December 16, 2022 | TCIL Technical Note

Protecting and Securing Data from the Quantum Threat

December 16, 2022 | TCIL Technical Note

Protecting and Securing Data from the Quantum Threat

Executive Summary

Over the next decade, quantum computing will unlock new technological advances and upend the current security landscape. Quantum computers of sufficient size and sophistication could “jeopardize civilian and military communications, undermine supervisory and control systems for critical infrastructure, and defeat security protocols for most Internet-based financial transactions,” the White House cautioned in May.1 “In short,” warned a separate report from the National Counterintelligence and Security Center, “whoever wins the race for quantum computing supremacy could potentially compromise the communications of others.”2

Once a quantum computer becomes sophisticated and large enough to be considered a threat to modern-day encryption, it is called a cryptanalytically relevant quantum computer, or CRQC.3 Some experts expect quantum computing will become a risk to modern-day encryption within three years, although others put the number in the high twenties.4

There are two ways to provide security against the quantum threat. The National Institute of Standards and Technology (NIST) has been taking a “computational infeasibility” approach, which aims to develop encryption of such great complexity that no amount of computing power is realistically sufficient to breach it. To that end, NIST has been researching and testing new algorithms and developing post-quantum encryption standards that should be available by 2024.5 Once they are available, NIST expects it will take another five to fifteen years for organizations to migrate to the new standards.6 Yet if the migration takes that long, many users will become vulnerable to cyber breaches if CRQCs emerge in the next several years.

To help prepare for this risk of ineffective encryption, FDD’s Transformative Cyber Innovation Lab (TCIL) explored an alternative approach that government agencies and private companies can implement more quickly so they are prepared to face the quantum threat.

The alternative TCIL tested is based on the principle of information-theoretic security, which remains effective even when unlimited time and computing power are available to the adversary.7 Working with the data security experts at Cyber Reliant — a company specializing in data security8 — TCIL walked through onboarding an enterprise-wide security strategy we have dubbed augmented improbability of access (AIA), which applies the principles of information-theoretic security to defend against CRQCs.

AIA strategies also mitigate the risk that adversaries will steal encrypted data today and wait to decrypt it until CRQCs are available. AIA strategies prevent the adversary from collecting sufficient components to decrypt stolen data, even if victims are not using post-quantum encryption.

This pilot project’s goal is to better inform organizations how to enhance security and mitigate the diminishing lifespan of current encryption algorithms without having to wait for NIST’s new encryption standards. TCIL’s research findings conclude that the U.S. government and private entities should pursue AIA solutions.

Download Technical Note

Download
Protecting and Securing Data from the Quantum Threat
  1. The White House, Briefing Room, “National Security Memorandum on Promoting United States Leadership in Quantum Computing While Mitigating Risks to Vulnerable Cryptographic Systems,” May 4, 2022. (https://www.whitehouse.gov/briefing-room/statements-releases/2022/05/04/national-security-memorandum-on-promoting-united-states-leadership-in-quantum-computing-while-mitigating-risks-to-vulnerable-cryptographic-systems/)
  2. National Counterintelligence and Security Center, Office of the Director of National Intelligence, “Protecting Critical and Emerging U.S. Technologies from Foreign Threats,” October 2021, page 5. (https://www.dni.gov/files/NCSC/documents/SafeguardingOurFuture/FINAL_NCSC_Emerging%20Technologies_Factsheet_10_22_2021.pdf)
  3. The White House, Briefing Room, “National Security Memorandum on Promoting United States Leadership in Quantum Computing While Mitigating Risks to Vulnerable Cryptographic Systems,” May 4, 2022. (https://www.whitehouse.gov/briefing-room/statements-releases/2022/05/04/national-security-memorandum-on-promoting-united-states-leadership-in-quantum-computing-while-mitigating-risks-to-vulnerable-cryptographic-systems/)
  4. Michele Mosca and Marco Piani, “Quantum Threat Timeline Report 2020,” Global Risk Institute, January 2021, page 30. (https://globalriskinstitute.org/publications/quantum-threat-timeline-report-2020/)
  5. “Computer Security Resource Center: Post-Quantum Cryptography PQC,” National Institute of Standards and Technology, accessed November 28, 2022. (https://csrc.nist.gov/Projects/post-quantum-cryptography/workshops-and-timeline)
  6. William Barker, William Polk, and Murugiah Souppaya, “Getting Ready for Post-Quantum Cryptography: Exploring Challenges Associated with Adopting and Using Post-Quantum Cryptographic Algorithms,” National Institute of Standards and Technology, Computer Security Resource Center, April 28, 2021, page 2. (https://tsapps.nist.gov/publication/get_pdf.cfm?pub_id=932330)
  7. Ueli Maurer, “Information-Theoretic Cryptography,” Department of Computer Science, Swiss Federal Institute of Technology, August 1999. (https://crypto.ethz.ch/publications/files/Maurer99.pdf); For additional research on information-theoretic security, visit https://crypto.ethz.ch/~maurer/publications.html
  8. “Cyber Reliant,” Cyber Reliant, accessed November 28, 2022. (https://www.cyberreliant.com)

Issues:

Cyber