It's not time to move to post-quantum cryptography yet -- too many things are still up in the air. But you can start to become prepared by making sure your infrastructure is agile.

Yehuda Lindell, Chief Scientist at Unbound Tech and Professor of Computer Science at Bar-Ilan University

August 26, 2019


If you believe the quantum computing hype, within a few years we will have achieved "quantum supremacy" — meaning that quantum computers will be able to carry out computations not possible with classical computing infrastructure — and within 10 years all cryptography will be broken as a result. This hype is fed by researchers vying for grant money, companies selling post-quantum secure encryption, and the fact that no one can say that they are actually wrong.

Personally, I'm a semi-skeptic. On the one hand, I'm not convinced that quantum computers at scale (at least at a scale large enough to break cryptography) will ever be built. On the other hand, they are possible, but I don't think they will happen anytime soon.

What about those who tell us that quantum supremacy is around the corner and all cryptography is about to be broken? I think they're fearmongers. First, quantum supremacy doesn't mean that computers will be strong enough to break cryptography. Second, reliable researchers that I have listened to and spoken with say that there are still very significant problems to be solved in quantum computing. But if they continue to use the word "possible" when describing quantum computing, I can't actually say that they're wrong.

So, what should we be doing now about the potential "quantum threat"? First, the cryptography research community should be focused on post-quantum secure cryptography. The good news is that this effort has been going on for years and is ongoing. The role of this research community is to make sure that we have the cryptography we need in the decades to come, and they are taking the issue seriously. (As a side note, symmetric encryption and message authentication codes are not broken by quantum computers, to the best of our knowledge.) Second, the cryptography research community should start thinking about standardization so that businesses are ready if the quantum threat does prove real. Once again, the good news is that NIST has already begun the process.

But all of this is about what the "community" should do. What should you — as someone who uses cryptography to secure your business — do? Let's start with what you shouldn't be doing. You shouldn't buy post-quantum encryption and the like before standardization is complete. What if you need to encrypt something that has to remain secret for 20 years? In my opinion, you should still hold off. However, if you are very concerned, you can encrypt using a method that combines post-quantum and classical schemes. Such a method requires an attacker to break both schemes in order to learn anything.

This combined approach is the one being proposed because, although we have confidence in the post-quantum secure schemes that have been put forward, they are less well studied than RSA and ECC. Among other things, this affects our understanding of the required key sizes. If you do insist on moving forward now, I recommend using an academically validated post-quantum scheme combined with a classical scheme, as explained above.
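The combining step described above, as an added example that is not the author's code: the two shared secrets and the two ciphertexts are constructed stand-ins for what an ECDH library and a post-quantum KEM library would return; the combiner itself is an RFC 5869 HKDF that feeds both secrets into one key and binds both ciphertexts into it, so an attacker who breaks only one component still has nothing.

```python
import hashlib
import hmac

# Added example (not from the article). The shared secrets and ciphertexts
# below are constructed stand-ins for what an ECDH library and a PQ-KEM library
# would return; only the combiner is the point.

def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """HKDF-Extract (RFC 5869) with HMAC-SHA256."""
    return hmac.new(salt, ikm, hashlib.sha256).digest()

def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Expand (RFC 5869) with HMAC-SHA256."""
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        out += block
        counter += 1
    return out[:length]

def combine_secrets(ss_classical: bytes, ss_pq: bytes,
                    ct_classical: bytes, ct_pq: bytes, length: int = 32) -> bytes:
    """Derive one session key from BOTH component secrets.

    Each secret must be a fixed 32 bytes so the concatenation parses
    unambiguously; the ciphertexts go into `info` so the key is bound to this
    exchange and cannot be reused with a swapped-in ciphertext."""
    if len(ss_classical) != 32 or len(ss_pq) != 32:
        raise ValueError("component secrets must be 32 bytes each")
    prk = hkdf_extract(b"\x00" * 32, ss_classical + ss_pq)
    return hkdf_expand(prk, b"hybrid-kem-combiner-v1" + ct_classical + ct_pq, length)

# Constructed sample values (NOT real KEM output).
SS_CLASSICAL = bytes.fromhex("11" * 32)
SS_PQ = bytes.fromhex("22" * 32)
CT_CLASSICAL = b"constructed-ecdh-public-share"
CT_PQ = b"constructed-pq-kem-ciphertext"

def attacker_learns_key_with_one_secret(which: str) -> bool:
    """Model an attacker who broke one component: they hold that secret and
    must guess the other. Returns True only if they can reproduce the key."""
    real = combine_secrets(SS_CLASSICAL, SS_PQ, CT_CLASSICAL, CT_PQ)
    guess = bytes(32)  # the broken side is known, the other side is a guess
    if which == "classical":
        return combine_secrets(SS_CLASSICAL, guess, CT_CLASSICAL, CT_PQ) == real
    return combine_secrets(guess, SS_PQ, CT_CLASSICAL, CT_PQ) == real
```

Because the whole transcript is hashed into the key, the same pair of secrets with a different ciphertext yields a different key, which is what rules out mix-and-match across sessions.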

While I don't think most organizations should deploy post-quantum secure cryptography now, there is one thing that everyone should do: transition your cryptographic infrastructure to one that is "agile" — that is, one that makes it possible to relatively easily switch algorithms, key lengths, and so on. When the algorithm and lengths are hard-wired into the code, the cost and complexity of changing can be overwhelming. This is why people continued using MD5 and SHA1 years after they were broken.

Cryptographic agility is an important property even aside from the issue of quantum computing because algorithms are sometimes broken, and key and other lengths sometimes need to be updated. You will therefore be doing yourself a favor even if quantum computing never happens. But if it does, you'll be ready, and you'll be able to replace your existing schemes with the best known at that time. This is my recommendation to everyone.
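What "not hard-wired" looks like in code, as an added example that is not the author's or Unbound Tech's: every tag carries the identifier of the algorithm that produced it, the verifier dispatches on that identifier, legacy algorithms stay verify-only while records migrate, and moving the default from SHA1 to SHA-256 is a one-line change. The key, registry names and message are constructed for the example.

```python
import base64
import hashlib
import hmac

# Added example (not from the article): self-describing tags so the algorithm
# can change without touching callers. Names and key are illustrative.

# Registry: algorithm id -> hash constructor. Old entries stay so that data
# already protected with them can still be verified during a migration.
ALGORITHMS = {
    "hmac-sha1": hashlib.sha1,
    "hmac-sha256": hashlib.sha256,
    "hmac-sha512": hashlib.sha512,
}
DEPRECATED = {"hmac-sha1"}       # verify-only: never used for new tags
DEFAULT_ALG = "hmac-sha256"      # the single line that changes in a migration

KEY = b"constructed-demo-key-not-for-real-use"  # constructed sample key

def mac(key: bytes, msg: bytes, alg: str = DEFAULT_ALG) -> str:
    """Produce a self-describing tag of the form 'alg$base64(digest)'."""
    if alg not in ALGORITHMS or alg in DEPRECATED:
        raise ValueError(f"{alg} not allowed for new tags")
    digest = hmac.new(key, msg, ALGORITHMS[alg]).digest()
    return f"{alg}${base64.b64encode(digest).decode()}"

def verify(key: bytes, msg: bytes, tag: str) -> tuple:
    """Return (valid, needs_upgrade). Unknown or malformed tags fail closed."""
    alg, sep, b64 = tag.partition("$")
    digest_fn = ALGORITHMS.get(alg)
    if not sep or digest_fn is None:
        return False, False
    try:
        given = base64.b64decode(b64, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False, False
    expected = hmac.new(key, msg, digest_fn).digest()
    valid = hmac.compare_digest(expected, given)
    return valid, valid and alg != DEFAULT_ALG

def reissue_if_needed(key: bytes, msg: bytes, tag: str) -> str:
    """After a legacy tag verifies, re-tag with the current default so the
    store migrates opportunistically as records are touched."""
    valid, needs_upgrade = verify(key, msg, tag)
    if not valid:
        raise ValueError("tag did not verify")
    return mac(key, msg) if needs_upgrade else tag

# A legacy tag, written the way a deployment hard-wired to SHA1 would have.
LEGACY_TAG = "hmac-sha1$" + base64.b64encode(
    hmac.new(KEY, b"order=42;amount=100", hashlib.sha1).digest()).decode()
```

The same pattern applies to key lengths and to encryption: the parameters travel with the data, and the reader refuses anything it does not recognise rather than guessing.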


About the Author(s)

Yehuda Lindell


Yehuda Lindell is the CEO and Co-Founder of Unbound Tech (previously, Dyadic Security) as well as professor in the Department of Computer Science at Bar-Ilan University. Prior to Bar-Ilan in 2004, he was a Raviv Postdoctoral fellow in the Cryptographic Research Group at the IBM Thomas J. Watson Research Center. He received his Ph.D. in 2002 from the Weizmann Institute of Science, under the supervision of Oded Goldreich and Moni Naor. He is the director of the Bar-Ilan Center for Research in Applied Cryptography and Cyber Security. Unbound Tech uses secure multiparty computation to protect cryptographic keys.
