US government agency on Tuesday named four technologies it expects will keep computer data secret when . It's a key step in securing computers against the potentially revolutionary new technology.
Scientists showed all the way back in 1994 that quantum computers could break mainstream encryption technology if the progress in quantum computers could be sustained long enough. Since 2016, the US Commerce Department's National Institute of Standards and Technology has overseen a hunt to design and test post-quantum cryptography tech to protect that data.
Of the four technologies that the national institute picked, two are expected to be more widely used.
One, called Crystals-Kyber, is for establishing digital keys that two computers need to share encrypted data. The other, Crystals-Dilithium, is for signing encrypted data to establish who sent the data. It'll likely take two years for the approaches to be standardized enough for incorporation into today's software and hardware.
Quantum computers have been steadily progressing, but it will likely still take years of work to create machines that are reliable and powerful enough to crack encryption. Regardless, shoring up encryption now is an urgent issue. It takes years to find new encryption methods, ensure they're safe and install them widely. And government agencies and hackers can harvest today's sensitive information with the expectation they'll be able to crack it later when the data will still be valuable.
"We believe 10 to 15 years is a commonly held viewpoint on the time scales for attack," said Duncan Jones, head of cybersecurity for quantum computer hardware and software maker Quantinuum. "But with the possibility of 'hack now, decrypt later,' the attacks may have already begun."
Although quantum computers remain immature today, a host of startups and tech giants like Google, IBM, Microsoft, Amazon and Intel are pouring research dollars into development and making steady if incremental progress. Experts expect quantum computers to augment the ability of classical machines with new specialist abilities in tasks like finding new materials and medicines from the molecular level and optimizing manufacturing.
Ordinary folks probably need not worry too much right now about the threat of quantum computers later decrypting their data, said 451 Group analyst James Sanders.
"What's the value of your sensitive information 1, 5, 10, 20, or more years down the road? For companies or government, this is more of a pressing concern, but for everyday people, things like credit card numbers are rotated frequently enough that this risk isn't severe enough to care," he said.
Quantum computers also could undermine cryptocurrencies, which also use today's cryptography technology.
The National Institute of Standards and Technology picked four technologies for standardization in part because it wants a diverse set for different situations and because a wider variety helps protect against any future weaknesses that are discovered. To protect against some of those possible weaknesses, many experts recommend hybrid encryption that uses both conventional and post-quantum methods.
"Ideally, several algorithms will emerge as good choices," NIST post-quantum encryption leader Dustin Moody said in a March presentation. It's evaluating some other candidates right now.
NIST has been gradually narrowing the list of post-quantum candidates for years, consolidating some with similar approaches and rejecting others with problems. One technology for digital signatures called Rainbow made it to the third round before an IBM researcher figured out this year it could be cracked in a "weekend on a laptop."
Slower performance of post-quantum cryptography
One hurdle for post-quantum cryptography is that it's not as fast in some situations.
"Quantum-safe digital signatures will incur a slightly higher cost," adds IBM cryptography researcher Vadim Lyubashevsky.
Google sees a slowdown in the range of 1% to 3%, said Nelly Porter, a quantum technology expert at the company. That may not sound like a lot, but it is for a company with as much network traffic as Google, which is why it'll require hardware acceleration to use post-quantum encryption. Google has extensively tested different post-quantum technology to try to spotlight problems like worse communication latency.
"At our scale you would not be able to turn it on by default for everything," Porter said.
NXP is developing an accelerator chip to speed things up using the technologies that NIST has begun standardizing and expects to ship them when the standards themselves are finished by 2024. Hardware acceleration will be required in particular for devices with limited processing power and memory, said Joppe Bos, NXP's senior principal cryptographer.
Embracing post-quantum encryption
Although NIST is only now naming its first standards, several companies already have begun developing, using and offering post-quantum encryption in products:
IBM's latest z16 mainframes support both Crystals-Kyber and Crystals-Dilithium, technologies IBM itself helped develop.
Google has tested several post-quantum encryption technologies and expects to adopt them to protect internal and external network traffic. Its tests revealed some incompatibilities that business partners have addressed, it said Wednesday.
The NATO Cyber Security Centre has begun testing post-quantum encryption technology from a British company called, fittingly, Post-Quantum.
Amazon Web Services, an enormously widely used foundation for many other companies' computing needs, offers Kyber encryption technology support.
Infineon offers a chip used to protect devices from firmware updates otherwise vulnerable to quantum computers that could sneak malware onto devices.