We have all been spoilt for the last 40 years. We have been drinking the elixir that is RSA which cures all ills. RSA solves the problem of providing security of electronic communications. It allowed data to be encrypted between a sender and recipient with no prior exchange of secret information. Not only that, it allowed digital signatures to be applied to data to prove integrity and support non-repudiation. All we had to decide is the key-length, increasing this over the decades as computing power has increased to thwart brute force attacks.
This golden age of cryptography is nearing an end. The hardness problem underlying RSA can be solved by a sufficiently large quantum computer, which could exist as early as 2026, but most likely will by the early 2030s. The same is true of elliptic curve cryptography. That is not very far away.
Unfortunately to address this situation our lives are going to get a lot more complicated. There is no single algorithm which is quantum resistant and can replace RSA. We are faced with a range of relatively immature algorithms with various strengths and trade-offs. We will need to choose between encryption speed, decryption speed, and key size. As early as next year, NIST is expected to certify a number of quantum resistant algorithms. Industry will need to determine where to use each one.
There are several implications that we need to start to consider. The first is that we will be deploying a range of algorithms for different use cases. We will need to examine our requirements for our applications and pick the algorithm which provides the best fit. For IoT applications, key size will be important. For code signing, signature validation speed will be critical. Vendors will need to decide which algorithms they will build in support for, are you ready to provide your input to those decisions?
The issue of crypto agility will become critical. Given the speed at which quantum resistant algorithms will need to be rolled out, they will not have been subjected to the analysis and validation which has preceded the standardisation and roll out of previous algorithms. It is likely that some will be found to be less secure than expected, which could require a rapid replacement to maintain security of business applications. So maintaining an inventory of your crypto estate, and the organisational and technical infrastructure to replace crypto quickly will be more important than ever.
While quantum resistant algorithms are untested, we expect that a hybrid model will prevail in which legacy and new crypto will be combined to provide the classical strength of current algorithms bolstered by the quantum resistant algorithms. This can be achieved in different ways, which NIST are currently evaluating. As with any new standards, interoperability will take time. The fact that we will be living with a number of quantum resistant algorithms as well as backward compatibility considerations, will likely create additional interoperability issues.
My perspective is seeing how organisations have struggled with relatively straightforward crypto updates such as the migration from SHA-1 to SHA-2. This was difficult, and took a lot longer than it should have (introducing corporate level risks in the process). That was a walk in the park compared to the transition to quantum resistant crypto. I advise you to start your planning now to establish your crypto inventory and assigning ownership of initial planning activities.
To learn more about Post-Quantum security, watch our video.