Although the timing of the quantum threat is unknown, it’s top of mind for security conscious organizations. The Global Risk Institute, recently surveyed leaders and experts of quantum science and technology to get their opinions on the likelihood and timing of the quantum threat to public-key cybersecurity. Some patterns emerged from their responses as seen in the illustration below.
The report also outlines how organizations should assess their own level of readiness:
The urgency for any specific organization to complete the transition to quantum-safe cryptography for a particular cyber-system relies on three simple parameters:
If the threat timeline is shorter than the sum of the shelf-life time and of the migration time, then organizations will not be able to protect their assets for the required years against quantum attacks.
We take a closer look at this research and the findings of the report in our blog, "Understanding the Timing of the Quantum Threat."
Organizations need to start thinking about post-quantum security threats, because migrating to post-quantum cryptography will be difficult. One of the key reasons to start thinking about PQ early is to see how algorithms with different size, performance and throughput characteristics perform in your IT environment. When you start testing new algorithms, you can determine what breaks when PQ is introduced into your IT environment.
For the best resources for applying tools to test post-quantum resistant algorithms, we recommend:
Entrust Datacard has taken a leading role in preparing for post-quantum cryptography by collaborating with other organizations to propose new IETF X.509 certificate formats that place traditional algorithms like RSA and ECC side-by-side with new PQ algorithms.
We are also closely following the work of organizations like the National Institute of Standards and Technology (NIST), which has a project underway to develop algorithms that are resistant to quantum computing and eventually standardize them. We are also looking into developing hybrid test certificates that place traditional algorithms, such as RSA and ECC, side-by-side with new PQ algorithms. We want to help companies sustain their IT ecosystem to reduce replacements, maintain system uptime and avoid costly changes caused by a lack of preparation.
Entrust Datacard has been actively leading the discussions in IETF Forums, where solutions can be considered within the PQ community. Our public propositions are published in the IETF standards forum:
Composite Keys and Signatures for Use in Internet PKI
With the widespread adoption of post-quantum cryptography will come the need for an entity to possess multiple public keys on different cryptographic algorithms. Since the trustworthiness of individual post-quantum algorithms is at question, a multi-key cryptographic operation will need to be performed in such a way that breaking it requires breaking each of the component algorithms individually. This requires defining new structures for holding composite public keys and composite signature data.
Multiple Public-Key Algorithm X.509 Certificates
This document describes a method of embedding alternative sets of cryptographic materials into X.509v3 digital certificates, X.509v2 Certificate Revocation Lists (CRLs), and PKCS #10 Certificate Signing Requests (CSRs). The embedded alternative cryptographic materials allow a Public Key Infrastructure (PKI) to use multiple cryptographic algorithms in a single object and allow it to transition to the new cryptographic algorithms while maintaining backwards compatibility with systems using the existing algorithms. Three X.509 extensions and three PKCS #10 attributes are defined, and the signing and verification procedures for the alternative cryptographic material contained in the extensions and attributes are detailed.
Problem Statement for Post-Quantum Multi-Algorithm PKI
The Post-Quantum community (for example, surrounding the NIST PQC competition), is pushing for "hybridized" crypto that combines RSA/ECC with new primitives in order to hedge our bets against both quantum adversaries, and also algorithmic/mathematical breaks of the new primitives. After two stalled submissions, Entrust Datacard submitted a draft that acts as a semi-formal problem statement, and an overview of the three main categories of solutions.
Properly designed digital signature schemes used for authentication will remain secure until the day a suitable quantum computer actually comes online. Today’s quantum computers are limited in size and, therefore, pose no threat to present-day cryptography. And several significant engineering obstacles must be overcome before the threat becomes real.
Nevertheless, experts think these obstacles will be overcome in time. Many experts predict that a quantum computer capable of breaking today’s standard public-key algorithms will be available within the planned life of systems currently in development.
Today’s public-key algorithms are deployed for authentication, digital signature, data encryption and key establishment purposes. Once quantum computers of sufficient size become a reality, we will need replacement schemes for each of these functions.
Data encryption and key-agreement algorithms are susceptible to a recorded-cipher-text attack, in which an adversary today records exchanges protected by pre-quantum algorithms and stores the cipher text for analysis in the future — once they have access to a large-scale quantum computer. At that point they will be able to recover the plaintext. For these key purposes, depending on the required algorithm security lifetime, pre-quantum cryptography will become vulnerable sooner.
Once a suitable quantum computer exists, a signer could repudiate signatures created earlier, claiming that they were forged using a private key broken later by a quantum computer.
There are different approaches on how to prepare for secure cryptographical communications in a post quantum age. Using a hybrid approach is one of the more popular methods being proposed as a way of transitioning to the as yet undefined PQ algorithms. The hybrid approach suggests that rather than trust one algorithm, it places traditional algorithms like RSA and ECC alongside new PQ algorithms. This is helpful for current use cases while pre-quantum is an acceptable method for authentication and to test IT ecosystems against PQ algorithms.
A shared secret is derived when public and private keys are used under a defined key-exchange algorithm (e.g., Diffie-Helman, ECDH) and combined to form a unique key at each end of the exchange without private information being exchanged. A hybrid key exchange takes this principle and uses two or more shared secrets in combination to generate the unique key. The key exchange depicted below represent how a quantum resistant algorithm (e.g., New Hope, SIKE) might be used together with a classic, non-quantum resistant algorithm (e.g., DHE, ECDH) to derive a unique shared key.
Quantum computing is advancing, and while experts are not sure when there will be a quantum computer powerful enough to break the RSA and ECC cryptographic algorithms that are currently in use, many are operating under the assumption that this can happen within a 10–15-year timeframe.
Learn how quantum computing threatens the security of present-day public-key cryptography and what's being done to create quantum-resistant algorithms.