What Your Enterprise Must Know About Quantum-Safe Cryptography

Quantum computers leverage the properties of quantum mechanics to process data in a way that differs from binary computers. From the dawn of electronic computing with ENIAC and Colossus in the 1940s up until today, all of our computers are designed to process binary data. Binary data is in bits, and each bit can be 1 or 0. Quantum computers process qubits, and each qubit can be 1, 0, or both 1 and 0 simultaneously. Without getting into a lot of very high level physics and mathematics, quantum computers have the potential to conduct much more sophisticated math. 

After decades of research and development, quantum computers are finally here. D-Wave Systems Inc. launched what is probably the very first commercially available quantum computer in 2017, the D-Wave 2000Q. IBM soon followed by launching their first commercial quantum computer, the IBM Q System One, in 2019. There is no publicly available information about how many of these quantum computers have been sold and are in use. But a Q1 2024 investor report from D-Wave indicates that they had 128 customers during that period. A quantum computer isn’t something one can walk into Best Buy to purchase. Some of the customers D-Wave has confirmed include Lockheed Martin, Volkswagen, and Los Alamos National Laboratory. They’re the kind of customers that would have purchased Cray supercomputers decades ago. IBM likely has a similar and possibly overlapping customer base for their Q System One computers. 

All of the encryption that we use to secure our computer data in transit and in storage today is based on binary computing. As early as 1994, renowned MIT mathematician Peter Shor warned the world that quantum computers can quickly and easily crack binary encryption. If quantum computers fall into the hands of cyber criminals, it could be very dangerous to all of cybersecurity and wreak havoc on our everyday lives. For example, most adults use personal banking and shop online. Various applications of cryptography are essential for keeping our bank accounts and credit cards relatively secure from threat actors. Imagine if a cyber criminal took control of a quantum computer and cracked thousands or millions of accounts almost instantaneously! 

That’s an eventuality that the National Institute of Standards and Technology (NIST) has been preparing for. In December 2016, just before the D-Wave 2000Q was launched, NIST announced their Call for Proposals for Post-Quantum Cryptography Standardization. The call for proposals asked cryptographers for new post-quantum cryptographic standards. Sometimes post-quantum technology is referred to as quantum-safe or quantum-resistant cryptography. It means cryptography that binary computers can use that will be resistant to being cracked by quantum computers. When I interviewed well known cryptographer Whitfield Diffie (we all interact with his Diffie-Hellman key exchange when we use the internet) for one of my books a couple of years ago, he was especially excited about NIST’s initiative. 

A few years have gone by, and we’ve now seen some of the fruits of the labor of various cryptographers submitting to NIST. In July 2022, NIST announced that they have approved of the first four quantum-resistant algorithms. Their press release started like this: 

“The U.S. Department of Commerce’s National Institute of Standards and Technology (NIST) has chosen the first group of encryption tools that are designed to withstand the assault of a future quantum computer, which could potentially crack the security used to protect privacy in the digital systems we rely on every day — such as online banking and email software. The four selected encryption algorithms will become part of NIST’s post-quantum cryptographic standard, expected to be finalized in about two years.” 

The lucky winners are CRYSTALS-Kyber for general encryption, and CRYSTALS-Dilthium, FALCON, and SPHINCS+ for digital signatures. Those were selections that started in Round 1, which closed in 2017. There have been three more rounds since then. Round 4 started in July 5^th 2022 with BIKE, Classic McEliece, HQC, and SIKE. NIST will approve of some more algorithms in the next few years. 

A couple of years has passed since the approval of the first four algorithms, which has hopefully given technology vendors some time to deploy them in the cryptography products that they sell to enterprises everywhere. 

Quantum computers being harnessed by cyber criminals isn’t a matter of “if,” but “when.” And what I wonder is when the first quantum cyber attacks are conducted, will we know about it? Will SIEM (security information and event management), SOAR (security orchestration, automation and response) and related technologies that enterprises use to detect cyber attacks be able to detect a quantum cyber attack? 

That’s food for thought because network security technologies are designed for binary computers and binary networks. And when quantum computers are connected through quantum networking, any attempt to look at qubits in transmission will change the qubit data itself. You cannot intercept a qubit without changing it, thus is the wacky nature of quantum mechanics. 

It’s time for NIST, IBM, and D-Wave to help cybersecurity vendors develop technologies to detect quantum cyber attacks.

About Kim Crawley: Kim is a prolific writer and researcher specializing in cybersecurity. With experience writing for major tech companies like AT&T, BlackBerry, and NGINX, Kim has made significant contributions to the field.

Her impressive portfolio includes books such as "The Pentester Blueprint" and "8 Steps to Better Security." Kim's expertise and insights will enhance our content, providing valuable perspectives on cybersecurity trends and best practices.

Stay Safe, Stay Secure.

The CybersecurityHQ Team