CFOtech Australia - Technology news for CFOs & financial decision-makers
Quantum computers aren't here yet. But the data threat is


Mon, 29th Jun 2026
Donovan Jackson, Interview Editor

Quantum computers might be a way away, but the mathematics that makes quantum computing possible already exists. That's the basic premise behind Certes' assertion that right now is the time to prepare for a post-quantum future where existing cryptographic techniques will be brute forced into irrelevance.

That was the key thrust of a discussion with Paul German, Certes CEO, and Deane Jessep, Spectrum Consulting CISO. When German started out by describing the present day as 'post-quantum', the first question was a request for clarification: post-quantum? Are we even near pre-quantum? After all, while well-known names like Google and IBM (and lesser-known ones like Rigetti Computing and D-Wave Quantum) have these computers on the drawing board, they aren't in production yet.

"What we're doing is post-quantum, because we're anticipating what quantum computing will bring in the near future. So, you're quite right about the complications today with delivering robust quantum computers; however, we know that eventually quantum computers will become available and they will break the current encryption standards, because mathematics tells us that that's what will happen," said German.

Hackers ready for the future

He explained that hackers are preparing for a quantum future by stealing encrypted data now and saving it for a day when quantum computing is available to smash the encryption. He said businesses relying on RSA (Rivest-Shamir-Adleman), TLS (Transport Layer Security), ECC (Elliptic Curve Cryptography) or standard Public Key Infrastructure are already exposing their data; they just think it's safe and secure.

Spectrum Consulting CISO Deane Jessep added that the imminent arrival of quantum computers is recognised by local businesses. "Customers have started the cryptographic inventory process. They're actively thinking about impacts to intellectual property and customer data, academic records, passports and licenses. And, as a platform provider and data processor, we are doing precisely the same thing."

Right now, 'classical' supercomputers can be expected to take millions of years to break an RSA-2048 or ECC-256 key. Expectations are that a quantum computer could do it in hours or even minutes.

Q-day is coming

Echoing a certain event in Normandy, the point at which that happens is widely referred to as 'Q-Day', and when it arrives the foundations of current digital security, including RSA, ECC and TCC, will be compromised.

While the general consensus is that Q-Day will arrive by the early-to-mid 2030s, some analysts anticipate sooner rather than later. German noted the pace of development in AI, which for a considerable time was an unobtainable prize in computing, until it wasn't.

In a very short space of time, AI went from the drawing board to ubiquity, and even further to commodity status, and German and Jessep's point is that there's every likelihood that a key breakthrough will change the trajectory of what's possible overnight, with Q-Day rapidly going from hypothesis to a very brutal reality.

When, and not if, that happens, said German, "Quantum computers could simply crush these well-known public key encryption standards."

All about the data

Certes' post-quantum solution, explained German, uses new algorithms that he said are NIST-certified as quantum safe (they're even called Post Quantum Cryptography, or PQC), and as a result, "We're protecting our customers against the post-quantum threat, today."

Moreover, he said the method matters, with Certes encryption travelling wherever the data goes (including to the private stashes of bad actors). 

"We abstract data security away from infrastructure and applications. When you look at the threat vectors today, one of the biggest challenges is data exfiltration - your data in somebody else's hands. Traditional encryption methods are tied to the infrastructure. We wrap the data so security goes with the data everywhere. If it's on someone else's computer, the cloud, between clouds, it really doesn't matter."

Jessep said Spectrum Consulting is leveraging Certes for this very reason. "As a data processor, technology that allows me to host applications without actually ever seeing any of the data inside them…that's a big advantage."

He added that there is utility in multiple areas, because if the data is protected, everything is protected. For example, "Everyone is struggling at the moment with the increase in patching, with the increase in vulnerabilities discovered by AI. When the data is impenetrable, that's no longer as crucial."

The uncertainty principle

The overall upshot is that in the event of exfiltration, whether today or sometime in the near future, those who have invested in Post-Quantum Cryptography (PQC) developed by the likes of Certes will have nothing to worry about.

Well, not quite nothing, as German readily affirmed.

After all, until a production quantum computer emerges and is put to work on PKI, TCC or even PQC encryption, the full capabilities can't be known.

But in much the same way that quantum physics described the working of a fluorescent tube long before it could be manufactured, the mathematical underpinnings for PQC are likely to hold strong. 

"We know what we're working towards," said German. "And it is likely to come towards us very quickly. If we're not in a state of where we're prepared, then we're absorbing a large and frankly unnecessary amount of risk."

Certes recently commissioned a research paper, 'The risk mitigation imperative'. The paper looks beyond traditional data protection and tackles the issue of limiting exposure and reducing executive liability.
