Post-Quantum Crypto: Don't Do Anything
No Need to Panic, Cryptographers Say; Just Wait for NIST Guidance
There's good news for anyone worried about the rise of quantum computers and the risk that they could be used to crack modern, public-key crypto systems, thus imperiling the security of much of today's data, both in transit and at rest. Leading cryptographers advise: Don't panic, and above all, don't do anything about it right now.
"Do nothing, just wait for the NIST process," said Dan Boneh, a professor at Stanford University, in an RSA Conference panel last week devoted to post-quantum cryptography and answering this question: "Is time running out?"
Boneh was referring to the U.S. National Institute of Standards and Technology, which in December 2016 launched a post-quantum crypto project designed to identify quantum-resistant public-key cryptographic algorithms. NIST is accepting submissions until Nov. 3, and it plans to issue guidance in five years (see Tackling Quantum Computing Threats to Cryptography).
One current concern, however, is that multiple intelligence agencies are likely intercepting all the encrypted data they can get their hands on today in the hope that it can eventually be cracked via quantum computers, said co-panelist Scott Fluhrer, the technical leader for Cisco's engineering security and trust organization. Accordingly, organizations handling sensitive information need to remain aware of the timeline for when such capabilities might become possible, versus the expected time that sensitive information will remain sensitive. "I advocate acting as if someone will have a working quantum computer in 10 years," Fluhrer said.
But when it comes to getting a quantum computer that's strong enough to crack some cryptosystems, significant technical challenges remain, he added. "It seems like a quantum computer is going to be like a moon landing - a very difficult problem which can be broken down into a number [of defined steps]." Many of those steps have yet to be solved.
Don't Lose Sleep
One risk from quantum computers is that they could potentially crack all modern public-key crypto systems now in use, using what's known as Shor's algorithm. Algorithms such as RSA rely on the difficulty of factoring numbers that are the product of large primes, and cracking them using classical computing would require an immense - and currently unfeasible - amount of computing power, as well as time. But Shor's algorithm would dramatically reduce the time required to run the related calculations if a sophisticated enough quantum computer could be built.
So far, however, the sky is not falling. "I wouldn't lose too much sleep over quantum computers," said Boneh's co-panelist, Israeli cryptographer Adi Shamir - the "S" in the RSA asymmetric cryptographic algorithm.
"Quantum computers are not at the top of my list of worries," added Shamir, who's also the Borman Professor of Computer Science at Israel's Weizmann Institute. "I think there is a higher chance that RSA could be broken by a mathematical attack."
Shamir also expects there to be plenty of warning if powerful quantum computers become a reality. "The big question everyone should be trying to answer is when we should start worrying," he said. "Is it something that's likely to happen in only one location, deep in a basement in Maryland?" he asked, in reference to the National Security Agency, which is known to be conducting related research.
Instead, Shamir expects to see multiple labs begin reporting any large quantum computing advances at the same time, providing sufficient "advance warning" should the technology reach fruition. "We are not at the moment in an emergency situation," he said.
Extensive Vetting Required
Cryptographers on the panel also cautioned against rushing to embrace new cryptosystems that might be resistant to being cracked via quantum computers.
"Should we switch now, as a cautionary step, to a quantum-resistant algorithm?" Shamir asked. "If someone would come up with something that is both quantum-resistant and better than our current algorithms, we win." But knowing whether any new algorithm might be better or worse than what's currently available requires careful vetting - a process that might take years.
All of the cryptographers on the panel agreed that the best way to roll out a post-quantum algorithm would be to hash it together with a classic algorithm. "You cannot deploy a post-quantum algorithm by itself; it must always be deployed with a classic algorithm," Stanford's Boneh said.
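The "hash it together" deployment the panel recommends is usually implemented as a key combiner: the shared secret from a classical key exchange and the shared secret from a post-quantum scheme are both fed into a key derivation function, so the session key stays secret as long as either input does. The example below is added here and is not code from the panelists or from any standards body; it implements an HKDF-style combiner (RFC 5869 construction, SHA-256) with the Python standard library only. The two shared secrets are constructed random bytes standing in for what an ECDH exchange and a post-quantum KEM would produce, and the label strings and the `simulate_hybrid_handshake` helper are assumptions for illustration.

```python
import hashlib
import hmac
import secrets

HASH = hashlib.sha256


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """HKDF-Extract (RFC 5869): PRK = HMAC-Hash(salt, IKM)."""
    return hmac.new(salt, ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Expand (RFC 5869): T(i) = HMAC-Hash(PRK, T(i-1) | info | i)."""
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm += block
        counter += 1
    return okm[:length]


def _length_prefixed(data: bytes) -> bytes:
    """2-byte big-endian length prefix so that (a, b) and (a', b') can never
    serialize to the same byte string when the split point differs."""
    return len(data).to_bytes(2, "big") + data


def combine_shared_secrets(classical_ss: bytes, pq_ss: bytes,
                           transcript: bytes, length: int = 32) -> bytes:
    """Derive a session key from BOTH a classical and a post-quantum shared secret.

    An attacker must recover both inputs to recompute the key: breaking only the
    classical exchange (e.g. with a future quantum computer) or only the newer,
    less-vetted post-quantum scheme is not enough. The handshake transcript is
    mixed in so the key is bound to the exact messages that were exchanged.
    """
    ikm = _length_prefixed(classical_ss) + _length_prefixed(pq_ss)
    prk = hkdf_extract(b"hybrid-kex-combiner-v1", ikm)     # label is an assumption
    return hkdf_expand(prk, b"session key" + _length_prefixed(transcript), length)


def simulate_hybrid_handshake():
    """Both endpoints derive the same key; a party missing the PQ secret does not.

    The secrets are constructed with secrets.token_bytes as stand-ins for the
    outputs of a real ECDH exchange and a real post-quantum KEM.
    """
    classical_ss = secrets.token_bytes(32)   # constructed stand-in for ECDH output
    pq_ss = secrets.token_bytes(32)          # constructed stand-in for PQ KEM output
    transcript = b"client_hello|server_hello|kem_ciphertext"  # constructed

    key_client = combine_shared_secrets(classical_ss, pq_ss, transcript)
    key_server = combine_shared_secrets(classical_ss, pq_ss, transcript)
    # Someone who has the classical secret but not the PQ one gets a different key.
    key_partial = combine_shared_secrets(classical_ss, secrets.token_bytes(32), transcript)
    return key_client, key_server, key_partial


if __name__ == "__main__":
    kc, ks, kp = simulate_hybrid_handshake()
    print("client == server:", kc == ks)
    print("partial knowledge == server:", kp == ks)
```

The design point is that the combiner is a KDF over both secrets, not an XOR of them: with an XOR, whoever controls one input can cancel the other, whereas with a keyed hash over length-prefixed inputs each secret contributes independently. When a standardized scheme emerges from the NIST process, `pq_ss` is simply the shared secret that scheme's decapsulation returns; nothing in the classical half has to change.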
For now, Shamir said everyone should stick to the tried and true. "Remember, we are celebrating this year the 40th anniversary of the RSA algorithm; it was invented in 1977."
Inventory Current Crypto
Although enterprises should steer clear of post-quantum cryptosystems for now, co-panelist Michele Mosca, a professor at Canada's University of Waterloo, said now is a great time to "enumerate where the crypto is in your tool suite - just doing that inventory is good cyber hygiene."
"And get rid of MD5 and SHA1," said panel moderator Bart Preneel, a professor at the computer security and industrial cryptography group at Belgium's KU Leuven university. Both of those cryptographic algorithms are known to be insecure, yet still remain in wide use.
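A first pass at the inventory Mosca describes, with Preneel's MD5/SHA-1 check built in, can be done with a simple scanner over configuration files, source code and certificate dumps. The example below is added here and is not a tool from the panelists or their institutions; it catalogues every recognised algorithm name in the input and flags the weak ones with a migration note. The sample text it scans is constructed for the example (the file names, line numbers and contents are invented), and the algorithm list is a small, illustrative subset rather than a complete catalogue.

```python
import re
from collections import Counter

# Algorithm names to catalogue. Entries with a note are weak and should be
# migrated; entries with None are listed for inventory purposes only.
ALGORITHMS = {
    "md5":      "weak: collisions are practical; migrate to SHA-256 or stronger",
    "sha1":     "weak: deprecated for signatures and collision resistance; migrate to SHA-256 or stronger",
    "rc4":      "weak: biased keystream; migrate to AES-GCM or ChaCha20-Poly1305",
    "sha256":   None, "sha384": None, "sha512": None,
    "aes":      None, "rsa": None, "ecdsa": None, "x25519": None, "chacha20": None,
}

# Match names not glued to a preceding letter/digit. "sha1" must not be followed
# by a digit so that "sha1" never matches inside e.g. "sha10"; the other hash
# names are written out in full, and cipher names may carry a key size after them.
TOKEN = re.compile(
    r"(?<![a-z0-9])(md5|sha-?1(?![0-9])|sha-?256|sha-?384|sha-?512"
    r"|aes|rsa|ecdsa|x25519|chacha20|rc4)",
    re.IGNORECASE,
)

# Constructed sample input: a mix of a TLS config, certificate dumps, source
# code and documentation, as a real inventory run would encounter them.
SAMPLE = """\
nginx.conf:12: ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-RC4-SHA;
cert.txt:4:  Signature Algorithm: sha1WithRSAEncryption
cert.txt:9:  Signature Algorithm: sha256WithRSAEncryption
app/auth.py:88: digest = hashlib.md5(password.encode()).hexdigest()
app/auth.py:91: digest = hashlib.sha256(password.encode()).hexdigest()
app/kex.py:17: priv = X25519PrivateKey.generate()
README.md:3: run md5sum to check the download
"""


def inventory(text: str) -> list:
    """Return one finding per algorithm mention: where it is, what it is, whether it is weak."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for match in TOKEN.finditer(line):
            name = match.group(1).lower().replace("-", "")
            note = ALGORITHMS[name]
            findings.append({
                "line": lineno,
                "algorithm": name,
                "weak": note is not None,
                "note": note,
                "text": line.strip(),
            })
    return findings


def summarize(findings: list):
    """Count how often each algorithm appears and list the weak occurrences."""
    counts = Counter(f["algorithm"] for f in findings)
    weak = [f for f in findings if f["weak"]]
    return counts, weak


if __name__ == "__main__":
    counts, weak = summarize(inventory(SAMPLE))
    print("Inventory:", dict(counts))
    for f in weak:
        print(f"line {f['line']}: {f['algorithm']} - {f['note']}\n    {f['text']}")
```

Running it on the constructed sample lists every algorithm in use and singles out the `md5`, `sha1` and `rc4` hits for replacement; the `sha256` and `x25519` lines are catalogued but not flagged. A real inventory would also cover binaries, hardware tokens and third-party services, but even this text-level pass gives the "where is the crypto" list that has to exist before any post-quantum migration can be planned.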
Boneh, acknowledging that "the level of paranoia is extremely high" surrounding post-quantum crypto, said enterprises should be focusing their energy instead on "buffer overflows, SQL injection, cross-site scripting and those types of bugs."
Boneh also reiterated that companies should wait for expert post-quantum crypto advice. "The strategy is, we're going to wait for the NIST process to terminate. So as a company, you should not actually be doing anything right now," he said.
Business Case Unclear
Furthermore, there's no business case now for developing bigger quantum computers for the purpose of potentially breaking some cryptosystems, Boneh said. And regardless, cryptographers have time to get and stay ahead of any emerging advances. "Quantum computers are not being developed to break crypto because by the time they will have been developed, they will not be able to break the crypto that we are using."
One business case for building better quantum computers is that they're really good at simulating physics, he said, adding that relatively small quantum computers might turn out to work fine for such experiments, thus obviating any push to build bigger ones.
Policymakers Are Watching
Cryptographers aren't the only ones keeping an eye on quantum computing and its security implications. Related efforts are also afoot on the policy side, U.S. Rep. Michael McCaul, R-Texas, told the RSA conference in a keynote speech.
McCaul, who's chairman of the House Homeland Security Committee and an original co-chair of the Cybersecurity Caucus, said that he wants the United States to "lead a coalition of like-minded nations" to explore what security changes and defenses will be required "for the quantum future." He and some other lawmakers have been calling for a rapid increase in related research and funding (see Rep. McCaul: U.S. Must Gain Decryption Edge).