Quantum Computing Will Make Your Current Encryption Worthless

Public key encryption that protects your web browsing, VPN traffic, hard disk data and data backups will become crackable as quantum computers improve.

Experts are uncertain how long that will take. It could be five years. It could be twenty. Five would be catastrophic. The world isn't ready for the algorithms underpinning secure communication and hard disk encryption to become worthless.

Several years ago, the US National Institute of Standards and Technology (NIST) launched a competition to find quantum-resistant replacements. In 2022, CRYSTALS-Kyber was picked as the winner, alongside several other algorithms relating to digital signatures/verification (CRYSTALS-Dilithium, Falcon and Sphincs+). NIST started work selecting alternative candidates in case problems later arise with any of the winners.

In 2024, NIST is expected to finish its work creating standards for the implementation of these quantum-resistant algorithms and global standards bodies are likely to give that work their stamp of approval. Technology vendors will then begin updating their default encryption algorithms - kicking off the retirement of AES, an earlier NIST competition winner.

We got a sign of why this matters when the heads of the FBI and MI5 gave an unusual joint speech about attempted intellectual property theft by the Chinese government.

China is willing to take "asymmetrical steps" to overtake the west - including stealing intellectual property through hacking, reverse engineering, bribery and forced technology transfers, among other methods.

But it won't just be nation states abusing quantum computing for hacking. Quantum-Computing-as-a-Service already exists (see AWS Braket). Similar services could in time make it feasible for ransomware gangs to decrypt AES-encrypted backups and hard drives.

Why go to such trouble? Because there's a lot of valuable information currently encrypted with non-quantum-resistant algorithms. For example, in 2022, cloud-based password manager LastPass had a copy of its user password vaults stolen. Anyone cracking those AES-encrypted vaults with quantum-computers would have access to every password of millions of users, providing front-door keys to thousands of organisation's IT systems. Bear in mind this is a hack we know about. There will be other hacks we don't know about, where the stolen data is being kept ready for the day when quantum computers can unencrypt it.

What can do you do protect your organisation? Use strong encryption for now, then switch to quantum-resistant algorithms when they become available for general use. Talk to us about encrypting your backups and encrypting the disks used for your cloud hosting. 

Another thing you can do is make use of Zero Trust Network Access. That makes your network security more granular, so abusing stolen user credentials becomes more difficult.

Quantum computing will be wonderful - supercharging drug discovery, weather forecasting and AI. But it's going to have a major negative impact on security - forcing the early retirement of trusted AES.

We know our partners Fortinet and Veeam will be keen to retain their industry leadership. Part of the way they'll do that will be implementing quantum-resistant algorithms, once they've been properly standardised. So, if you use our corporate VPN service or our data backup service, chances are you won't have to do anything to upgrade to quantum-resistant encryption.