Errors
- Unknown style found:
fastfactsheader - Unknown style found:
fastfactstext - Unknown style found:
fastfactsheader - Unknown style found:
fastfactstext - Unknown style found:
fastfactsheader - Unknown style found:
fastfactstext
For your first task at work, you check your emails. There is an urgent email from one of your coworkers, titled “Is our data safe? How are we affected?” The content of it are the articles “Q-Day has come; for the first time a quantum computer managed to factorize large integers into its prime factors breaking asymmetric cryptography,” and “The cryptographic apocalypse happened.” At first, you don't really understand the consequences of what you just read, but the more you read through the articles, the more your stomach drops. It becomes clear to you that the company is not ready for this, and all your company's data is at risk.
The scenario I describe above is a nightmare for all chief information security officers (CISO). It reads like it's from a movie. The main question I will systematically address in this article is, “How dangerous is the threat that quantum computers pose on our current crypto landscape?” The article includes a brief introduction to cryptography, and highlights in a case study the security impact of having a quantum computer on a company.
To answer the main question, I will first give you a basic understanding of quantum computing, so you get better insights into its power. Quantum computing has evolved dramatically, moving out of university research labs and into industry. At present, several companies work on different platforms for quantum computers, and some applications of quantum mechanics such as quantum key distribution systems have been rolled out already and are in use. However, full quantum computing platforms are still on the verge of being useful for real-world applications. The platforms differ in their maturity, but all are steadily improving in qubit quality and count, pushing the boundaries of what is achievable with current hardware.
At their very heart, quantum computers work fundamentally differently than classical computers (the computers we are using now). Instead of working with bits, a quantum computer works with qubits. A qubit represents a state, but unlike a bit, a qubit takes more than just a single value at a given time. For example, a bit either takes the value 0 or 1, often also coined with “false” (=0) and “true” (=1). In contrast, a qubit can not only take the values 0 or 1, but it can also take both values at the same time!? Does this sound like magic to you? The first time I heard about this, that's what I thought. This black magic essentially results from a theory developed by Max Planck and later Erwin Schrödinger almost one hundred years ago. From there, most of the prominent physicists of the modern era such as Albert Einstein, Niels Bohr, and Richard Feynman worked in one or another way with (or on) quantum physics. Over the last decades, the power of quantum physics, and especially its sub-discipline quantum computing, became increasingly clear, and the advantage of quantum computers over classical computers to solve certain kinds of problems was formally proven many times.
For example, quantum computers are especially good for factorizing numbers. When factorizing a number, the goal is finding the prime factors of a number, or in other words, “Which two integers do I need to multiply to get a certain number?” The question appears at first sight extremely easy, and not interesting. However, as we will see in a second, it's an essential question when it comes to cryptography and security. But for the start, let's do a trivial example; factorize the number 437. How would you start? Simple trial and error? Fix one number as prime, then try the next prime, and the next, until something works? No matter which way you choose, at some point you figure out that 437 = 19 * 23 but just trying is inefficient. It turns out that this problem is not only difficult for us, but also very difficult for classical computers. The best-known algorithms nowadays still require more than a polynomial amount of time and hence remain inefficient for large numbers. In contrast, and this is the important message here, a quantum computer can solve this problem in polynomial time.
I just told you that factorizing integers is related to security, so you may ask yourself, “What does factorizing integers have to do with security? Why should I care about such mathematical details?” Many cryptographic algorithms, such as RSA, rely on the difficulty of finding the prime factors of large integers. RSA is not the only scheme at risk—efficient quantum algorithms also threaten other common cryptographic primitives such as elliptic curve cryptography. The implications are tremendous: Q-Day refers to the day when quantum computers will be able to run algorithms that threaten current cryptographic systems. When that day arrives, attackers will be able to recover all data protected by such compromised primitives, putting billions of bytes at risk. We rely on these primitives everywhere: in email systems, in signing documents digitally, in API communications—and this is just part of a very long list.
It is a real-world strategy for an attacker to collect data now, and break the encryption later with a quantum computer, often referred to as harvest-now-decrypt-later. In fact, the large-scale recording of data for later analysis is already taking place, making your data vulnerable to decryption by a quantum computer in the years to come. For some ephemeral data, this may not impose such a problem, but consider medical records, or important documents such as company secrets or intellectual property. This information must remain confidential for an indefinite amount of time and must not leak to anyone under any circumstance.
What Are Qubits, and What Makes Quantum Computers so Powerful?
Let me be more precise about what a qubit is. As a reminder, a classical computer bit takes one of two values; 0 or 1. So the state-space is a finite set with the values {0, 1}. To perform operations with bits, you combine them using gates—AND, XOR, and OR at the lowest level. High-level programming languages hide these details from us, making our lives much easier when writing large-scale software. A qubit in a pure state (mixed states exist but are not considered here) no longer takes only one of two values. The state of a qubit is a vector. You have two basis states, i.e., basis vectors, written as |0⟩ and |1⟩. You can think of these basis states as the vectors [1;0] and [0;1] in the two-dimensional plane if you like, and they are the counterpart to the classical bits 0 and 1. When you look at the basis states individually, they behave similarly to classical bits. However, the main difference is that a qubit is not required to be either |0⟩ or |1⟩. A qubit is a vector so it may be in any superposition of these two states. We don't have a classical counterpart for this. So, naturally, you may ask yourself: “How many states can a qubit take?” The answer is shocking: infinitely many, because there are infinitely many ways to superpose |0⟩ and |1⟩. The coefficients in this superposition correspond to complex numbers whose absolute values squared sum up to 1. Figure 1 depicts a visualization of the pure state of a qubit using the famous Bloch-sphere.
Now you know what a qubit is but just having it without doing anything with it is rather pointless. What can you do with it? All operations on qubits correspond to linear operations (at a very high level, of course some restrictions apply), and you can do two different things with a qubit: measure it or apply a quantum operation on it. Applying a quantum operation is the simpler of the two; it just changes the qubit's state—rotating it, for instance. Measuring a qubit is trickier because it's probabilistic. A measurement probabilistically yields an outcome and that outcome tells you the qubit's state after the measurement. In other words, the way the state of the qubit changes under a measurement is a probabilistic process. As an observer, the outcome you see tells you which state the qubit collapsed into. Measurement outcomes are governed by a probability distribution, and that distribution changes depending on the qubit's state at the time of measurement.
For example, when a qubit is in an equal superposition of |0⟩ and |1⟩, and you measure with regards to the |0⟩ and |1⟩ basis, the qubit collapses into |0⟩ or |1⟩ with equal probability (50% each). However, if the qubit is an unbalanced superposition, such as sqrt(1/3) (sqrt here means taking the square root) for the |0⟩ state and sqrt(2/3) for the |1⟩ state, the very same measurement yields |0⟩ and |1⟩ with probabilities of 1/3 and 2/3, respectively. Measurements also come with an important consequence: In general, you can't infer what the state of a qubit was by just making a single measurement. And as the state changes due to the measurement, you can't repeat the measurement. As you can see this is quite tricky, and Einstein back in his days was not happy with this probabilistic nature of quantum physics. In a letter to Max Born, he wrote:
*Quantum theory yields much, but it hardly brings us close to the Old One's secrets. I, in any case, am convinced he does not play dice with the universe.
*A single qubit is not interesting, is it? Quantum computers use multiple qubits to do interesting things. For the sake of simplicity, you should know that one can easily extend the above framework with measurements and quantum operations to multiple qubits.
With a basic understanding of quantum computing in hand, I will explain the key differences between classical computing and quantum computing. One of these differences corresponds to how quantum computers process information. As I pointed out, qubits of a quantum computers can take more values than just 0 or 1 at a particular point in time. In fact, qubits can be in superpositions. And more importantly, as all quantum operations are linear, all these constituents of such superpositions evolve all at the same time! So, whenever you apply a quantum operation to a qubit in superposition, this operation will apply to all the constituents of a superposition. This lies at the heart of the first reason a quantum computer is so powerful.
Think about an algorithm to evaluate a linear function f. To evaluate this function for n input values, classically we must invoke f for every input once, namely n times. For a quantum computer, a single invocation suffices! You may wonder why and how. Unlike a classical computer, a quantum computer can track all computation “branches.” Hence, by preparing a superposition of all the n input values and applying the function f to this superposition, we apply f to all constituents of the superposition. Figure 2 compares the two approaches. Measurements, however, may collapse the superposition to read out information.
The second property that makes quantum computers so powerful is their ability to become entangled with—and thus linked to—other quantum computers. For classical computers, the computational power scales linearly as you increase the number of computers. For example, if one computer has the computational power of 10 (just to have an abstract notion for computational power), then two computers have a computational power of 2*10 = 20. The computational power of quantum computers scales differently. If a quantum computer has a computational power of 10, then two quantum computers have a computational power of 102 = 100. 100!!! That's insane!!! Three quantum computers have a computational power of 1000, and so forth. Figure 3 compares the growth in computational power for classical and quantum computing. You may wonder how this works? That's basically due to superpositions (which you already know by now) and entanglement, the most distinguishing characteristic of quantum mechanics. Entanglement is a very strict correlation between two (or even more) qubits, not present in classical physics. Simply put, entanglement tells you that you can't just look at a single qubit, as qubits may be so tightly coupled to each other that every time you change one of them, it will also affect the other. This happens without even having a physical connection between the qubits! Once entangled, they stay entangled even without a connection. Modern physics still has no explanation for it, but its existence was proven experimentally numerous times. However, to not lose the focus in this article, we won't dive deeper into entanglement, as this would require another article to cover it.
Quantum computers are super powerful, but what is all this processing power good for? Where could such a powerful computing platform help us to solve things faster, or more precisely? I will give you two concrete examples.
First, consider an algorithm that searches an unstructured data set. Such an algorithm turns out to be super useful for a wide variety of problems, like database queries but also in cryptography (which we'll discuss later). At its very heart, Grover's algorithm utilizes superpositions of qubits to speed up the search. It requires the implementation of an oracle function that marks the searched element in superpositions. Due to this marking, Grover's algorithm speeds up searches in unstructured data quadratically compared to classical computers. This comes with drastic consequences for database searches, as it means we can search large data sets with a quadratic increase in speed, which has implications on database providers but also data science and AI-driven applications.
Another especially important field for quantum computing is the simulation of molecules and quantum systems. Such simulations have a tremendous value for drug discovery and research on how our bodies process drugs. To understand how a drug compound works, scientists must calculate key values by accounting for its individual atoms and their quantum mechanical properties. A quantum computer is the natural platform to simulate such molecules and their interactions, as the qubits already map one-to-one onto the problem. Quantum computers can also simulate the binding affinity of a drug (i.e., how well the drug will “dock” to the target molecule) with much higher accuracy than classical computers, making them the perfect platform for future drug discovery.
Table 1 compares the expected runtimes for a normal computer, a supercomputer, and a quantum computer to complete certain tasks.
How Quantum Computers Impact Security
What about security? You now know about the basics of quantum computing, which is vital for what follows.
Next, I need to give you a primer on classical cryptography to lay the foundation for the threat quantum computers pose to classical cryptography. In case you are not familiar with classical cryptography, don't worry; I'll give a brief, both symmetric and asymmetric. Let's start with what cryptography in general is about.
Cryptography is an umbrella term for many different schemes aiding security including confidentiality, in terms of encryption and decryption, but also authenticity and integrity via digital signatures or message authentication codes, just to name a few. When it comes to encryption, we distinguish two kinds of schemes, namely symmetric and asymmetric.
In symmetric encryption (also referred to as symmetric ciphers), the goal is to protect the confidentiality of data by using a single key. It applies an encryption function that may operate on blocks of input data (block cipher) or on the stream of data (stream cipher) by utilizing the cryptographic key. The key together with the encryption function ensures that the output of the encryption, which we call a ciphertext, is unreadable and unguessable by anyone not knowing the key. Many block cipher algorithms have been proposed and are in use, including prominent schemes such as the Data Encryption Standard (DES) or the Advanced Encryption Standard (AES). For stream ciphers the most prominent examples are RC4, Salsa20 and ChaCha20. As you may guess, the strength of all these schemes depend on two factors—the random nature and length of the key, and the encryption function itself. If one or both are weak, this will have a direct impact on the security of your data. When recovering the plain message from the ciphertext, one uses the same key (that's also why it is called symmetric cryptography) used for encryption. State-of-the-art symmetric ciphers are AES with either 128-, 192- or 256-bit key length or ChaCha20 (with Poly1305 as authentication code). Mathematically, such ciphers build on top of finite fields. Figure 4 shows a schematic for how symmetric cryptography works.
I need to point out that symmetric ciphers suffer one major difficulty. As you may have noticed, for a symmetric cipher to work, the two parties that wish to exchange confidential messages both need to use the same key, as the same key that encrypts a message is the key that also decrypts it. This poses a major challenge for symmetric ciphers, as it necessitates the use of other schemes to exchange such a symmetric key.
In contrast to symmetric encryption, asymmetric encryption schemes use two keys that “fit” to each other. These two keys have the property that one of them, the public key, encrypts the message (which you can think of locking a box) and the other one, the private key, decrypts the encrypted message (which, of course, means it unlocks the box). The public key must be publicly known by everyone, as it is used to encrypt information for someone. However, the private key, as the name suggests, must be kept private and protected. Asymmetric schemes rely on different mathematical concepts than symmetric ciphers, and hence also have different security assumptions and guarantees. The most widely used asymmetric encryption schemes correspond to RSA or ECIES (elliptic curve integrated encryption scheme). The former one—RSA—uses at its very heart the product of two unknown prime integers for its security whereas the latter one exploits group-theory (another mathematical sub-discipline) on elliptic curves. When encrypting a message with an asymmetric scheme, the sender of the message uses the public key of the recipient to encrypt the message. The receiver consequently uses its private key to recover the original message. Figure 5 visualizes how asymmetric encryption works.
Asymmetric schemes remove the necessity to exchange (or agree upon) a symmetric key shared by two parties, which makes them especially useful in practice. When I want to send a message to someone, I only need to know the recipient's public key, and that's all! Asymmetric cryptography is also especially useful for performing key exchanges, most notably the famous Diffie-Hellman key exchange. In this key exchange, two parties exchange their public keys to agree on a common shared secret key for both parties. Figure 6 shows the underlying idea. The principle is quite simple and was adopted by most communication protocols we use nowadays. The parties of the key exchange consequently use the resulting shared secret as a cryptographic key for symmetric encryption.
Asymmetric schemes such as RSA or elliptic curves are applicable to other cryptographic primitives, such as digital signatures. Here, the role of the private key is to sign a message, and the public key serves the role to verify a signature of a message. Its purpose is clear: Digital signatures ensure that any tampering with a signed message will be detected by everyone. This mirrors the role of its historic counterpart: the handwritten signature. The look of a hand-written signature depends on the person that signs, and forgery is extremely difficult because they are so unique. The same is true for digital signatures: Due to this unique pairing of private key and public key it's certain that when a signature verifies for a public key, the corresponding private key must have been used to create the signature in the first place. Figure 7 shows how digital signatures use asymmetric cryptography to work.
Let's focus now on how this relates to quantum computers; we had enough of a detour into classical cryptography. What real-world threats do quantum computers impose on all this?
To understand the threat of a quantum computer on classical cryptography, I must outline the mathematical primitives that lie at the heart of them one by one. This will give you an understanding of where these schemes exactly break, and where the real problem lies.
I will start with RSA. The security of RSA builds around integer factorization, namely the task of determining the prime factors of a given number. It's that simple. When using RSA, independent of whether you are going to use it for encryption or signing messages, you first choose two prime numbers, let's call them p and q, that give rise to an integer n = p*q. The integer n should be very long in terms of its bit-wise representation, e.g., 2,048 or 4,096 bits. Next you sample an integer e and compute its multiplicative inverse d in the finite field defined by the least common multiple of p-1 and q-1. In most implementations the value of e is hardcoded to 65,537, since the security of the scheme depends on the values of p and q when determining the inverse d of e. This sounds complicated, but in real life it's pretty straightforward. The integers p, q, and d are kept secret, while n and e are made public. In cryptography, d serves as the private key—or, more broadly, p, q, and d together, since all three are unknown to the outside world—while the pair (n, e) is called the public key. Using a classical computer, it is difficult to determine d from the publicly known value e when only knowing n but not its prime factors p and q (from an attacker's perspective of course, as the attacker doesn't know your private information). If p and q are publicly known, the security falls apart, because an attacker first determines the least common multiple of p-1 and q-1 and using that, the attacker recovers d due to its knowledge of e. Wait, wasn't factorization of integers what quantum computers are so terribly good at? Wasn't there Shor's algorithm that factorizes numbers? YES! And that's the reason a quantum computer poses such a significant threat to RSA. An attacker can acquire the values n and e that make up your public key, as they are anyway publicly known by everyone, and from there, Shor's algorithm on a quantum computer recovers your private key!
By knowing the RSA public key
nandeof someone, a quantum computer determinespandqefficiently via Shor's algorithm which allows them to recover the private keyd.
But quantum computers pose a threat not only to RSA. Other schemes, such as elliptic curve cryptography, also fall apart. To understand why, we'll take a detour into elliptic curve cryptography, remaining on a high level without the underlying mathematics. Elliptic curves correspond to special curves in the two-dimensional plane where the points of the curve form a group, a mathematical concept in algebra. Simply speaking, on an elliptic curve one can define an addition operation for points on the curve that ensures every time I “add” two points according to this operation I get another point on the curve. Why is this interesting? These groups are finite when using coordinates from finite fields instead of numbers. In fact, by choosing a special point on the curve that we refer to as generator point G, any point on the curve can be written as sG where s is an integer from a finite field. This is where asymmetric crypto comes into play: suppose you sample an integer s and keep it secret. This secret integer maps to a point on the elliptic curve by multiplying it with the curve's generator point: P = sG. Classically (that means with a classical computer) it is very hard to determine s from knowing only P, also known in the literature as elliptic curve discrete logarithm problem (ECDLP). How does this relate to encryption? When encrypting information using ECIES (remember, that was the elliptic curve integrated encryption scheme), a sender encrypts data by using the point P (public key) of the receiver, and the receiver decrypts the ciphertext using s (private key). This situation looks entirely different from our previous example with RSA, as we are not dealing with integer factorizations into prime numbers, so why is this now also at risk of being broken by a quantum computer? The answer is simple: There exist variations of Shor's algorithm to solve the elliptic curve discrete logarithm problem efficiently! Therefore, if an attacker manages to acquire your public key P the attacker could decrypt data protected by it by recovering the private key s! The elliptic curve discrete logarithm problem is a special variant of the discrete logarithm problem, which is also highly relevant in cryptography. And, for these kinds of problems there exist variations of Shor's algorithm that break them.
For elliptic curves, variants of Shor's algorithm allow a quantum computer to solve the elliptic curve discrete logarithm problem efficiently, putting your private key at risk of recovery when using elliptic curves.
What about digital signatures? The tech readers of you that are a bit more familiar with elliptic curves may also wonder how a quantum computer will impact blockchains, as they use elliptic curves to generate signatures for transactions. Unfortunately, what I have described above, namely the ECDLP is independent of whether you use elliptic curves for encrypting information (using ECIES) or whether you use such curves to sign transactions. Therefore, digital signatures using elliptic curves won't be secure anymore once quantum computers solve the ECDLP for real-world keys, which puts your crypto coins at risk. Also, signature schemes using RSA will fall apart, as the core problem, as I described above, applies to both encryption and digital signatures using RSA.
Is this all? What about symmetric cryptography? Is this at least a safe bet for now? It turns out the situation is entirely different for symmetric ciphers, as they appear comparably robust against attacks from quantum computers. However, for symmetric cryptography a quantum computer also poses a threat. Recall that I said symmetric ciphers use a cryptographic key when encrypting information. When thinking more about the purpose of this key, it becomes clear that the right key decrypts the ciphertext, whereas all other keys will decrypt to garbage. Hence, when you use a key of bit length b then there is a chance of one out of 2b to get the key right. Doesn't this sound like the problem which Grover's algorithm solves? In fact, it does. And this is a problem for all symmetric ciphers using short cryptographic keys, as Grover's algorithm results in a quadratic speed-up! What does it mean? See the quote!
Grover's algorithm breaks symmetric ciphers quadratically times faster than a classical computer does. This means a quantum computer halves the complexity (in terms of key length) for brute-force attacks.
There are more cryptographic primitives at risk, but I think for the moment I have given you a good overview of how quantum computers impact the security of most modern, widely used, cryptographic primitives.
A Case Study
Let's walk through a simple example of how all of this can impact a company and its infrastructure. Suppose you're running a start-up company that figured out a way to predict the stock market very accurately by developing your own AI models together with some very sophisticated, proprietary algorithms and parameters that you want to keep secret at all costs. What are the things that require protection?
First, and most important, you protect your data, namely the AI model together with your algorithm and all the data for it in a database by encrypting it with AES-128. Alongside this data you also store other valuable information, such as a customer directory and bank account information for billing amongst other valuable information. To comply with current best practices in security you supply the key for AES-128 via an environment variable to the database provider. So, in summary, you use a recommended block cipher in accordance with security best practices, so you're safe.
When it comes to communication with your development team, and some of your partners and customers, you use some messenger solution, one that has been proven secure. Let's assume that this messenger uses ECIES. ECIES, which means elliptic curve integrated encryption scheme, is an asymmetric encryption scheme we came across before in which the sender of a message uses the public key of the recipient to encrypt a message. The scheme requires choosing both a secure elliptic curve and appropriate key lengths for the private keys. You comply with all the regulations and best practices nowadays, so you're safe here, right?
To implement your product and offer it to customers, you adopt the microservices architecture, and you use REST APIs for some communications. The endpoints for this API offer HTTPS as a transport protocol, and you simply rely on the utilized standards and defaults as secure fallbacks. Therefore, the services you offer use the current best practices.
When it comes to finalizing and signing documents, you bought a digital document management system so you don't have to print and manually sign documents anymore. This document management system uses RSA for signing documents. The keys have a length of 4096 bits, the currently recommended key length when using RSA for digital signatures. Each of your employees has their own private key, and so do your customers which you sign contracts with. The signed documents you store in an internal database, hidden from the world. Figure 8 shows the situation.
These are the facts. Now let's rewind to this article's introduction. Q-Day just happened, which unleashed the cryptographic apocalypse, and now you are worried about the consequences of your choices. You thought you did everything you could to protect your data. But did you really? Is your data safe? Let's examine your security landscape and see how robust it is against a quantum computer.
I start with the AI model, your algorithm (and all its data), customer data and bank account information. You have chosen to encrypt the entire database with AES-128. Recall that AES-128 requires a key of length 128 bit to perform the encryption. Hence, when guessing the key, an adversary with a classical computer has a chance of one out of 2^128 to find the right key. A quantum computer is quadratically times faster, which means here instead of one out of 2^128, a quantum computer guesses the right key in one out of 2^64 guesses roughly speaking. OK, that's serious since it is quite possible when thinking about a powerful quantum computer! If your database, even when encrypted, leaks to an attacker right now, the attacker can use a quantum computer later to break your encryption and read your data!
For your communications, the situation must turn out better, correct? You protect your communications with a state-of-the-art messenger, even using fancy asymmetric encryption schemes utilizing elliptic curves. This must withstand an attack by a quantum computer! Again, sorry, but you're wrong, and now you even know why! An attacker could record all communications now, even have recorded them already for several years, and store them somewhere offline for decryption later (remember “harvest now, decrypt later”). Since the messenger uses elliptic curves, an attacker could run Shor's algorithm—which solves the discrete logarithm problem for elliptic curves—to derive the private keys of every user. Thereby the attacker can read all the messages that were sent between the communication partners, including messages of your customers and partners. All the details you were talking about with anyone on that messenger will get leaked to the attacker.
I will point out one further detail I did not mention before. When you send requests via HTTPS, it uses TLS (transport layer security) under the hood. TLS is a security protocol, and it is the successor of SSL (secure socket layer). The transport layer security protocol uses asymmetric cryptography, either RSA or elliptic curves, to negotiate or arrive at a symmetric key to be used in combination with a symmetric cipher such as AES to encrypt all data in transit. As you may guess, here a quantum attacker has a nice attack surface. A quantum computer could break the key exchange/public key exchange, as it involves exchanging public keys from asymmetric cryptography in terms of RSA and elliptic curves, and thereby decrypt all communications through REST APIs using HTTPS. Also here, an attacker could record all the traffic now and decrypt it later using a quantum computer. The attacker runs Shor's algorithm when public keys are exchanged, derives the corresponding private key, and ultimately decrypts all communications to your services.
“But what about my contracts?” you may wonder. “I'm using RSA with 4096 bits—that's pretty strong,” you tell yourself, hoping that at least one of your primitives will survive. Here comes the tricky bit: A quantum computer could recover your private key from your public key used by your customers to verify your signature on a contract. After recovering your private key, the attacker can sign contracts on your behalf. That is fatal for your business and probably ruins your company.
Figure 9 summarizes the situation of how a quantum computer will affect your security landscape. As you can see, nothing survives this cryptographic apocalypse.
How Can You Prevent the Worst Case?
The picture I painted in the previous section is very scary, I know. And unfortunately, the picture is quite accurate. The philosophy of “harvest now, decrypt later” already sank into the mindset of many attackers. As quantum computers become more mature, Q-Day comes closer.
There are things you can do—quite a few, in fact. Covering all the mitigations for these issues would exceed the scope of a single article, so I decided to show you how to solve one of them, to give you a taste of what is possible.
For example, let us revisit the database encryption problem using AES-128. I previously told you that the main problem lies in the key length, right? Grover's algorithm requires only 264 guesses, roughly speaking, to recover the right key out of all of them. NIST's current recommendation reflects this directly: to maintain the same security level that AES-128 offers against classical computers, you need to double your key length to 256-bit. When it comes to symmetric cryptography the solution to this problem is to double the key length. It still remains unclear whether this is sufficient or not, but for the moment, it's the best we can do.
Conclusions
In this article I gave you a primer on the threat emerging from quantum computers onto our current cryptographical schemes. Looking at how fast quantum technologies mature now, Q-Day could happen soon, and the threat of it is a reality, not only on present data but even on data recorded in the past. Hence, there is not much time left to secure your data, and the sooner you analyze your security landscape and migrate it to quantum-safe primitives the better.
If you would like to know more about how to prepare yourself for Q-Day, and how to safeguard your data against quantum computers, reach out to CODE on how to do that.
<div class=`article-tables`>
<table id=`table1`>
</th> </tr>
Please provide the text you'd like me to analyze and reformat.
(linear time)
(linear time)
(sqrt faster than others)
(medium molecule)
(2048bit)
</td></tr>
</table>
