Moving into the new decade, one talking point that’s bound to come up more and more is quantum computing and the post-quantum cryptography that will be needed to secure our networks and endpoints when quantum computing arrives.
The word “quantum” will be used so often over the next few years that you’ll wish you’d bought stock in it. You’ll see it in marketing across multiple industries. It will be the subject of TED Talks, news stories, business journals — it will saturate all forms of media.
And while most of these conversations will be needed and worthwhile, there’s one very important fact that needs to be front and center: We are not there yet.
So, be vigilant — but also patient.
Quantum Computing Will Decimate Modern Cryptosystems
Quantum computing is still in its nascent stages. When it finally becomes viable, quantum computing is going to cause massive disruptions to our modern security solutions. But the key segment of that sentence is “when it finally becomes viable.”
Right now, primitive quantum computers exist, but we’re still learning to understand them and successfully run functions on them. It is quite literally still theoretical right now.
So, with that in mind, let’s clear up some of the confusion around “post-quantum” or “quantum-proof” security, and touch on why you should be cautious about both.
Quantum computers, when viable, will have little trouble rendering modern cryptosystems obsolete. Encryption is really just math. In antiquity, the math was performed by humans. Nowadays, it’s done by computers, which can perform complicated calculations far more efficiently than we ever could.
But given how proficient modern computers are with math, the encryption standards we’ve designed need to be economical to compute in one direction, yet prohibitively difficult to reverse. We call this “computational hardness.”
If the computer doing the encryption knows the proper value — the key — it can encrypt or decrypt data with nominal effort. But without the key, it would take that same computer thousands of years to reverse the encryption.
So, when you attack a cryptosystem, what you’re really doing is attacking the key — trying to crack the key by guessing its value.
This is complicated by the principle of exponentiation. Modern computers operate in binary. That means they use bits that can either be 1s or 0s. A 2048-bit RSA key is just a 2,048-bit-long string of 1s and 0s in its binary form.
The reason it takes so long to crack one is that a modern computer can only make one attempt to guess the value of the key at a time. After all, a bit can only be a 1 or a 0.
So the computer needs to successfully guess every single bit in the string to crack the key. And that gets exponentially harder by the bit. There are two potential values for a one-bit key, four for a two-bit key, eight for a three-bit one. 2 x 2 x 2 … all the way up to 2^2048.
The length of the number resulting from 2 to the 2,048th power would take several lines to write out. It wouldn’t even look real. But that is the number of possible combinations that a contemporary RSA key has, and a modern computer would have to guess them one at a time.
Quantum Computing Will Have No Problem Cracking Keys
Quantum computers don’t operate in true binary. They don’t use bits. Instead, they use something called a quantum bit or a qubit. A qubit, thanks to a quantum physical phenomenon known as “superposition,” can actually be both a 1 and a 0 at the same time.
While that may not be intuitive, let’s focus on what computing with qubits means: Quantum computers are exponentially more powerful than modern computers.
If a qubit can be both a 1 and a 0 at the same time, it can make multiple guesses at once. A one-qubit quantum computer can make two guesses at once. A two-qubit computer can make four. Three qubits means eight. It gets exponentially more powerful with each qubit you add.
Google currently has a 72-qubit quantum computer.
But before you start worrying, remember we’re still a long way off. Google is rumored to be approaching the point where it can actually get its quantum computer to run functions exceeding the capabilities of a powerful supercomputer, but even once that milestone is reached, we’ll still be years from having quantum computers that are ready for mainstream use.
Fortunately, We’re Working On Post-Quantum Cryptosystems
Research into post-quantum cryptography is underway. But much like quantum computing itself, these various approaches are still in their early gestational periods. We are literally researching new kinds of math.
And while progress has been made, nothing has been thoroughly vetted or standardized.
And standardization is not a smooth, seamless process, either. Take for instance DSA, the digital signature algorithm. First proposed by The National Institute of Standards and Technology (NIST) in 1991 after evaluating several different approaches, it wasn’t officially standardized until 1994. And even then, it was met with significant resistance from various industries that had bet on digital signatures made with Rivest-Shamir-Adleman (RSA).
Right now, NIST is still doing its initial assessments. More than a dozen different post-quantum cryptographic approaches are vying for standardization. The process will inevitably take years.
And in reality, that’s fine. We still have some time to get it right.
The threat of quantum computing is one you most definitely need to pay close attention to. But it’s not one you necessarily need to start budgeting for this year, or likely even next.
Instead, focus on crypto agility — another hot buzzword for 2020. Crypto agility means ensuring that you have the flexibility to swap out cryptosystems and possibly even vendors when the time comes.
It means building your products and applications so they have space to incorporate new post-quantum standards when they become available.
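One way to give an application that room, as an added illustration rather than code from the original post: the message format carries an algorithm identifier, callers sign and verify through a registry instead of naming a primitive, and the verifier enforces an allow-list so retired algorithms stop being accepted. The registry here holds two HMAC constructions only because they ship with Python’s standard library; the registry keys, envelope fields and demo key are all constructed for this example.

```python
import hashlib
import hmac

# Constructed registry: the only place a primitive is named. A post-quantum
# signature scheme would be registered here under a new identifier; nothing
# downstream changes, because callers dispatch on the identifier in the envelope.
ALGORITHMS = {
    "hmac-sha256": lambda key, msg: hmac.new(key, msg, hashlib.sha256).digest(),
    "hmac-sha512": lambda key, msg: hmac.new(key, msg, hashlib.sha512).digest(),
}


def sign(alg: str, key: bytes, payload: bytes) -> dict:
    """Produce a self-describing envelope that records which algorithm was used."""
    if alg not in ALGORITHMS:
        raise ValueError(f"unknown algorithm {alg!r}")
    return {"alg": alg, "payload": payload.hex(), "tag": ALGORITHMS[alg](key, payload).hex()}


def verify(envelope: dict, key: bytes, allowed: set) -> bool:
    """Dispatch on the envelope's identifier; reject anything outside the current policy.

    'allowed' is the deployment's allow-list. Removing an identifier from it is how an
    algorithm is retired: old envelopes stop validating without any code change.
    """
    alg = envelope.get("alg")
    if alg not in allowed or alg not in ALGORITHMS:
        return False
    payload = bytes.fromhex(envelope["payload"])
    expected = ALGORITHMS[alg](key, payload)
    # Constant-time comparison so the check itself does not leak the tag.
    return hmac.compare_digest(expected, bytes.fromhex(envelope["tag"]))


def migrate(envelope: dict, key: bytes, new_alg: str) -> dict:
    """Re-sign an existing payload under a newer algorithm; the payload is untouched."""
    return sign(new_alg, key, bytes.fromhex(envelope["payload"]))


if __name__ == "__main__":
    key = b"constructed-demo-key"            # constructed; never hard-code real keys
    old = sign("hmac-sha256", key, b"invoice-42")
    new = migrate(old, key, "hmac-sha512")   # swap the algorithm, keep the data
    policy = {"hmac-sha512"}                 # hmac-sha256 has been retired
    print("old envelope accepted:", verify(old, key, policy))  # False
    print("migrated envelope accepted:", verify(new, key, policy))  # True
```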
Stay vigilant, and be ready to act when the time comes.
Whenever that may be.
This is a syndicated post.