The Quantum Threat to Security
While quantum computing can solve computing challenges far beyond what is possible today, its ability to find the prime factors of large numbers makes it the ideal cybersecurity safe cracker once quantum computing systems mature in their scale, quality, and speed. Every computer system and every bit of “secure” data could become vulnerable to attack from quantum-equipped nefarious actors. The World Economic Forum “estimate(s) that over 20 billion digital devices will need to be either upgraded or replaced in the next 10-20 years to use the new forms of quantum-resistant encrypted communication. We recommend that organizations start planning for this now.”
What constitutes “adequate size” might give us some false comfort: a 2019 study suggested that a computer with 20 million qubits would take eight hours to break modern encryption. Today’s quantum computers are on the order of only 100 qubits. But while that implies that the threat is in the distant future, one must consider that a bad actor doesn’t need to wait for the massive quantum system to materialize. The “Steal now, crack later” approach leads to a latent future security threat. Consequently, organizations should deploy quantum-safe security as soon as possible to minimize future risk.
Stopping Quantum Attacks Before They Begin
Consequently, the National Institute of Standards and Technology (NIST), a bureau of the U.S. Department of Commerce, has been conducting an ongoing search for quantum-safe security algorithms that are both secure and efficient. After all, we need our laptops, cars, and mobile phones to also be able to resist attacks from quantum-equipped bad actors. After four rounds of submissions, NIST selected four algorithms from a slate of 82 candidates. IBM Research had submitted three of the four chosen algorithms. All submissions have been subjected to research by industry and scrutiny by government agencies, academic scientists, and mathematicians. This process is now reaching its conclusion; NIST is expected to publish standards based on these four algorithms sometime in 2024.
The NIST contest covers the two aspects of security that could be vulnerable to quantum computing: public key encapsulation (used for public-key encryption and key establishment) and digital signatures (used for identity authentication and non-repudiation). For the former, NIST selected the CRYSTALS-Kyber algorithm. NIST selected three algorithms for signatures: CRYSTALS-Dilithium, FALCON, and SPHINCS+, with CRYSTALS-Dilithium as the primary algorithm in the signature category.
The Telco Industry Steps Up to Address Quantum Safe
On September 29, GSMA announced the formation of the GSMA Post-Quantum Telco Network Taskforce, of which IBM and Vodafone are initial members, to help define policy, regulation and operator business processes to enhance protections of telecommunications in a future of advanced quantum computing. Since virtually all organizations and sectors conduct commerce on the internet, and the pipes of the 800 providers carry all the internet traffic, the Telco industry is a good place to start. We expect other sectors to follow suit, perhaps starting with banking, government, and health care.
IBM Adds Quantum-Safe Security to the IBM z16
Given the magnitude of the potential risks, and the predominance of IBM Z systems in security-critical applications, IBM has included future-proof digital signature support in its latest z16 mainframe using the CRYSTALS-Kyber and CRYSTALS-Dilithium algorithms selected by NIST. z16 implements these algorithms across multiple layers of firmware to help protect business-critical infrastructure and data from future quantum attacks. IBM has said it is also working to bring these new methods to the broader market.
In addition, IBM has developed a multi-step process to help clients rapidly make their institutions quantum safe. The company works with clients to identify where they are vulnerable to quantum-based cryptography attacks, assess cryptographic maturity and dependencies, and identify near-term achievable cryptographic goals and projects. The risks clients may face vary substantially based on the type of applications and data an organization handles and the state of its current cryptography.
Quantum computing’s potential threat to global information security may seem to be a distant and abstract risk. However, the inevitable advances of quantum technology and the “Steal now, crack later” approach bad actors are undertaking make quantum-safe security a genuine and pressing matter for vendors and IT organizations. IBM wasted no time bringing that technology to market in the IBM z16. IBM Research has contributed three of the four algorithms the NIST quantum-safe contest has selected to be the most viable, secure, and efficient of the 70 techniques evaluated.
Beyond the NIST-approved algorithms, IBM is working to provide “crypto agility”, helping organizations not only replace the soon-to-fail existing algorithms but also transform their security practices to remain resilient as new threats emerge in the post-quantum world. Creating crypto observability, enabling ongoing monitoring and actions on crypto-related security items, will help keep the world safer from bad actors with virtually unlimited computing capacity at their disposal.