Building quantum into your cyber security strategy

Rebecca Lee, Manager, Cyber Advisory, PwC United Kingdom. 25 February, 2021

Any organisation that implements and protects its data and critical processes by using cryptographic controls should be aware of the quantum threat. The term quantum is starting to move into many organisations’ cyber security strategies as an emerging technology that needs consideration, but what really is the quantum threat? And how should it play into your strategy?

What is the quantum threat?

The quantum threat refers to a situation where many of the cryptographic primitives and controls used across organisations today become redundant. There have been two quantum algorithms discovered in the last 30 years that add weight to this theory: Shor’s and Grover’s.

If a powerful quantum computer were built to run these two algorithms, it would be able to run exhaustive key searches much quicker than the computers of today and brute force the private key of some public/private key pairs.

However, there are clearly caveats to this threat and its likelihood. Namely, society needs to actually build a Large Quantum Computer (LQC) big enough to run quantum algorithms like these. The quantum computers that have been built so far are too small to pose this threat. However, in 2016 NIST estimated that an LQC would be built by 2030 for the price of one billion dollars [1]. While this price tag may put this technology outside the reach of the average criminal, history suggests that it will become quickly commoditised, either through a network of super nodes where criminals can outsource their key retrieval tasks or through continued innovation that puts quantum computers into the pockets of the average person.

Secondly, the LQCs built would need to be able to implement algorithms such as Shor’s or Grover’s to actually realise this threat. This can be assumed to be a firm objective for many of the organisations building these machines. However, no one can say with certainty when in the evolutionary cycle this will be achieved.

Finally, it needs to be assumed that an organisation’s business processes are reliant on cryptographic controls to function, something that is relevant for many organisations but not critical in all.

The difference between symmetric and asymmetric cryptography

The quantum threat to both symmetric and asymmetric cryptography is that a secret key is brute forced by a quantum computer. However, the way a quantum computer achieves this differs between the two.

The attack on a symmetric key is the same as that performed by the computers of today, in that the quantum computer will search and try every key option. However, Grover’s algorithm showed that quantum computers will do this much quicker. Therefore, one way to counter this threat is to increase the time a quantum computer needs to search, so that data can remain secure as long as necessary. For this, a quantum-safe solution already exists and has a standard (the AES block-cipher with 256-bit keys) that organisations can move to.

In terms of protection, AES-256 will likely provide the same protection against a quantum computer as AES-128 does against a traditional computer. This is because AES-256 has $2^{256}$ different key options and Grover’s algorithm gives a quantum computer a quadratic speedup [1]. Therefore, the quantum computer will try every key in the square root of the time it would take a classical computer to, showing that the protection offered is $2^{256/2} = 2^{128}$.

However, it is not yet clear if it will ever be possible to implement Grover’s algorithm [1]. Therefore, moving symmetric cryptography to the AES-256 standard should offer adequate protection against any feasible current or future attacks [2].

For an asymmetric key pair, it has been shown that a general-purpose quantum computer (known as a Cryptographically Relevant Quantum Computer or CRQC [3]) will be able to solve the mathematics that link the public and private key in current asymmetric schemes. As yet no quantum-safe mathematical replacement has been standardised, but this is a huge area of research, especially for NIST which started the process to standardise quantum-safe algorithms in 2016. It estimates the first round of quantum-safe candidates will be published by 2022 [4].

It is believed that a CRQC will be able to solve the mathematics used to define the public/private key relationship because of algorithms like Shor’s. Shor’s algorithm showed that two of the mathematical problems widely used in today’s public/private key relationships (the factoring of integers and discrete logarithm problems) can be easily solved by a quantum computer. Therefore, the long-term goal of quantum-safe asymmetric cryptography research is to find a mathematical problem too hard for even a quantum computer to solve, on which the relationship between the public and private key can be constructed. Many candidate quantum-safe algorithms based on new mathematical problems have been put forward in the last few years. However, so far it is believed unlikely that one single ubiquitous quantum-safe public key algorithm will be found [3]. Therefore, once organisations like NIST provide updated standards, the National Cyber Security Centre (NCSC) has stated it will recommend specific algorithms for representative use cases [3].

What is my quantum risk?

To quantify the risk of the quantum threat, organisations should begin by looking at its likelihood and potential impact. This includes three important questions:

  1. Which of my critical business processes are currently protected using cryptographic primitives that could be broken?
  2. How long does my most critical data need to remain secret?
  3. Do I know the full inventory of my current cryptographic estate?

The final question of the three should be the highest priority. This may seem like a trivial exercise, but experience shows that keeping inventories and process maps updated and accurate is something that many organisations struggle with.

However, understanding your exposure is fundamental to building the correct response. In particular, organisations should seek to discover:

  • Which standards and protocols are used across their estate and whether the symmetric standards in use are considered ‘quantum-safe’,
  • Who is accountable and responsible for the maintenance and upgrade of the hardware or software that implements them, and finally and most crucially
  • Which business-critical processes rely on them.

Equipped with these answers, an organisation will be well-placed to build out its response and create a more quantum-safe architecture.
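As an added illustration (not part of the original article), the discovery questions above and the Grover calculation from the symmetric-key discussion can be combined into a first-pass triage of a cryptographic inventory. The asset names, owners, field names and the 128-bit target are assumptions made for this sketch.

```python
from dataclasses import dataclass

# Public-key families built on integer factoring or discrete logarithms,
# the two problems the article says Shor's algorithm solves.
SHOR_FAMILIES = {"RSA", "DH", "DSA", "ECDH", "ECDSA"}

@dataclass
class Asset:
    process: str        # business-critical process that relies on the control
    owner: str          # accountable team; empty string if nobody is recorded
    algorithm: str
    key_bits: int
    secrecy_years: int  # how long the protected data must remain secret

def grover_bits(key_bits: int) -> int:
    """Quadratic speedup: 2^n keys are searched in about 2^(n/2) steps."""
    return key_bits // 2

def assess(asset: Asset, target_bits: int = 128) -> dict:
    """Classify one asset; target_bits is an assumed threshold for this sketch."""
    alg = asset.algorithm.upper()
    if alg in SHOR_FAMILIES:
        # Exposed to Shor's algorithm; the Grover calculation does not apply.
        exposure, bits = "asymmetric-shor", None
    elif alg == "AES":
        bits = grover_bits(asset.key_bits)
        exposure = "quantum-safe" if bits >= target_bits else "symmetric-too-short"
    else:
        exposure, bits = "manual-review", None  # algorithm not covered here
    return {"process": asset.process, "exposure": exposure,
            "quantum_bits": bits, "owner_known": bool(asset.owner),
            "secrecy_years": asset.secrecy_years}

def prioritise(inventory: list) -> list:
    """Exposed items only, longest secrecy requirement first."""
    findings = [assess(a) for a in inventory]
    exposed = [f for f in findings if f["exposure"] != "quantum-safe"]
    return sorted(exposed, key=lambda f: f["secrecy_years"], reverse=True)

# Constructed sample inventory (hypothetical processes and owners).
INVENTORY = [
    Asset("payments API (TLS certificates)", "platform", "RSA", 2048, 10),
    Asset("database backups", "", "AES", 128, 7),
    Asset("document archive", "records", "AES", 256, 25),
    Asset("legacy VPN", "network", "Blowfish", 128, 3),
]

if __name__ == "__main__":
    for f in prioritise(INVENTORY):
        flag = "" if f["owner_known"] else "  [no accountable owner]"
        print(f'{f["secrecy_years"]:>3}y  {f["exposure"]:<20} {f["process"]}{flag}')
```

Entries with no recorded owner or an unrecognised algorithm are surfaced rather than dropped, since those are the gaps the discovery work is meant to close.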

It is worth noting the NCSC currently recommends that organisations wait for the development of standardised quantum-safe solutions and do not adopt early non-standardised products [3]. This could mean that many organisations will face a transitory period of migration to new standards and protocols. However, all organisations still need to perform the first step, which is to understand their current reliance on cryptographic controls and perform discovery work on their cryptographic estate.

What should I add to my cyber strategy?

Quantum computers (along with other emerging technologies) should be drivers within your cyber strategy. This will allow you to build a strategy that includes activities that assess and define your exposure to quantum threats and work towards treating the perceived risk.

This includes developing an inventory of your current cryptographic controls and their role in the processes of your business. Practically, across the three pillars of people, process and technology this means:

Taking this considered approach and engaging in discovery work across your cryptographic estate will help quantify your organisation's exposure to any future quantum threats. Cyber strategies should look to invest in discovery activities that build an effective response to the realisation of the quantum threat.

[1] NISTIR 8105, Report on Post-Quantum Cryptography, April 2016.
[2] NCSC whitepaper, Quantum-safe Cryptography.
[3] NCSC whitepaper, Preparing for Quantum-Safe Cryptography, November 2020.
