But in the tech industry, change is always on the horizon, which means you need to get used to the idea that what you thought was invulnerable today might easily be threatened tomorrow. One of those changes is quantum computing, and it’s a field that’s developing quickly. For example, earlier this year, Google announced that it had built the largest quantum computing chip ever: a 72-qubit (a quantum bit) processor.
To put that into context, it’s important to explain how a qubit differs from the bit you learned about back in computer science class. Those bits are basic units of information represented by either a 1 or a 0. Qubits, which are represented by the symbol ‘0> and ‘1>, can also encompass values of 1 or 0, but can then extend those values to essentially an infinite number of states in between 1 and 0. What happens is that the probability of some number changes as you move between 1 and 0.
We’re not going to go into detail about how this works (you can read more about it here), except to say that, by having more potential values between 1 and 0, you can perform some types of computation faster. In some cases, many thousands of times faster than what’s possible with today’s more advanced desktop CPU architectures, like the Intel i9.
Because of the way quantum computers work, they can be used for jobs that are difficult for these more traditional CPU chipsets. This would include tasks such as multidimensional modeling, simulations, and, yes, codebreaking. It’s the codebreaking and encryption cracking that’s worrying security experts, and is also freaking out some folks involved with cryptocurrencies as well as those involved with the many other developments being made possible by blockchain technology. Blockchains and cryptocurrencies are, after all, simply very large numbers used to create a unit of whatever currency you’re considering. Bitcoin, for example, depends on public key cryptography. Public key cryptography is considered one of the most vulnerable to cracking by a quantum computer, which is part of what’s making folks with large Bitcoin investments sweat.
What this means to you is that some types of encryption that you depend on are no longer considered secure. Exactly how that may apply to you is described in more detail in this “Report on Post-Quantum Cryptography” published by the US Department of Commerce’s National Institute of Standards and Technology (NIST). What you’ll find in this NIST paper is that public key encryption is vulnerable to cracking by using algorithms on a quantum computer. But other means of encryption, including Advanced Encryption Standard (AES), which uses symmetric keys, and Secure Hash Algorithm (SHA-2 and SHA-3), will remain secure with some modifications.
Table 1 – Impact of Quantum Computing on Common Cryptographic Algorithms – Credit: NIST
The most widely used version of AES, which uses 256-bit keys, is actually relatively secure against quantum computing attacks. AES-256 is commonly used for mundane tasks such as Wi-Fi encryption. However, another commonly used version of encryption, secure sockets layer (SSL), uses public key encryption.
Calming Your Quantum Computing Fears
For now, you don’t need to worry, though as an IT professional, you should start to plan. Despite the rapid development of quantum computing, researchers don’t appear to have reached the point where they can routinely decrypt routine business communications. While that may come someday, you’re still fairly safe for now as long as you remember these key points:
- SSL communications are still safe; and because they are ephemeral, your users don’t need to worry that there’ll be a stored copy of their banking session or credit card purchase to be retrieved and cracked at a later date. However, that may change in the future.
- AES-256 will be safe, even against quantum attacks, for some time. Unless your data is valuable enough for a nation-state to spend millions of dollars to crack it, you don’t need to worry. However, if your business handles national security data, then maybe you need to find a better way and it’d be a good idea to start staying on top of devleoping cryptographic trends.
Age is important. Unless you need to protect your data for decades against future quantum attacks by using advanced algorithms, then some form of symmetric encryption (including AES) will do.
- Be prepared for encryption using longer key lengths because those are much harder to crack. Some keys can be found by using brute force techniques but, if the time to crack them by using the fastest quantum computer exceeds the expected age of the universe, then you’re probably safe. Longer key lengths will require more computer power to handle, but probably not enough to bog down your systems when they’re needed.
Remember that the quality of encryption is only one part of the security puzzle. Poorly executed encryption, weak or faulty software surrounding the encryption, and poor security practices can still expose your critical data through other vulnerabilities. For example, it doesn’t help to encrypt your communications if the bad guys can walk into your office and steal the data out of an unlocked file cabinet or, more often, the trash can.
While some forms of encryption now have a limited lifetime, the fact is, you still have time to determine what data you have that may have vulnerabilities because of encryption, and then evaluate whether or not the risk down the road will affect you immediately. For most day-to-day operations, it won’t. But if you deal with sensitive data that has a long lifetime, then you need to start planning for the future now.