When large-scale quantum computers arrive, the asymmetric cryptography we rely on today, such as RSA and elliptic-curve schemes, will be broken.

While the National Institute of Standards and Technology (NIST) is working toward standardizing cryptographic algorithms believed to resist attack by quantum computers, IBM said it will start offering “quantum-safe” cryptographic services on its public cloud in 2020, starting with TLS (still widely called SSL) to protect data in motion. The company is also contributing the algorithms behind the services to open source projects such as Open Quantum Safe for use in common technologies like OpenSSL and OpenSSH.

Additionally, IBM is prototyping quantum-safe encryption in tape drives: you may not be using the same hard drives by the time quantum computing becomes a reality, but tape archives may well still be around. The ongoing reading and rewriting of data as part of tape maintenance may also make the migration to quantum-safe encryption relatively straightforward, since data can be re-encrypted under the new algorithms as it is refreshed.

To help enterprises understand which data they need to prioritize protecting, IBM is applying its usual consulting business model, with “quantum risk assessments.”

“Right now, all the cryptography that's being used, on the internet and everywhere else, is based on some mathematical problems that will be broken – we just need a powerful enough computer,” Vadim Lyubashevsky, a cryptographer who’s been working on this problem at IBM Research for 15 years, explained to Data Center Knowledge.

A classical computer will never be powerful enough to break today’s public-key algorithms at their current key sizes, but a sufficiently large quantum computer running Shor’s algorithm could break RSA or elliptic-curve keys in days or hours. “If we believe that such computers will be built in the next, say, ten to thirty years, it’s important to move away from the cryptography being used now.” And even though we don’t have quantum computers today, he warned, “somebody could be harvesting the data now and decrypt it later.”

For symmetric encryption algorithms like AES, where the same key is used to encrypt and decrypt data, you’ll need to roughly double the key size to keep the same level of protection, because Grover’s algorithm halves the effective key length (a 128-bit key offers about 64 bits of security against a quantum attacker); hashing algorithms will likewise need larger output sizes. For asymmetric encryption that uses public-private key pairs, you’ll need to switch to quantum-safe algorithms outright, but that will be simplified by common tools and platforms adopting the post-quantum algorithms that NIST is standardizing.

## From Math Problems to Algorithms

Quantum-safe cryptography research has been going on for 20 years, but as the development of quantum computing has accelerated, NIST has begun a standardization process, which should be complete by 2022-2024. NIST is evaluating 26 of the nearly 70 proposals submitted. (Many of the submissions are variations of the same approaches.)

To create a quantum-safe cryptography algorithm, “we need some basic mathematical problems that we think a quantum computer can't break,” Lyubashevsky explained. The IBM team’s schemes are built on hard problems in high-dimensional lattices. Others are based on problems like solving systems of multivariate quadratic equations or decoding random linear codes. Lattice-based schemes have smaller keys and run faster than those alternatives (in fact, they’re faster and simpler than the public-key schemes in use today), but NIST is planning to pick several algorithms as part of the standard “in case a problem that we think is hard [for quantum computers] isn’t.”

There might also be trade-offs between different algorithms, like speed or key size. “If I'm going to be transmitting 3GB files, I don’t care if the cryptography adds a second or a millisecond, because that’s not the bottleneck, but in other situations, I might gravitate to faster algorithms.”

IBM isn’t jumping the gun by starting before the NIST standard is final, he said. It’s starting now because integration will take time. “You can’t wait until the standards exist and then adopt them immediately, because there’s a lot of preparation required. You have to make sure that your network is ready for these different types of algorithms, because they have slightly larger keys, and the speeds may be different.”

Getting ready for quantum-safe cryptography is a two-stage process: first, make sure your systems use modular cryptography (often called cryptographic agility), so that new algorithms can be plugged in without rewriting the code around them, and then adopt the new algorithms once they’re standardized.

There are already forks of projects like OpenSSH, OpenSSL, and OpenVPN, such as those from the Open Quantum Safe project, that use open source quantum-safe algorithms to test whether the switch to the new primitives will work in practice. “Usually, nothing goes wrong, but maybe 1 percent of the time somebody hard-coded the key length into something and that breaks, so you have to do a lot of tests and quality control to make sure that nothing like that has happened.”
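The two steps above, modular cryptography first and new algorithms second, come down to a few concrete habits in code: every key share carries an algorithm identifier and its own length, parsers validate both before trusting the bytes, and a hybrid construction combines the classical and post-quantum secrets so the session is no weaker than the stronger of the two. The following Python is an added example written for this page, not IBM’s or the Open Quantum Safe project’s code. The algorithm identifiers are assumed for illustration (they are not a real protocol registry); the key sizes are those of X25519 (32 bytes) and the Kyber-768 parameter set (1184-byte public key, 1088-byte ciphertext); the “keys” are random stand-in bytes constructed in the example, not real key material. The `legacy_decode_key_share` function is the hard-coded-key-length mistake the quote describes, included to show how it fails: it does not reject the larger key, it silently truncates it.

```python
"""Crypto-agile key-share encoding, a hybrid secret combiner, and the brittle
hard-coded-length parser that interop testing has to catch.
Added example for this article; not IBM's or Open Quantum Safe's code."""
import hashlib
import hmac
import os
import struct

# Assumed identifiers for illustration only; not a real protocol registry.
# Sizes: X25519 public key 32 bytes; Kyber-768 public key 1184 bytes,
# ciphertext 1088 bytes.
ALGORITHMS = {
    0x001D: {"name": "x25519", "pk_len": 32, "ct_len": 32},
    0x0768: {"name": "kyber768", "pk_len": 1184, "ct_len": 1088},
}
NAME_TO_ID = {v["name"]: k for k, v in ALGORITHMS.items()}
HEADER = struct.Struct("!HH")  # algorithm id, then payload length, big-endian


def encode_key_share(alg_name, public_key):
    """Self-describing key share: id || length || key, so the receiver never
    has to guess which algorithm is in use or how large the key is."""
    alg_id = NAME_TO_ID[alg_name]
    expected = ALGORITHMS[alg_id]["pk_len"]
    if len(public_key) != expected:
        raise ValueError(f"{alg_name}: key must be {expected} bytes")
    return HEADER.pack(alg_id, len(public_key)) + public_key


def decode_key_share(blob):
    """Agile parser: checks the id, the declared length against the registry,
    and the total size before handing any bytes back to the caller."""
    if len(blob) < HEADER.size:
        raise ValueError("truncated header")
    alg_id, length = HEADER.unpack(blob[:HEADER.size])
    alg = ALGORITHMS.get(alg_id)
    if alg is None:
        raise ValueError(f"unknown algorithm id {alg_id:#06x}")
    if length != alg["pk_len"] or len(blob) != HEADER.size + length:
        raise ValueError(f"{alg['name']}: bad key share length")
    return alg["name"], blob[HEADER.size:]


LEGACY_KEY_LEN = 32  # baked in when a 32-byte curve key was the only option


def legacy_decode_key_share(blob):
    """Pre-agility parser (the bug under discussion): it reads the header but
    ignores the length field and slices a fixed 32 bytes. A 1184-byte Kyber
    key is silently truncated instead of rejected."""
    alg_id, _ignored_length = HEADER.unpack(blob[:HEADER.size])
    return ALGORITHMS[alg_id]["name"], blob[HEADER.size:HEADER.size + LEGACY_KEY_LEN]


def rejects(blob):
    """True if the agile parser refuses the blob; used by the checks below."""
    try:
        decode_key_share(blob)
        return False
    except ValueError:
        return True


def hkdf_sha256(salt, ikm, info, length=32):
    """HKDF (RFC 5869) extract-then-expand over SHA-256, standard library only."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def combine_shared_secrets(classical_ss, pq_ss, transcript):
    """Hybrid combiner: an attacker must break both components to recover the
    session key, and feeding the encoded key shares in as the transcript binds
    the negotiated algorithms, so a downgrade changes the derived key."""
    return hkdf_sha256(b"", classical_ss + pq_ss, b"hybrid-kex|" + transcript)


def demo():
    """Run both parsers over the same Kyber-sized share (random stand-in bytes,
    constructed here; not a real key) and derive a hybrid session key."""
    pq_pk = os.urandom(ALGORITHMS[NAME_TO_ID["kyber768"]]["pk_len"])
    ec_pk = os.urandom(ALGORITHMS[NAME_TO_ID["x25519"]]["pk_len"])
    pq_share = encode_key_share("kyber768", pq_pk)
    ec_share = encode_key_share("x25519", ec_pk)
    _, agile_key = decode_key_share(pq_share)
    _, legacy_key = legacy_decode_key_share(pq_share)
    # Stand-in shared secrets; a real exchange would get these from X25519 and
    # the Kyber decapsulation respectively.
    session_key = combine_shared_secrets(os.urandom(32), os.urandom(32), ec_share + pq_share)
    return {
        "agile_intact": agile_key == pq_pk,      # True
        "legacy_truncated_to": len(legacy_key),  # 32: the key was cut, not refused
        "session_key_len": len(session_key),     # 32
    }


if __name__ == "__main__":
    print(demo())
```

The point of the legacy parser is that it does not fail loudly: the truncated key would only surface as a failed decapsulation somewhere downstream, which is why the article stresses interop testing rather than code review alone. Binding the transcript into the key derivation is the agility counterpart on the cryptographic side: once more than one algorithm is negotiable, the chosen algorithm has to be authenticated too.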

Further work will still need to be done across the ecosystem; Kubernetes, for instance, uses Go’s own TLS implementation rather than OpenSSL, so it would need its own quantum-safe support before it could interoperate with a quantum-safe-enabled OpenSSL client. Lyubashevsky estimated that if quantum computing at scale were imminent, all the necessary work could be finished in under a year, but until that happens the urgency isn’t there.

Adding quantum-safe cryptography to an HSM might be more complicated, because the implementation would also need protection against side-channel attacks such as power analysis. At the other extreme, IBM’s prototype quantum-safe tape drive is simpler, because it’s a self-contained environment. “It’s easy to upgrade the cryptography here before standards, because the tape drive isn’t talking to anything except the reader, and we’re controlling both cryptographic parts of that.”

## Plan for Long-Term Data

Encrypted tapes rely on asymmetric cryptography to exchange keys between the tape drive and the key manager, to authenticate the two to each other, to wrap the keys stored on the tape, and to verify tape-drive firmware. The IBM Quantum-Safe Tape Drive uses the Kyber key encapsulation mechanism to transport keys between the tape drive and the key manager and the Dilithium digital signature scheme for authentication and firmware verification, with the data itself encrypted using symmetric AES-256. Kyber and Dilithium are the lattice-based quantum-safe schemes that IBM’s researchers co-submitted to NIST.

It’s probably not urgent to quantum-safe encrypt your hard drives today, Lyubashevsky said. But if the data on them will still be confidential or valuable in thirty years, he suggested making sure that your drive disposal policy ensures the data can’t be recovered and decrypted in the future.

“Right now, what people should be doing is figuring out what data … will have some value in ten to thirty years, and which data is only going to be around for a few years. If some things really do need to be secure in 10 to 30 years, and you are afraid that they're being harvested, then you really need quantum security now.”

You might not need to go quantum-safe for five years, or for thirty, depending on how quickly stable qubits that can power quantum computing at scale are developed. Breaking elliptic curve cryptography will take on the order of 1,000 qubits, but that figure refers to logical qubits. “Those are perfect qubits that are almost like logic gates: you know exactly what's going to come out and nothing goes wrong. But physical qubits, they have errors, sometimes they disappear.” To get those 1,000 logical qubits, you need on the order of 50,000 to 100,000 physical qubits. “And right now we’re at 50,” he noted.

But knowing what data needs to be protected and making sure your systems use modular cryptography and are ready to switch to those protocols will protect you better against today’s attacks as well. “There are still people using 1024-bit keys for RSA, because they have a system that’s hard-coded for it.” That’s no longer considered secure. “If we can get them ready for quantum-safe cryptography, even if they’re not using it, at least they can use secure RSA!”