Quantum safe cryptography

Guest blog by ZA Łoziński, Quantum Safe Networks, IBM Research #NatSec2024

Quantum Computing holds the potential to solves problems that no classical high performance computer can solve. Materials science: new battery compounds for EVs. Life sciences: new pharmaceuticals. Financial services: better risk models. Logistics: opimising routing of LNG carriers. AI: more accurate machine learning models. The UK’s National Quantum Strategy has a mission to deliver Quantum Computers for UK business, academia and defence.

Alongside these benefits, there is a risk. A large scale quantum computer can also factor large numbers very quickly. (We call this a Cryptographically Relevant Quantum Computer, or CRQC). This problem threatens the heart of the cryptography that secures our digital world. This risk was discovered by Peter Shor at Bell Labs in 1994, and as Quantum Computing has moved from a theoretical concept to the fleet of IBM machines on the cloud it has become more significant.

One risk we face today is “harvest now, exploit later”. An adversary exfiltrates encrypted data now, and stores it until a Cryptographically Relevant Quantum Computer is available. Some data has a very long life: healthcare records, security clearance records. It takes time to upgrade or replace systems: your passport is valid for 10 years, an aircraft may be in service for 50 years.

Cryptography is used to secure communications; the story of Bletchley Park breaking the ENIGMA machine is famous. Today communications like WhatsApp, Telegram are secured by cryptography. Cryptography is also used to secure on-line commerce. It is used to keep data secure from prying-eyes, like your healthcare and banking records. Cryptography also allows us to ensure data is not maliciously modified: the software updates to your car, and the property ownership records (your title deeds) at the Land Registry.

There are three types of cryptography. Symmetric cryptography (e.g. ENIGMA, AES) relies on both parties using the same key for encryption and decryption, which mean securely distributing these keys. Public Key cryptography works by everyone having two keys, a public key they share which everyone uses to encrypt messages, and a private key they use to decrypt messages (e.g. RSA, Elliptic Curve). In a stroke, Public Key cryptography solves the problem of distributing keys and so it is the basis of internet and mobile security. One Time Pads, beloved of every spy movie, are totally secure, so long as you never, ever, reuse the key. Distributing the keys for One Time Pads is difficult.

In 2015, the US National Institute of Standards and Technology started a process to identify replacements for our current Public Key cryptography to protect against the threat of a Quantum Computer. They are developing algorithms for Post Quantum Cryptography, which are secure aginst attack by classical and quantum adversaries. The resulting standards will be published later in 2024.

Now is the time for CISOs to start thinking what this change of cryptographic algorithms means to their IT and OT systems. The US Government has taken a lead, and the NSA has published a roadmap to make US systems secure by 2033. Here in the UK, the NCSC published guidance on this transition.

There is industry specific guidance available to help. For telecoms, the GSMA Post Quantum Telco Network Taskforce. In finance, UK Finance has published quantum risk and quantum opportunity papers.

Build a small team representing enterprise architecture, security and operations. DeveCreate an inventory of all the systems that depend on cryptography. Understand which are vulnerable, and define priorities for updating them. Work with your vendors and the open source community to understand when and how the software and platforms you use will be updated. Implement cryptographic governance, so that you manage the risk. Automation will be essential so that you find all the cryptography in use (libraries, certificate authorities, identiry management systems, firmware and code signing). Plan for remediation: this process will take a number of years, what is important is the management and governance.

Don’t panic, but instead plan and automate.

National Security Programme

techUK's National Security programme aims to lead debate on new and emerging technologies which present opportunities to strengthen UK national security, but also expose vulnerabilities which threaten it. Through a variety of market engagement and policy activities, it assesses the capability of these technologies against various national security threats, developing thought-leadership on topics such as procurement, innovation, diversity and skills.

Learn more