Cybersecurity has rightfully gained a fair amount of mindshare among governments, enterprises and citizens alike. However, advances in technologies such as Quantum Computing (QC) and Artificial Intelligence (AI) are causing much apprehension that digital environments hitherto considered secure may become vulnerable.
In the digital world we live in today, cryptographic encryption and authentication are the de rigueur techniques used to secure data, communications, access to systems and digital interactions in general. Public-key cryptography is the widely prevalent technique used to secure digital infrastructure. The keys used for encryption and authentication in these schemes derive their security from specific mathematical problems, such as prime factorization, that classical computers cannot solve in a reasonable time.
This is the fundamental assumption on which our digital ecosystem is secured. As numbers get exceptionally large, especially beyond 2048 bits, classical computers are believed to be incapable of factoring them.
The Rivest-Shamir-Adleman (RSA) cryptosystem, a popular public-key scheme used to protect digital infrastructure, relies on the difficulty of factoring large numbers into their prime factors. Hence systems and data secured by such encryption, for instance with 2048-bit public keys, are almost impossible for classical computers or supercomputers to breach.
Given the current performance capabilities of the most powerful supercomputer, it is estimated to take around 300 trillion years to break a 2048-bit RSA encryption.
In 1994, mathematician Peter Shor devised an algorithm that a sufficiently powerful quantum computer could use to solve the factorization problem. Researchers have since demonstrated that, by applying Shor's algorithm, purpose-built quantum computers could break 2048-bit RSA encryption in a matter of hours.
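The following is an added example, not part of the original article, showing why an efficient order-finding routine defeats RSA. The quantum part of Shor's algorithm finds the period r of a^x mod N; here find_period() does that by brute force, which is only feasible for the tiny constructed modulus below (p=61, q=53), and the remaining steps are the algorithm's classical post-processing.

```python
"""Toy RSA broken via the classical post-processing of Shor's algorithm."""
from math import gcd
from typing import Optional, Tuple


def find_period(a: int, n: int) -> int:
    """Smallest r > 0 with a^r = 1 (mod n). Brute force stands in for the
    quantum order-finding step; it is exponential on a classical machine."""
    r, x = 1, a % n
    while x != 1:
        x = (x * a) % n
        r += 1
    return r


def shor_factor(n: int, a: int) -> Optional[Tuple[int, int]]:
    """Return a non-trivial factor pair of n for base a, or None if a fails."""
    g = gcd(a, n)
    if g != 1:
        return (g, n // g)          # lucky base: a already shares a factor with n
    r = find_period(a, n)
    if r % 2:                       # odd period: this base gives nothing
        return None
    y = pow(a, r // 2, n)
    if y == n - 1:                  # a^(r/2) = -1 (mod n): this base gives nothing
        return None
    p = gcd(y - 1, n)               # (a^(r/2) - 1)(a^(r/2) + 1) = 0 (mod n)
    return (p, n // p)


def rsa_private_exponent(e: int, p: int, q: int) -> int:
    """Once p and q are known, the private exponent d follows immediately."""
    return pow(e, -1, (p - 1) * (q - 1))


def break_toy_rsa(n: int, e: int, c: int) -> int:
    """Recover the plaintext of ciphertext c by factoring the public modulus n."""
    for a in range(2, n):
        factors = shor_factor(n, a)
        if factors:
            p, q = factors
            return pow(c, rsa_private_exponent(e, p, q), n)
    raise ValueError("no base produced a factor")


if __name__ == "__main__":
    # Constructed toy key: n = 61 * 53 = 3233, e = 17 (so d = 2753), message 65.
    n, e, m = 3233, 17, 65
    c = pow(m, e, n)
    print(break_toy_rsa(n, e, c))  # 65
```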
While it is not known exactly when quantum computers will be powerful enough to crack such encryption, a report from NIST (the National Institute of Standards and Technology, USA) surmises that breaches could occur in 2030.
The German government assumes that breaches of its most sensitive data protected with 2048-bit encryption are to be expected within 10 years. This indicates the seriousness of the matter and brooks no delay in countering it.
In this scenario, it is imperative to protect sensitive data by developing new quantum-safe encryption and authentication techniques, also referred to as Post-Quantum Cryptography (PQC).
Such measures would secure digital environments against both quantum and classical cyber-attacks. It is essential to find mathematical problems that are hard for both quantum and classical computers to solve. Quantum-safe cryptographic techniques therefore shift the underlying hard problem from factoring large numbers to problems built on lattices or hash functions, which remain challenging even for quantum computers.
NIST, USA has formalized the world's first quantum-safe or PQC standards, releasing the first three on 13th August 2024. They are:
1. Module-Lattice-Based Key-Encapsulation Mechanism Standard (ML-KEM) for key encapsulation, used for general encryption such as access to secure websites.
2. Module-Lattice-Based Digital Signature Algorithm Standard (ML-DSA) for general purpose digital signature protocols.
3. Stateless Hash-Based Digital Signature Algorithm Standard (SLH-DSA), a stateless hash-based digital signature scheme.
Algorithms that do not use hash functions or lattices in their approach are also under consideration for standardization.
This first group of standards is designed to secure and protect privacy in the quantum era, including email messaging, online banking and other financial and e-commerce transactions, among others. The new algorithms are also more resource efficient, as they run faster.
It is pertinent to note that telephony systems are also vulnerable in the quantum era. In India, C-DOT (Centre for Development of Telematics), a premier research establishment of the Government of India, is developing quantum-safe (PQC) solutions based on the NIST standards. Besides, it has developed indigenous Quantum Key Distribution (QKD) protocols for use in quantum communications, a secure way to transmit and receive digital information in the quantum era. Thus, India is gearing up to secure itself in the quantum era.
Now that standards for the quantum era have been introduced, PQC-based solutions are arriving in the market. Governments and organizations across the spectrum must move quickly to enhance their cyber resilience and tackle the challenges of the quantum era. The imperative is not only to prepare for an era of readily available, powerful quantum computers that could attack incumbent systems, but also to devise mechanisms to deal with the imminent possibility of decryption of data secured by classical encryption techniques. This could be existing encrypted data, or data stolen before quantum-safe encryption standards were available and hoarded in anticipation of quantum-computer-assisted tools to crack it.
It is critical that every cybersecurity professional assume that the most secure vaults in the digital ecosystem are no longer unbreakable and create a blueprint to make them quantum-safe. Irrespective of estimates of when quantum computing will become a real threat, the time to initiate quantum-safe countermeasures is NOW.
By Aiyappan, Founder, Congruent Services | Senior Member IEEE