Security in a Post-Quantum World: How Can Leaders Prepare Their Organization?
Ana Tavares Lattibeaudiere, Executive Director, GlobalPlatform
Ana Tavares Lattibeaudiere discusses approaches for Post-Quantum Cryptography (PQC) in this article for The Mobile Century.
Every day as I read the news, I keep an eye open for stories about quantum computing. As the Executive Director of an organization dedicated to developing, deploying, and managing trusted digital services and devices, I take data security very seriously.
However, like many of my fellow executive leaders, I recognize how difficult it can be to prepare for vague and ill-defined threats that seem to exist on the far-off horizon. Around the world, governments and big corporations are spending billions of dollars to unlock the power of quantum computing, to accelerate advancements in science and industry and develop new cryptographic tools that can withstand quantum threats. Warnings about the dangers of Harvest Now, Decrypt Later (HNDL) attacks, where bad actors steal encrypted data with the intention of decrypting it down the road, pop up regularly, highlighting the need to take action. Since it’s only a matter of time before quantum computers can break today’s gold standard for cryptographic security, organizations must start moving toward Post Quantum Cryptography (PQC) now.
Yet without a clear-cut understanding of the threat and potentially limited resources to tackle the problem, how are leaders supposed to prepare their organizations?
What is quantum computing?
The first step in preparing for quantum computing is to understand what it is and how it can impact security at your organization.
Quantum computing is a type of computation that relies on the phenomena of quantum mechanics, such as superposition, interference, and entanglement. These phenomena allow quantum computers to perform computations that are exponentially faster and more powerful than supercomputers.
Chances are extremely high that the security tools used by your organization rely on public-key cryptographic algorithms, such as RSA¹ and Elliptic Curve, to encrypt your data and protect your digital assets. These algorithms let us encrypt data easily while remaining secure, because it would take the computers commercially available today years to break them. Quantum computing, on the other hand, has the potential to crack current cryptography quickly, putting digital societies and economies at serious risk. No one knows exactly when quantum computers will be reliable enough to break current cryptographic systems, but some experts believe it could be as soon as 2030.²
The role of crypto agility in preparing for quantum computing
To prepare for quantum computers, cryptographic researchers have already begun searching for quantum-resistant cryptographic algorithms upon which to base new encryption methods. This research, known as Post Quantum Cryptography (PQC), has yielded some promising results. For instance, the U.S. National Institute of Standards and Technology (NIST) announced the names of the candidate algorithms chosen to advance to the fourth round of the PQC standardization process. This process, which began in 2016, has identified possible alternatives to the current asymmetric algorithms that form the basis for today’s public-key encryption.
Cryptologists will continue to test and refine these candidate algorithms for possible standardization. Once these algorithms have been approved for standardization, organizations can begin using them as the basis of their PQC security strategy. According to NIST, the full transition to quantum-resistant cryptography may take as long as 15 years.³
However, since these algorithms have not yet been standardized—and because cryptologists agree that it can take decades to identify vulnerabilities in an algorithm—it’s important for organizations to develop a phased approach to PQC and to develop a security strategy that enables crypto agility.⁴
Crypto agility enables organizations to switch the cryptography underlying their security framework quickly and with minimal disruption to their operations, much like replacing a lightbulb in your house without having to rewire the whole structure. They can do so because the cryptographic protocols they’ve put in place were developed at a sufficiently high level so that it’s possible to switch the underlying cryptography when a quantum threat becomes effective.
Crypto agility is absolutely essential for future-proofing the encryption models that protect our data and communication systems. But it is also absolutely essential for any organization that takes data security and protection seriously, since crypto agility enables organizations to deal with threats based on current classical computing.
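The lightbulb analogy and the phased approach above, expressed as code. This is an added example, not GlobalPlatform's own code: the algorithm is named inside each envelope, a registry maps that name to an implementation, and a Policy object records which algorithm is produced now and which older ones are still accepted while peers migrate. The HMAC constructions, the numeric algorithm ids and the sample keys are constructed stand-ins for the signature schemes a real migration would swap; the swapping mechanism is what the example demonstrates.

```python
import hashlib
import hmac
import struct

# Registry: algorithm id -> (name, keyed tag function). Adding a new primitive
# is a one-line change here and nowhere else. The HMAC constructions are
# constructed stand-ins for the signature schemes a real migration would swap.
REGISTRY = {
    1: ("hmac-sha1", lambda k, m: hmac.new(k, m, hashlib.sha1).digest()),
    2: ("hmac-sha256", lambda k, m: hmac.new(k, m, hashlib.sha256).digest()),
    3: ("hmac-sha3-256", lambda k, m: hmac.new(k, m, hashlib.sha3_256).digest()),
}

class Policy:
    """Phased migration state: `sign_with` is produced now, `accept` is what
    verifiers still trust (old algorithms linger while peers migrate), and
    anything else is retired and refused before any cryptography runs."""

    def __init__(self, sign_with, accept):
        if sign_with not in accept or not set(accept) <= set(REGISTRY):
            raise ValueError("policy references an unknown algorithm")
        self.sign_with, self.accept = sign_with, frozenset(accept)

    def advance(self, new_alg):
        """Phase 1 of a switch: emit the new algorithm, keep accepting the old.
        Phase 2 is a later Policy with the old id dropped from `accept`."""
        return Policy(new_alg, self.accept | {new_alg})

def seal(policy, keys, msg):
    """Envelope = 2-byte big-endian algorithm id || tag. Keys are held per
    algorithm (keys[alg]): a new algorithm always means new key material."""
    _, tag = REGISTRY[policy.sign_with]
    return struct.pack(">H", policy.sign_with) + tag(keys[policy.sign_with], msg)

def open_(policy, keys, msg, envelope):
    """Return the name of the algorithm that authenticated `msg`, or raise.
    The policy check runs first, so a retired algorithm is refused even when
    its tag would still verify; callers never name an algorithm themselves."""
    if len(envelope) < 2:
        raise ValueError("envelope too short")
    (alg,) = struct.unpack(">H", envelope[:2])
    if alg not in policy.accept:
        raise ValueError(f"algorithm {alg} not accepted by current policy")
    name, tag = REGISTRY[alg]
    if not hmac.compare_digest(tag(keys[alg], msg), envelope[2:]):
        raise ValueError("authentication failed")
    return name
```

Swapping the algorithm is then a new Policy (and new keys), not a code change at any caller of `seal` or `open_`.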
Case study: the automotive industry
Developing a crypto agile strategy to support the migration to PQC should be a key priority for all connected industries. The automotive industry offers valuable lessons about how to think about quantum threats and how to take action.
Since vehicles in development today will almost certainly be impacted by quantum computing attacks, automotive industry leaders recognize that decisions to protect tomorrow’s consumers must be made now. Additionally, vehicles already on the road are at risk since they have a long lifecycle.
GlobalPlatform’s Automotive Task Force⁵ is working with key industry stakeholders to define use cases and requirements where GlobalPlatform technologies can help deliver cost-effective, secure services across a vehicle’s lifetime. The group is bringing players from across the automotive industry together to collaborate on the development of a winning post-quantum crypto migration strategy for automotive. This includes using PQC to protect the data that vehicles store and use to communicate from quantum threats.
Concrete actions to prepare for nebulous threats
As leaders in device security standardization, GlobalPlatform is at the forefront of anticipating changing security requirements and enabling organizations to prepare for the post-quantum era. Our Security Task Force⁶ (STF) provides regular recommendations on cryptographic algorithms and key lengths by maintaining a classification table, based on the recommendations of several national agencies – including NIST and SOG-IS – that is continuously updated as new threats are anticipated.
GlobalPlatform has also defined a number of specifications and certification schemes – using cryptographic algorithms – for different use cases related to the management of standardized Secure Elements and Trusted Execution Environments in digital devices. These specifications provide a specific ‘secure channel’ that is proven to protect against quantum computer threats. This is achieved by creating a baseline for crypto agility in the form of clear security frameworks. These help device manufacturers protect their products and associated content across a range of use cases, from payments to smart homes/cities, government and enterprise ID.
Moving forward with confidence
As cryptography trends and technologies evolve, all organizational leaders in both the private and public sectors must seek sound guidance about which approach to take for each phase of their organization’s PQC migration. They must continue to develop cybersecurity protocols that ensure cryptographic agility and be aware of new developments in the field of quantum-resistant cryptographic research. Security certification is another key consideration. There is already much discussion around proper governance for quantum computing, and as 2030 approaches we can expect requirements to emerge for products to demonstrate adequate protection against quantum-based attacks.
This might seem like a tall order, especially for busy executives with limited knowledge of cybersecurity and with an organization to run. This is why GlobalPlatform is bringing together security experts from across industries in a global collaborative initiative to address the challenge which faces us all. We welcome the participation of all who wish to work with us on enhancing the security of their industry.
¹ The RSA algorithm (Rivest-Shamir-Adleman) is a suite of cryptographic algorithms that is widely used to secure sensitive data, particularly when it is being sent over an insecure network.
² https://www.mckinsey.com/featured-insights/themes/how-quantum-computing-could-change-the-world
³ https://csrc.nist.gov/publications/detail/white-paper/2021/04/28/getting-ready-for-post-quantum-cryptography/final
⁴ https://globalplatform.org/crypto-agility-the-cryptographic-key-to-data-security-in-a-digital-world/