Why you should implement post-quantum security now

For years, quantum computing has been a vision of the future. It’s a technology that has been far away – a distant promise of computing power far beyond our imagination. But major tech companies have made significant leaps forward in the development of quantum computing in recent years. And it’s something that should be front of mind for cybersecurity teams now – because the pace of development will only increase. 

In 2022, Jaya Baloo (CISO at Avast) spoke at Black Hat MEA about both the immense potential of quantum computing to enable positive change in society, and the challenges it poses for the cybersecurity industry: “Because this is everything we worry about in cybersecurity, in terms of being able to keep up with the level of concern around quantum computing.” 

Last year, IBM unveiled Osprey – a quantum computer with 433-qubits of power, more than triple the 127 qubits of the previous generation processor. IBM also announced plans to scale up to more than 4,000 qubits by 2025. 

And while Baloo highlighted how incredibly exciting this is, she also pointed out the key concerns: “...the most audacious thing about this is not that they’re doing this according to roadmap and succeeding on time. But the fact that they’re doing this with this audacious goal of making a quantum computer available to everyone, from the cloud.” 

On the journey towards democratised technology, this is encouraging. People and countries that aren’t building their own quantum computer will have access to quantum computing power. But simultaneously, it has significant implications for global cybersecurity. 

Quantum computing poses a threat to cryptography 

Cryptography is based on two very difficult mathematical problems: 

1. Integer factorisation
2. Discrete logarithms 

And the strength of a one-way function relies on the time it takes to reverse that function.

“That time is the problem,” Baloo said, because “we have the advent of Peter Shor and Lov Grover who gave us algorithms to reverse these one-way functions. They made the compute time to go back in this direction just as quick as the way that we went this way.”

“And that ability to reverse these one-way functions, that’s a real threat to all of our current cryptography, especially the stuff we use all across the internet – a-symmetric cryptography.”  

What can we do now to prepare for our quantum future? 

“People are trying continuously to confound and weaken the current cryptography systems that we use across the scale of the internet,” Baloo pointed out – and this won’t change when quantum computing is scaled. 

We we have to ask questions: 

• “What can we do from a cryptographic perspective that doesn’t arbitrarily introduce weakness from the get-go?”
• “How fast do we need to act?”
• “How long do we have before there’s actually a viable quantum computer that’s capable of breaking our current cryptography?”
• If we have a quantum computer and we know we need to keep our stuff safe for a long time, how long do we have to transition from the cryptography we have now, to one that is quantum secure?” 

This is crucially important – because change in security is, conventionally, not fast. Our ability to adapt and change is one of the biggest challenges the industry faces – and we need to prioritise quantum security before it’s essential across all networks, because otherwise we won’t have time to catch up. 

And there’s another problem: “everything that we’re currently transmitting, or have ever transmitted, is being captured, held, and is waiting for decryption capability. Because old secrets are as good as new secrets.” 

So Baloo urged that governments, organisations, and cybersecurity professionals need to: 

• Develop a phased plan of defence
• Investigate options for quantum inclusion
• Investigate post-quantum algorithms and start applying them now

“Everything we currently use for a-symmetric cryptography would need to be reviewed and migrated to a post-quantum standard. And I really urge you, please start now.”

There are already cryptography systems in the quantum space that you can experiment with, including post-quantum algorithms you can use to encrypt your data, and even post-quantum VPNs that are readily available. 

With all of these measures, it’s reasonable to assume that they will break in the future. 

“And that is OK if we’ve implemented something called crypto-agility,” Baloo said, and “that we’re ready to rip and replace when needed with a new set of algorithms.” 

“The fact that things are breaking is a good thing. It’s good that it broke, that we know about it, and that we can fix it.”

So start engaging now. Add quantum cryptography as a requirement for your security strategy. And remember that it’s good to fail – because when things break, you have the opportunity to build them back better.