By Frank Guanco, Research Analyst, CSA
Consider this scenario: A CIO at a Fortune 500 company receives a call from a reporter asking how the company is responding to the announcement of the new commercially available quantum computer that can “break” RSA and Elliptic Curve Cryptography (ECC). This CIO has no plan, so he politely offers a “no comment” to the reporter. He then calls an emergency meeting with his executive team to figure out what can and should be done to protect the company’s data residing in the cloud.
While this story is fictional today, it could become a reality in the not-too-distant future. The Quantum-Safe Security Working Group (QSSWG), formed within the Cloud Security Alliance to help promote the adoption of technologies to protect data in the cloud even after quantum computing becomes readily available, recently released a position paper titled ‘What is Quantum-Safe Security?’ The document examines the need for a proactive defense against a multi-purpose quantum computer that should be available by 2030 and able to crack RSA and ECC encryption algorithms.
2030 is still so far away – why should we worry now? In 1977 when the RSA algorithm was originally introduced, it was estimated that it would take 40 quadrillion years to decrypt an RSA-129 (a variant of RSA) encrypted message. RSA-129 was cracked in 1994, less than 20 years later. While most of the encryptions used now are safe, quantum computers will drastically change everything, as they will be able to rapidly factor RSA keys of any length.
There are currently two technologies under development that intend to address the looming threat of quantum computers: Post-Quantum Algorithms (PQAs) and Quantum Key Distribution (QKD). PQAs consist of a number of new algorithms that are designed keeping in mind the known capabilities of quantum computers. QKD is physics based and allows keys to be exchanged between two different locations by using the quantum properties of photons. If an adversary attempt to intercept the key exchange is detected, changes in the measured quantum properties are made.
For now, the QSSWG recommends using both PQA and QKD, in an integrated solution, to guarantee that encrypted data in the cloud is safe against quantum computers. For more information, please refer to the full paper, ‘What is Quantum-Safe Security?’