This blog is part of a 10-part series that dives into the RSAC 2023 Submissions Trends pulled from our record number of Call for Speakers submissions in 2023. In this blog, we focus on quantum.
Planes would fall from the sky. Pacemakers would stop beating. Power outages would be widespread. Yet, for anyone old enough to remember the Y2K hysteria, often referred to as the “millennium bug,” civilization was not destroyed when the clock struck midnight on January 1, 2000.
Over two decades later, a new Y2K has arrived in the form of quantum computing. Because quantum computers could solve in seconds complex problems that would take modern computing technology years, experts believe that quantum computing could potentially break the internet and render all forms of encryption useless. Online security and privacy would evaporate in an instant.
The debate over quantum was alive and well at RSA Conference 2023, starting with the Cryptographers’ Panel. Speakers on the topic seemed to agree that the takeaway from the Cryptographers’ Panel was that quantum is so nascent that we don’t have anything to worry about for at least 50 years. But that didn’t stop discussion about some of the things we can or should be doing now to prepare for the inevitable.
In the session, Preparing for Quantum: A Pragmatic Approach Towards Readiness, Jaya Baloo, CISO of Rapid7, stated, “There is still a concern that even if we don’t have to wait until there is a quantum computer that we still have this ‘capture now, decrypt later’ problem,” referring to the concern that attackers are stealing large amounts of encrypted traffic today with the intention of unlocking it at a later time when the technology exists to do so.
Co-presenter Donna Dodson, Senior Strategic Advisor at evolutionQ, discussed some of the considerations of moving into the quantum world. Dodson noted, “We hear a lot about the advances in technology. We talk about standards, and we hear a lot about the algorithms, but not always do we think about some of the other pieces that need to be in place in order to build that infrastructure.” One of those pieces is the workforce. Quantum computing is creating a new skills gap as the need for physicists and mathematicians grows. The World Economic Forum reports that more than half of quantum computing companies are hiring. And while funding in the field has increased dramatically, talent recruitment is lagging and making progress difficult to measure.
Research in the area of post-quantum cryptography is ongoing. In July 2022, the National Institute of Standards and Technology (NIST) selected four algorithms believed to be the best candidates to withstand quantum attacks from a competition that began in 2016. Adi Shamir, Professor of Computer Science at the Weizmann Institute in Israel, expressed skepticism about some of these post-quantum (PQ) algorithms in the panel session, Migrating to Post-Quantum Schemes. “I’m far from being convinced that the new post-quantum algorithms are going to remain secure forever,” he said. Specifically, he called out lattice-based schemes and why they might become breakable not by quantum but by other, non-quantum methods. His observation is to be taken seriously, as the CRYSTALS-Kyber algorithm, which belongs to the lattice-based family of cryptography, was reported to have been cracked already using AI.
If quantum computing is so far away, how can we prepare for something we still know very little about? Or better yet, should we even be preparing right now at all? Michael Jenkins, Secure Protocols Team Lead at the NSA’s Center for Cyber Security Standards, took on this and other myths in his session, Common Myths about PQ Migration and Standards Busted. While there is disagreement on when a cryptographically relevant quantum computer will come about, government and industry still need to be acting now. Jenkins encouraged attendees to participate in standards bodies and share their experiences and expertise. “You don’t have to be a consumer of this. You don’t have to stand around and wait for this to happen to you. You can get involved.”