Thoughts From the CEO of Cyberleaf
May 17, 2024
“Harvest now, decrypt later (HNDL) is an unseen bleeding wound.”
Yup- that is the headline from Qrypt, a company that focuses on providing quantum secure encryption products for Post-Quantum Cryptography (PQC).
As you might know, this is a real threat from the forthcoming advancement and development of quantum computing. An outcome of this is the ability of quantum computers to decrypt existing and ‘non-quantum secure’ encryption algorithms.
“Because quantum computers will eventually be able to decrypt your organization’s data, you are already in trouble right now. The longer you wait to adopt quantum-secure cryptography, the more of your data will later be decrypted and exploited.
Capturing encrypted data as it travels over the internet has always been easy to do. There just wasn’t much point so long as RSA and other common forms of encryption were expected to remain secure. Now that a range of corporations, governments, and universities are building new generations of quantum computers, we can see that at some point in the future, quantum computers will be powerful and accurate enough to break conventional forms of encryption. That unknown day is often referred to as ‘Y2Q’ ”.
This means the last 47+ years of RSA encryption and related utilization of passwords are all exposed. Within this scenario, is the supposition and reports (none that we can confirm) that China, Russia, and others have been hoovering up data and storing it so that they can decrypt it when they have such quantum computing. While not proven that this is occurring, it is too easy a task not to do, and the rewards from doing so are enormous.
How serious is this? Very. To be blunt, this will happen. It can be as soon as 12 months or less. IMHO, it is several years (4-8) away based on current advancements and research, but that is for another blog. When it does occur, all data that is not quantum secure will be compromised.
So, what will PQC break or decrypt? Most encryption uses public-key cryptography (PKC) systems that have a public and private key. The complexity of the secret key can be brute forced, and as you may know, the efficiency of the PQC environment is theorized to render such large numbers as insufficient to protect the privacy of the key(s). Subsequently, the brute force work that would take many years to solve can theoretically be done in seconds.
So, what can you do about it now?
NIST is working on a set of standards that will be released shortly. You can read more about it here. In the meantime, companies like Qrypt and others are delivering services with claims of post-quantum encryption capability. We have not vetted this ability and there are many in the space and a constant competition amongst quantum cryptographers to challenge, break, and test these. That is not the subject of this blog, but we will also address this at a later time.
As of this writing, there are six approaches to PQC. They are listed below, and several are generally accepted to be PQC-able. There is great criticism and skepticism of which one to choose (however, wait for the next article). Some cryptographers and quantum researchers are very skeptical of AES for example, as well as various hashes with proofs using classical computing to break these (so, not even using quantum). The fact is that how you apply your encryption is as important as the underlying cryptography.
Approaches to PQC:
- Lattice-based cryptography (There was a scare just last week that this was broken by the way. A serious peer-reviewed effort showed that this was not the case…just to keep you nervous.)
- Multivariate cryptography
- Hash-based cryptography
- Code-based cryptography
- Isogeny-based cryptography
- Symmetric key quantum resistance
Each of these has its proponents and critics. But what else can you do now? Since we are out of space on this blog, follow our link for future resources on our site, and stay tuned for review, analysis, and recommendations on preparing now for a PQC world!
-Adam Sewall, CEO Cyberleaf
Access the full Qrypt article here.
