Modern cryptography, including elliptic curve cryptography, is used extensively to secure our internet payments, banking transactions, emails and even phone conversations. The majority of today’s cryptographic algorithms are based on public-key encryption, which is considered to be secure against attacks from modern computers. Quantum computing can break this security by working backwards to compute private keys faster than a conventional computer can.
Risk of Quantum Computing
Although quantum computers are still in their infancy and non-operational, with publicly known experimental quantum computers too small to attack conventional cryptographic algorithms, many national governments and organizations have begun to understand the risk involved when this technology becomes a practical reality.
Military agencies and leading technology companies have already increased funding and accelerated work on developing quantum computers because they can process massive amounts of data in a relatively short amount of time. With the amount of practical and theoretical research being carried out, the birth date of a practical quantum computer is not far away.
Conventional cryptographic systems offer computational security but do not ensure absolute or unbreakable security. The strength of current cryptographic algorithms relies on complex mathematical problems, such as integer factorization and the elliptic curve discrete logarithm problem.
These problems can be solved using large-scale quantum computers, which can therefore easily crack conventional algorithms. As a result, security experts have begun designing new encryption algorithms that are considered quantum-resistant and that can’t be cracked as quickly as conventional algorithms.
Threat to Cryptography
Recently, the National Security Agency (NSA) acknowledged the quantum computing threat by publicly announcing its plans for transitioning to quantum-resistant algorithms. Public recognition of the quantum computing threat has raised concerns over the Public Key Infrastructure (PKI) that is used extensively in securing the World Wide Web.
Quantum computers will be a threat to both symmetric key algorithms (block ciphers) and asymmetric public key algorithms (RSA, DSA and ECC). These computers can break every single popular public key algorithm in a trivial amount of time. Quantum algorithms, such as Shor’s algorithm, could be used to recover an RSA key in polynomial time, but quantum computers with sufficient strength currently do not exist.
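To make the link between integer factorization and RSA key recovery concrete, here is an added example (not part of the original article) of the classical half of Shor’s algorithm run against a constructed toy key (n = 3233, e = 17). The order-finding step is brute-forced here and is the only step a quantum computer would speed up; all function names are illustrative.

```python
from math import gcd

def find_order(a, n):
    """Smallest r > 0 with a**r % n == 1 (a must be coprime to n).
    Brute force: this is the step Shor's algorithm runs on quantum hardware."""
    r, x = 1, a % n
    while x != 1:
        x = (x * a) % n
        r += 1
    return r

def factor_via_order(n):
    """Classical post-processing of Shor's algorithm: orders -> factors of n."""
    for a in range(2, n):
        g = gcd(a, n)
        if g != 1:
            return g, n // g        # the guess already shares a factor with n
        r = find_order(a, n)
        if r % 2:
            continue                # an odd order gives no square root of 1
        y = pow(a, r // 2, n)       # y*y == 1 (mod n)
        if y == n - 1:
            continue                # trivial root (-1): retry with another a
        p = gcd(y - 1, n)
        if 1 < p < n:
            return p, n // p
    raise ValueError("no non-trivial factor found")

def recover_private_exponent(n, e):
    """Once n is factored, the private exponent follows directly."""
    p, q = factor_via_order(n)
    return pow(e, -1, (p - 1) * (q - 1))   # modular inverse, Python 3.8+

if __name__ == "__main__":
    n, e = 3233, 17                 # constructed toy public key (61 * 53)
    d = recover_private_exponent(n, e)
    c = pow(65, e, n)               # encrypt a sample message with the public key
    print("factors:", factor_via_order(n), "d:", d, "decrypted:", pow(c, d, n))
```

For a real 2048-bit modulus the loop in find_order is infeasible on conventional hardware, which is exactly the computational-security assumption described above.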
Post-quantum cryptography is concerned with designing cryptographic algorithms that are considered to be secure against attack by quantum computers. It is estimated that 2048-bit RSA keys could be broken on a quantum computer comprising 4000 qubits and 100 million gates. Although there are a few public-key algorithms that are considered unbreakable, they are not well studied or used in the present day.
Quantum cryptography is based on hard and complex mathematical problems to provide security that is stronger than traditional cryptography. If quantum computing becomes a reality, it will result in re-engineering and enhancements in current cryptographic systems.
It will definitely take a while before large-scale quantum computers become a reality. Experts are trying to work out cryptographic mechanisms for transitioning to new schemes that resist quantum attacks. This transition should take place well before our systems become vulnerable to attacks. One should also note that this transition or migration will be a tough problem to solve.
About the Author: Ashiq JA (@AshiqJA) is a cyber security consultant and security writer with solid experience in the security field and expertise in risk management for banking applications, vulnerability management, security audits and assessments, security policies and procedures, risk mitigation, application penetration testing and secure software development. In his previous role as a security consultant, he performed application and network penetration tests, secure code reviews, and server and device hardening checks, conducted regular server and device configuration audits to ensure that systems are secured as per the security policy and plan, and performed vulnerability assessments for identifying inconsistencies that may indicate various types of security loopholes.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.