Developing a post-quantum mindset for a conventional world Reissue every encryption key – by yesterday?

This week Brendan Rowan had the pleasure of moderating a panel on “Post-quantum Data Protection” in Venice as part of the inspiring and dynamic Privacy Symposium. (Chapeau Sébastien Z. and Luca Bolognini for another excellent edition).

With the expert panel of Magdalena Stobinska , Nick Espinosa and David Goodman , we delved into the topic of post-quantum cryptography and the immediate need for organisations to update their systems to prepare for a post-quantum reality.

A primer: cryptography and post-quantum data protection

Conventional cryptography comes in two forms: symmetrical and asymmetrical. Symmetrical cryptography is where the sender and receiver share the same private encryption key that encrypts and decrypts the communication. The key is most commonly protected through the encryption standard (AES 256) is almost impossible to break, however, if the key is lost or intercepted, the data is inaccessible or can be breached without detection.

Asymmetrical has two keys a private key belonging to the receiver and a public key that is generated and shared with the sender, both keys have a mathematical relationship. The public key can be readily accessed, but with only one key it is still not possible to access the data and is commonly applied in small data transfers over the internet.

?The protection of the encryption is based on difficult math problems, e.g. integer factorization, that is believed to be too difficult for conventional computing to crack, the longer the key the greater the difficulty.

?But quantum computing is not the same as conventional, it can perform different maths like the Shor’s algorithm, that can break the encryption keys readily, particularly in case of the assymetric public-private key coupling. Though the advent of a stable quantum computing system remains an open question, there is a real and serious risk to all existing encryptions in place.

Post-quantum security can look to apply new standards for quantum resistant algorithms (see recent NIST announcement[1]), leverage true randomness present in quantum states and deploy Quantum Key Distribution which is transformed by observation by a third-party.

Key takeaways:

• Post-quantum was here yesterday! While quantum computing may become a reality next year or in ten years, data is already being harvested for future decryption. The need to act is today not once all our communications are unsecure.
• We are already in the middle of a trust crisis in digital; there are more data breaches happening at a higher frequency than before. To advance in digital, to trust in big data and AI, we need to restore this trust.
• The transition to post-quantum cryptography will be gradual, it is the Y2K without a date that will require continuous upgrading of the systems globally. PQC is a software solution that can readily be deployed and sectors such as finance, defense, logistics and other critical infrastructure are leading the way.
• The fundamentals of data protection and privacy remain but how we implement them will have to change. As we progress to digital wallet identities and use more and more AI enabled assistance, our risk to our privacy is only increasing, with greater datasets and structured data being created on public cloud environments.
• Regulation is always behind tech development, with innovation comes opportunity for exploitation and regulators need to engage today to put in place the necessary actions, standards and requirements to underscore our future resilience.
• We cannot be complacent, we must be constantly on guard, we are basing our encryption methods on the belief that our math problems are too difficult to crack, but sometimes PQC encryption algorithms believed to be safe for years can be broken with an old PC in just one hour[2]. We cannot just apply PQC but all the gamut of options including Quantum Key Distribution and look at how we merge conventional and post-quantum approaches.
• The shift to PCQ demands overcoming not just financial investments but psychological barriers; organisations that have been the victims of an attack are likely to return to business-as-usual, post-trauma they believe that they won’t be attacked again but statistically 80% of ransomware victims are hacked again within six months.
• The case for investment in PQC is a difficult one, the risk is enormous but the date for impact is undefined; future problems don’t attract today’s budget lines. There is not a consolidated index or measurement of the impact and scale of post-quantum risks to data protection, the data is piecemeal and spread thinly across sources. Already, global costs of data breaches have increased by 15% from 2020 costing organisations on average 4M EUR.[3]
• There is, however, the opportunity to drive bottom-up demand, evangelising the need for PCQ within individuals, users and citizens to understand that their data may not be safe for much longer and drive investment by providers and public bodies.

?Post-quantum cryptography is not sci-fi, it is today. We may know our current momentum but not our position on the journey to the post-quantum future. It is clear that we need to build the global networks and standards around this to ensure that organisations and governments ensure the future security of our ever-greater digital fingerprint.

?Follow these global standards initiatives on INSTAR (https://instarstandards.org/) and understand how the skills for cybersecurity professionals are shifting with LEADS (www.advancedskills.eu).

[1] https://www.nist.gov/news-events/news/2022/07/nist-announces-first-four-quantum-resistant-cryptographic-algorithms

[2] https://thequantuminsider.com/2022/08/05/nist-approved-post-quantum-safe-algorithm-cracked-in-an-hour-on-a-pc/

[3] Cost of a Data Breach Report 2023 IBM