Quantum Computing & Crypto

Amazing effort by the Cyber hero's Bill Newhouse (Cybersecurity Engineer at NIST) and Cherilyn Pascoe (Director of Cyber Security at NIST) on their work to prepare multiple industries for Post-Quantum Cryptography. Also many thanks to Larry Letow for organizing a deep dive on Crypto.

Key Sections -- Ground Breaking Research from NIST, EY, PWC, Forbes, McKinsley, etc...

1. Imagine the Future
2. Predictions
3. High Level Risks
4. Where Am I the Most Vulnerable Today?
5. Practical Advice to Get Started
6. NIST - What Encryption Should I use?

Imagine The Future

1. If you could solve a maze by taking every single path simultaneously
2. You could calculate if a coin was heads and tails at the same time
3. Multiply that concept by a million and imagine you can compute every possible permutation of DNA splicing as well as the results, pro’s and con’s instantaneously.
4. Significant advancements in pharmaceutical, disease etiology, material science, energy, aeronautics, weather forecasting, blockchain and finance

Predictions

Currently as of late last year IBM has already setup a quantum computer to solve a problem that stumps existing methods, which is quickly being termed the “quantum advantage”.. Fast forward further..

• 2025-2026 - Quantum cryptographic algorithms become more available
• 2027 - 2033 - Quantum-Resistant crypto is developed and rolled out
• 2030 - fully error-corrected quantum computers could be available
• 2037 - Quantum computers are expected to mature by 2037? -- Eviden

Funding Of Quantum View

Risk Lens

High Level Risks

The Internet and all computer devices which use Cryptography are at risk, because this technology means our existing ways to secure our devices needs to be upgraded and re-deployed across our entire technology estate

1. Your Internet Connection - Protected securely via HTTPS which if captured today could be brute forced using quantum computers.. using a “harvest now, decrypt later” attack to get at the data with these computers
2. Your Computer - Protected by the startup process (firmware) or encryption on the computer (becomes comprisable) impacting your device's integrity
3. Your Mobile Device - Protected by firmware and device encryption would have to be protected

In Simple Terms

-???????? Integrity - Not being able to validate data has not been tampered with

-???????? Confidentiality – Not able to ensure our data is kept secure

-???????? Authenticity – Not able to know if we are talking to who we think we are

Before and After

• BEFORE - It takes 300 trillion years to crack RSA-2048 which uses prime factor encryption
• AFTER - It will take 10 seconds using a 4,099 qubit quantum computer
• AFTER - four million Bitcoins will be vulnerable?as per Forbes Magazine

Where Am I Most Vulnerable Today?

• Step 1 - Protecting long data shelf life - Symmetric keys are assumed to be mostly protected, however you will probably need update your key strength from 128 to 256 as well as have more memory for larger ciphertext.

Note - Key strength increase is due to Grover’s algorithm – which speeds up attacks by effectively HALFing the key length associated with symmetric algorithms..? 128bit .. so 256k becomes the new 128 bit

• Step 2 - Focus on Assymetric algorithms such as RSA being used for authentication / logins - Due to Shor’s algorithm developed in 1994 this cracks the logarithm algorithm using factoring and discrete math for the elliptical and Diffie-helman once a quantum computer becomes available. .. With the latest research in 2023, Jin Cai a Chinese American mathematician and pHD at cornell. Now faculty at Yale.

That said, I would suspect there will be service level enhancements that most companies can migrate to if they are using a cloud based offering. Therefore the work will be more for people having on-prem implementations.

NOTE - While digital certificates are also vulnerable if a historical transaction were to be compromised it is probably less risky, as the connection has already occured. Example: payment has already been made.

Global Investments on Quantum - In the Billions!

China, Israel1?and Russia2?have all developed quantum computers, with China’s efforts on its Jiuzhang quantum computer claiming quantum supremacy3?in 2019.

Practical Advice - Don't Wait till It is too late

1. Understand Your Inventory - Where are you currently using cryptography

1a. Internal Inventory - All Websites using HTTPS, All Secure Connections (VPN Tunnels), Firmware, Smart Cards, etc

1b. Third Party Risk - Identify all Vendors that are using cryptography.

1c. Understand the data flows and where cryptography is used to secure data

There are multiple discovery tools coming out to help you find your crypto.

2. Prioritize Based on Risk

2a. Crown Jewels – Most critical services generating revenue, has the most sensitive data or intellectual property

2b. Widest Blast Radius - Pervasive infrastructure such as DHCP, DNS, Networking, Firewalls

3. Determine Scope for Historical Data

3a. Data Shelf Life - How long do you have data that needs to be protected

or needs to be re-encrypted?

3b. System Shelf Life - How long does your system have to stay online and secure

4. Determine Your Speed of Migration

4a. Development Cycle - How long will it take to do the necessary development and migration

4b. Changing of vendors

4c. Upgrading HSM's, re-issuing certificates, etc

5. Select Your Approach

5a. TACTICAL -- Enhancing traditional encryption -- moving from RSA-1024 to RSA-2048 encryption may extend security lifetimes by one to three years. Also some articles are focusing more on Homomorphic Encryption as we know that data masking alone is not sufficient.

5b. STRATEGIC -Most to a preferred encryption algorithm that is quantum resistant such as Kyber, Dilithium or Sphincs as outlined below.

What Encryption Should We Use?

As per NIST guidelines

1. PREFERRED: One-key encapsulation mechanism (KEM) -- CRYSTALS-Kyber, designed for general encryption purposes such as creating secure websites, is covered in FIPS 203;
2. PREFERRED: CRYSTALS-Dilithium, designed to protect the digital signatures we use when signing documents remotely, is covered in FIPS 204;
3. ALTERNATIVES -SPHINCS+, also designed for digital signatures, is covered in FIPS 205;
4. ALTERNATIVES: FALCON, also designed for digital signatures, is slated to receive its own draft FIPS in 2024.)

How to Get Involved - With NIST

There has been tremendous thought leadership and communities coming together to establish a center of excellent for quantum computing and quantum cryptography

Further Guidelines Coming Out

References

1. Amazon – AWS – Reinvent – Matthew Campagna – Senior principal engineer? - https://www.youtube.com/watch?v=tNveX1aR_pc
2. McKinsely - https://www.mckinsey.com/capabilities/mckinsey-digital/our-insights/when-and-how-to-prepare-for-post-quantum-cryptography
3. EY - https://www.ey.com/en_us/consulting/what-c-suite-must-know-about-post-quantum-cryptography
4. PWC - https://www.pwc.co.uk/issues/cyber-security-services/insights/building-quantum-into-your-cyber-security-strategy.html
5. Eiden - https://eviden.com/publications/digital-security-magazine/cybersecurity-predictions-2024/post-quantum-cryptography-and-nist-standards/
6. Forbes - https://www.forbes.com/sites/davidbirch/2023/08/30/quantum-cryptography-should-be-part-of-your-security-strategy/?sh=61c0f8b415b5
7. NISTIR 8105, Report on Post-Quantum Cryptography, April 2016, publication is available free of charge from:?https://dx.doi.org/10.6028/NIST.IR.8105 [2] NCSC whitepaper,
8. Quantum-safe - Cryptography?https://www.ncsc.gov.uk/whitepaper/quantum-safe-cryptography [3] NCSC whitepaper, Preparing for Quantum-Safe
9. Cryptography, November 2020,?https://www.ncsc.gov.uk/whitepaper/preparing-for-quantum-safe-cryptography [4]?https://www.nist.gov/news-events/news/2020/07/nists-post-quantum-cryptography-program-enters-selection-round