Cybersecurity and cryptography in the post-quantum world

Bloomberg Government regularly publishes insights, opinions and best practices from our community of senior leaders and decision makers. This column is written by Marc Van Allen and Umer Chaudhry, who both work in Jenner & Block’s DC Office. 

A quantum computer can solve certain computational problems in fewer steps than a classical computer.  While this efficiency presents opportunities in areas such as machine learning and data analytics, it also poses certain risks in cryptography and cybersecurity.  As Dr. Daniel Amihud Lidar of the University of Southern California notes: “[t]he irony of quantum computing is that if you can imagine someone building a quantum computer that can break encryption in a few decades into the future, then you need to be worried right now.”

The U.S. government is currently researching solutions to potential challenges posed by quantum computers.  For organizations that operate classified or unclassified national security systems (NSS), and companies that build products used in NSS, the National Security Agency (NSA) recommends moving to a more quantum-resistant Commercial National Security Algorithm Suite. As quantum computers approach market-readiness, cryptography and cybersecurity professionals in all industries should be assessing their security frameworks and the potential of post quantum-resistant encryption techniques to protect their digital communications.

Impact of Quantum Computers on Encryption

Much of today’s digital world relies on public key cryptography to ensure secure communication and transactions between parties.  While hackers can steal private information by impersonating authorized users, “phishing,” or installing malicious software on computer networks, traditional computers are unable to crack standard forms of encryption.  Anticipating the power of quantum computers, the American Innovation and Competitiveness Act of 2017  requires the Director of the National Institute of Standards and Technology (NIST) to “develop cryptography standards and guidelines for future cybersecurity needs, including quantum-resistant cryptography.”

A recent NIST report confirms the risk to public key cryptography posed by quantum computing.  NIST found that current encryption methods such as the Diffie-Hellman key exchange, Rivest-Shamir-Adleman (RSA) cryptosystem, and the elliptic curve cryptosystem, are vulnerable to quantum computers.  Current encryption methods depend on classical computers’ inability to factor large numbers in a reasonable time.  However, decades ago, Peter Shor of Bell Labs demonstrated that theoretically a quantum computer could find the prime factors of an integer much faster than a classical computer.  As quantum computers mature and increase in the size of “qubits,” the threat to current encryption protocols becomes more imminent.

Export Control

For national security, it is important for the U.S. government to regulate the export of high performance computers, encryption technology, and quantum cryptography.  U.S. companies working in this area must ensure compliance with the government’s Export Administration Regulations (EAR).  Necessary licenses must be obtained to export and even transfer encryption and cryptography technology between a U.S. company and its foreign subsidiary.

Post-Quantum Cryptography and Public-Private Collaboration

Research in post-quantum cryptography is underway in the international community.  Substantial progress is being made in Europe through the European Union (EU) projects PQCrypto and SAFEcrypto, and in Japan via the CREST Crypto-Match project.  In the U.S., NIST has established the Post-Quantum Crypto Project and is gathering comments from experts to standardize “one or more quantum-resistant public-key cryptographic algorithms.”  More recently, President Trump’s executive order on cybersecurity directs the Secretaries of Homeland Security and Commerce to “jointly lead an open and transparent process [] to improve the resilience of the internet and communication ecosystem.”  As a result, NIST has reissued its draft Cybersecurity Framework, seeking comments from industry by June 30, 2017.

The U.S. government will likely be amongst the largest buyers of quantum computers.  Therefore, companies with substantial investments in quantum computing such as GoogleIBM, and Microsoft should consider working with the U.S. government to develop standards and guidance regarding risks and challenges presented by quantum computers.  Such interaction may also help educate government stakeholders on the benefits of leveraging quantum computers to solve important problems through data analytics, machine learning, and artificial intelligence.

VA kills RFPs for digital centers