Common encryption technologies may very well be out of date soon with quantum computing right around the corner. [shutterstock: 447671734, Ruslan Grumble]
IT security experts hear alarm bells ringing: Breakthroughs in quantum computing could sound the death knell for conventional encryption techniques. The time has come for post-quantum cryptography (PQC).
Once science fiction, quantum computers are now science fact. While Europe, the USA and China are engaged in a closely matched race to build the first practical large-scale quantum computer, intelligence services are believed to be working already on prototypes intended to crack algorithms considered safe today.
Even if quantum computers do not end up replacing conventional computers, they can be usefully deployed in research activities and other complex tasks. Quantum computing can achieve significant improvements in performance and efficiency for weather forecasting, for example, or the calculation of traffic flows. Yet these new possibilities are also generating new threats to IT security.
The end of the RSA algorithm?
Security experts widely expect that within the next few years a quantum computer will exist that is powerful enough to break the public-key encryption techniques now used billions of times every day. First and foremost, this affects RSA, the algorithm of choice for securing consumer bank transfers, card payments, online shopping and email encryption; the same quantum attack, Shor's algorithm, also breaks Diffie-Hellman key exchange and elliptic-curve cryptography. Symmetric ciphers such as AES are affected far less: Grover's algorithm roughly halves their effective key length, which a larger key compensates for.
In a corporate context, this affects cloud applications in widespread use such as Office 365 and Salesforce, as well as in-house cloud-based systems. Attackers equipped with a quantum computer could decrypt intercepted business-critical data, forge the signatures that protect software updates delivered over the internet and, in the worst case, take over entire IT infrastructures.
Alternatives are needed now – not tomorrow
“We should already be looking for alternatives,” warns Michele Mosca, a mathematician working at the University of Waterloo in Canada, in an appeal to IT security managers. Because encrypted traffic and data recorded today can be decrypted retroactively once a sufficiently powerful quantum computer exists (the “harvest now, decrypt later” threat), anything that must stay confidential for years is already at risk, and companies and organizations should start looking at new ways to encrypt their data as early as possible.
One outstanding option here is offered by post-quantum cryptography (PQC). All over the world, research institutes, universities and businesses are working against the clock to develop appropriate solutions – with TU Darmstadt taking a leading role in this field in Germany. Promising approaches include lattice-based, multivariate, code-based and hash-based encryption and signature schemes, which were developed a number of years ago and for which no efficient attack is known even with a quantum computer.
Noteworthy lattice-based schemes from this work include the signature scheme Ring-TESLA and the encryption schemes LARA-CPA and LARA-CCA2, which, unlike RSA, are designed to withstand quantum attacks. Since these schemes also allow shorter runtimes for encryption and decryption, and for signing and verifying signatures, they can improve application performance; the price is keys and ciphertexts that are larger than RSA's.
While the new PQC techniques are now starting to be implemented in open source applications, things are rather different in the proprietary software market. So how can companies act to protect their data even in the burgeoning age of quantum computing while also ensuring compliance with increasingly stringent data protection law – such as the EU General Data Protection Regulation (GDPR)?
Encryption gateways offer a solution
One potential solution is to use encryption gateways with customer-side key management to enable the easy integration of the more advanced PQC algorithms. Companies using encryption benefit from this approach because they can select the PQC technique that is the best match for their individual requirements. This is an important aspect: Unlike RSA, where essentially only the key length has to be chosen, the new PQC schemes have several interdependent parameters (for lattice schemes, for example, the ring dimension, the modulus and the error distribution) that together determine the security level, the key and ciphertext sizes and the probability of decryption failure, and these have to be fixed for each specific deployment.
Another advantage is that key and access management for the encryption gateway remains firmly in the hands of the client company. All data leaving the company to be processed or stored in the cloud is encrypted before it goes out, so it is unreadable to any unauthorized third party, including the provider of the application being protected and the provider of the cloud service. The flip side is that the gateway and its key store become the critical component: their availability, their own protection and the handling of key rotation now determine the security of everything behind them.
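To make two of the points above concrete (what a lattice-based encryption scheme looks like, and the parameter choices a deployment has to make), here is an added example in Python. It is not code from the original article, from TU Darmstadt or from the Ring-TESLA/LARA implementations: it is a minimal Ring-LWE public-key encryption in the style of Lyubashevsky, Peikert and Regev, with a hypothetical toy parameter set (n = 256, q = 12289, ternary errors) chosen for readability rather than security, plus a `check_params` helper that shows how the ring dimension and modulus bound the decryption noise and fix the key and ciphertext sizes. The `gateway_roundtrip` function mimics the gateway flow: the key pair stays on the customer side and only the ciphertext pair (u, v) would travel to the cloud. All names and sample data are constructed for this example.

```python
"""Toy Ring-LWE public-key encryption over Z_q[x]/(x^n + 1).

Added example, not code from the original article or from the Ring-TESLA/LARA
implementations. The parameters are a hypothetical toy set chosen for readability,
NOT a standardized or secure parameter set."""
import secrets

N = 256      # ring dimension (power of two); one message bit per coefficient
Q = 12289    # modulus; must exceed 4 * worst-case decryption noise (see check_params)
B = 1        # secrets and errors are ternary: coefficients in {-1, 0, 1}


def poly_mul(a, b, q, n):
    """Schoolbook multiplication modulo x^n + 1 (negacyclic) and modulo q."""
    res = [0] * n
    for i, ai in enumerate(a):
        if ai == 0:
            continue
        for j, bj in enumerate(b):
            k = i + j
            if k < n:
                res[k] += ai * bj
            else:
                res[k - n] -= ai * bj   # x^n = -1 in this ring
    return [c % q for c in res]


def poly_add(a, b, q):
    return [(x + y) % q for x, y in zip(a, b)]


def poly_sub(a, b, q):
    return [(x - y) % q for x, y in zip(a, b)]


def small_poly(n, bound):
    """Uniform coefficients in [-bound, bound]: the toy 'error distribution'."""
    return [secrets.randbelow(2 * bound + 1) - bound for _ in range(n)]


def keygen(n=N, q=Q, bound=B):
    a = [secrets.randbelow(q) for _ in range(n)]
    s = small_poly(n, bound)
    e = small_poly(n, bound)
    b = poly_add(poly_mul(a, s, q, n), e, q)          # b = a*s + e
    return (a, b), s                                    # public key, secret key


def encrypt(pk, bits, q=Q, bound=B):
    a, b = pk
    n = len(a)
    assert len(bits) == n
    r, e1, e2 = (small_poly(n, bound) for _ in range(3))
    u = poly_add(poly_mul(a, r, q, n), e1, q)           # u = a*r + e1
    scaled = [(q // 2) * m for m in bits]
    v = poly_add(poly_add(poly_mul(b, r, q, n), e2, q), scaled, q)  # v = b*r + e2 + (q/2)*m
    return u, v


def decrypt(sk, ct, q=Q):
    u, v = ct
    n = len(u)
    w = poly_sub(v, poly_mul(u, sk, q, n), q)           # w = (q/2)*m + (e*r - e1*s + e2)
    bits = []
    for c in w:
        centered = c if c <= q // 2 else c - q           # lift to (-q/2, q/2]
        bits.append(0 if abs(centered) < q // 4 else 1)  # nearest of 0 and q/2
    return bits


def check_params(n, q, bound):
    """Worst-case noise of e*r - e1*s + e2 with all coefficients in [-bound, bound],
    and the key/ciphertext sizes the parameters imply. Decryption is always correct
    iff noise < q/4. Security level is NOT assessed here; that is a separate analysis."""
    noise = 2 * n * bound * bound + bound
    coeff_bytes = (q.bit_length() + 7) // 8
    return {
        "noise_bound": noise,
        "decrypts_correctly": 4 * noise < q,
        "public_key_bytes": 2 * n * coeff_bytes,      # (a, b)
        "ciphertext_bytes": 2 * n * coeff_bytes,      # (u, v)
    }


def bytes_to_bits(data, n):
    assert len(data) * 8 <= n, "payload does not fit into one ciphertext"
    bits = [(byte >> i) & 1 for byte in data for i in range(8)]
    return bits + [0] * (n - len(bits))


def bits_to_bytes(bits):
    out = bytearray()
    for i in range(0, len(bits) - len(bits) % 8, 8):
        out.append(sum(bit << j for j, bit in enumerate(bits[i:i + 8])))
    return bytes(out)


def gateway_roundtrip(record):
    """Customer-side flow: key pair is generated and kept at the gateway; only
    (u, v) would be handed to the cloud. Returns the record recovered from the ciphertext."""
    pk, sk = keygen()
    ct = encrypt(pk, bytes_to_bits(record, N))
    return bits_to_bytes(decrypt(sk, ct))[:len(record)]
```

Real schemes replace the schoolbook multiplication with a number-theoretic transform, draw errors from a discrete Gaussian or binomial distribution, and, as in LARA-CCA2, wrap the CPA-secure core in a transform that gives chosen-ciphertext security; none of that is shown here. Note also what `check_params` does and does not tell you: with n = 256 and q = 12289 the worst-case noise is 513, so decryption never fails and a public key costs 1024 bytes, but whether the same parameters deliver the intended security level is exactly the analysis a deployment cannot skip.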