
Monday, December 8, 2025
Cryptography, cyber security and quantum computing: the sky is not falling – but carry an umbrella
1. What is current cryptography?

Cryptography, like love, is all around us. Every secure web browsing session, with the padlock and a web address starting ‘https’, means that the flow of data has been encrypted. When you use BitLocker on your hard drive, you are using cryptography. PIN numbers, passwords and the one-time codes used in multi-factor authentication are all supported by cryptography. Mobile phones, VPNs, SatCom – all include it.

Public key cryptography (PKC) is the most common form that regular users will encounter. Around since the late 1960s, it relies on maths to produce two different keys: a public key which everyone knows and a private key which only you know. Together the keys are built on a very large number (derived either from discrete logarithms or from the product of large prime numbers) which protects the data in the transaction. The public key is used to encrypt; the private key is needed to decrypt. Key lengths are long, in part because an element of the key is known.

The other type of cryptography at issue is called private or symmetric key encryption. Here there is just one key, which only you and the person you are corresponding with are supposed to have. Ideally you should only use the key once (e.g. a one-time pad). Keys are shorter than with PKC, and it is quicker for individual messages but gets messier with bigger networks. See below for more about key sizing.

A third technology of relevance here is the digital certificate. These are bits of code that support keys and can contain such information as which domain the key belongs to, by whom the key was issued and the date on which the certificate or key expires. It basically provides the element of trust that the message being decrypted is authentic and has integrity, as well as being confidential. The certificate is also dependent on PKI, itself containing the required public key.

Finally, to give an idea of the scale of the challenge, current keys are quite big (e.g. 128-bit or 256-bit). In normal speak, a 128-bit key provides 3.4 × 10^38 possible keys (3.4 followed by 38 zeros); 256-bit gives you 1.1 × 10^77; 512-bit 3.3 × 10^154. So doubling the key length doubles the power of 10 (from 77 zeros to 154, for example). But even the 128-bit key is now regarded as only of moderate strength, while both 256- and 512-bit keys are still regarded as quite strong. When I searched for estimates of ‘time to crack a 256-bit key with normal computing’, the answer was ‘millions of years’. For which read ‘millions of years and millions of dollars’.

2. What is quantum computing and why does it matter in this context?

Quantum computing is, put simply, super-fast computing that uses the principles of quantum mechanics to do a lot of things very quickly in the same place at the same time, using quantum superposition. It is this superposition that gives the quantum computer its exponential edge over traditional computing. At this point I surrender to nist.gov, where you can find a good primer on the basics of quantum computing.

Currently the biggest machines include Atom Computing at 1,180 qubits and IBM Condor at 1,000 qubits; China Telecom has a 504-qubit machine (Tianyan-504). Google Willow and China’s USTC Zuchongzhi-3 are both at around 105 qubits. A lot of investment has gone into error correction, and most require absolute precision, supercooled wiring and lasers to work properly. Some claim that Google Willow is ‘near’ (3 years from) breaking a 256-bit cipher. 3 years is not long if you quantum-relate it to Moore’s Law’s 18-month doubling of computer power.

This is all very expensive stuff which must operate successfully at the atomic level. So it is still much more supercomputer than garage. There are alarmists out there (or security vendors) who claim that the massive computational uplift provided by quantum machines will imminently strip us of all our cryptographic defences and that all our most sacred secrets will immediately be exposed. This is nonsense. But QC does pose a threat to some of our secrets, and a managed transition to the new Post-Quantum Cryptographic era has already begun. When the final RFCs are issued by the IETF and the other bodies which determine how these new protections should be implemented in common systems, they will be enacted. It will not be cost-free. There will come a time when organisations will be obligated to migrate from systems that are known to be compromised – or susceptible to compromise – to ones which are known to be quantum resistant. This is not a subject for debate: it is happening. Prepare now – pay less later.

Is the sky going to fall?

Most competent nation states have already been working for many years on the development of post-quantum cryptographic standards which will prove more resistant to the increased power that quantum computing can provide. The UK’s National Cyber Security Centre (NCSC) published an initial preparatory whitepaper in 2020 (Preparing for Quantum Safe Cryptography). And in August 2024 it issued a sequel: Next Steps in Preparing for Post-Quantum Cryptography. Both are available on www.ncsc.gov.uk. Work is also continuing at pace in, for example, the US, through the National Institute of Standards and Technology (NIST), and in Europe through the European Telecommunications Standards Institute (ETSI). The Chinese Government, through the Institute of Commercial Cryptography Standards (ICCS), which operates under the Chinese Cryptographic Standardisation Technical Committee, is advancing its own initiative to develop PQC algorithms, free of US influence.

Possibly

There are two main fears. The first is that data which countries need to secure for a long time could be intercepted, stored and rendered recoverable at some point in the future; the second, and more present, scenario which needs to be addressed now is that an attacker could forge certificates, compromising digital signatures and long-term ‘trust anchors’.

The doomsday scenario is that quantum computing, given its enormous increase in capability and speed, will be able to brute force susceptible cryptographic keys more quickly and therefore strip companies and organisations of the cryptographic protections that they thought they had. If nothing else were to happen over the next 10 years, this scenario may well occur. Some claim that 2028 will see the first 256bit brute force quantum takedown. But there is a lot of gap to cover between now and 2028.

You may argue that this should only apply to Government information. While there might be justification for this point of view, shareholders will take a very dim view if their secrets are outed because management failed to see that, if Government secrets are under threat, it is more than likely that the threat actor will have practised on you beforehand to polish their craft.

But unlikely. The sky isn’t falling! Not yet, at least

First, some false impressions need to be laid to rest:

  • Not every algorithm or cryptographic protocol is susceptible to quantum attack
  • Quantum computing is NOT the threat actors’ silver bullet (nor is AI)
  • QC is very expensive to develop and run – and will remain the preserve of nation states and major corporates for a few more years
  • Unless there are radical breakthroughs in cost and power, QC will exist alongside mainstream computing and remain specialised for a while

3. So which bits of today’s environment need to change, why and how?

According to the NCSC, the asymmetric key algorithms in Public Key Cryptography (PKC) are the most vulnerable to quantum attack. These maths-based algorithms (whether based on integer factorisation, such as RSA, or on the ‘discrete logarithm problem’, such as finite field Diffie-Hellman, ECDH, DSA, ECDSA and EdDSA) handle key establishment, encryption and digital signatures.

Why is quantum computing such a threat? Shor’s algorithm (Peter Shor, MIT, 1994) shows, very loosely and for now only in theory, how a quantum computer could handle the massive computational load needed to break these ciphers by finding the prime factors of any integer quickly, through a ‘superpolynomial speedup’. However, there are a number of practical issues which still make this very hard: it needs far more qubits (quantum processing power) than are yet available, and the results can be affected by computing ‘noise’ and/or by there being insufficient qubits to perform quantum error correction.

Symmetric keys appear to be much less susceptible to quantum attack. Why? The difference between these and the keys used in public key cryptography is that symmetric keys are simple (no maths), random (no guessing) and big. They must be the same at both sender and recipient, and therefore, if secured well, can be very difficult to break. Since a symmetric key is generated to be as near random as possible and there is no mathematical function or shared secret to form part of the answer, the key size can simply be increased (e.g. from 256 to 512 bits and beyond) to increase the time it would take to brute force the cipher, even though there is also an algorithm by which quantum computers can attack symmetric keys more quickly (Lov Grover’s algorithm, 1996). This would render such an attack prohibitively expensive in both time and computing costs.

Put simply: quantum computers can attack the maths behind current asymmetric systems, such as the existing algorithms behind public key cryptography. But brute force attacks on the very large numbers in symmetric keys will still take a huge amount of effort (and by huge we mean large percentages of a nation’s GDP over many hundreds of years).
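The contrast drawn in the last few paragraphs can be made concrete in a few lines. What follows is an added illustration, not code from the article: a toy RSA key pair built from tiny primes (constructed values, nothing like real key sizes) whose private exponent falls out as soon as the modulus is factored, which is the step Shor’s algorithm speeds up; and a toy symmetric cipher (HMAC-SHA256 standing in for a block cipher, an assumption made for simplicity) where the only way in is to try every key, so that the Grover halving is answered by a longer key.

```python
"""Added illustration (not code from the article): why asymmetric keys rest
on a maths problem while symmetric keys do not.

Part 1: a toy RSA key pair built from deliberately tiny primes.  Recovering
the private exponent needs nothing but the factorisation of n; Shor's
algorithm is a fast quantum method for exactly that step, which is why
RSA-style keys are the ones at risk.  Real keys use ~2048-bit moduli that
trial division cannot touch.

Part 2: a toy symmetric cipher (HMAC-SHA256 keyed with a short key).  The
key has no structure, so the only route in is to try keys: the work grows
as 2**bits.  Grover's algorithm cuts that to about 2**(bits/2), which is
countered by doubling the key length.
"""
import hashlib
import hmac
import math


def factor_by_trial_division(n):
    """Return (p, q) with p * q == n for a toy modulus.  Exponential in the
    bit length of n; Shor's algorithm does this step in polynomial time."""
    for p in range(2, math.isqrt(n) + 1):
        if n % p == 0:
            return p, n // p
    raise ValueError("n has no non-trivial factor")


def rsa_private_exponent(n, e):
    """Derive the private exponent d from the public key (n, e) alone."""
    p, q = factor_by_trial_division(n)
    phi = (p - 1) * (q - 1)
    return pow(e, -1, phi)  # modular inverse, Python 3.8+


def rsa_demo():
    """Constructed toy key: 1009 and 1013 are primes far too small for real use."""
    p, q, e = 1009, 1013, 65537
    n = p * q
    d_true = pow(e, -1, (p - 1) * (q - 1))
    d_recovered = rsa_private_exponent(n, e)   # uses only the public key
    message = 123456
    ciphertext = pow(message, e, n)
    return d_recovered == d_true and pow(ciphertext, d_recovered, n) == message


def toy_symmetric_encrypt(key, key_bits, message):
    """Keyed tag standing in for a block cipher; only key size matters here."""
    key_bytes = key.to_bytes((key_bits + 7) // 8, "big")
    return hmac.new(key_bytes, message, hashlib.sha256).digest()


def brute_force_symmetric(key_bits, message, target):
    """Classical exhaustive search.  Returns (recovered_key, keys_tried)."""
    for k in range(1 << key_bits):
        if hmac.compare_digest(toy_symmetric_encrypt(k, key_bits, message), target):
            return k, k + 1
    raise ValueError("no key matched")


def grover_effective_bits(key_bits):
    """Grover searches N candidates in about sqrt(N) steps, so a k-bit
    symmetric key gives roughly k/2 bits of security against a quantum
    adversary: AES-128 -> 64, AES-256 -> 128."""
    return key_bits // 2


def symmetric_demo(key_bits=16):
    """Constructed 16-bit key so the search finishes in well under a second."""
    secret_key = 0xBEEF & ((1 << key_bits) - 1)
    message = b"toy block for the key search"
    tag = toy_symmetric_encrypt(secret_key, key_bits, message)
    recovered, tried = brute_force_symmetric(key_bits, message, tag)
    return {
        "recovered": recovered == secret_key,
        "keys_tried": tried,
        "classical_worst_case": 1 << key_bits,
        "quantum_equivalent_bits": grover_effective_bits(key_bits),
    }


if __name__ == "__main__":
    print("toy RSA private key recovered by factoring:", rsa_demo())
    print(symmetric_demo())
```

The two halves fail in different ways as the numbers grow: the trial-division loop is what Shor replaces with something polynomial, so no amount of extra RSA key length rescues it once a large enough machine exists, whereas the symmetric search has no shortcut beyond Grover’s square root, which is why the article’s advice to move from 256 to 512 bits restores the margin.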

So what are the clever people doing about it?

Quantum-resistant algorithms have already been released by both NIST and NCSC. These new algorithms, particularly for PKC, take different mathematical approaches from those currently in use. These new approaches are hard to break by both traditional and quantum methods. They include mathematical formulae and techniques such as lattices, hash functions and multivariate equations. They also include features such as Learning with Errors (akin to a fuzziness which computers cannot solve), which can be deployed to make the problems ‘computationally intractable’, i.e. they keep getting more difficult and there is no algorithm to solve them.

There are other issues which will be harder to resolve (e.g. WebPKI, because it is very complex and decentralised, and protocols in Industrial Control Systems, which may be very old and hard to alter – marine sector beware) and on which more thought will be needed.

And what should users do about it?

It is vital that companies and organisations that rely on cryptography (that means most of us) keep their systems upgraded at all times and do not allow their software to become obsolete or to go out of support.

For some (particularly the consumer market, like the padlock in your web browser) the change may be invisible, arriving through a scheduled software upgrade. In other cases, implementation may not be as simple as a straight swap, and there will have to be a graduated process by which post-quantum resistant algorithms can be implemented in standard infrastructure.

There is activity in the Internet Engineering Task Force (IETF) and other bodies to ensure that new protocols are developed to implement the algorithms. This includes both key exchange and signature mechanisms, e.g. in TLS and IPsec. But until the new protocols are formally published as Requests For Comments (RFCs – in the jargon, the formal output of the IETF), they will not be fully complete. It is therefore only sensible for companies to wait for the final standards to be published as RFCs, since poor implementation of the standards could be worse than no standards at all.

While the threat quantum computing poses to cryptography, particularly public key, is real, it is still early days; the cost and power required to deploy qubits in this activity are currently (fortunately) non-trivial. As in so many things cyber, both threat actors and those tasked with defending against the threat are seeking to gain advantage, and progress is being made on both sides. Defences will be available – and ultimately inevitable. Quantum computing appears mainly to threaten signatures and key establishment. Quantum resistant cryptography does not yet appear to be necessary for symmetric cryptography, e.g. AES-128 or AES-256 can continue to be used. Hash functions like SHA-256 are also not significantly affected yet.

Isn’t AI just going to make things worse? 

It is not clear how AI will impact the next generation of quantum computing, or the extent to which it will be relevant for cryptography in the post-quantum era. Over time, these technologies may align to make the threat more potent. But we should not be over-alarmed that developments in quantum computing will deprive us, either overnight or imminently, of our ability to defend our systems or networks from somebody with a quantum computer. Over the next decade, change is inevitable: organisations which continue to use old systems not regarded as quantum safe will have regulatory and consumer issues, and in Critical Infrastructure will probably be under government mandate to make the required changes in good time. As for today, and in the meantime, basic core cyber principles must be upheld: systems must be kept up to date; patches applied promptly; obsolete systems retired; and people trained.

The sky will not fall, but carry an umbrella anyway.

It is easy to say ‘you have been warned’ and leave it up to others to decide when to act and what to do. Fortunately, the National Technical Authorities (e.g. CISA in the US, NCSC in the UK, ANSSI in France, and no doubt the ICCS and CAC in China) are doing a lot more than that in this environment, which is a good thing. Their approach to common standards through bodies such as the IETF is vital to maintain interoperability in areas which we now regard as basic infrastructure.

Companies which depend on OT and ICS will face bigger challenges, and may be under some pressure to ensure that they do what is required to protect that which cannot be changed. At least they are being informed now, so that they have time to do something about it. Shipowners might need to note that where their fleet forms part of a national infrastructure, this pressure might become mandatory, and it is better to get on board early than risk their ticket to trade in future through non-compliance. As we said at the start of this article – and apologies for the length – if you gotta pay, better pay a little now than more later.

The final point to note is that there will be more developments in this field over the next few years than we could ever hope to capture here. We just hope that if you get engaged in a discussion about QC and the PQC era, you could inject moderation into the debate. 

William Egerton
Chief Cyber Officer