The rise of quantum computers, thousands of times more powerful than conventional IT, will herald the obsolescence of current cryptographic standards, warn security experts.
At risk: Not merely problematic or weak software installations, dodgy security certificates or outmoded crypto implementations, but the actual math underlying even the most advanced forms of encryption.
“[C]ryptographic standards rely on the expectation that the computational power required to break their encrypted output is simply above and beyond our combined means as a species,” states Kaspersky Lab’s 2016 Threat Predictions report. “But what happens when we take a paradigmatic leap in computational capabilities as promised by future breakthroughs in quantum computing?”
Quantum computers, according to the security firm, have fundamentally changed the game. Since cryptography is assessed by how difficult it is to break using classical computing power, quantum machines — which operate up to 3,600 times more quickly than current supercomputers — are expected to make quick work of even the most advanced cryptographic measures.
Kaspersky has called for the development of post-quantum cryptography to counter the looming threat. Juan Andrés Guerrero-Saade, senior security expert at Kaspersky Lab, told FedScoop that “there are already research efforts underway to come up with quantum-resistant” cryptography.
The problem, however, may be one of culture rather than capability. Guerrero-Saade pointed to a widespread inadequacy in the implementation of the SSL protocol as speaking “to the difficulties with wide and effective adoption of proper cryptographic standards that make a large-scale need for change so problematic. If we knew that developers had experience rolling out good crypto, we might consider post-quantum cryptography a matter of regular patching in need of a good scheme implementation and not a potential crisis scenario.”
Quantum computing is a relatively new breakthrough, with only a slew of very expensive models for sale to the public. This in itself affords a certain amount of protection, since extensive quantum resources will at first be available only to large institutions.
“We shouldn’t characterize it as a sort of Y2K parallel because it isn’t a situation where all cryptographic standards become obsolete overnight, specifically because of the foreseeable limited availability of quantum computing,” said Guerrero-Saade. “At first, it may mean that very high-end private companies or research institutions are able to decrypt the output of specific standards and, thus, begin a process of erosion of trust in these standards. Ultimately, the threat is relative to the availability of quantum computing power at scale.”
In the meantime, Kaspersky has urged research into new methods of cryptography while encouraging organizations to ensure they’re doing their utmost to meet current standards.
“We are still at a stage that requires endorsement of high caliber research into post-quantum cryptographic schemes. That is not an easy or trivial task. It’ll take money and bright minds,” said Guerrero-Saade. “Governments and companies would do well to throw their support behind this research at the appropriate levels.”