Prepping For Post-Quantum Cryptography

Scott Best says the challenge is getting quantum-resistant encryption into the field


Encryption today is typically a game of very large numbers. Some of today’s cryptographic systems, like RSA or elliptic-curve cryptography, use keys that are integers hundreds or thousands of bits long. Cracking a key requires breaking down one of these integers into its prime-number factors. Even the mightiest non-quantum computers struggle to perform this calculation in any reasonable timeframe.

That is why quantum hardware can completely rewrite the rules of encryption. Quantum computers have a potential weapon called Shor’s algorithm that can factorize colossal integers in a dramatically accelerated time.

Fortunately for some, quantum computers aren’t yet powerful enough to wield Shor’s algorithm on demand. There is still time to introduce alternative security methods like lattice cryptography that are invulnerable to this kind of quantum cracking. For example, the U.S. National Security Agency (NSA) has laid out a plan to switch the country’s cloud services, network infrastructure, and more to lattice cryptography algorithms developed by the National Institute of Standards and Technology (NIST).

IEEE Spectrum spoke to Scott Best, a senior engineer at chip design company Rambus, on what needs to happen to transition cryptographic protocols to a world where quantum computers are no longer in the future.

Quantum computers aren’t powerful enough just yet. How urgent, then, is it to switch everything to a quantum-resistant protocol like lattice cryptography?


Scott Best: Commercially, it’s not essential right now. That is only because [smartphones and other cloud-touching consumer electronics] don’t have a terrifically long lifetime in the field. They have a lifetime around two to five years, and it’s not expected that any sort of cryptographically relevant quantum computer is going to be available until 2030 or 2033.

Something with 400 logical qubits that can actually complete Shor’s algorithm, which can be used to factor RSA or elliptic curve—that kind of computer is not going to exist for another eight years, let’s say. So, any sort of commercial system that’s being deployed now can be upgraded in that timeframe.

What sort of applications will transition first or are already transitioning?

Best: There’s a lot of interest in saying networking infrastructure absolutely needs to be upgraded as soon as possible.

Defense-facing systems, the stuff that I work on—those don’t have a two-to-five-year timeframe in the field, they have a ten-year timeframe in the field. Those absolutely need to be upgraded now, because they are going to still be in service and in operation in that future where cryptographically relevant quantum computers exist.

Automotive is another leading edge, because cars last long enough that they’re going to cross into that horizon.

And everyone else follows?

Best: It is a very heavy lift. You really do have to update everything that touches the public cloud and update the protocols. Anything that consumes firmware is going to have to be updated in the future.

That sounds like quite a lot of devices.

Best: I describe it as a very heavy lift, and that’s really an understatement. There are billions of devices that connect to the cloud. I think my toaster has firmware upgrades occasionally. It’s everywhere, and every single one of those devices could be potentially compromised in a future where RSA and elliptic-curve can be factored.

The NSA wants this transition done by 2033. How fixed is that date?

Best: They want critical networking infrastructure, I think, to be fully on the way to transitioning by 2025. So, all the major cloud vendors…the NSA is pressing them to get things done right now.

And will people and companies listen?

Best: Domestically [in the US], it is the standard. It is considered, at least in the community of people that I speak with, as the equivalent of when an executive order is published out of the White House. This is critically important to domestic internet infrastructure, municipal fire and safety, and security.

It seems like there’s a plan, then.

Best: We know currently what the solution is, but the upgrading of all of that is what is going to take us an entire generation. It’s going to take a decade to get all of that infrastructure updated to use the new protocol.

What you’re racing against is physics. You’re trying to solve the problem of the decoherence of logical qubits—[today] they’ve got 100 or 120 or 140 functional, logical qubits that could be used. Once that number scales up into the 400s, that’s when a national lab, a state-funded actor could absolutely just start maliciously breaking digital signature and secure socket technology.

So you’re sort of in a race: on one side, just grindstone work of upgrading the entire world’s cloud-based infrastructure; on the other hand, it’s a race against physics.

Ten years is a long time—could quantum-resistant protocols get cracked before then?

Best: Nobody looks at lattice and says, “you know, there’s a gap in the math there.” If there is a shortcut, it’s a math we haven’t invented yet. And that gives a lot of people a lot of confidence that the type of asymmetric cryptography problems that you’re trying to solve with this new cryptography have no obvious shortcuts to them.

The Conversation (1)

Matthew Hendrickson, 17 Apr, 2024

QanPlatform ($QANX) is creating a quantum resistant blockchain due to this threat. They're releasing just in time, in my opinion. Testnet is April 2024 with Mainnet to be released shortly thereafter. All nations and anyone using blockchain technology will need to migrate to QanPlatform, which will be relatively painless, since they can code in any language, and it is EVM compatible!