was based on math. While almost all cryptography is in reality based on math, a specific mathematical property in relation to computation was taken advantage of in the development of RSA. This property is the reason RSA can eventually be compromised by faster and faster CPUs, but key size has always quickly resolved the issue. This property is a form of so-called trapdoor mathematics. In some cases, a mathematical operation is easily calculable in one direction but much more difficult in the other. 

Multiplying two numbers together is something you or I can do with some difficulty depending on the size of the numbers, but it is trivial for a computer. Factoring a large number, however, is much more difficult for both a human and a computer. In fact, the larger the number, the longer it takes to factor. This scales exponentially with the number’s size and is the fundamental concept behind mainstream asymmetric cryptography.

The Quantum Threat

While we have danced around the subject up to this point, we will now directly confront the threat to modern asymmetric cryptography: Quantum computers. First, let’s talk about what makes quantum computers different. A quantum computer as opposed to a traditional computer uses qubits instead of bits. A bit can have a value of 0 or 1. Everything in a computer is stored in bits, and operations are done affecting the value of these bits.

A collection of bits is used to store information, the amount of information able to be stored and the computational complexity of operations depends on these bits functioning. A common misconception is that Quantum computers introduce a third state for their equivalent bits, called qubits, a sort of in between state where it is both 0 and 1 simultaneously. The reason for this misconception is that this model of a qubit is easier to understand. But the reality of a qubit is it has the same number of states as a normal bit. So then why is a quantum computer more computationally powerful? 

What is a Superposition?

Well instead of storing concrete values of 0 or 1 quantum computers store a superposition. These values have some level of ambiguity, and the degree of ambiguity is somewhat controllable. Instead of offering a third state, we are able to track the outcomes from having both the state of 0 and the state of 1.

So, a quantum computer of equivalent scale to a traditional computer would still have the same number of states but would function as an exponentially scaled number of computers. As a simple model, a collection of four bits in a traditional computer offers 16 possibilities, 2^n where n is the number of bits. A quantum computer offers the same number of qubits and the same number of possibilities, but with superpositions allows you to essentially run 2^n simulations in parallel. By allowing for ambiguity instead of trying a single solution to a given problem, a quantum computer can calculate multiple possibilities with a single operation.

This is the theory behind quantum computing at least. Achieving this effectiveness is not necessarily straightforward but is at least theoretically possible and with multiple players in the quantum space including companies like Google, it may be only a matter of time before we can actually realize this absurdly scaling computational power.

Returning to qubits and superpositions, the above is a simplification, at the end of the day qubits only output 0 or 1. But the key takeaway here is that the qubit is in a sort of in-between state but also there are a countably infinite number of these in-between states leaning more towards 0 or more towards 1. By correctly manipulating the superposition into an ideal state for the problem and the information known, quantum algorithms can solve complex problems however this difficulty in performing the correct manipulation scales exponentially with the size of the problem. It is difficult to know at what point the breaking point will be reached where we are able to solve these problems and gain the full potential of even our existing quantum computers.

Where are Quantum Computers now?

That’s right, there are existing quantum computers. There are computers that have successfully implemented the concept of a qubit. Quantum computers aren’t some far off fantasy, they are a real and present looming invention. They need a lot of perfecting because of the complex math and the scale of the manipulations required in order to make them work as they theoretically should. Current quantum computers are small but as we have seen in the past several decades computer growth, computational growth and the size of processors can grow at ridiculous speeds once the right conditions are found. In 2022 the largest quantum computer currently around was created by IBM with a total of 433 qubits.

For reference, if this computer had the actual theoretical strength of a quantum computer, it would only need 100 qubits to hypothetically eclipse the strength of all computational machines on the Earth. They simultaneously released a smaller but more precise quantum computer. This is one of the many variables that makes it difficult to evaluate when “cryptography will break” the number of qubits and how precise we can manipulate them as well as our understanding of quantum algorithms all work in tandem to determine how powerful a quantum computer actually is.

All of these variables are advancing independently and together in different laboratories so it is difficult to say when this will happen. But what exactly will happen? The world must move forward when, not if, this day finally comes.

Post-Quantum Algorithms

There are already post quantum algorithms that will not be trivial for a quantum computer to break; they use different math that is not easily reversible with enough computational power. There’s also symmetric encryption, symmetric encryption is not vulnerable to quantum computers. One of the main reasons that asymmetric encryption is at such a risk is the existence of the public key. As the public key is derived from the private key using mathematical functions and a widely distributed object, the mathematical operations to derive the public key can be essentially reversed with a quantum computer. There are also a variety of post quantum algorithms currently in development. Researching further into post quantum algorithms currently available is a great step in preparing your organization. 

But when do we need to be prepared for such an ambiguous date? Is it worth investing in post-quantum infrastructure at this time? The answer to that question really depends on your organization. If you store information that will be dangerous if exposed in 10 years from now, you absolutely need to invest in post-quantum infrastructure now. You might be asking yourself why not just wait. The reality is hackers have been collecting data for years now that is encrypted in transit.

Any data that has traveled over the internet or been accessible remotely, protected only by encryption using non-quantum resistant algorithms, has a strong chance of being stored on someone’s hard drive. Hackers are aware that eventually, this data will be breachable. With the ever-increasing cheapness of storage, it is trivial to store large amounts of encrypted data in an offline hard drive and wait 10 years for the potential payoff. In fact, for a cybercriminal, it would be foolish not to be doing this.

So, the reality of the current situation is with it being potentially just a matter of time before quantum computers threaten the security of everything, investing in post quantum solutions is an absolute necessity for companies looking to protect their image and protect their data.

Conclusion

We have explored the threat to modern asymmetric cryptography: Quantum computers. With this threat and some viable solutions identified, the next action is to gather information pertaining to your organization and its status as post-quantum ready. Identifying what data you have and how important the long-term security of it is can be a difficult task.

By working with Encryption Consulting, your organization will have up-to-date recommendations on the best practices to protect your data and reputation.  Encryption Consulting provides a variety of security-related services, including audits that can help ensure your organization is both compliant with the latest standards and is following industry best practices to stay secure moving into the future