The IT decision makers that we interviewed for our 2019 Post Quantum Crypto survey registered concern. Over half (55%) of them said that today it was a “somewhat to extremely large threat,” while others looked towards a darker horizon, with 71% saying that if it isn’t today, it will definitely become one in the future.
When will tomorrow come, and how far away do quantum threats loom? Estimates differ as to when quantum computing will be available – some say 5 years, some say 10, and others say 25. The estimates go up and up. One thing is clear: The timer has started.
In late 2018, researchers at the University of Munich proved that quantum computers have an edge over classical computers, by developing a quantum circuit that can solve problems that were comparatively unattainable for a classical computer. 2019 was a banner year for quantum. IBM kicked it off by revealing Q System One, the world’s first commercial quantum computer.
Later that year, Google announced that its current quantum project had begun to solve problems which were impossible for classical computers and reached “quantum supremacy”. So, the race to fulfil the potential of quantum computing has begun in earnest, and for all of the bountiful goods that it can provide the world, it can also pose considerable threats.
Quantum computing — coming soon to an enterprise near you?
Quantum will break much of the encryption that underpins the modern internet. That’s at least what the US National Institute of Standards and Technology says.
While classical computing speaks in bits, a language composed of 1’s and 0’s, quantum computing speaks in qubits. Like normal bits, a qubit can either be a 1 or 0, or it can be an indeterminate state. It’s that seemingly small difference which makes quantum, well, the quantum leap that it is.
This brings us to the 2048-bit RSA Key – the minimum possible key length used to protect computer systems. Using classical computing, DigiCert has predicted that it would take several quadrillion years to defeat such a key. By comparison, the right quantum computer could break one in a matter of months.
The computer that can beat RSA or elliptic-curve cryptography – the algorithms on which internet security relies – has not yet been built. We are still on the first generation of quantum computers.
Quantum Cryptography: The next-generation of secure data transmission
In January last year, the US National Academy of Sciences released a report entitled ‘Quantum Computing: Progress and Prospects’, and said that the computer that can do this must be five orders of magnitude larger and requires technological advances which have not yet been invented.
However, quantum computing, and thus quantum threats, have been proved possible in the last few years, and everyone is betting big on it. According to Gartner, 20% of all companies will be investing in quantum in the next five years. So, when do organisations need to start preparing?
Michele Mosca, co-founder of the Institute for Quantum Computing, devised a formula for organisations to determine when they have to start transitioning to quantum-safe algorithms:
D + T ≥ Qc
D represents how long a piece of data needs to remain secret; T represents how long it will take for all systems to become quantum-safe, and Qc is how long before a quantum threat arrives.
If Qc turns out to be less than the sum of D and T, then an organisation is vulnerable. Establishing the values of D and T will be a more difficult task, but it sets out a useful frame of reference for quantum preparation.
Commercially available quantum computing might not be here yet, and that gives us time to prepare. Unfortunately, wide cryptographic changes often take a long time to take effect, and there are often decades between the call to update and the actual update.
There are still organisations around today who cling to long outdated cryptographic protocols. By the time quantum becomes an imminent threat, there will still be plenty of computers that are using obsolete cryptography. Whether quantum arrives in 25 years, 15 years, 5 years or tomorrow, the clock is ticking, and organisations should start preparing now.