While industry analysts predict quantum computing will be enterprise-ready at-scale in 10 to 15 years, Accenture believes the tipping point will happen much sooner—by 2025. That’s why Accenture Labs and the Cybersecurity R&D team are working today to explore its impacts, including the impact on our current cryptographic models.
Our new research report, “Cryptography in a Post-Quantum World,” outlines how quantum will provide the processing power to break the existing public key cryptographic paradigm, and what companies can do today to prepare for the post-quantum world.
The public key cryptographic method has protected data for decades, as conventional computers can’t efficiently perform the calculations needed to break it. But quantum computers will be able to solve the mathematical problems underlying the algorithms that currently protect data extremely efficiently. This has deep security implications for companies in every industry, potentially exposing data to threat actors globally—and all at once.
This aspect of quantum computing threatens companies’ ability to ensure the confidentiality, integrity and authentication of all business transaction systems, business-to-business (B2B) and business-to-consumer (B2C) processes and digital services delivered via the Internet or cloud, or as-a-service on hosted platforms.
In light of this, NIST and other organizations have been working to improve current cryptography standards by identifying new quantum-safe algorithms, defining implementation strategies and gaining broad consensus on the approach. NIST expects to announce a viable proven algorithm between 2022 and 2024. But businesses also need to take matters into their own hands.
It will be a massive effort to review, de-risk and upgrade all existing cryptographic schemes across all infrastructure, systems, applications and third parties/vendors. Plus, it will take at least two to four years to implement the new NIST algorithm once released.
Given the rapid approach of enterprise-ready quantum computers, Accenture urges the C-suite and security executives to act now:
- Assess the scope of the issue and understand the organization’s cryptography requirements by mid-2019
- Develop mitigation strategies—evaluate new quantum-resistant methods by the end of 2020
- Plan and implement migration and evolve to quantum-proof methods by the end of 2025
Our report lays out a two-phase transition process. It explores current- and next-generation technologies to prepare for this disruption and mitigate quantum computing attacks.
Phase one, in the near term, covers the pros and cons of transitioning to lattice-based cryptography and hash-based cryptography—both of which provide a measure of quantum cryptanalysis resistance.
- Lattice-based cryptography can be used for most current cryptographic services, like encryption, message signing and hashing. Research has shown it resists one of the key techniques used in the relevant quantum algorithm for breaking public key encryption. Until proven otherwise, lattice-based cryptography remains a safe alternative to current methods. However, some lattice-based encryption implementations do not scale as effectively as systems currently in place.
- Hash-based cryptography is primarily focused on digital signatures. These signatures verify that a particular document or message originated from the supposed sender. However, additional cryptographic methods would be necessary in order to encrypt or decrypt the contents of messages.
Phase two, in the longer term, covers using quantum mechanics to transform the quality of cryptography at large, including through quantum key distribution and quantum random number generation.
- Quantum key distribution (QKD) is a new advanced method for secure key exchange. Through QKD, parties will be able to distribute shared secret keys directly, without the possibility of undetected eavesdropping or tampering. Based on the properties of quantum mechanics, any attempts to disrupt or observe the communication will leave physical traces—fingerprints of the tampering attempt.
- Quantum random number generation (QRNG) provides not only a high bit rate, but also a physically and provably secure source of randomness, grounded in quantum mechanics. This also makes QRNG very attractive for the actual generation of keys and seed numbers at large.
Quantum computing presents substantial security challenges to companies in every industry, but also offers powerful new cryptographic solutions. To be ready for both, businesses must take action today.