Encryption Security for a Post Quantum World

In early May, the White House released its National Security Memorandum (NSM) on Promoting United States Leadership in Quantum Computing While Mitigating Risks to Vulnerable Cryptographic Systems. Regardless of the challenge of understanding quantum computing, or visualizing its deployment, the NSM is sufficiently straightforward. The title itself offers a guide: the United States wishes to maintain leadership in the field—as of 2021, the United States has filed 1,096 quantum computing patents; China 384—but recognizes and seeks to prevent the risk it can pose to encryption security. As noted in the NSM, a sufficiently advanced quantum computer will present a risk to much of the public-key cryptography used in the United States and elsewhere.

To mitigate this risk, in 2016 the National Institute of Standards and Technology (NIST) initiated a process to solicit and standardize one or more quantum-resistant public-key cryptographic algorithms, set to be finalized by 2024. The NIST standard would be followed by the transition to encryption based on this post-quantum cryptography. This process of transitioning from an outdated encryption standard, however, is not new. This post explores the previous transition from one encryption standard to another, and draws lessons for this next step, critical for ensuring encryption security in a post quantum world. First, it is important to understand the foundations of encryption and how quantum computers can potentially pose a risk to its security.

Is all encryption at risk in a post quantum world?
Encryption prevents unauthorized users from reading a message. There are various types of encryption, with two primary ones being the Advanced Encryption Standard (AES) which relies on private-key cryptography (also known as symmetric), and Rivest-Shamir-Adleman (RSA) encryption which relies on public-key cryptography (or asymmetric). The latter uses two different keys to encrypt and decrypt a message, one being public and one kept private. In symmetric cryptography, on the other hand, the same private key is used for encryption and decryption. These encryption methods have never been unbreakable. Instead, secure communications rely on the significant amount of time it takes to solve the advanced mathematical equation cryptography uses to create the keys—traditional computers would need around 300 trillion years to break RSA encryption.

The impact of quantum computing on encryption comes from its projected ability to solve complex math equations—like the ones used in creating the keys for cryptography—at much faster rates than traditional computers. Once these equations are solved, the encryption can be “broken”, and the computer would be able to translate encrypted information into “plaintext,” or decrypted information. Any system using public-key encryption will be vulnerable to an attack by a quantum computer and systems using certain types of AES, such as AES-128, must double their current key length to be remain secure. This would drive the time required to break AES encryption up to 2.29*10^32 years.

Where are we today on quantum computing?
The U.S. government has been funding quantum computing for decades. In 2001, the National Nanotechnology Initiative (NNI)—with a budget of $495 million—already sought to explore applications of quantum computing. In 2018, Congress passed the Quantum Initiative Act, providing $1.2 billion in funding for quantum R&D and establishing the National Quantum Coordination Office in the White House. Innovation is not limited to the United States; Israel, Germany, Japan, Canada, and China all have quantum computing capabilities.

In 2019, Google’s 54-qubit quantum computer gave way to claims of  quantum supremacy—the ability of a quantum computer to complete tasks a traditional computer cannot do in a feasible amount of time. Since this announcement, companies have continued to advance their quantum computing capabilities. It is estimated that a powerful quantum computer, for example a 4,099-qubit one, would only need 10 seconds to break the same RSA encryption that would require 300 trillion years from traditional computers. No quantum computer has reached this level yet. Currently, the largest quantum computer in the world is IBM's 127-bit "Eagle", created in 2021. However, IBM plans to unveil a 433-qubit computer in 2022, marking a significant progress in advancing capabilities.

While technology is still short of the required qubits to swiftly break encryption, quantum computers still pose threats that need to be addressed today. According to the NSM, a quantum computer of sufficient size and sophistication “could jeopardize civilian and military communications, undermine supervisory and control systems for critical infrastructure, and defeat security protocols for most Internet-based financial transactions.” This advance would not only present a security challenge for the sensitive information of tomorrow, but to classified documents of today. Certain information, especially from government agencies, remains sensitive for decades—if actors can record the encrypted version of the data today to be decrypted later by a quantum computer, that poses security risks that need to be prioritized now.

The experience of a previous encryption transition
In 1977, the National Bureau of Standards (NBS) adopted the Data Encryption Standard (DES)—a symmetric algorithm of with a key length of 56 bits. By 1997, researchers were able to crack DES encryption in a little over 22 hours using a machine built by the Electronic Frontier Foundation (EFF). This prompted NIST to make AES the new standard in 2001, with the capability to use keys of length 128, 192, and 256 bits. To support the transition to AES, NIST also allowed triple DES (TDEA), which is using DES encryption three times, to coexist as an approved algorithm. Although originally this coexistence was foreseen to last until 2030, NIST has since updated that guidance to disallow its use past 2023 due to a recently discovered vulnerability.

Moving from encryption standards is a lengthy process, and as seen with TDEA, predicting the lifetime of a secure encryption standard is difficult. The current goal of the U.S. government is to mitigate much of the risk posed to encryption from quantum computers by 2035, a much shorter timeline than the more than 20 years allowed to transition from TDEA to AES. The NSM is a step in the right direction, prompting the heads of all Federal Civilian Executive Branch (FCEB) Agencies to complete an inventory of their systems to discover where specifically they are vulnerable to a quantum computer. Actions to better understand where vulnerabilities lie in these systems will allow the United States to prioritize encryption security now and to mitigate risk in post-quantum world.

Georgia Wood is a program coordinator and research assistant with the Strategic Technologies Program at the Center for Strategic and International Studies in Washington, DC.
The Strategic Technologies Blog is produced by the Strategic Technologies Program at the Center for Strategic and International Studies (CSIS), a private, tax-exempt institution focusing on international public policy issues. Its research is nonpartisan and nonproprietary. CSIS does not take specific policy positions. Accordingly, all views, positions, and conclusions expressed in this publication should be understood to be solely those of the author(s).
Georgia Wood
Program Manager and Research Associate, Strategic Technologies Program