SAN FRANCISCO, March 12, 2019 - The RSA Security Conference last week was abuzz with the need for security practitioners to support and enable "business digital transformation." But nearly lost in that message was a more important warning around the emergence of quantum computing and its impact on data privacy in the future.
"The quantum disruption is likely to be announced in the next six to ten years, according to predictions. And quantum-powered cracking tools will have the capacity to cut through PKI like a hot knife through butter, and even threaten symmetric encryption by breaking key exchange security," says Dennis Moreau, Ph.D., Senior Engineering Architect, Cybersecurity Directions, Synergies and Architecture, in VMware's Office of the CTO.
Quantum computing, while still in infancy, is already proving useful enough for specific scientific and communications applications to drive an early-days "quantum arms race."
For example, China is already heavily invested in quantum computing, including for use in interspace communications. In a countermove, the U.S. House of Representatives in September passed a bill to try and keep up with China's quantum developments.
In addition to state-sponsored programs, "a lot of this quantum computing is going start in the cloud with big, quantum parallel processing, such as in Google [AI Quantum]," says Mark Thompson, Vice President of Product Management for KeyFactor. "What we will need is more elastic encryption management."
Thankfully, some industry working groups are already pooling their collective brain power around this upcoming problem of using quantum computing to crack crypto algorithms. In January, NIST, through its Post-Quantum Cryptography Standardization project, revealed 26 new cryptographic algorithms that are being researched for their potential to stand up against quantum cracking.
A key issue will be migration, which may prove difficult based on the impact of these new algorithms, their challenging key sizes and computational loads. As such, the KeyFactor report indicates that it will take at least five years for organizations and vendors to migrate to new cryptographic systems.
Some help will likely come from cloud platform providers. Moreau points to the automated reference architectures behind AWS and Azure that could ultimately be used to support analogous encryption reference models of the future.
"The key is making our crypto frameworks more decoupled, so that if a new threat comes up, we can flexibly embrace a new algorithm," Moreau adds. "But it is too easy to underappreciate the complexity and disruption that will accompany migration, operationalization and potential re-migration [if the first migration fails]."