Executive Summary
This whitepaper explores the fundamental risks that quantum computing poses to current encryption standards and outlines what organizations should be doing now to prepare for the post-quantum era. As quantum computers continue to advance, the threat to our current cryptographic infrastructure grows more imminent, making quantum readiness a critical priority for organizations of all sizes.
Table of Contents
- Introduction to Quantum Computing
- The Cryptographic Threat Landscape
- Timeline for Quantum Threats
- Vulnerable Systems and Data
- Post-Quantum Cryptography Solutions
- Creating a Quantum Readiness Roadmap
- Recommendations and Next Steps
1. Introduction to Quantum Computing
Quantum computing represents a paradigm shift in computational power. Unlike classical computers that use bits (0s and 1s), quantum computers use quantum bits or “qubits” that can exist in multiple states simultaneously through a property called superposition. This, combined with quantum entanglement, allows quantum computers to solve certain problems exponentially faster than classical computers.
While general-purpose quantum computers are still in development, specialized quantum algorithms already exist that can break many of the cryptographic systems we rely on today. Most notably, Shor’s algorithm can efficiently factor large numbers and compute discrete logarithms, undermining the security of RSA, DSA, ECC, and other public-key cryptosystems that form the backbone of our digital security infrastructure.
2. The Cryptographic Threat Landscape
The quantum threat primarily impacts public-key cryptography, which is used for key exchange and digital signatures. The following cryptographic systems are particularly vulnerable:
| Cryptographic System | Primary Use | Quantum Vulnerability |
|---|---|---|
| RSA | Digital signatures, key exchange | Highly vulnerable to Shor's algorithm |
| ECC (Elliptic Curve Cryptography) | Digital signatures, key exchange | Highly vulnerable to Shor's algorithm |
| DSA (Digital Signature Algorithm) | Digital signatures | Highly vulnerable to Shor's algorithm |
| Diffie-Hellman | Key exchange | Highly vulnerable to Shor's algorithm |
| AES-128 | Symmetric encryption | Moderately vulnerable to Grover's algorithm |
| AES-256 | Symmetric encryption | Minimally vulnerable to Grover's algorithm |
Symmetric encryption algorithms like AES are less vulnerable but not entirely immune. Grover's algorithm roughly halves the effective key length, so AES-128 would offer only about 64 bits of security against a quantum adversary; this makes AES-256 the recommended minimum for long-term security.
3. Timeline for Quantum Threats
Predicting exactly when quantum computers will become powerful enough to break current cryptography is challenging, but most experts agree on the following timeline:
- Continued advancement in quantum hardware, with 100+ qubit systems becoming more stable. Initial "harvest now, decrypt later" attacks targeting high-value data.
- Quantum computers capable of breaking 1024-bit RSA and 160-bit ECC. Organizations without quantum-resistant cryptography will face significant risks.
- Widespread quantum computing capabilities able to break most current public-key cryptography. Post-quantum cryptography becomes the standard.
4. Vulnerable Systems and Data
Organizations should identify systems and data that are particularly vulnerable to quantum threats:
- Long-lived data: Information that must remain confidential for many years (e.g., healthcare records, intellectual property, national security information)
- Infrastructure with long deployment cycles: Systems that are difficult to update and may remain in use for decades (e.g., industrial control systems, satellites)
- Identity and authentication systems: PKI infrastructure, digital certificates, and identity management systems
- Secure communications: VPNs, TLS, and other encrypted communication channels
- Blockchain and cryptocurrency: Systems relying on ECC for transaction signatures
5. Post-Quantum Cryptography Solutions
NIST is currently standardizing several post-quantum cryptographic algorithms designed to resist quantum attacks. These include:
- Lattice-based cryptography: CRYSTALS-Kyber (key encapsulation) and CRYSTALS-Dilithium (digital signatures)
- Hash-based signatures: SPHINCS+
- Code-based cryptography: Classic McEliece
- Multivariate cryptography: Rainbow (for specific applications)
Organizations should begin planning for the integration of these algorithms into their security infrastructure.
6. Creating a Quantum Readiness Roadmap
A comprehensive quantum readiness roadmap should include the following steps:
- Inventory cryptographic assets: Identify all systems using cryptography and catalog the algorithms in use
- Assess data lifespan requirements: Determine how long your data needs to remain secure
- Prioritize systems for migration: Focus first on systems with long-lived data and difficult update cycles
- Implement crypto-agility: Design systems to easily transition between cryptographic algorithms
- Test post-quantum algorithms: Begin testing NIST-approved algorithms in non-production environments
- Develop a migration strategy: Create a phased approach for transitioning to quantum-resistant cryptography
- Train staff: Ensure your team understands quantum threats and post-quantum solutions
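The first three roadmap steps (inventory, data lifespan, prioritization) and the vulnerability classes from the table in section 2 can be turned into a simple triage script. The following is an added example written for this whitepaper, not a tool it describes; the inventory records, the risk ranking and the ten-year planning horizon (`quantum_horizon_years`) are constructed assumptions that an organization would replace with its own figures.

```python
from dataclasses import dataclass

# Vulnerability classes taken from the whitepaper's table (section 2). Anything
# not listed is reported as "unknown" so it gets reviewed rather than assumed safe.
SHOR_VULNERABLE = {"RSA", "ECC", "ECDSA", "ECDH", "DSA", "DH"}
POST_QUANTUM = {"CRYSTALS-KYBER", "CRYSTALS-DILITHIUM", "SPHINCS+", "CLASSIC-MCELIECE"}
SYMMETRIC = {"AES"}

@dataclass
class Asset:
    name: str
    algorithm: str        # e.g. "RSA", "AES"
    key_bits: int
    lifetime_years: int   # years the data must stay secret, or the deployed system trusted
    migration_years: int  # estimated time to migrate; hard-to-update systems score high

def quantum_risk(asset: Asset) -> str:
    """Map an asset to the whitepaper's vulnerability classes."""
    alg = asset.algorithm.upper()
    if alg in POST_QUANTUM:
        return "post-quantum"
    if alg in SHOR_VULNERABLE:
        return "high"  # Shor's algorithm breaks these at any practical key size
    if alg in SYMMETRIC:
        # Grover halves the effective key length: AES-128 -> ~64 bits, AES-256 -> ~128 bits
        return "minimal" if asset.key_bits // 2 >= 128 else "moderate"
    return "unknown"

def exposure_window_exceeded(asset: Asset, quantum_horizon_years: int) -> bool:
    """True when the asset must stay secure beyond the assumed arrival of a
    cryptographically relevant quantum computer, counting the time needed to
    migrate. quantum_horizon_years is a planning assumption, not a prediction."""
    if quantum_risk(asset) in ("post-quantum", "minimal"):
        return False
    return asset.lifetime_years + asset.migration_years > quantum_horizon_years

def prioritize(assets, quantum_horizon_years=10):
    """Order assets for migration: exposed first, then by risk class, then by
    longest migration (roadmap step 3: long-lived data, difficult update cycles)."""
    rank = {"high": 0, "moderate": 1, "unknown": 2, "minimal": 3, "post-quantum": 4}
    return [a.name for a in sorted(
        assets, key=lambda a: (not exposure_window_exceeded(a, quantum_horizon_years),
                               rank[quantum_risk(a)], -a.migration_years))]

# Constructed sample inventory (roadmap step 1); values are illustrative only.
INVENTORY = [
    Asset("patient-records-db", "AES", 128, 30, 2),
    Asset("web-tls-cert", "ECC", 256, 1, 1),
    Asset("scada-firmware-signing", "RSA", 2048, 15, 8),
    Asset("backup-archive", "AES", 256, 30, 3),
    Asset("pilot-kem", "CRYSTALS-Kyber", 768, 5, 1),
]
```

Running `prioritize(INVENTORY)` puts the long-lived signing system and the AES-128 patient database ahead of the short-lived TLS certificate even though the certificate is "highly vulnerable", which is exactly the ordering the roadmap asks for.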
7. Recommendations and Next Steps
Based on our analysis, we recommend the following immediate actions:
Immediate Actions (Next 12 Months)
- Complete a cryptographic inventory assessment
- Identify high-risk systems and data
- Implement crypto-agility in new systems
- Begin education and awareness programs
- Establish a quantum readiness team
Medium-term Actions (1-3 Years)
- Test hybrid cryptographic implementations
- Begin migrating high-priority systems
- Update security policies and standards
- Engage with vendors about their quantum readiness plans
Long-term Actions (3+ Years)
- Complete migration to post-quantum algorithms
- Decommission quantum-vulnerable systems
- Continuously monitor for new quantum threats
Conclusion
The quantum threat to cryptography is real and approaching rapidly. Organizations that begin preparing now will be well-positioned to maintain security in the post-quantum era. Those that delay may find themselves scrambling to update critical systems under pressure, potentially exposing sensitive data to quantum-enabled adversaries.