In a pre-digital world, documents would be secured and authenticated with a handwritten signature, but this was often prone to forgery and fraud. Modern digital signatures should, hypothetically, make this impossible, as they are secured by mathematical operations that could take trillions of years for even the fastest computers to crack. How is quantum computing changing things?
They are so secure that most major countries consider a digital signature to be just as valid as a written signature. Or they have until now – new generations of quantum computers are being built, and they make it possible to crack the powerful encryption that forms the ‘root of trust’ in digital life.
How do we currently create trust?
Whether you are sending an email or signing a digital contract, you will likely be using a public key infrastructure (PKI). Here, one party signs a piece of information, such as an email, with a mathematically complex ‘private key’ that only they have access to, and the recipient then verifies the signature with a public key that can be shared with anyone. Only a signature created with the valid private key will verify against the corresponding public key.
Private keys, like the keys used in symmetric cryptography, are composed of long strings of zeros and ones (each one a bit). If a key is only two bits long then guessing the correct value is easy, but the greater the number of bits, the harder the key is to crack.
What is the threat posed by quantum computing?
Quantum computers are not constrained by the common-sense laws that govern the computers we have all been using up until this point. Because of quantum superposition, a quantum bit (qubit) can be in more than one state at once, and can thereby test different combinations. With greater numbers of qubits, symmetric and asymmetric cryptography become much easier to break. This means that instead of taking trillions of years, a bad actor with access to a quantum computer could quickly break the asymmetric encryption or digital signatures securing important information.
It might seem perfectly reasonable to receive an email from your employee now, but once quantum computing becomes widespread there will be no way of ensuring the integrity, authenticity, and non-repudiation of any piece of information that is secured with quantum-unsafe cryptography. The possibility that any document that anyone has signed digitally could be brought into dispute could affect billions of people.
How to prepare for a post-quantum future
Forms of security and encryption that can withstand quantum computers have been developed and are already being implemented, and fortunately there is a long way to go until today’s cryptography will be considered insecure. Before then, regulatory and legal changes will have to be made, including possible changes to the law that would require documents to be quantum-secure before being considered legally valid.
Companies should start to look at their own inventory of documents and data, assess how they are secured, and decide whether it is necessary to protect them. Many older and invalidated documents might have no value to cybercriminals and would therefore not need to be secured, whereas others may need protecting forever.
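The inventory-and-decide step described above can be sketched as a small triage routine. This is an added example, not code from the article: the record fields, the sample inventory, the action labels and the 2035 planning horizon are assumptions made for illustration. RSA, DSA, ECDSA and EdDSA are treated as quantum-unsafe, and ML-DSA (FIPS 204) and SLH-DSA (FIPS 205) as quantum-safe.

```python
from dataclasses import dataclass
from typing import Optional

# Signature families that Shor's algorithm breaks on a large quantum computer.
QUANTUM_VULNERABLE = ("rsa", "ecdsa", "dsa", "ed25519", "ed448")
# NIST post-quantum signature standards (FIPS 204 and FIPS 205).
QUANTUM_SAFE = ("ml-dsa", "slh-dsa")
# Assumption: planning year after which quantum-unsafe signatures are not trusted.
HORIZON_YEAR = 2035

@dataclass
class Record:
    name: str
    sig_alg: str                 # e.g. "RSA-2048", "ML-DSA-65"
    valid: bool                  # False = invalidated or superseded document
    needed_until: Optional[int]  # year; None = must stay verifiable forever

def family(sig_alg: str) -> str:
    """Classify a signature algorithm name as safe, vulnerable or unknown."""
    alg = sig_alg.lower()
    if alg.startswith(QUANTUM_SAFE):
        return "safe"
    if alg.startswith(QUANTUM_VULNERABLE):
        return "vulnerable"
    return "unknown"

def triage(rec: Record, horizon: int = HORIZON_YEAR) -> str:
    """Decide what to do with one signed document."""
    if not rec.valid:
        return "no-action"       # invalidated documents have nothing left to protect
    fam = family(rec.sig_alg)
    if fam == "safe":
        return "no-action"
    if fam == "unknown":
        return "review"          # cannot assess it: a human has to look
    if rec.needed_until is None or rec.needed_until >= horizon:
        return "re-sign"         # must outlive the horizon on a quantum-unsafe signature
    return "monitor"             # expires before the horizon; revisit if the horizon moves

# Constructed sample inventory (not real data).
INVENTORY = [
    Record("superseded-supplier-contract", "RSA-1024", False, None),
    Record("employee-email-archive", "RSA-2048", True, 2028),
    Record("land-title-deed", "ECDSA-P256", True, None),
    Record("loan-agreement", "ML-DSA-65", True, 2054),
    Record("legacy-scan-batch", "vendor-proprietary", True, 2040),
]

def report(inventory):
    return {r.name: triage(r) for r in inventory}
```

Moving HORIZON_YEAR earlier or later changes which records fall into "re-sign", so the horizon belongs in configuration rather than in code.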
The time when organizations will need to introduce crypto agility is coming, so it is more necessary than ever to understand it and how to work with it, instead of against it.