It seems, increasingly, like writing technology articles is becoming nothing more than covering a long list of unfolding crises. The crisis du jour is the imminent breakdown of cryptographic security, thanks to the expected arrival of quantum computers. Today’s cryptography relies heavily on implementations of RSA public-key cryptography, which is now used pervasively for data encryption and decryption in networking and computing. RSA encryption – named after its inventors: Rivest, Shamir, and Adleman – relies on the difficulty of decrypting the encoded data without a key, which requires some bodacious math to factor large numbers if you lack the encryption key.
As computers have gotten faster, RSA keys have gotten longer to try to keep data secure. However, once quantum computers enter the scene, cryptography experts expect RSA-based data security to quickly fall apart, thanks to Shor’s algorithm, which American mathematician Peter Shor developed in 1994 specifically for quantum computers, even though they did not yet exist. Shor’s algorithm quickly finds the prime factors of a large integer.
NIST (the National Institute of Standards and Technology) recognized the looming encryption crisis in 2016 and initiated a program to solicit, evaluate, and standardize one or more quantum-resistant public-key cryptographic algorithms. Many candidate algorithms were submitted to NIST for evaluation and underwent several assessment rounds. NIST isn’t expected to complete the standardization process for quantum-safe cryptography until after 2023.
The IBM Quantum-Safe Interview
My colleague and a principal analyst at TIRIAS Research Kevin Krewell recently interviewed two people at IBM Research regarding IBM’s work on quantum-safe cryptography. The two people are Ray Harishankar, an IBM Fellow and Vice President working on quantum-safe cryptography, and John Buselli, a Business Development Executive Manager. IBM is currently developing a rapidly evolving line of quantum computers, so the company is acutely aware of how these computers will soon obsolete RSA encryption. Kevin kindly agreed to let me use the interview to illuminate the present situation regarding quantum-safe cryptography.
Buselli set the stage early during the interview:
“Our general MO [modus operandi] has not been to spread gloom and doom and come at [the issue] with the Grim Reaper. There are various points of view… as to when this may come to fruition. It’s open to healthy debate. You may be tracking what NIST is saying. I think they’ve come out very firmly [in September] and said that they anticipate that RSA 2048 will be cracked by 2035, based on their projections. There are other pundits and other analysts or followers of the industry that will say slightly different things. Our vantage point is a little bit different. Yes, we do believe that [RSA decryption using quantum computers] will happen inevitably. But what’s important is what you are doing today to prepare. Managing cryptography and transitioning crypto is not a single event. It is a continuous, if not multi-year, journey.”
“A couple more data points to call out. NIST has put out some reports and you also have national security memorandums that call out 2035 as a date. NSA announced [in September] that 2035 is the date they expect things to be compliant [with yet-to-be-published quantum-safe cryptography standards]. And then there is also this World Economic Forum article that Deloitte and World Economic Forum published – where they’re also calling out 2035 as the danger zone. And if you read through the NSA articles, they say all web servers and all of the network devices should be compliant by 2030. But this is a series of cascading tasks. You can’t expect all of them to be ready by 2030. Nobody has ever said it’s not going to happen. And to John’s earlier point, you must be prepared. That’s all we’re trying to say. And as you are trying to get yourself prepared, be aware of a few things.
“One is that there is a lead time that you need to look at for upgrading whatever you need to upgrade to quantum-safe cryptography. Software systems require a five-to-seven-year timeframe. Most of the security software, infrastructure, and architecture, if there is one, are sort of organically grown and have morphed over time, so they’re difficult to change.
“Second, you need to consider the time sensitivity of data. By that I mean that there are regulatory compliance requirements that may require you to retain data for longer periods of time. Why is that important? It’s important because there is this notion of “download now and decrypt later,” which means that [data thieves and other bad actors] don’t know how to decrypt the data today, but that’s okay. Disk is cheap. So, they download whatever they can [through data breaches] today, and then hang onto that data, gambling that they will eventually have the decrypting mechanism. Then they’ll decrypt all of [that stored data] and see what nuggets they can find. So, people need to be concerned about this now, and make sure they have a plan of action that they can put in place as soon as they are ready, and the standards are announced…
“So, given this, NIST in 2016, I believe, launched a campaign or a contest to say: ‘look, submit algorithms that cannot be broken by quantum computers [and classical computers],’ because you don’t technically need a quantum computer. All of the work we’re talking about occurs with classical computers. [NIST] had several very rigorous rounds of evaluation and testing, and after four rounds of the 80 or so [algorithms] that were submitted, on July 5th of this year, they announced four [algorithms] that passed their fourth round evaluation, and said our standards are likely to be based on these [four algorithms]. Three of these four algorithms are from IBM, working with partners in academia.”
IBM is not working just on the theoretical side of these quantum-safe algorithms. The company’s recently announced z16 mainframe equipped with a Crypto Express 8S Hardware Security Module (HSM) provides quantum-safe API access to two of NIST’s selected quantum-safe algorithm candidates – CRYSTALS-Kyber and CRYSTALS-Dilithium – implemented in the HSM’s on-board cryptographic engines. In addition, says Buscelli, IBM has been experimenting with these quantum-safe algorithms on some of its tape drives for some time.
Quantum-Safe: Not Just for Data Centers
However, before you conclude that quantum-safe cryptography is strictly for data centers, that’s not true at all. Devices on the edge – IoT devices – are also vulnerable. Consider this additional information from Harishankar’s portion of the interview:
“…now think of an automobile, which somebody once described as an IoT device capable of traveling at high speeds. Everything that has some electronic communication is going to have an exposure, and there’s an associated lead time for you to figure out [a quantum-safe strategy]. The quantum safe algorithms that we created took into account the form factor of deployment, because you cannot have the new algorithm consume enormous amounts of CPU [bandwidth], or demand additional memory, or demand [communications] bandwidth that cannot be supported by these devices out on the edge that have minimal memory and must operate on low bandwidth.”
These quantum-safe strategies must be appropriate for the target device. Harishankar continued:
“My coffee maker tells me when a coffee is made, but I don’t care if that [communication] gets broken or not. However, I don’t want someone to use that [device] as a backdoor to get into my network. Right?”
Then Buselli elaborated by recalling the Target cybersecurity breach in 2013. Criminals stole information on approximately 40 million debit and credit card accounts in that breach, and they broke in using credentials given to Target’s HVAC service supplier. Target said the breach cost the company $202 million, including an $18.5 million settlement to a lawsuit brought by 47 US states and the District of Columbia.
This breach is an example of access gained through an OT (operational technology) billing system that was linked to the company’s IT (information technology) system. Buselli pointed out that you can imagine that same sort of vulnerability for power plants, automobiles, and even the electrical distribution grid. Many networks are really just an assembly of IoT devices, any of which could be compromised to gain access to a larger network.
Buselli concluded by saying:
“And again, we’re very careful not to spread doom and gloom. We don’t want to be leading with that view. But, practically speaking, it takes time to transform. And that’s really our fundamental position. You’ve got to start, right?”
So, what’s in your quantum-safe strategy?