The hype cycles that come with emerging technologies can be perilous waters for early adopters and buyers.
From the immutable yet seemingly impractical blockchain to artificial intelligence systems that are really just machine learning systems (which in turn are often really just rules-based software with data analytics), it’s common for marketing departments to blur the lines between innovation and grift when selling new technologies, and for businesses to get snookered.
One field that does appear to have long-term transformative potential is quantum computing and its cybersecurity cousin, quantum code breaking. But before we get started: actual quantum computers are not here. Not yet.
A small group of government-funded labs, industry titans and startups are toiling away, steadily increasing the number of quantum bits – or qubits – their machines can hold each year, but it will likely be a long time before businesses and other organizations can realistically buy one, or put its computing power to work on their organization’s problems.
However, a related issue is likely to be closer on the horizon: protecting the computers, systems and data we have today from the quantum code breaking techniques of tomorrow. While experts don’t know when or where a quantum computer will emerge that can break most forms of classical encryption, most agree that enterprises will need to replace their encryption protocols well in advance of that day. Beyond that, the threat of foreign governments or other actors harvesting your encrypted data today to crack it with quantum computers tomorrow is a real concern.
While government agencies and standards bodies are currently racing to test and vet new quantum resistant algorithms for widespread consumption, a small but growing industry of vendors has already popped up offering to sell such protections to the broader public. That leaves many in the business world facing thorny questions: when should they buy or implement such solutions, when is it too soon, and when is it too late?
"If you are not paying attention, you will get left behind,” said Dan Meacham, chief information security officer at Legendary Entertainment when asked for his thoughts on moving to quantum resistant encryption.
Still, like many in business today, Meacham finds himself struggling to separate the substance from the marketing.
“Innovation is a good thing…I think there is a lot of ‘quantum’ that really isn’t quantum – much like how AI and machine learning really are not AI or machine learning in some solutions,” he said. “At best, we need to partner with the vendor to fully understand what are we trying to solve, and if a quantum solution really is the answer.”
Setting the stage
The estimated size of the quantum-resistant encryption market is tiny, reflecting both the nascent state of the technology and likely a lack of awareness or urgency on the part of buyers. Forecasters peg the global market today at between $100-$200 million, but predict robust compound growth over the next five years. The overall encryption market is many times larger than that, and is likely to grow substantially over the next decade as more organizations switch out their classical encryption for quantum resistant versions.
Unlike other emerging technologies such as blockchain – where it’s far from clear the practical applications and use cases will ever justify the hype and speculation it unleashed – most experts in quantum physics and cybersecurity do think quantum-resistant encryption will become essential to data security in the not-too-distant future.
It’s that last part, figuring out just how distant the future is, that makes purchasing in this area today so tricky.
Quantum computers run by the federal government and industry titans like IBM and Google have been quietly chugging along for years, with ever higher qubit counts. While each new development has been met with excitement and reinforced the technology’s potential, most experts believe we are still five to 10 years away from a machine with enough reliable qubits to break classical public-key algorithms like RSA.
“It’s not just the number of qubits, it’s also the error rates and the accuracy that one needs to get” to break modern forms of encryption like RSA, said Josyula Rao, chief technology officer for IBM during an event hosted by national security think tank Center for Strategic and International Studies in June.
Rao said IBM’s research indicates that breaking today’s encryption would require a machine with approximately 6,200 qubits running roughly 2.7 billion operations. IBM said last year that it is working to build a quantum computer with 1,000 qubits by 2023.
“So we do have some ways to go before we get to the error rates we need to field a machine and run programs that can actually pose a threat to the security and cryptography that we’ve deployed today,” he said.
Others in industry dissent from that view, or argue that the concept of “technological surprise” tells us there’s at least some chance that experts are underestimating the pace at which the technology is maturing. Lisa O’Connor, managing director of global security research and development at Accenture, said “we may be closer than we think” to the kind of breakthroughs that would move quantum-based code breaking from the theoretical to the real.
“It doesn’t take solving all, it takes targeted focus and it takes targeted focus at an adversary going after that communication or that thing they want, past or present,” O’Connor said.
Post-Quantum, a British company founded in 2009, sells encryption and identity software solutions based on the Classic McEliece algorithm (currently a National Institute of Standards and Technology finalist). In an interview, CEO Andersen Cheng said that while the timeframe for a commercially available quantum computer may be a decade or more away, he believes military and intelligence agencies that employ teams of hackers are probably closer to developing something that can break classical encryption. If such a breakthrough were to happen as part of a classified government project, he worries the country behind it would have numerous incentives to keep it secret and use it to conduct digital espionage and intelligence gathering.
“I’m not talking about a [quantum computer] that JP Morgan can buy to do their own trading analysis or credit risk analysis, I’m talking about the sheer power to do code breaking,” Cheng said. “I can almost bet my house that whoever’s got a functional computer [first] will be keeping quiet about it. They will not be going to the press. They will not be like Google, claiming quantum supremacy.”
A quantum of (buying) solace on the horizon
NIST has spent years carefully vetting different types of algorithms that could be capable of withstanding quantum codebreaking in the future. The structure of NIST’s program reflects our current imperfect understanding, as well as the possibility that things could go wrong. There are currently 15 candidate algorithms (seven finalists and eight alternates) still being evaluated by the agency, after it cut dozens of other candidates in a multi-round process.
The agency plans to pick a handful of diverse algorithms to standardize by the end of this year, with the rulemaking and public comment process expected to push finalized encryption standards to 2024 or 2025. This could provide much needed clarity to potential buyers about the technologies and processes that will make their way into procurement, contracting and industry standards.
However, NIST officials have given clear, unambiguous advice to businesses in past years when it comes to buying such solutions today: don’t. At least not until they finish the new standards.
“We still recommend waiting to purchase commercial products for quantum resistance,” Dustin Moody, a NIST mathematician who leads the post-quantum cryptography project, told SC Media in an email this month.
Moody was blunt about NIST’s view of the potential dangers that come with buying quantum resistant encryption products today, noting that even as the process has increasingly tested each finalist, “we have seen algorithms broken in each round of the process.”
Due to the time and financial costs that come with switching out encryption protocols, as well as the likelihood that NIST’s chosen algorithms will underpin future federal contracting or industry standards, he stressed that “it’s important to get it right the first time.”
“By purchasing and implementing early, you risk using algorithms that are not the ones that end up being standardized. You risk not being interoperable with those that will use the standard,” Moody said. “Although there is always a security risk that a cryptographic algorithm may be broken [or] attacked, the risk is higher using algorithms that have not been standardized - particularly in this field of post-quantum cryptography.”
NIST does not discount the possibility of data harvesting. In fact, those concerns helped drive the creation of the project in the first place. However, Moody noted that this threat, while real, is likely less dire than perceived.
It’s true that a large-scale quantum computer would completely break the public-key algorithms in use today, such as RSA and elliptic-curve cryptography, by running Shor’s algorithm. But much of our data is encrypted with symmetric block ciphers such as AES, and here the impact is more modest: the known quantum speedup against symmetric keys (Grover’s algorithm) only roughly halves the effective key length, so cryptographers expect that moving to larger symmetric keys, for example AES-256, is enough to protect such data. The catch is that a symmetric key is only as safe as the mechanism that delivered it. In most deployments that key is established with a public-key exchange such as RSA or Diffie-Hellman, which is exactly what a quantum computer could break, so harvested traffic remains exposed through its key exchange even when the bulk cipher itself is fine.
However, most encryption experts believe that switching over to these new encryption protocols will be a laborious process, taking one to two years for most organizations and as long as five years for larger enterprises. In the meantime, NIST guidance does allow hybrid solutions that run a classical algorithm and a newer quantum-resistant algorithm side by side, as long as the classical algorithm is FIPS compliant: the FIPS-approved component keeps today’s compliance posture while the post-quantum component adds protection, though the agency warns that the existing standards “were not necessarily designed to provide post-quantum security.”
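The hybrid approach above is easy to state and easy to get subtly wrong, so here is the core of it as an added example (not NIST’s, Qrypt’s or Post-Quantum’s code). It implements HKDF from RFC 5869 with the standard library, then derives one session key from two shared secrets, one from a FIPS-approved classical exchange and one from a post-quantum KEM. The two secrets here are constructed sample bytes standing in for real ECDH and KEM output, because no cryptography library is assumed; the algorithm labels `ecdh-p256` and `pq-kem` and the transcript string are likewise illustrative. Binding the algorithm identifiers into the derivation is also what makes the design crypto-agile: adding or swapping an algorithm changes one list, not the protocol.

```python
"""Hybrid key derivation: combine a classical and a post-quantum shared secret.

Added example for illustration. The shared secrets below are CONSTRUCTED
sample bytes standing in for the outputs of a classical key exchange and a
post-quantum KEM run side by side; only the Python standard library is used.
"""
import hashlib
import hmac


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """HKDF-Extract (RFC 5869 s2.2) with HMAC-SHA256; an empty salt means all zeros."""
    if not salt:
        salt = bytes(hashlib.sha256().digest_size)
    return hmac.new(salt, ikm, hashlib.sha256).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Expand (RFC 5869 s2.3): T(i) = HMAC(PRK, T(i-1) || info || i)."""
    if length > 255 * hashlib.sha256().digest_size:
        raise ValueError("requested length too large for HKDF-SHA256")
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def hkdf(salt: bytes, ikm: bytes, info: bytes, length: int) -> bytes:
    return hkdf_expand(hkdf_extract(salt, ikm), info, length)


def derive_hybrid_key(shared_secrets, transcript: bytes, length: int = 32) -> bytes:
    """Combine several (alg_id, shared_secret) pairs into one session key.

    All secrets are concatenated as the HKDF input keying material, so an
    attacker who breaks one algorithm still lacks the full IKM unless they
    also break the others. The algorithm identifiers and secret lengths are
    bound into `info` so the same bytes cannot be reinterpreted under a
    different algorithm combination. Swapping or adding an algorithm is a
    change to this list, which is the crypto-agility hook.
    """
    if not shared_secrets:
        raise ValueError("need at least one shared secret")
    for alg_id, ss in shared_secrets:
        if not ss:
            raise ValueError(f"empty shared secret for {alg_id}")
    ikm = b"".join(ss for _, ss in shared_secrets)
    labels = b"+".join(alg_id.encode("ascii") for alg_id, _ in shared_secrets)
    lengths = b"".join(len(ss).to_bytes(2, "big") for _, ss in shared_secrets)
    info = b"hybrid-kex-v1|" + labels + b"|" + lengths + b"|" + transcript
    return hkdf(b"", ikm, info, length)


# Constructed sample secrets (NOT real ECDH/KEM output). In a real handshake
# these come from the two key-establishment mechanisms run side by side.
SAMPLE_CLASSICAL_SS = bytes.fromhex("11" * 32)    # stand-in for an ECDH shared secret
SAMPLE_PQ_SS = bytes.fromhex("22" * 32)           # stand-in for a PQ KEM shared secret
SAMPLE_TRANSCRIPT = b"client_hello||server_hello"  # hypothetical handshake transcript


def session_key_example() -> bytes:
    """Session key both parties derive from the sample secrets above."""
    return derive_hybrid_key(
        [("ecdh-p256", SAMPLE_CLASSICAL_SS), ("pq-kem", SAMPLE_PQ_SS)],
        SAMPLE_TRANSCRIPT,
    )


def attacker_with_only_classical_break() -> bool:
    """An attacker who recovered the classical secret (say, with a future
    quantum computer) but not the PQ one still does not get the session key."""
    guess = derive_hybrid_key(
        [("ecdh-p256", SAMPLE_CLASSICAL_SS), ("pq-kem", bytes(32))],
        SAMPLE_TRANSCRIPT,
    )
    return guess != session_key_example()


if __name__ == "__main__":
    print("session key:", session_key_example().hex())
    print("classical-only break defeated:", attacker_with_only_classical_break())
```

The concatenate-then-KDF construction is the same shape the IETF’s hybrid TLS key exchange draft uses. The point to check in any vendor’s hybrid mode is that both secrets feed the same derivation and that the derivation is labelled with which algorithms produced them; a product that merely encrypts twice with independent keys, or that derives the session key from the classical secret alone and only “wraps” it with the post-quantum one, does not get this property.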
Meanwhile, the National Security Agency’s cybersecurity division has said it expects to adopt a lattice-based signature algorithm and a lattice-based key encapsulation method to guard national security systems, plus a hash-based signature scheme for certain “niche” applications. Even here, the agency provides notable caveats as to their long-term reliability.
“At the present time, [we] do not anticipate the need to approve other post-quantum cryptographic technologies for NSS usage, but recognize circumstances could change going forward,” the agency said. “A variety of factors — including confidence in security and performance, interoperability, systems engineering, budgeting, procurement, and other requirements — could affect such decisions.”
Denis Mandich, chief technology officer at Qrypt, told SC Media that his company is mainly interested in selling to certain industries with extremely sensitive data and high regulatory requirements around keeping it safe. He pointed to a partnership Qrypt did with Telefonica earlier this year to incorporate its random number generating technology into the Spanish telecom's cloud-based virtual data centers.
“Our primary goal is to leverage banking, telecoms and large industries that have a compliance mandate and critical infrastructure,” Mandich said when asked about the kind of customers Qrypt pursues.
Cheng said the sectors with the most urgent timelines for implementing quantum-resistant encryption are likely government agencies or enterprises which have data that they have to keep for the next ten, twenty or thirty years, like health care organizations.
The underlying math and physics behind quantum computing can be unbearably complex, even for many IT and cybersecurity practitioners with highly technical backgrounds in other fields. (It’s so complex that this reporter has intentionally left out a fair amount of detail in this debate to spare readers from being buried in jargon).
At the same time the need for data encryption that can withstand quantum code breaking is nearly universal, as relevant to the small, mom and pop business as it is to Fortune 500 companies and government agencies. This has created an information asymmetry problem between buyers and sellers, with many businesses lacking the in-house expertise to spot lemons or snake oil solutions.
Multiple encryption vendors reached by SC Media cited two features they claim are key to responsibly selling quantum cryptographic solutions today.
Several have tied their products to algorithms that are finalists in the NIST process, something they say greatly increases the odds that they will be relevant to a post-quantum environment after three rounds of vetting.
“What I want to say is we are working closely with NIST and we understand the position when they give such warnings,” said Dr. Ali El Kaafarani, CEO and founder of PQShield and a visiting professor at Oxford University’s Mathematical Institute.
Kaafarani and others acknowledged that the potential for lemons or snake oil in the post-quantum cryptography market is high. He gave three examples of what he considers red flags for potential buyers: vendors that are not using one of the finalist NIST algorithms under consideration; those who sell anything resembling “crypto box” devices, rather than a process or solution for building encryption into your existing IT infrastructure; and solutions that are only designed to support a single algorithm.
Kaafarani, Cheng and others also strongly endorsed the concept of crypto agility – essentially designing your encryption protocols in a way that can facilitate the swift replacement of the underlying algorithm. The logic here is that future research may discover new attacks or weaknesses that can be exploited to render any one particular algorithm obsolete. It’s why NIST will ultimately choose multiple algorithms to standardize and hold another handful close at hand as backup options.
"Regardless of when NIST finalizes any quantum-resistant encryption, or when [they] become capable of breaking today's encryption, crypto-agility is a capability that is needed today," said JupiterOne CISO Sounil Yu.
One startup, Qrypt, has intentionally forgone the quantum resistant algorithms under consideration, relying instead on a much older classical scheme, the one-time pad, fed by its own random number generation for keys. Though it dates back a century (Vernam’s 1917 cipher, with Shannon proving its security in 1949), the one-time pad is the one form of encryption known to be unbreakable, even by a quantum computer with unlimited brute force, provided the key is truly random, at least as long as the message, and never used twice. The practical cost is that every byte of traffic needs a byte of key that must itself be generated and delivered securely, which moves the problem rather than removing it. It’s the method that was used by the White House to protect communications on its direct line to Moscow during the Cold War.
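The “never use the same key twice” condition is where one-time pad deployments actually fail, so here is an added example (not Qrypt’s code; the sample messages are constructed) showing correct pad bookkeeping beside the classic two-time pad break. If the same key bytes encrypt two messages, XORing the two ciphertexts cancels the key and leaves `p1 XOR p2`; with any known fragment of one message, the other falls out. The `OneTimePad` class name and its pool size are illustrative.

```python
"""One-time pad: correct use, and what goes wrong when a key is reused.

Added example. Messages are constructed; key material comes from the OS CSPRNG.
"""
import secrets


def xor_bytes(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("inputs must be the same length")
    return bytes(x ^ y for x, y in zip(a, b))


class OneTimePad:
    """Holds a pool of random key material and refuses to reuse any of it.

    Sender and receiver are each constructed from the same pool and consume
    it in lockstep; consumed bytes are never rewound.
    """

    def __init__(self, key_material: bytes):
        self._key = key_material
        self._used = 0

    def remaining(self) -> int:
        return len(self._key) - self._used

    def _consume(self, n: int) -> bytes:
        if n > self.remaining():
            raise RuntimeError("pad exhausted: generate and exchange more key material")
        segment = self._key[self._used:self._used + n]
        self._used += n  # irreversible: this is the property that makes the pad secure
        return segment

    def encrypt(self, plaintext: bytes) -> bytes:
        return xor_bytes(plaintext, self._consume(len(plaintext)))

    decrypt = encrypt  # XOR is its own inverse


def two_time_pad_attack(c1: bytes, c2: bytes, known_plaintext1: bytes) -> bytes:
    """Given two ciphertexts under the SAME key, c1 XOR c2 == p1 XOR p2 (the key
    cancels). Knowing p1 (a fixed header, a greeting) then yields p2 directly."""
    return xor_bytes(xor_bytes(c1, c2), known_plaintext1)


# Constructed sample messages, same length so one key segment covers both.
P1 = b"REPORT 0800: all quiet"
P2 = b"REPORT 0900: move now!"


def roundtrip() -> bool:
    """Correct use: both ends share a pool, each byte of key is used once."""
    pool = secrets.token_bytes(64)
    sender, receiver = OneTimePad(pool), OneTimePad(pool)
    c1 = sender.encrypt(P1)
    ok = receiver.decrypt(c1) == P1
    return ok and sender.remaining() == receiver.remaining() == 64 - len(P1)


def reuse_leaks() -> bytes:
    """A careless implementation that reuses the key: the attacker, seeing only
    c1, c2 and guessing p1, recovers p2 without ever touching the key."""
    key = secrets.token_bytes(len(P1))
    c1 = xor_bytes(P1, key)
    c2 = xor_bytes(P2, key)
    return two_time_pad_attack(c1, c2, P1)


def pad_refuses_reuse() -> bool:
    """The bookkeeping above makes the second message fail loudly instead."""
    pad = OneTimePad(secrets.token_bytes(len(P1)))
    pad.encrypt(P1)
    try:
        pad.encrypt(P2)
    except RuntimeError:
        return True
    return False


if __name__ == "__main__":
    print("roundtrip ok:", roundtrip())
    print("recovered from reused key:", reuse_leaks())
    print("pad refuses reuse:", pad_refuses_reuse())
```

When evaluating any one-time pad product, the questions are exactly the ones this code makes concrete: where does the random key material come from, how is it delivered to the other end, and what stops a byte of it from being used twice.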
We have already seen commercial products built on quantum key distribution, one of the most popular forms of quantum encryption, fail. In 2010, researchers from the University of Toronto in Canada published research showing how they broke the quantum cryptographic protocols used by encryption startup ID Quantique, exploiting errors in the process the product used to generate random numbers and create secret keys. The flaw was in the implementation rather than the physics, and it was correctable, but it’s a reminder of how difficult it can be to give security assurances around a still developing technology.
More recently, NIST has had to reevaluate one of its finalist algorithms, the Rainbow signature scheme, after researchers discovered two new attacks that substantially reduce its security level in bits.
Cheng, who has worked in the quantum encryption space for more than a decade, said he is seeing a growing number of companies pop up with little background in the field, using unvetted algorithms or making outsized promises about the risks. Executives should proceed with caution, he warned, lest they unwittingly create new security problems in the future.
“This is the industry we are seeing today, which is getting dangerous by the way, because…if you do it purely from an academic angle, it will cause what we call secondary characteristics [that classic forms of encryption like] RSA or elliptic curve never had,” he said.