Cryptographic technologies have long been essential for securing data through encryption and maintaining data integrity with digital signatures. However, recent advancements in quantum computing technology are poised to challenge this security paradigm. Owing to their superior computational capabilities, quantum computers can execute certain mathematical calculations in a short period that conventionally could not be done within a realistic timeframe. Quantum computers are also expected to be applied to use cases such as drug discovery, logistics, and fraud detection. However, there is growing concern that quantum-led security threats will render cryptographic technologies ineffective in the future, requiring a change in how organizations encrypt their data.
But has that not always been the case? With the emergence of any new technology, there is often a corresponding rise in potential threats exploiting these innovations.
Similar to the AI revolution, which is being regarded as the greatest innovation in a generation, scaled quantum computing is poised to disrupt several aspects of technology, including cybersecurity, and it is time we started preparing to deal with its consequences.
Potential Threats to Cryptographic Technologies
Before discussing quantum computer threats, it is crucial to note that despite the emergence of quantum computing, the conventional threat from supercomputers to cryptographic technologies persists. The traditional defense against cyberattacks powered by supercomputers is to use longer keys (measured in bits) for encryption and digital signatures. However, this also makes the encryption and decryption processes slower for users with valid keys.
With the migration of critical services and data to the cloud, traditional data center security measures are no longer sufficient, increasing our reliance on advanced encryption methods to safeguard information. Similarly, workforce decentralization necessitates effective encryption protocols to protect data moving across geographies and business units. These protocols include virtual private networks (VPNs), which create secure tunnels for data between devices and networks, and transport layer security (TLS) and secure sockets layer (SSL), which encrypt the data exchanged between web browsers and servers. At the same time, advanced network technologies, such as software-defined wide area network (SD-WAN), which optimizes data traffic across multiple connections, and secure access service edge (SASE), which provides secure access to applications and data by combining network and security functions, rely more on advanced encryption techniques rather than traditional boundary security measures, such as firewalls, to protect sensitive information.
However, these encryptions are powered by cryptographic algorithms based on complex mathematical problems. Quantum computing’s ability to solve these mathematical problems rapidly could render current encryption methods obsolete, exposing sensitive data to unprecedented risks.
One such commonly used cryptographic algorithm is the Rivest-Shamir-Adelman (RSA) algorithm, which uses the principles of prime factorization of large numbers to perform encryption. Today, RSA-led encryption finds numerous applications ranging from software applications such as email clients and browsers to hardware devices such as smart cards and routers. RSA is also leveraged across the supply chain of these systems, from component manufacturing to software update distribution. It is estimated that a quantum processor needs to contain at least 1 million qubits to counter RSA encryption.
To give some context, the smallest classical computing element is a bit, which stores information as either 0 or 1. Its quantum equivalent is a qubit, which works on quantum mechanics principles and can store information as 0, 1, or any combination of the two values simultaneously. Therefore, quantum computing scales exponentially—1,000 qubits would, in some respects, be more powerful than the world’s most powerful supercomputer working on classical computing principles. Currently, the maximum capacity of the world’s largest quantum processors is just a little north of 1,100 qubits. However, IBM and Google plan to build quantum computers with 1 million qubits by 2030.
However, this does not prevent malicious actors from stealing highly sensitive financial and national security information and decrypting it in the future once a quantum computer of sufficient power becomes available. This attack is popularly known as a “capture now, decrypt later” attack or a “harvest now, decrypt later” attack.
According to a NASSCOM-Avasant joint report, quantum technology will reach an inflection point in the next two to three years. It will be poised to manage mature quantum applications, including sensing and cryptography, and perform computations with limited variables. This implies it will be capable of breaking vital public encryption schemes currently in use. It would severely threaten the confidentiality and reliability of digital interactions across platforms.
The emergence of this potential threat to cryptographic technologies has led to the creation of post-quantum cryptography (PQC) algorithms, which are immune to quantum computers. Unlike older standards, PQC algorithms rely on more complex mathematical problems that even quantum computers find difficult to solve.
The Global Community Is Rallying around Quantum Readiness
The security industry has been gearing up to face the potential threats posed by quantum computers to classical cryptography. This includes evaluating various encryption algorithms, including digital signature algorithms and key establishment mechanism (KEM) algorithms, along with considerations such as extensible security architectures, technology switching costs, and interoperability, enabling a greater variety of industry use cases.
The following are the major players contributing to developing quantum-resilient cybersecurity measures.
International standardization bodies: While various organizations, such as the National Institute of Standards and Technology (NIST) in the US and the European Telecommunications Standards Institute (ETSI), are establishing standards, a unified global strategy is needed to consolidate technical advancements and enhance their effectiveness, fostering greater consistency within the market.
In January 2024, the International Electrotechnical Commission (IEC) and the International Organization for Standardization (ISO) formed a joint committee on quantum technologies. This committee aims to spearhead key initiatives and facilitate collaboration with other international entities, such as the British Standards Institution (BSI).
Global system integrators: Service providers actively invest in developing quantum-resilient cryptography solutions through collaboration with the startup community, leveraging their niche capabilities in this domain. Leading providers, including Accenture and Eviden, have successfully tested PQC solutions to secure networks and communication systems. Similarly, Infosys collaborated with QuintessenceLabs, an Australian cybersecurity firm, to build a solution that generates random encryption keys using quantum mechanics. These random keys can then be incorporated with classical cryptographic algorithms, making them more robust.
Having developed confidence in their quantum security capabilities, service providers are now looking for commercial success in this area. Capgemini and NTT DATA offer quantum security risk exposure assessment services and have also developed migration road maps for their customers to help them pivot to quantum-resilient cybersecurity. To facilitate PQC adoption for its clients, TCS has signed an MoU with PQShield, a UK-based startup. PQShield offers platforms to deploy PQC solutions by integrating PQC algorithm libraries and hardware solutions to support cryptographic operations.
Cloud service providers: Microsoft, IBM, and other cloud service providers are active contributors to the R&D efforts of regulatory bodies and industry consortia, including the NIST National Cybersecurity Center of Excellence and the Linux Foundation’s Open Quantum Safe project. These industry consortia include academia, government bodies, and industry players and play an integral role in determining industry best practices and preparing a road map for enterprise adoption of quantum-resilient cybersecurity measures.
Leveraging their research and innovation capabilities, cloud service providers have also launched new PQC offerings and integrated quantum security into their existing solutions. Google has introduced an algorithm that generates quantum-safe security keys for FIDO2 encryption, a common method for passwordless website authentication. It has adopted a hybrid approach by combining a traditional cryptographic algorithm vulnerable to quantum computers with CRYSTALS-Dilithium, a post-quantum algorithm standardized by the NIST. Similarly, AWS has integrated post-quantum algorithms into its key services, including the AWS Key Management Service (KMS), which protects data by creating, managing, and controlling cryptographic keys, and AWS Secrets Manager, which helps protect access to applications, services, and IT resources.
Enterprises Must Brace for Impact
Beyond concerns about encryption, advancements in quantum computing pose additional threats, particularly when combined with generative AI and large language models. When run with malicious intent on quantum computers, these technologies can drive faster and more precise cyberattacks.
Consequently, the defensive strategies adopted by enterprises must evolve to match this advanced threat landscape. They must proactively assess the post-quantum readiness of their information security systems, analyze the long-term impacts of deploying quantum-resilient security measures, and devise robust migration strategies to move ahead in their crypto modernization journeys. Organizations should conduct a business impact analysis of security breaches on different types of encrypted data. While some encrypted data types, such as encrypted financial transactions or temporary communication logs, have a limited period of relevance, other types, such as personal identification information or trade secrets, retain their value indefinitely once decrypted. Enterprises must prioritize applying quantum-resistant encryption to their most valuable and sensitive data.
A key aspect they should consider while formulating their plans is crypto agility. Crypto agility is crucial when an encryption algorithm is found to be vulnerable, breaks suddenly, or faces a security compromise. In such cases, organizations must quickly switch to a different encryption method to minimize damage. Implementing crypto agility requires organizations to have comprehensive visibility of their information assets, encryption technologies deployed, and automation capabilities to expedite issue remediation.
PQC adoption has started to gain momentum. Apple has recently integrated a PQC layer into its existing cryptographic algorithm, implementing a hybrid approach to enhance the security of its iMessage instant messaging platform. The new PQC protocol, PQ3, also includes a feature that allows for the periodic refreshing of encryption keys, replenishing security even in cases where previous keys are compromised. Apple has collaborated with academia to validate and refine the solution, leveraging their quantum computing and cryptography expertise.
Sustained collaboration with global system integrators, cloud service providers, and industry consortia can give enterprises a head start, enabling them to leverage the R&D efforts and investments made by these players in quantum-safe cybersecurity. Moreover, partnerships with academic organizations specializing in quantum security can help enterprises implement tailored upskilling programs for in-house security teams and run ongoing solution improvements and validations.
Enterprises must implement these strategies to emerge victorious in this race against quantum-savvy adversaries.
By Gaurav Dewan, Research Director and Vibhanshu Agarwal, Senior Analyst, Avasant