As they emerge from labs and enter the real world, quantum computers will doubtless prove very useful to humankind. They will not replace ordinary machines, but when it comes to tasks reducible to optimization and number crunching, they will leave their predecessors eating dust. Unfortunately, the revolution will not be confined to searching for new medicines and developing more advanced aircraft, but will include cracking computer encryption. It may take five or twenty-five years for such attacks to become feasible, but rest assured, there is encrypted data out in the world now that needs to remain protected over that time span and beyond. That is why large companies and government agencies need to start planning for the quantum future today.
The main obstacle to that planning is the absence of clear standards. The global community of cryptographers has already developed several promising algorithms that will be resistant to quantum attacks; however, these algorithms have to pass multistage testing and verification. The algorithms must be demonstrably resistant not only to quantum attacks, but to attacks of the classical sort as well. The fastest and most resource-efficient have to be determined so that they can be used in devices, such as IoT devices, with limited computing power, and the parameters (key length, etc.) will have to balance reliability and performance optimally.
But that is far from the end of it. Existing communication standards (for example, TLS) will have to integrate the algorithms, and we will have to establish rules for the new ciphers to coexist with the old. Clearly, this work will take years. What should app and platform developers, makers of autonomous cars, and strategic data custodians do in the meantime?
A roundtable of cryptography experts at RSAC-2020 sees the solution in “cryptographic agility.” Simply put, if you are currently developing or supporting a data encryption or hashing system, do not set tight restrictions. Ensure that the algorithms in use are updateable, and allow for generous adjustment to the key and buffer sizes — in short, give the system plenty of growing space. This is especially important for embedded or IoT solutions, because such technologies take a long time to implement and decades to modernize. So, if you buy a new system, ask the developers about cryptoagility.
If they ignore it, it will be very painful later to uproot the obsolete encryption algorithms and implant new ones. A good example comes from Microsoft’s Brian LaMacchia. When it became clear that the MD5 hash could be cracked, and was no longer suitable for generating digital signatures, Microsoft decided to pull the plug on it. A long audit showed that the company’s products contained about 50 (!) independent versions of MD5-calculation code, and each would have to be removed separately. As a result, the process took about two years to complete.
Another potential problem likely to become more acute as traditional algorithms get replaced by quantum-resistant ones is lack of memory for storing keys. If your system developers decided at some point that a 4096-bit buffer was enough key storage space for any encryption algorithm, then you will run into serious difficulties when implementing post-quantum encryption — even if the system supports the addition of new algorithms.
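The three design points above (replaceable algorithms, one place to switch an algorithm off, and key fields that are not sized for today's keys) can be shown in a few lines. The following is an added illustration, not code from the article or from any of the RSAC speakers; the registry, the envelope layout, the field names and the 512-byte "rigid" buffer are assumptions chosen for the example. The 1184-byte key is a constructed value whose length matches an ML-KEM-768 public key, used only to show that a buffer sized for 4096-bit keys is too small for it.

```python
import hashlib
import struct

# Algorithm registry keyed by a stable identifier. Callers ask for a hash by
# name instead of calling a primitive directly, so a new algorithm is added
# here once and withdrawn here once (contrast with ~50 scattered MD5 copies).
# Constructed example; the identifiers are assumptions for this illustration.
HASH_REGISTRY = {
    "sha256": hashlib.sha256,
    "sha3-256": hashlib.sha3_256,
    "md5": hashlib.md5,
}
# The single place where an algorithm gets "unplugged".
WITHDRAWN = {"md5"}


def register_hash(name, constructor):
    """Add an algorithm without touching any caller."""
    HASH_REGISTRY[name] = constructor


def is_approved(name):
    return name in HASH_REGISTRY and name not in WITHDRAWN


def digest(name, data):
    if not is_approved(name):
        raise ValueError(f"hash algorithm {name!r} is unknown or withdrawn")
    return HASH_REGISTRY[name](data).digest()


# Rigid key envelope: a fixed 512-byte (4096-bit) field and no algorithm
# identifier. Any key longer than the field cannot be stored at all.
RIGID_KEY_FIELD = 512


def pack_rigid(key):
    if len(key) > RIGID_KEY_FIELD:
        raise ValueError(
            f"{len(key)}-byte key does not fit a {RIGID_KEY_FIELD}-byte field")
    return key.ljust(RIGID_KEY_FIELD, b"\x00")


# Agile key envelope: algorithm name and an explicit key length travel with
# the key, so a longer key or a new algorithm needs no format change.
def pack_agile(alg, key):
    alg_bytes = alg.encode()
    return (struct.pack("!B", len(alg_bytes)) + alg_bytes
            + struct.pack("!H", len(key)) + key)


def unpack_agile(blob):
    name_len = blob[0]
    alg = blob[1:1 + name_len].decode()
    (key_len,) = struct.unpack("!H", blob[1 + name_len:3 + name_len])
    key = blob[3 + name_len:3 + name_len + key_len]
    if len(key) != key_len:
        raise ValueError("truncated envelope")
    return alg, key


def demo():
    """Store a 4096-bit-sized key and a post-quantum-sized key in both formats."""
    rsa_sized = b"\x01" * 512    # constructed: fits the old 4096-bit buffer
    pq_sized = b"\x02" * 1184    # constructed: length of an ML-KEM-768 public key
    results = {"rigid_rsa": True, "rigid_pq": True}
    for label, key in (("rigid_rsa", rsa_sized), ("rigid_pq", pq_sized)):
        try:
            pack_rigid(key)
        except ValueError:
            results[label] = False
    alg, key = unpack_agile(pack_agile("ml-kem-768", pq_sized))
    results["agile_pq"] = (alg == "ml-kem-768" and key == pq_sized)
    return results


if __name__ == "__main__":
    print(demo())
    print(is_approved("md5"), is_approved("sha256"))
```

The point of the registry is that `WITHDRAWN` is edited once when an algorithm is retired, and `register_hash` is called once when a candidate post-quantum primitive is adopted; the point of the agile envelope is that `pack_agile` accepts the 1184-byte key that `pack_rigid` rejects.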
To check the cryptoagility of your systems, try deploying cryptographic solutions that are based on those algorithms vying for the title of official post-quantum encryption standard. Many budding algorithms and protocols are already available via the Open Quantum Safe project. In addition to the source code of the algorithms themselves, the site offers ready-made builds of popular software products such as OpenSSL and a post-quantum version of OpenVPN, made by Microsoft.