December 16, 2022 | TCIL Technical Note

Protecting and Securing Data from the Quantum Threat

Executive Summary

Over the next decade, quantum computing will unlock new technological advances and upend the current security landscape. Quantum computers of sufficient size and sophistication could “jeopardize civilian and military communications, undermine supervisory and control systems for critical infrastructure, and defeat security protocols for most Internet-based financial transactions,” the White House cautioned in May.1 “In short,” warned a separate report from the National Counterintelligence and Security Center, “whoever wins the race for quantum computing supremacy could potentially compromise the communications of others.”2

Once a quantum computer becomes sophisticated and large enough to be considered a threat to modern-day encryption, it is called a cryptanalytically relevant quantum computer, or CRQC.3 Some experts expect quantum computing will become a risk to modern-day encryption within three years, although others put the number in the high twenties.4

There are two ways to provide security against the quantum threat. The National Institute of Standards and Technology (NIST) has been taking a “computational infeasibility” approach, which aims to develop encryption of such great complexity that no amount of computing power is realistically sufficient to breach it. To that end, NIST has been researching and testing new algorithms and developing post-quantum encryption standards that should be available by 2024.5 Once they are available, NIST expects it will take another five to fifteen years for organizations to migrate to the new standards.6 Yet if the migration takes that long, many users will become vulnerable to cyber breaches if CRQCs emerge in the next several years.

To help prepare for this risk of ineffective encryption, FDD’s Transformative Cyber Innovation Lab (TCIL) explored an alternative approach that government agencies and private companies can implement more quickly so they are prepared to face the quantum threat.

The alternative TCIL tested is based on the principle of information-theoretic security, which remains effective even when unlimited time and computing power are available to the adversary.7 Working with the data security experts at Cyber Reliant — a company specializing in data security8 — TCIL walked through onboarding an enterprise-wide security strategy we have dubbed augmented improbability of access (AIA), which applies the principles of information-theoretic security to defend against CRQCs.

AIA strategies also mitigate the risk that adversaries will steal encrypted data today and wait to decrypt it until CRQCs are available. AIA strategies prevent the adversary from collecting sufficient components to decrypt stolen data, even if victims are not using post-quantum encryption.

This pilot project’s goal is to better inform organizations how to enhance security and mitigate the diminishing lifespan of current encryption algorithms without having to wait for NIST’s new encryption standards. TCIL’s research concludes that the U.S. government and private entities should pursue AIA solutions.
