Quantum computing breaks encryption next decade; current data at risk

Quantum computing is arriving now and could break public key encryption in a decade – so long-term valuable data could be obtained and held now to be decrypted later.

The brave new world of quantum computing is nigh. Companies are on the verge of bringing commercial technology to market, which is both an exhilarating and terrifying prospect for business.

IBM has recently released a new API for Quantum Experience, enabling developers to build interfaces between classic computers and a cloud-based quantum platform, while D-Wave systems has announced commercial availability of its 2000Q quantum computer.

Google and NASA have proved in the lab that quantum computers could be 100 million times faster than today’s technology. The D-Wave took about a hundredth of a second to solve a problem which would take 100 days to answer with a conventional computer.

This makes quantum computing a potential force of almost unimaginable power to crack problems that rely on complex mathematics, and it offers endless potential applications for good – and for ill. But will it live up to the hype? The fact that nobody yet knows is important for businesses to bear in mind. Keep a close eye on developments for sure: but don’t lose focus on here-and-now threats.

If it delivers, quantum computing could, for example, enable huge leaps in medical science and weather prediction. But it could also be used to break the fundamental encryption systems that keep data secure and ultimately govern our safety.

Public-key cryptography protects much of today’s Internet traffic, providing security for banking transactions, encrypted chat, secure Web browsing, and so on. Breaking the codes currently requires too much conventional computer time and power to make it feasible, but all that changes in the quantum era.

In the mid-1990s, MIT mathematician Peter Shor devised an algorithm for quantum computers which factorises so fast that it will make short work of asymmetric codes. That gives public-key encryption an expiry date that could be here within a decade.

Right now this type of attack is theoretical and has only been proved at low levels of complexity. But Dr Michele Mosca, co-founder of the Institute for Quantum Computing at Canada’s University of Waterloo, estimates there is a one-in-seven chance an attack will be possible by 2026 – and a one-in-two chance by 2031.

Is your information already being harvested?

It is likely that government intelligence agencies are already targeting select traffic for interception and storage in preparation for ‘Decryption Day’, and it is not beyond the realms of possibility that cyber-criminals could attempt something similar.

While this is undoubtedly more of an issue for national security, if communications around business that your organisation is doing today could still have commercial value in 10 to 15 years’ time, then this potential threat should be on your radar too.

The good news is that not all encryption will be broken in the quantum world: some algorithms that do not use factorisation as their mathematical base will remain robust. Symmetric algorithms will still be cryptographically secure, as long as their keys are doubled in length.

Governments, international bodies, and technology houses are working on solutions to the looming crypto crisis. Researchers in Russia have demonstrated quantum-safe blockchain cryptography and the National Institute of Standards and Technology (NIST) is running a project looking for post-quantum public-key algorithm submissions.

Inventing new algorithms will take time, but the vetting, selection, adoption, standardisation, and roll-out will take even longer. This is the biggest concern.

A game plan for 2017

While it’s important to keep up to date with the fast-paced developments in quantum computing, make sure you don’t take your eye off today’s threats.

1. Review your approach to securing data in transit and at rest. Check for other obsolete or weak algorithms across your enterprise.
2. If you have data you need to ensure remains confidential in the future, consider encryption with symmetric schemes in addition to asymmetric schemes where viable.
3. Look out for current advice and security guidelines issued by international bodies.
4. Maintain your focus on the threats of today and don’t allow yourself to be sucked too far into the hype.

Published in SC Magazine