This article was previously published in Cybersecurity Trends, authored by Aron Seader, Eclypses Sr. Director of Core Engineering
Society has already benefited from quantum computing, and we continue to witness how quickly this powerful technology can simulate and test theories. But not everyone uses this technology for good: with more powerful technology come more advanced bad actors who will use it maliciously. We cannot continue to wait for these hackers to use quantum computing against us, so preparation now is critical. To combat these threats, it will take proactive, thoughtful approaches to cybersecurity and a new understanding of best practices that may seem foreign but will be instrumental in protecting our data and companies moving forward.
How does quantum computing work, and what makes it vulnerable to cyberattacks?
Quantum computing works on the same principles as modern computing, representing the world through complex mathematical equations. The difference is that instead of being restricted to a binary (yes/no, on/off, 0/1) answer, quantum computing can use qubits and superposition to represent more complex answers.
Because they are quantum particles, qubits can exist in two states at once, and it is the superposition, the degree to which a qubit is in one state versus the other, that can be utilized to answer more complex questions. Classical computers can only compute one answer at a time, systematically working through many individual equations to reach an overall conclusion.
Quantum computers, on the other hand, can do many related calculations simultaneously to arrive at an overall conclusion in one operation. This ability becomes very concerning in cybersecurity and encryption because it exponentially speeds up public key and brute force attacks.
Data encryption & its vulnerabilities
These quantum algorithms, specifically Shor’s and Grover’s, will supply a way to break both asymmetric and symmetric encryption. Asymmetric encryption, in this case, refers to the key agreement used to set up the encryption, not the encryption algorithm itself. These key agreements allow endpoints to share a public key insecurely and generate private keys to encrypt and decrypt data. This method is widely depended upon because it requires endpoints to have no previous knowledge of each other, making it very flexible and easy to set up. It is also important to note that these agreements are used in various other settings (e.g., digital signatures), and the following points apply to all of them.
Today, these asymmetric algorithms are safe because the calculations needed to break them take so long to execute that they are not a practical attack vector for cybercriminals. Quantum computers, on the other hand, can perform the factorization and discrete-logarithm computations needed to break asymmetric algorithms at an alarmingly fast rate, making them an efficient attack vector. Cybercriminals using quantum computing will target asymmetric algorithms first, not only because they are so widely used but also because a public key can be manipulated to recover the private key.
On the other hand, symmetric encryption is widely accepted as more resistant to quantum computing attacks because there is no public key to manipulate into a private key. Only a private key exists, and it must be securely stored on the encrypting and decrypting devices or securely provided to the encryption algorithm when needed.
This style of encryption, in turn, is typically compromised by brute force methods. Even when using key chaining, once one key is exposed, the same chaining can be applied to that key to derive other keys. These brute force methods are currently linear operations where conventional computers guess keys one at a time until they recognize the data as decrypted (for reference, this style of brute force would take the Fugaku supercomputer an average of 23 trillion years to perform on an AES-128 encrypted payload). By contrast, quantum computers can try every encryption key in parallel and reveal the data in hours instead of years.
Advanced computing requires advanced safeguards
These problems of tomorrow call for a unique solution unlike what is in use today. There are two strong possibilities for this solution: it could avoid encryption altogether, or it could manage encryption keys in a way that removes quantum vulnerabilities.
The first possibility may seem farfetched, as anything outside encryption seems otherworldly, but it would be relatively simple in theory to produce an alternative quantum-resistant technology. Drawing upon successful schemes of the past, which have proven to be some of the most secure data protection methods, the one-time pad would be a great model to work from.
Developed in WWI, the one-time pad takes data protection to the byte level, shifting each byte of data by a different random amount instead of altering an entire piece of data with a single key as encryption does. It does this by using a sample of random data that is the same length as the data being secured and XORing each byte of the two data sets to get a secure third string of bytes. This byte-level replacement of actual data with random data is robust and eliminates quantum computers’ advantage of guessing a key to decrypt an entire payload. Guessing keys only works because there are recognizable clues in a payload that verify whether the guessed key is correct. Brute forcing at the byte level becomes astronomically harder than verifying an entire payload because of the lack of contextual clues.
The trouble with the one-time pad is that the random data must match the data length and must somehow reach both sides for the securing and un-securing actions. These are complex challenges to overcome, primarily because the basis of most modern systems is zero-knowledge and session handshaking. However, the new push for zero-trust full-knowledge environments and the use of secure deterministic random bit generators (DRBGs) make these challenges manageable. They enable, respectively, secure endpoint relationships that persist between sessions and simultaneous generation of random data at any length.
The second possibility of managing keys might seem like a solution already offered, but the popular answers are anything but quantum resistant. This solution takes the process of key generation down below the level of encryption and removes all third parties and humans from the mix. It would eliminate the need to share public/private keys by systematically generating random single-use encryption keys when needed, only keeping them around while in use and never reusing them.
This method allows keys to change with every transmission instead of the session-based approach of TLS and other securities. Also, making the keys random means there is no basis on the data or any other key, eliminating the links that quantum computing manipulates. Creating such a method seems like a tall order, but again it only takes a shifting perspective for the proposition to seem obtainable. The generation of the keys via DRBGs would allow two paired endpoints to generate encryption keys simultaneously without ever sending any key information.
Removing the need to send a public key eliminates the most significant attack surface quantum computing has on encryption. The problematic piece to figure out is how these two endpoints synchronize. Drawing again on the fact that environments are driving towards zero-trust with full knowledge, the seeding of the DRBGs could draw from knowledge both endpoints already share, thus eliminating credential sharing and handshaking. Also, if the secure relationship persists between sessions, the registration of endpoints could be more secure and stringent than today’s, since it would only need to happen once during the first use of an endpoint.
These two solutions can even be combined using byte-level substitution for highly sensitive pieces of data and random key generation for larger, less sensitive data. This combined approach would be a highly secure yet efficient solution with endless flexibility to accommodate any environment.
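The byte-level XOR pad described above and the paired-endpoint, counter-driven key generation that never transmits key material, combined as this section suggests, in one added example that is not Eclypses' product code. It assumes a hypothetical `PairedEndpoint` class whose DRBG is stood in for by HMAC-SHA256 in counter mode seeded from a constructed registration secret; because the pad is derived from that seed rather than truly random, its strength rests on the seed staying secret, and the two sides must keep their message counters in step.

```python
import hmac
import hashlib


def otp_xor(data: bytes, pad: bytes) -> bytes:
    """Byte-level one-time pad: XOR each data byte with the pad byte at the same offset."""
    if len(pad) != len(data):
        raise ValueError("pad must match data length exactly")
    return bytes(d ^ p for d, p in zip(data, pad))


class PairedEndpoint:
    """Hypothetical endpoint: derives single-use pads from a shared seed and a message counter.

    Two endpoints built from the same seed produce identical pads without exchanging
    any key material; each pad is used once and the counter then moves on.
    """

    def __init__(self, shared_seed: bytes):
        self._seed = shared_seed  # agreed at one-time registration, never sent again
        self.counter = 0          # advances per message so no pad is ever reused

    def next_pad(self, length: int) -> bytes:
        # Stand-in DRBG: HMAC-SHA256 in counter mode, deterministic on both sides.
        label = self.counter.to_bytes(8, "big")
        out, block = b"", 0
        while len(out) < length:
            out += hmac.new(self._seed, label + block.to_bytes(4, "big"), hashlib.sha256).digest()
            block += 1
        self.counter += 1
        return out[:length]

    def protect(self, data: bytes) -> bytes:
        return otp_xor(data, self.next_pad(len(data)))

    def unprotect(self, data: bytes) -> bytes:
        return otp_xor(data, self.next_pad(len(data)))  # XOR is its own inverse


def demo():
    # Constructed registration secret shared once at enrolment (not a real credential).
    seed = hashlib.sha256(b"constructed registration secret").digest()
    sender, receiver = PairedEndpoint(seed), PairedEndpoint(seed)
    messages = [b"patient record 42", b"a second message, longer than the first"]
    on_the_wire = [sender.protect(m) for m in messages]      # only ciphertext leaves
    recovered = [receiver.unprotect(c) for c in on_the_wire]
    return messages, on_the_wire, recovered
```

If one side misses a message its counter falls behind and every later pad disagrees, so a deployment needs an explicit resynchronisation rule rather than silent garbage on decrypt.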
Readily available quantum computing is on its way, and the time is now to start future-proofing systems for its arrival. Waiting until we have the first quantum computing breach is too late. Gone are the days of monitoring being enough; quantum computing has the power to obliterate an environment within seconds of discovering a vulnerability. There will not be enough time to quarantine and take the reactive steps relied upon currently. Data needs to be the focus of security, and that security needs to anticipate the power of quantum computing.