Dec 12, 2024|7 min|Technology

The Cohesity post-quantum cryptography strategy

The rapid advancements of quantum computers are causing security teams to ask vendors what they are doing to prepare for the "quantum apocalypse."

With advances in quantum computing in the news seemingly every day, I’m frequently asked, “What is Cohesity’s strategy for dealing with quantum computing?” Governments worldwide are actively preparing, and breakthroughs are reported seemingly every day, so it’s no wonder this is top of mind for many people.

Our strategy has four steps, summed up in four words: monitor, extend, adopt, and wait.

  1. Monitor quantum computing advances.
  2. Extend existing cryptography lifetime.
  3. Adopt post-quantum cryptography.
  4. Wait for quantum cryptography.

Perhaps the biggest question in quantum computing is, “When will quantum computers be able to break the cryptography we use today?” This event is called the “quantum apocalypse”, and it’s difficult to predict. If quantum computers advance at the same rate they have since 2016, we may have roughly 15-20 years. However, any breakthrough could cause this timeline to accelerate massively, putting us closer to 5 years. 

In either case, it’s very tempting to think of this as a problem for our future selves and move on. This time, however, that’s not a wise approach. Malicious actors, particularly nation-states, are engaged in a concerted effort known as “harvest now, decrypt later” (HNDL), and their time horizon extends for decades. 

In response to these trends, National Security Memorandum 10 called for transitioning away from as much quantum-vulnerable cryptography as possible by 2035. NIST has requested comment on plans to deprecate quantum-vulnerable cryptography after 2030—allowing these algorithms to be used only for decrypting data that was previously encrypted with them—and to disallow it entirely after 2035.

To defeat your enemies, first know yourself

To defend against attackers, you first need to understand your data. While it may be obvious that national security data is valuable for 20 years, it might be less obvious that social media data and encrypted texts deserve equal security. Still, one need only look at embarrassed politicians whose previous emails or posts have landed them in trouble years or even decades later to understand their value. A little more obvious are financial and health records. Most people live far longer than 20 years, sometimes over a century. Meanwhile, companies can last for hundreds of years. While much of this data is only valuable for a short period, some of it may become more valuable over time.

Thus, any strategy to prepare for the quantum apocalypse must begin by understanding the data you’re protecting and how far into the future that data will have value to an attacker.

The Cohesity quantum strategy—in detail

Once you’ve thought about the data you’re trying to protect and how long it needs to stay secure, you’re ready to understand Cohesity’s strategy in detail.

#1: Monitor quantum computing advances.

Quantum computers rely on qubits rather than traditional memory and processors. Generally, the larger the encryption key, the more qubits are needed to break it. The current state of the art for quantum computers is ~1200 qubits, and while there are plans for computers with orders of magnitude more qubits, that will take time.

The first question is, “How many qubits does it take to break an encryption key of a given size?” We measure key sizes in the number of bits needed to represent them. Industry-standard RSA and Diffie-Hellman keys are 2048-bit. Cryptographers estimate that roughly 1 million qubits would be needed to break this. The industry is generally migrating to 4096-bit keys, which will take ~1.3 billion qubits.

Since 2016, the largest quantum computers have doubled their qubit count about every 14 months, a quantum equivalent to Moore’s Law. However, this trend has recently slowed as companies developing quantum computers shift their focus to reducing the “noise” in today’s qubits, which comes from qubits unexpectedly flipping from 0 to 1 or vice versa due to cosmic rays, leaking heat, or any number of other quantum effects. Compensating for this noise requires using many qubits for error correction, which is inefficient. If the noise can be reduced, far fewer qubits will be needed to break an encryption key of a given size. Rapid advances in reducing noise could bring the quantum apocalypse closer. Indeed, a quantum computer that needed no error correction would need only one qubit for each bit in the key, so 2048-bit keys could be broken with 2048 qubits, which is only one generational increase in qubits from today’s largest quantum computers. Thus, there is a risk of the quantum apocalypse occurring by 2030, which merits continuous monitoring.
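As an added illustration (not Cohesity's code or tooling), the sketch below turns the figures quoted above into a planning check: it projects when the quoted qubit thresholds would be reached at the 14-month doubling rate, then flags data whose sensitivity outlives that date as exposed to harvest now, decrypt later. The inventory, the `migration_years` default, and the `noise_gain` knob are constructed assumptions.

```python
import math

# Estimates quoted in the article, not measurements.
CURRENT_QUBITS = 1200
DOUBLING_MONTHS = 14
QUBITS_TO_BREAK = {"RSA/DH-2048": 1_000_000, "RSA/DH-4096": 1_300_000_000}


def years_until_break(required_qubits, noise_gain=1.0):
    """Years until the largest machine has required_qubits / noise_gain qubits.

    noise_gain is a hypothetical knob: values above 1 model cleaner qubits
    that need less error correction; 1.0 reproduces the article's figures.
    """
    needed = required_qubits / noise_gain
    if needed <= CURRENT_QUBITS:
        return 0.0
    return math.log2(needed / CURRENT_QUBITS) * DOUBLING_MONTHS / 12


def hndl_exposed(secrecy_years, migration_years, break_years):
    """Traffic is harvestable until migration ends; the last ciphertext
    captured must stay secret for secrecy_years after that point."""
    return migration_years + secrecy_years > break_years


# Constructed inventory: (data set, key exchange in use, years it stays sensitive)
INVENTORY = [
    ("session telemetry", "RSA/DH-2048", 1),
    ("financial records", "RSA/DH-2048", 10),
    ("health records", "RSA/DH-4096", 50),
]


def assess(inventory, migration_years=5, noise_gain=1.0):
    """Map each data set to (projected years to break, exposed to HNDL?)."""
    report = {}
    for name, algo, secrecy in inventory:
        t = years_until_break(QUBITS_TO_BREAK[algo], noise_gain)
        report[name] = (round(t, 1), hndl_exposed(secrecy, migration_years, t))
    return report


if __name__ == "__main__":
    for gain in (1.0, 100.0):  # 100.0: assumed 100x cut in error-correction overhead
        print(f"noise_gain={gain}:", assess(INVENTORY, noise_gain=gain))
```

The projection moves sharply with `noise_gain`, which is why the noise-reduction work described above is the variable to watch rather than raw qubit counts alone.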

#2: Extend existing cryptography lifetime.

When it comes to quantum computers, not all cryptography is created equal. Therefore, it’s possible to extend the useful life of existing encryption, which is desirable because today’s encryption is widely deployed, standardized, and well-studied. For example, some of the math used in RSA and Diffie-Hellman was studied by ancient Greeks and Chinese.

As we’ve noted, quantum computers will break smaller keys before they break larger keys. Thus, Cohesity’s migration to 4096-bit keys is a step to extend the useful lifetime of RSA and Diffie-Hellman.

RSA and Diffie-Hellman, which we’ve discussed, are known as “asymmetric algorithms,” meaning they use different keys for encryption and decryption. AES is an example of a symmetric algorithm that uses the same key for encryption and decryption. Because the mathematics of symmetric algorithms differ from those used for asymmetric algorithms, they are less impacted by quantum computing. Quantum computers are potentially devastating against traditional asymmetric cryptography, hence the moniker quantum-vulnerable cryptography. However, against symmetric algorithms, they can only reduce the effective key strength by half. So, a 256-bit key will have a strength equivalent to 128 bits. While that’s a significant attack, a 128-bit effective strength is still enough to protect against attackers.

Cohesity uses AES 256 in our products to encrypt data at rest, and it is a default for data in motion. This offers the best protection available today.

It is important to note that because of the differences in how they work, symmetric algorithms can generally use shorter keys yet offer strength equivalent to that of much longer asymmetric keys. NIST, for instance, says that a 128-bit AES key is comparable to a 3072-bit RSA key, while fully matching AES 256’s strength requires a 15,360-bit RSA key. In practice, due to the complexity of the computations involved, 4096 bits is the largest commonly used RSA key size.

#3: Adopt post-quantum cryptography.

While we can buy time using today’s cryptography, it’s evident that’s not a permanent solution. Thus, several years ago, NIST set out to standardize algorithms that resist quantum computers. The first of these was standardized this summer. While they work in ways analogous to RSA and Diffie-Hellman, the underlying math is based on problems that are hard for quantum computers.

Now that these are standardized, they will be implemented in cryptographic libraries and certified via programs like FIPS 140-3. This process will allow Cohesity to move to these new algorithms while maintaining compliance with FIPS.

In the world of cryptography, “new” things often get broken by clever PhD candidates in ways that make exciting (at least to cryptographers) dissertations. So, while we want to adopt these algorithms, a hint of caution is advisable for three reasons. First, the math involved is much less well-studied. Indeed, many candidate algorithms failed in NIST’s testing because someone found a way to use a classical computer to break them. Second, we also don’t have quantum computers that can fully test these algorithms. Third, implementing new cryptographic algorithms without introducing vulnerabilities is very hard. It will take time for libraries to implement these algorithms and for those implementations to be battle-hardened.

Nonetheless, it’s evident that the industry needs to begin adopting post-quantum cryptography now to limit the damage of Harvest Now Decrypt Later (HNDL) attacks and complete the transition by 2035. Such transitions can often take more than a decade as organizations update entire technology stacks.

#4: Wait for quantum cryptography.

While post-quantum cryptography is certainly a logical next step, the final part of our strategy is to await quantum cryptography. This is cryptographic nirvana because physics says quantum cryptography is fundamentally unbreakable. The Heisenberg Uncertainty Principle in quantum mechanics says that measuring a thing changes it. This can be exploited such that an attacker who tries to intercept messages protected by quantum cryptography will be unable to read or decrypt the messages. Any attempt to do so will destroy the message and expose the attacker’s presence.

Ultimately, we may find that quantum computing brings both the destruction of many current cryptographic systems and their ultimate replacement.

The quantum apocalypse is coming—the time to prepare is now

The quantum apocalypse will change the face of modern cryptography and data security. Attackers are preparing now, in anticipation of being able to use these remarkable capabilities in the future. It is, therefore, critical that organizations deploy their defensive strategies now. Cohesity’s strategy to monitor, extend, adopt, and wait can be a framework for any organization seeking to weather the coming storm.

Whether you choose to use our framework or another, you should immediately identify a strategy to prepare for quantum computing. You’ll want to ensure it aligns with your time horizons for keeping data secret from HNDL attacks. Unless you have a good reason to do something different, following NIST’s guidelines of fully supporting post-quantum cryptography by 2030 and completing the transition by 2035 is a reasonable timeline. To support this migration, reach out to your vendors and discuss how their post-quantum strategies align with your needs. The quantum apocalypse is coming, and the time to prepare is now.

Written by

Sydney Jackson

Product Manager, Platform Security

Sydney Jackson has nineteen years of information security experience, including cryptography engineering and delivering secure solutions for some of the world’s most security-sensitive organizations. She holds a degree in Computer Science with a focus on Information Assurance from Georgia Tech.
