Josue_PostQuantum_2-1

Upgrading Cryptography to a Post-Quantum Secure State

Reading time: 11 min
Share this Share on email Share on twitter Share on linkedin Share on facebook

Cybersecurity and privacy is a lofty task when taking into consideration the attack surface of the entire internet. Not only do organizations need to keep their own assets and data safe, they also need to ensure the most common internet behavior, such as web browsing, communications, and file exchanging, doesn't completely expose companies or employees.

In order to keep these actions and behavior secure, cryptography is used as a significant part of the data privacy infrastructure that’s in place within organizations and world wide web as a whole. As it applies to this discussion, cryptography is the use of mathematical application and mathematically derived algorithms and problems leveraged to secure digital communications.

In plain speak, cryptography is what powers the tools and technology that, for example, has led to the development of HTTPS for web browsing, end to end encryption for messaging and communication, and encrypting passwords even when a hacker successfully exfiltrates company data.

Unfortunately, new developments in quantum computing are forecasting a major disruption in our use of cryptography. To ensure we can rely on cryptography to keep our data secure and out of malicious hackers’ hands, we need to upgrade our cryptography to a post-quantum state.

Here’s what you need to know about cryptography and the efforts to upgrade our current algorithms.

How cryptography is being used today

Cryptography powers a lot of the security across our devices, web traffic, and files — so much so, that it’s hard to recognize that it’s being used on a day to day basis. Here are just some of the use cases.

How cryptography is used today

Web traffic

Over two decades ago, nearly all browsing occurred on HTTP websites which were susceptible to Man in the Middle (MitM) attacks as they didn’t prevent browsing activity from being intercepted by a third-party. This meant a malicious actor could snoop on your browsing activity, potentially revealing organizations’ data and important information.

To combat this and improve security, HTTPS was developed using TLS cryptographic methods, essentially hiding the activity and communication from third-parties. As of August 2022, nearly 80% of websites use HTTPS and in early 2021, Google Chrome started navigating all websites to HTTPS when possible.

Device encryption

If an employees’ work device is stolen, whether it’s a phone or laptop, the organization can, for the most part, rest knowing that the device is locked behind some kind of password or organization.

This is because when a device is locked, it’s encrypted. Even if a malicious hacker has the device, the files are hidden via an encryption protocol. While it may be possible to crack the encryption, it’s often extremely difficult. This is why the FBI needed to resort to a third-party in order to access the files of a locked iPhone. The encryption was too difficult even for the government agency.

Password hashing

Cryptography is also used to encrypt sensitive files and assets so they aren’t easily accessible even if they’re stolen. It’s best practice for organizations to salt and hash data such as passwords, financial information, and social security numbers in order to keep them secure.

This is a cryptographic tool that obfuscates the data via a “hash”, which needs to be solved before the data can be properly accessed. These methods are highly effective and protect the data even when a malicious hacker infiltrates and steals this data. Without this cryptographic tool, any random data leak or accidental exposure could result in even more disastrous consequences.

How quantum computing disrupts today’s cryptography

Quantum computers, which derive their computing power from hardware powered by quantum mechanics, have the potential to transform industries and give us the kind of computing power we’ve never had access to before.

Unfortunately, this same computing power has the problem of completely upending the current cryptographic elements that are in place. If malicious hackers get their hands on quantum computers, they’ll be able to break much of the encryption methods and digital signatures we’re relying on but also lend out their services to other malicious actors, as we’ve seen with the rise of Ransomware as a Service (RaaS).

The security of our current public key encryption and digital signatures methods largely relies on the difficulty of solving mathematical problems such as factorization or finding discrete logarithms. For example, the current parameters that are used in cryptography can be solved using Shor’s algorithm. However, it’s essentially impossible to solve these problems efficiently with classical hardware. Quantum computing changes that, making the impossible to solve, very possible, completely disrupting the cryptography we rely on today.

However, given certain parameters, quantum computers are able to solve these problems in the fraction of the time it takes classical computers. This means hackers will once again be able to intercept our web traffic communications, unlock our phones with minimal effort, and easily discover our passwords and other sensitive files.

We need better encryption methods that are protected against quantum computing.

New research and cryptographic methods are currently being explored

While quantum computing is still 10-20 years away, we need to find new robust cryptographic methods soon in order to set standards and implement them in a way we have them now. In order to develop new cryptographic methods and encryption algorithms, security, mathematical, and encryption researchers need to overcome several challenges. The new cryptographic methods:

  • need to be secured against quantum computing - this presents a new problem compared to classical computing
  • need to be researched and developed via classical computing - this is for both practical and implementation purposes. If a method is developed and derived via quantum computing, it would severely limit the implementation of the new methods.

Fortunately, researchers at Bitdefender have been hard at work trying to develop new post-quantum security foundations of encryption and propose post-quantum cryptographic schemes. They’ve worked in what seems to be the most promising post-quantum solution: lattice-based cryptography. Lattices, which are sets of points with a special structure in space, have always been a tricky area in mathematics and many mathematicians have struggled to develop and find efficient algorithms that will find the shortest nonzero vector in a lattice or the closest lattice vector to a specific point in the space.

Visual representations of a lattice

The hardness of solving these kinds of problems has been part of the foundation behind lattice-based cryptography. Currently, there are no known quantum algorithms available to solve some of these lattice-based problems. This is largely why the cryptography community considers lattices as an ideal candidate for our coming post-quantum world.

Conclusion

This lattice-based cryptography can serve as the system and foundation to build new cryptographic methods and standards and the new research on this kind of cryptography has already made an impact. 

NIST has recently selected four algorithms that will be part of the new post-quantum secure cryptographic standard that will serve as the new infrastructure in a post-quantum computer world. Out of the four selected algorithms, three are built on lattice-based cryptography and the remaining one is based on hash functions. We’re extremely proud of the foundational work and post-quantum schemes recently published by our researchers at Bitdefenders.

Given the developments we all have made so far, we may be able to get ahead of the risk posed by quantum computing and ensure that organizations and their data are kept secure.

Learn more about how quantum computing will change encryption forever.

 

CONTACT AN EXPERT