In previous articles in this series, we have discussed the threat quantum computing poses to classical cryptography and the difficulty of predicting when a cryptographically relevant quantum computer will arrive. In this article, we will discuss how to determine when it is necessary to start transitioning to quantum-safe algorithms. The answer will be different for every organization, and indeed for every system that uses encryption, so we will discuss how to come up with an appropriate transition plan for your organization. For many organizations, the time to start working on transitioning to quantum-safe algorithms is now, for the reasons outlined below.
The best-known equation for helping determine when to start transitioning to quantum-safe algorithms is the Mosca equation. Introduced by Michele Mosca, it describes how long before a cryptographically relevant quantum computer arrives the transition must start in order for data to remain protected. The Mosca equation is:
D + T ≥ Qc
The variables are as follows:
When the inequality is true, the data is vulnerable to being decrypted by a quantum computer before its protection lifetime expires.
Determining the values of these variables for a particular organization or system can be tricky. As discussed in the second article in this series, it is very difficult right now predict when a cryptographically relevant quantum computer will arrive. Over the next few years, more information will become available, leading to more accurate forecasts, but for now, it is necessary to make an informed guess. Also, to guarantee that information remains safe, it is necessary for the guess to be conservative; otherwise, information will be at risk if the guess proves to be too optimistic. Right now, the consensus is that it is possible that such a computer may be around in as little as seven to 10 years, if progress continues to be made at a steady rate.
If we use this value for Qc, there is an obvious problem: the data protection lifetime (D) for many critical systems already exceeds that value. For those systems, the data that is being encrypted today is already at risk of being decrypted in the future. It is important to identify and prioritize these systems to address the potential threat. In the next article, we will discuss techniques that are available today to protect these systems.
To determine the appropriate data protection lifetime, it is important to understand where all the data your organization relies upon resides, how it is being protected, and the consequences of unauthorized disclosure. Such a data inventory is an important part of data protection practices even in the absence of a threat from quantum computing, so it is a useful exercise to undergo. Some data is relatively transient and unimportant and may only need to remain secret for a year or two. Other data may have a desired protection lifetime that exceeds a century. For example, if a child is born with a sensitive health condition, it is desirable for HIPAA and other privacy reasons that that information be kept secret by healthcare providers for the child’s entire lifetime. Determining the sensitivity of all the information your organization handles helps security teams make intelligent decisions about the protection profile for the data, including the timeline for protecting it from the threat from quantum computing.
The amount of time required to transition systems to post-quantum cryptography (T) is also often longer than people expect. For example, SHA-1 has been obsolete for 15 years but is still used today. The original Data Encryption Standard (DES) was published in 1975 and only uses 56-bit keys but is still being used in a few locations within financial systems. Large, complex systems with high availability requirements are simply very hard to upgrade, especially when the software being upgraded is buried deep in essential systems, or hard-wired into hardware, as cryptographic functions generally are.
Remember that the time T includes all activities related to the transition. This includes any time spent planning and organizing the transition, getting the necessary approvals and budget, testing the transition plan to determine whether it will work, conducting pilot projects and deploying all the updates globally. And this has to be repeated for each usage of cryptography within the organization. Getting started with the planning and discovery phase now is essential to determine the overall impact of the coming transition.
Another key point is the importance of cryptographic agility, or reducing the time necessary to replace cryptographic algorithms within critical systems. Cryptographic agility reduces the value of T, providing additional breathing room to plan and execute the transition. Systems that cannot easily be upgraded need to be enhanced to allow for cryptographic transitions. It is especially important to pay close attention to the transition phase, where systems that have already been upgraded will need to interoperate with systems that haven’t.
Plugging reasonable values into the Mosca equation shows that for many organizations and systems, the time to begin working on the transition to quantum-safe algorithms is now. Recommended first steps are:
Waiting until the last minute to start planning the transition to quantum-safe algorithms unnecessarily puts your organization’s data at risk. Taking these steps will help get your organization ready for the coming transition. In the next article, we will discuss technical measures organizations can take today to protect their data from quantum computers, and the tools DigiCert will be making available to allow organizations to experiment with and test post-quantum cryptography, including incorporating it into their software systems.