Quantum Preparedness and Crypto-Agility

How Organizations and Security Professionals Can Prepare Now for the Quantum Threat

“When?”

When discussing the quantum threat, there’s always the argument about when quantum computing is going to be powerful enough to crack a RSA[28] or larger cryptographic key.

“It’s almost not material to the argument,” says John Prisco.

John is the former President and CEO of Quantum Xchange, headquartered in Bethesda, MD.

Quantum Xchange was founded in 2018 to commercialize quantum-safe cryptography and quantum key distribution (QKD). Their goal is to address the oncoming quantum computer onslaught of cryptography.

We spoke with John to ask:

Why do companies need to prepare for the quantum threat now?
What is currently being done to address the upcoming quantum threat?
What is crypo-agility, and why is it so important?

This conversation has been edited for length and clarity.

How did you get started in the quantum space?

When I was in graduate school, I studied optical physics and nonlinear quantum physicals. I got an early exposure to a lot of the basics of what we are doing now from grad school. The company I ran before Quantum Xchange was a cybersecurity company that I ran for 11 years. I got a very general, but thorough, exposure to the nefarious actors we’re dealing with. We learned how good they are and how hard it is to prevent them from hacking you.

We’ve always known that we’ve needed a defense-in-depth strategy. I’m bringing those same principles to the quantum space. My technical experience, background in quantum optics, and decade of cybersecurity experience has helped me understand how to proceed.

Why do organizations and security professionals need to prepare now for the quantum threat?

Quantum preparedness is something many companies would like to prioritize. A powerful enough computer is going to be able to break all the cryptographic keys that are currently in use.However, the threat is not perceived to be immediate. People postulate that it will be 3-5 years. Some say longer.But it doesn’t matter when they’ll be powerful enough because harvesting attacks are being done today by nefarious actors. Harvesting attacks are when data, that is encrypted, is stolen in transit along with the cryptographic key.While there might not be a quantum computer that can break a very large key today, the nefarious actors are storing this information knowing that someday they will have a quantum computer that can break the key and basically display the data in plain text. Starting on a quantum-safe journey for most corporations should begin now. If you’re using an optical quantum key (QKD) or an electrical random number generated (ORNG) key, you can future-proof any of your data. For example, if I had files that were related to intellectual property I wanted to secure, I could encode them with either electrical or optical quantum keys. Then if someone were to harvest that data along with the keys, the keys would not be useful to them because the mere act of observing a quantum key will change its quantum state and make the key no longer able to unlock the data. That is the prep work companies can do today; to conduct a data inventory and determine what level of security is needed for different types of data. For highly sensitive, mission-critical data, ultra-secure optical keys or quantum random number generator electrical keys may be desired. <h2>Why is being Crypto-Agile so important?</h2> <iframe src="https://www.youtube.com/embed/rWjoWgjdgA0" width="956" height="538" frameborder="0" allowfullscreen="allowfullscreen">

First, we need to understand what’s going on in the world today regarding being quantum safe and quantum ready.

China has a three-pronged approach. They’re building quantum computers, they’re experimenting with post-quantum cryptographic algorithms (PQC), or a mathematics approach to protecting future transmissions of secure data, and deploying QKD.

They’ve built out a several-thousand-kilometer network that can be used to transmit quantum keys. They’ve even bounced quantum keys off satellites so they can go intercontinental.

In the United States, we’re doing only two of those things.

NSA and NIST are working on post-quantum cryptographic algorithms, and many companies are working on quantum computers. Many of them are reaching the point of quantum supremacy where they can solve problems that the world’s fastest conventional computers cannot solve yet. But there hasn’t been investment in quantum keys.

We believe that’s a mistake.

Generally speaking, in the broader area of cybersecurity, you know there’s never one solution that’s going to be a magic bullet that fixes all problems. You ideally want to have several technologies working simultaneously. We’ve done that in the world of cybersecurity: it’s called defense-in-depth.

We’re a proponent of being crypto-agile.

By that we mean there’s currently no standard. NIST is still working on standards. They had 82 algorithms that they’ve whittled down to 26 algorithms that are still viable. They think it’ll be 3-4 years before they come out with a standard.

If you’re a Fortune 500 company, you ask “What should I do? There’s no standard yet. Should I do quantum keys? Should I wait for PQC algorithms?”

Being crypto-agile makes it easy for any company to make a decision.

What we’ve done is make an appliance that contains all the remaining viable PQC algorithms that NIST is evaluating. It’s called Phio Trusted Xchange (Phio TX). Phio TX is also uniquely capable of making traditional keys quantum-safe now and can act as an easy onramp to QKD, when and if needed. So, in essence, Phio TX is a complete key exchange for crypto-agility and quantum readiness because it can support quantum keys in any format — math-based PQC, physics-based QKD or a combination.

We’re able to generate quantum random number generated keys, but we transmit those keys out of band from the data and obscure the relationship between the data and the key.

We’re using any transmission media possible. For example, fiber, wireless, internet, etc.

You name it and we can transfer an electrical quantum key over that medium.

When you start to include these appliances in many locations, it becomes a near mathematical impossibility to actually know which key unlocks which data stream.

Being crypto-agile means you don’t have to make a decision. If you use an appliance like this, you’ve got the physics approach with the optical and electrical quantum keys, and you have the mathematics approach with the quantum algorithms.

Being able to do that makes the decision much easier for an organization that’s wondering how to be quantum-safe now and quantum-ready for the future.

A lot of QKD development has been laboratory focused and is not ready to be commercialized. That’s what we’ve done. We’ve commercialized the hardware by overcoming its previous distance and delivery limitations. You won’t see trying to cool things down to 4 degrees Kelvin. We’ve made the systems operate so they can traverse the Hudson River through the Holland Tunnel — enabling quantum keys to travel unlimited distances.

There are tens of thousands of cars going through that tunnel every day. There are tremendous temperature changes over time and lots of vibrations, but the equipment is operating every day and works perfectly. We believe it’s been battle-tested.

What industries will see the greatest benefits in the near-term?

I think the market is forming now across industries.

In addition to finance and government, we’re also heavily involved with telecommunications providers that are deploying 5G networks for the first time.

Being able to secure that higher bandwidth traffic is very important to those providers.

We’re seeing investments being made from these operations. Not only in buying solutions like the Phio family of products and doing proof of concepts, but also hiring quantum experts. That’s a good sign that companies are taking this seriously and preparing to build a quantum-safe environment.