Preparing for the day quantum computing cracks public-key cryptography: What to do now

Quantum computers could crack public-key encryption in as little as five years. Here's how to prepare for the post-quantum world.

Become An Insider

Sign up now and get FREE access to hundreds of Insider articles, guides, reviews, interviews, blogs, and other premium content. Learn more.

We don’t know when, but it will happen: Quantum computers will become so powerful that all existing public-key cryptography protections will be quickly crackable. According to Dr. Mark Jackson of Cambridge Quantum Computing, it could be as soon as five years from now.

The question is: Will we be prepared for that cryptographic day of reckoning?

When will quantum computing break cryptography?

Lawrence Gasman, president of IQT Research/Inside Quantum Technology, wrote this: “The timing of the quantum threat is not just uncertain because we don't know how fast the technology will develop, but because we don't even know how fast it has developed already. For all we know, there may be 100 Qubit quantum computers in Virginia, Beijing, Moscow or GCHQ that no one talks about and that can break common encryption schemes right now.”

A few scenarios are likely.

A long, orderly transition to a quantum break

The first is a slow, gradual, well publicized and documented plod toward the quantum crypto break. We have a good idea how this would go from the recent proactive move from SHA-1 hashes to SHA-2.

Although Google revealed the first publicly known SHA-1 collision in February 2017, SHA-2 had been recommended to replace the weaker SHA-1 hash algorithm since at least 2011. Successful attacks weakening SHA-1 had been appearing since 2005. Nearly all cryptographic vendors had been trying to move their customers since at least 2015.

This is the way we like our crypto transitions to play out— a decade or more of notice and gradual, public weakenings along the way. That gives vendors and customers years to prepare and change. Even with more than a decade to prepare, there was a last-minute rush for many vendors and customers to get moved over in time. SHA-1 to SHA-2 migrations was a vast majority of work I did for Microsoft and its customers between 2014 and 2017.

In aggregate, it was mostly a smooth transition. To my knowledge, no one’s critical secrets were revealed. No malware was signed by a valid SHA-1 signed certificate due to a SHA-1 flaw. The world moved from SHA-1 to SHA-2 with enough forethought that our cryptographic protections held.

To continue reading this article register now

SUBSCRIBE! Get the best of CSO delivered to your email inbox.