The promise of quantum computing comes with a major downside: “Cryptographically useful” quantum machines will threaten public key encryption used to secure data in the cloud, a new report warns.
The Cloud Security Alliance also found in a report released last week that companies are aware of the growing security risk associated with quantum computing but have so far done little to prepare. Among the reasons are the usual lack of resources and the perception that few if any security solutions exist.
Only 30 percent of those surveyed by the alliance said they were confident that current security approaches would protect encrypted data while another one-third were unaware of defenses. Forty percent of those polled said they are working to “future-proof” data against the quantum computing threat.
The Seattle-based group expects commercial quantum computers to arrive over the next decade. “With this considerable breakthrough will come a significant threat to the security of public key cryptography and the associated challenges of securing the global digital communications infrastructure,” said Bruno Huttner, co-chair of the alliance’s quantum security working group and product manager for a Swiss-based security firm.
Of particular concern is how cloud and infrastructure vendors will secure personal and financial data over time as quantum technologies hit the market. Some “quantum-safe cryptography” approaches have been proposed.
For example, the National Security Agency has announced plans to revamp its suite of crypto algorithms to include quantum safeguards. Similarly, the National Institute of Standards and Technology is sorting through proposals for quantum-resistant, public-key encryption algorithms.
Meanwhile, security specialists said they were familiar with at least some “quantum-safe” technologies, including longer symmetric keys and expanded cryptographic hash functions. The latter is an algorithm used to produce a checksum for verifying data integrity.
“If we want more protection, we need bigger numbers,” said Duncan Steel, a University of Michigan engineering and computer science professor developing quantum-safe technologies.
“While there is still a tremendous amount of work to be done in convincing the industry of the importance of including the threat of quantum computing in enterprise security strategies, the good news is that there is a great deal of interest in learning more about the threat quantum presents and how it can be mitigated,” added Jane Melia, a quantum working group co-chair and vice president of another security vendor.
Still, the alliance found that many of those surveyed have done little to address security concerns raised by quantum computing. Most said they would not have a plan in place for at least three years, and few are including quantum-safe encryption as a requirement from their suppliers.
“This makes their data vulnerable to harvesting attacks, in which data is downloaded and then stored for later decryption by quantum computers,” the report warned.