Jul 05 2023
Security

Quantum Cryptography Challenges and Opportunities for Federal Agencies

The White House wants the federal government to be ready to use the technology by 2035.

In 2016, the National Institute of Standards and Technology asked experts to develop quantum-resistant public-key cryptographic algorithms algorithms that could be standardized for use in protecting sensitive government information. Five years later, in July 2022, the top four candidates were announced.

Less than a month after that, however, researchers using only a single-core classical computer were able to break one of NIST’s runners-up (named, ironically, SIKE) in just about an hour.

Transitioning critical infrastructure toward federally approved post-quantum cryptography (PQC) standards remains a challenge for private and public sectors, but proper implementation of these standards will protect data, the government and the country itself from adversaries in a way not seen before, NIST experts say.

“NIST constantly looks to the future to anticipate the needs of U.S. industry and society as a whole, and when they are built, quantum computers powerful enough to break present-day encryption will pose a serious threat to our information systems,” said NIST Director Laurie E. Locascio in a news release.

The federal government is in the process of assessing the potential impact of quantum computing on its operations and infrastructure to prepare for the future of post-quantum cryptography.

Click the banner below to learn about the benefits of hybrid cloud environments.

What Is Quantum Cryptography?

Quantum cryptography leverages the principles of quantum mechanics to create secure communication channels. It encodes information into a quantum system created from collections of tiny particles such as protons and transmits them to create a key that can decrypt the data.

Natasha Eastman, chief of operations for threat hunting at the Cybersecurity Infrastructure and Security Agency (CISA), explains that quantum computers themselves are inherently different than classical computers.

“Classical computers run a series of one and zeros, while quantum computers run zeros and ones all at the same time and ultimately allow the creation of algorithms that process information much, much faster than classical computers,” she says.

Instead of occurring one at a time, calculations can occur at an astronomically higher speed. Quantum computing also provides the means for more complex encryption that is more difficult to decode, because the possible numbers of encryption combinations is nearly infinite.

The mathematical strength of asymmetric cryptography — another name for public-key cryptography, which uses one public key and one private key to encrypt and decrypt data — lies in two areas, Eastman says:

  • There is no one method to solve discrete logarithmic problems
  • There is not one method to factoring large integers to break them down into smaller, prime numbers

Both calculations are necessary to develop an encryption key. But as methods are developed to better process data inherent to quantum computing, some could threaten the current implementations of asymmetric cryptography, as well as some implementations of symmetric cryptography (based on single keys to decode information).

“That threat to the security of modern cryptographic algorithms is really where we’re concerned, how that will change the nature of how we protect information,” Eastman notes. “Obviously, quantum computing also can be a benefit to how we protect information in cybersecurity.”

CISA and other security agencies and experts are concerned about the next 10 to 15 years in the quantum transition, when they expect the development of a cryptographically relevant quantum computer that could threaten even the most modern cryptographic algorithms protected from classic computers.

READ MORE: Learn about the federal government’s programs designed to bolster data encryption.

How Is Post-Quantum Cryptography Different?

Post-quantum cryptography does not require quantum technologies; instead, it is designed to protect against them.

Quantum cryptography harnesses the properties of quantum mechanics to secure and transmit data in a way that cannot be hacked. Quantum cryptography uses photons — individual particles of light — to transmit data over fiber-optic wires.

Photons are an integral part of providing a secure method for key encryption: quantum key distribution (QKD), which uses a shared private key between two connected parties. Data and the key are both transmitted via photons over optical fiber cable.

The key exchange is based on the Heisenberg uncertainty principle, which states that a person can’t calculate both the position and speed of a particle accurately; the more accurate you get on one, the less accurate you get on the other.

In the case of QKD, photons are generated randomly in one of two polarized quantum states, making the measurement of the quantum property of a photon impossible without altering the quantum information itself.

In such a path, the two endpoints of communication can verify the shared private key; it is safe to use if the photons are unchanged. If a malicious actor intercepts or accesses the message to learn the key, the quantum properties of the photons are altered.

If even a single photon change is detected, both legitimate parties understand the message has been compromised and is not safe to be trusted. 

DIVE DEEPER: Find out what the federal government is working on in the field of quantum technology.

How Does Post-Quantum Cryptography Work?

Post-quantum cryptography, also known as quantum-resistant cryptography, goes a step further than quantum cryptography, says Priti Patel, a security consultant at Coalfire.

“The goal is to develop cryptographic systems that are secure against both quantum and classical computers and that have the ability to interoperate with existing communications protocols and networks,” she says.

NIST’s post-quantum cryptographic standard is expected to be finalized in the next year, but the agency already has resources available, including a white paper titled “Getting Ready for Post-Quantum Cryptography” and a draft version of NIST SP 1800-38A, “Migration to Post-Quantum Cryptography.”

“It is imperative to perform risk assessments specific to each agency, department and critical infrastructure operation,” says Jeffrey Wells, partner at Sigma7. “These assessments will involve meticulously evaluating vulnerabilities, potential attacks and risks associated with quantum computing.”

By conducting such assessments, organizations can proactively identify areas of concern and develop targeted mitigation strategies. These should include deploying quantum-resistant algorithms and encryption methods and diversifying cryptographic systems.

“Taking these proactive measures will help safeguard sensitive data, protect communication channels and ensure the continued resilience of operations in the face of potential quantum threats,” Wells says.

Priti Patel, security consultant, Coalfire
The goal is to develop cryptographic systems that are secure against both quantum and classical computers and that have the ability to interoperate with existing communications protocols and networks.

Priti Patel Security Consultant, Coalfire

Should Feds Consider Using Quantum Cryptography?

The next step for federal agencies and the entire government is to figure out the challenges that come with post-quantum cryptography, Patel says.

For instance, replacing an algorithm normally requires changing or replacing cryptographic libraries; implementing various new tools and hardware, dependent operating systems and code; and adhering to certain protocols and procedures, among other issues.

“An important step to begin migrating from the current set of public-key algorithms to post-quantum algorithms includes identifying where and for what purpose public-key algorithms are being used,” Patel says.

The federal government is working to begin implementing post-quantum cryptography, she says. “Is it still a long journey ahead? Yes. However, these publications, roadmaps and guidance, if harnessed properly, will create a stronger future as well as stronger government alignment and implementation of these practices into our daily processes.”

A November 2022 memo from the Office of Management and Budget, “Migrating to Post-Quantum Cryptography,” states that building an inventory is a critical first step. This inventory will include systems that agencies use or that are operated on behalf of that agency, including high-impact information systems and high-value assets.

Next steps include preparing funding assessments that estimate how much migration to post-quantum cryptography could cost. The White House wants federal agencies to transfer to PQC systems by 2035.

“It’s important we start on this migration to post-quantum cryptography now since this is a lengthy process with many inherent challenges,” Patel says. “This must be treated as a priority.”

John D/Getty Images
Close

Learn from Your Peers

What can you glean about security from other IT pros? Check out new CDW research and insight from our experts.