Will Hybrid Cryptography Protect Us from the Quantum Threat?
By Roberta Faux, Director of Advance Cryptography, BlackHorse Solutions
Our new white paper explains the pros and cons of hybrid cryptography. The CSA Quantum-Safe Security Working Group has produced a new primer on hybrid cryptography. This paper, “Mitigating the Quantum Threat with Hybrid Cryptography,” is aimed at helping non-technical corporate executives understand how to potentially address the threat of quantum computers on an organization’s infrastructure. Topics covered include:
–Types of hybrids
–Cost of hybrids
–Who needs a hybrid
–Caution about hybrids
The quantum threat
Quantum computers are already here. Well, at least tiny ones are here. Scientists are hoping to solve the scaling issues needed to build large-scale quantum computers in the next 10 years, perhaps. There are many exciting applications for quantum computing, but there is also one glaring threat: Large-scale quantum computers will render vulnerable nearly all of today’s cryptography.
Standards organizations prepare
The good news is that there already exist cryptographic algorithms believed to be unbreakable—even against large-scale quantum computers. These cryptographic algorithms are called “quantum resistant.” Standards organizations worldwide, including ETSI, IETF, NIST, ISO, and X9, have been scrambling to put guidance into place, but the task is daunting.
Quantum-resistant cryptography is based on complex underlying mathematical problems, such as the following:
- Shortest-Vector Problem in a lattice
- Syndrome Decoding Problem
- Solving systems of multivariate equations
- Constructing isogenies between supersingular elliptic curves
For such problems, there are no known attacks--even with a future large-scale quantum computer. There are many quantum-resistant cryptographic algorithms, each with numerous trade-offs (e.g., computation time, key size, security). No single algorithm satisfies all possible requirements; many factors need to be considered in order to determine the ideal match for a given environment.
There is a growing concern about how and when to migrate from the current ubiquitously used “classical cryptography” of yesterday and today to the newer quantum-resistant cryptography of today and tomorrow. Historically, cryptographic migrations require at least a decade for large enterprises. Moreover, as quantum-resistant algorithms tend to have significantly larger key sizes, migration to quantum-resistant systems will likely involve updating both software and protocols. Consequently, live migrations will prove a huge challenge.
A cryptographic hybrid scheme uses two cryptographic schemes to accomplish the same function. For instance, a hybrid system might digitally sign a message with one cryptographic scheme and then re-sign the same message with a second scheme. The benefit is that the message will remain secure even if one of the two cryptographic schemes becomes compromised. Hence, many are turning to hybrid solutions. As discussed in the paper, there are several flavors of hybrids:
- A classical scheme and a quantum-resistant scheme
- Two quantum-resistant schemes
- A classical scheme with quantum key distribution
- A classical asymmetric scheme along with a symmetric scheme
However, adopting a quantum-resistant solution prematurely may be even riskier.
Hybrids come at the cost of increased bandwidth, code management, and interoperability challenges. Cryptographic implementations, in general, can be quite tricky. The threat of a flawed hybrid implementation would potentially be even more dangerous than a quantum computer, as security breaches are more commonly the result of a flawed implementation than an inherently weak cryptosystem. Even a small mistake in configuration or coding may result in a diminishment of some or all of the cryptographic security. There needs to be very careful attention paid to any hybrid cryptographic implementation in order to ensure that it does not make us less secure.
Do you need a hybrid?
Some business models will need to begin migration before standards are in place. So, who needs to consider a hybrid as a mitigation to the quantum threat? Two types of organizations are at high risk, namely, those who:
- need to keep secrets for a very long time, and/or
- lack the ability to change cryptographic infrastructure quickly.
An organization that has sensitive data should be concerned if an adversary could potentially collect that data now in encrypted form and decrypt it later whenever quantum computing capabilities become available. This is a threat facing governments, law firms, pharmaceutical companies, and many others. Also, organizations that rely on firmware or hardware will need significant development time to update and replace dependencies on firmware or hardware. These would include industries working in aerospace, automotive connectivity, data processing, telecommunications, and organizations that use hardware security modules.
The migration to quantum resistance is going to be a challenge. It is vital that corporate leaders plan for this now. Organizations need to start asking the following questions:
- How is your organization dependent on cryptography?
- How long does your data need to be secure?
- How long will it take you to migrate?
- Have you ensured you fully understand the ramifications of migration?
Well-informed planning will be key for a smooth transition to quantum-resistant security. Organizations need to start to conduct experiments now to determine unforeseen impacts. Importantly, organizations are advised to seek expert advice so that their migration doesn’t introduce new vulnerabilities.
As you prepare your organization to secure against future threats from quantum computers, make sure to do the following:
- Identify reliance on cryptography
- Determine risks
- Understand options
- Perform a proof of concept
- Make a plan
Mitigating the Quantum Threat with Hybrid Cryptography offers more insights into how hybrids will help address the threat of quantum computers. Download the full paper today.