Last week, Dutch news reported that intelligence agencies and other entities are urging us to start considering post-quantum security. But what did they mean by this? And just who was this message meant for?
Uh, quantum?
First, let's briefly discuss what quantum entails. I'll keep this quick and concise. Computers, as we know them, operate in binary. Every action a computer takes is through software. This software is written in programming languages, some of which are classified as "low-level" and others as "high-level". A "high-level" language is almost as readable as any random book to a programmer, whereas a "low-level" language tends to be much more technical.
A "high-level" language is often "translated" by the computer into a "low-level" language, and eventually into ones and zeros, the foundation of binary code. We call these ones and zeros binary because they consist of only two possible values. "Bi" stands for two in this context.
In quantum computers, we go beyond the binary system, yet not entirely. Human thinking hasn't changed much, so a quantum computer still fundamentally operates similarly to a traditional computer. However, the difference lies in the fact that in a quantum computer, a one can simultaneously be a zero, and vice versa. Pay close attention to the word "simultaneously", as it's crucial here. Due to this property, a quantum computer is much more powerful and faster than a current computer. This advantage also grows exponentially.
Why is quantum exciting?
Quantum computers are primarily theoretical at the moment, mere ideas on paper. There are a few prototypes, often found in universities, and most likely also within some governmental agencies or intelligence services. Although quantum technology is still in its infancy, it will undoubtedly evolve rapidly. Eventually, it will even penetrate our homes, appearing on our desktops, laptops, and smartphones.
This is something to look forward to because quantum computers are much faster and more powerful than today's computers. It's not a new generation of hardware, as we often see now; it's truly a massive leap forward all at once.
However, at the same time, this is also concerning because a significant portion of our security nowadays relies on technology. In the Western world, we extensively use computers in our daily lives, ranging from checkout systems in supermarkets to managing patient records in hospitals, and from personal data in government registers to securing passwords for online accounts.
This security largely relies on the use of algorithms, a concept that has been applied for decades.
How quantum breaks algorithms
The idea behind using algorithms for data security is that it's a mathematical wonder. It's a process where a text like "slice of cheese" can be transformed into something unreadable, like "KPV1ppiclTJf3aHq0771Jg==". However, if you know the correct password, such as "cheese slicer" in this case, a computer can convert it back to "slice of cheese".
The security of this process relies on algorithms that are nearly impossible to crack without the correct password. That's why software developers need to regularly update algorithms to ensure security as computers become more powerful.
The fastest way to crack an algorithm is, ironically, to use a computer. For this reason, algorithms are designed so that the time needed to crack them is so long that it's practically infeasible, often spanning decades or even centuries.
However, quantum computers are much faster. This means that, in the future, they could potentially crack within seconds algorithms that are currently considered unbreakable.
Why worry now then?
Quantum computers are barely here, even though they're on the horizon. So why worry now? Why was this already in the news? Why are intelligence agencies and governments already concerned about this?
This is due to two important facts:
- The industry needs time to respond to changes.
- Data that is stolen now could be cracked later.
So what do I mean by this? Firstly, this news primarily targets software companies, not regular citizens. Governments seem to want to remind the industry of the advent of quantum computers and encourage them to start looking into it now. The average citizen has little to do with this. However, by mentioning it in the mainstream media, they hope to spark conversations among companies: not just IT companies, but also consumers of IT companies. Now is the time to cautiously start addressing this issue.
Who was this call intended for then?
But it's mainly about the discussion. Because concretely, there's little to be done. For example, the American NIST wrote in 2022 that four potential candidate algorithms have been selected that appear to be resistant to quantum computers.
"While the standard is in development, NIST encourages security experts to explore the new algorithms and consider how their applications will use them, but not to bake them into their systems yet, as the algorithms could change slightly before the standard is finalized."
But they also indicate that these algorithms should not yet be used because things could still change. Additionally, they state that the algorithms are not yet intended for deployment in so-called "production environments", that is, in the real world. They mainly want IT specialists to start "playing around" with them.
What can a techie do with this?
For cryptography and encryption enthusiasts, it's noticeable that CRYSTALS-Kyber, CRYSTALS-Dilithium, FALCON, and SPHINCS+ do not provide a comprehensive suite of algorithms that can fully replace commonly used forms of encryption in everyday life. Although Kyber could potentially be a good successor to AES within TLS, and Dilithium might be a good replacement for HMAC, there's still a lack of a symmetric encryption algorithm for protecting data, as well as a hashing algorithm.
So there are currently no standardized post-quantum cryptographic algorithms specifically designed as replacements for symmetric encryption algorithms for data storage, nor as replacements for hash algorithms. Furthermore, it will take some time before the aforementioned four algorithms are incorporated into common packages like OpenSSL and other software. This is important because experts need to be able to trust the implementation of the algorithm, ensuring that it's genuinely secure for use in production environments and doesn't contain any unintended side-channels or vulnerabilities.