Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


10:00 AM
Yehuda Lindell
Yehuda Lindell
Connect Directly
E-Mail vvv

Cryptography & the Hype Over Quantum Computing

It's not time to move to post-quantum cryptography yet -- too many things are still up in the air. But you can start to become prepared by making sure your infrastructure is agile.

If you believe the quantum computing hype, within a few years we will have achieved "quantum supremacy" — meaning that quantum computers will be able to carry out computations not possible with classic computing infrastructure — and within 10 years all cryptography will be broken as a result. This hype is fed by researchers vying for grant money, companies selling post-quantum secure encryption, and the fact that no one can say that they are actually wrong.

Personally, I'm a semi-skeptic. On the one hand, I'm not convinced that quantum computers at scale (at least at a scale large enough to break cryptography) will ever be built. On the other hand, they are possible, but I don't think they will happen anytime soon.

What about those who tell us that quantum supremacy is around the corner and all cryptography is about to be broken? I think they're fearmongers. First, quantum supremacy doesn't mean that computers will be strong enough to break cryptography. Second, reliable researchers that I have listened to and spoken with say that there are still very significant problems to be solved in quantum computing. But if they continue to use the word "possible" when describing quantum computing, I can't actually say that they're wrong.

So, what should we be doing now about the potential "quantum threat"? First, the cryptography research community should be focused on post-quantum secure cryptography. The good news is that this effort has been going on for years and is ongoing. The role of this research community is to make sure that we have the cryptography we need in the decades to come, and they are taking the issue seriously. (As a side note, symmetric encryption and message authentication codes are not broken by quantum computers, to the best of our knowledge.) Second, the cryptography research community should start thinking about standardization so that businesses are ready if the quantum threat does prove real. Once again, the good news is that NIST has already begun the process.

But all of this is about what the "community" should do. What should you — as someone who uses cryptography to secure your business — do? Let's start with what you shouldn't be doing. You shouldn't buy post-quantum encryption and the like before standardization is complete. What if you need to encrypt something that has to remain secret for 20 years? In my opinion, you should still hold off. However, if you are very concerned, you can encrypt using a method that combines post-quantum and classical schemes. Such a method requires an attacker to break both schemes in order to learn anything.

This is the proposed method since although we have confidence in post-quantum secure schemes that have been proposed, they are less well-studied than RSA and ECC. Among other things, this affects our understanding of the required key sizes. If you do insist on moving forward now, I recommend using an academically validated post-quantum scheme combined with a classical scheme, as explained above.

While I don't think most organizations should deploy post-quantum secure cryptography now, there is one thing that everyone should do: transition your cryptographic infrastructure to one that is "agile" — that is, one that makes it possible to relatively easily switch algorithms, key lengths, and so on. When the algorithm and lengths are hard-wired into the code, the cost and complexity of changing can be overwhelming. This is why people continued using MD5 and SHA1 years after they were broken.

Cryptographic agility is an important property even aside from the issue of quantum computing because algorithms are sometimes broken, and key and other lengths sometimes need to be updated. You will therefore be doing yourself a favor even if quantum computing never happens. But if it does, you'll be ready, and you'll be able to replace your existing schemes with the best known at that time. This is my recommendation to everyone.

Related Content:

Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's top story: Haas Formula 1 CIO Builds Security at 230 Miles per Hour

Yehuda Lindell is the CEO and Co-Founder of Unbound Tech (previously, Dyadic Security) as well as professor in the Department of Computer Science at Bar-Ilan University. Prior to Bar-Ilan in 2004, he was a Raviv Postdoctoral fellow in the Cryptographic Research Group at the ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Threaded  |  Newest First  |  Oldest First
User Rank: Author
8/26/2019 | 4:41:41 PM
Re: Good for the public, but not for nation-states
D-wave is not a real quantum computer. In any case, what you are referring to is quantum cryptography and not quantum computation to break (standard) cryptography. Quantum key distribution (QKD) can be done, but in my opinion it's solving the wrong problem for the vast majority of use cases. This is not just my opinion, and I recommend reading GCHQ's report on QKD; see https://www.ncsc.gov.uk/whitepaper/quantum-key-distribution. Even if you don't agree with this (and that's your prerogative of course), this has nothing to do with where quantum computing is today, which was the focus of my article.
User Rank: Ninja
8/27/2019 | 9:12:18 AM
Re: Good for the public, but not for nation-states
Interesting points, let me address your points one at a time:
    • D-Wave is not a real-quantum computer
  • "D-Wave's systems are being used by some of the world's most advanced organizations, including Lockheed Martin, Google, NASA Ames, Volkswagen, DENSO, USRA, USC, Los Alamos National Laboratory, and Oak Ridge National Laboratory. D-Wave has been granted over 160 U.S. patents and has published over 100 peer-reviewed papers in leading scientific journals."
  • D-Wave's Patent  - Qubit junction between S-Wave and D-Wave Superconductors
  • Systems and Methods for Achieving Orthogonol Control

 Ok, I think enough said and the patents can be reviewed for clarity to validate that D-Wave is a Quantum computer (period).

 Quantum Key Distribution
  • In my opinion, it's solving the wrong problem for the vast majority of use cases
  • "From this standpoint, we are not looking at all the use cases, this was an example that our news reporters presented (not theirs, ours). In the statement, I brought up earlier today, this was one example of what they are doing with Quantum computing, because in order to develop a "Quantum Key Distribution" System (one must have a Quantum Computer or "QC" for short) in order to perform the calculations necessary to ensure communication across vast distances, from 2012, the chinese were able to communicate across short distances (12-15 Kilometers), now they have developed in 2016 a way to communicate with a satellite that is traveling in space (to your point, you don't have to agree, but they have a working use case that involves space flight and travel) - Enough said"
  •  Article - QKD - Does not address large parts of the security problem
    • I think you may be looking into this more than what was mentioned earlier, they are not looking to address all security issues, they are looking to address a communication encryption problem using their own form of cryptographic communication methods in which we don't have a working model and they have one going to outer space
  • QKD has a number of practical limitations
    • They expressed distance, from a distance standpoint, it seems going to outer-space, seems to address the issue
  • QKD with classical network devices
    • Nowhere in their design does it say "Classical Network Devices"
  • QKD is extremely expensive
    • In order to push the envelope, the technology will be expensive
  •  QKD must not introduce new vulnerabilities (systems using old hardware)
    • Again, who says they are using old hardware or methods that we are currently using now
  • QKD - "the best practical approach to quantum security is to evolve current security applications and packet-based communication protocols towards adopting post-quantum public-key cryptography."
    • Currently, they are testing out this solution for communication purposes but they have a working use case where they have been using this from 2016 with a satellite that is orbiting the world (you might want to repeat that just to make sure you take it all in), by the way, who said they are not using this method or have invented a method of communication that is beyond the scope of this article

Seems to me there are a lot of assumptions made about Quantum computing, remember this is a use case, however, you slice and dice it, this is one use case, they are not trying to save the world but what they are doing is taking concepts and ideas from around the world to create a solution that could change the way communication across the Internet and even in out-space to another level, and now they are making it a reality (they are game-changers to me, again, that is just me).

 And this has all to do with Quantum Computing because this involves one use case. From the statements you made earlier you said D-wave was not a real QC, ok, that has been broken down. Then you say, QKD is not a real-use case, well if communication is not, then your whole argument just fell to the ground.


User Rank: Apprentice
8/27/2019 | 9:15:21 AM
Getting Quantum Ready
Many good points. IBM Research believes a system larger enough to break encryption is 10-30 years out.

But there is one point you should also point out to hedge your bets.

If your company is making a product which has a lifespan of 20,30+ years you need to start thinking about quantum safe cryptography today. Why? Well, if you are launching a satellite into space or building a new powerplant you will want them to be quantum safe today, for tomorrow, because updating the crypto on anything which has been in the field for a few decades will be challenging. So why not prepare today?

The same applies to secrets. If you have secrets which need to remain secret decades from now, you'll want to look at quantum safe crpyto today. This is also why we recently demonstrated that we are making tape drives quantum safe since they store data for many decades https://www.ibm.com/blogs/research/2019/08/crystals/

We have also donated our quantum safe cryptography called CRYSTALS to open source.
User Rank: Ninja
8/27/2019 | 10:37:35 AM
Re: Good for the public, but not for nation-states
This is funny.

Ok, lets address your points:
  • I have provided evidence that they have numerous patents and historical knowledge that their solution is actually a working model, again, this was an example and based on your opinion, you stated that this was not a real Quantum Computer (by all accounts, it is and based on evidence, this is the case). Instead of just offering statements of opinion, there needs to be evidence that this is not a QC, I am not sure if you provided any evidence to support assertion, so again, your statements are based on opinion and not fact (Patents and copyrights that I provided, are based on fact, next point).
  • No, I have not missed the point, earlier I gave an example, you stated that this does not address all the use cases associated with Quantum computing or to your point, the argument was not based on "Quantum Computers Breaking Classical Cryptography", this was nothing more but an example given of what organizations or nation-states are doing in regards to Quantum technology (negating the fact that it is just hype), you felt (your opinion) that this was not a valid use case. I was only giving you an idea of what other countries are in the process of doing, thus the whole point to the "Cryptography & the Hype over Quantum Computing", basically saying that there are other organizations who have catapulted beyond what we have accomplished (now it may be more than just hype, my opinion).

So the point does apply because "Quantum Cryptography" was nothing more than an example and QKD was a use case of how to do this but it is not the only method for doing this and someone (other than the US) is looking to implement this in their satellite communication program.

Seems to me that your emotions have gotten involved instead of fact (opinion as you state it), but again, we are just chatting.

Have a great day.

User Rank: Apprentice
8/29/2019 | 5:03:14 PM
Effects on Quantum Computing on Cryptography
Since several commentators suggested that the article and its readers could benefit from further research references, I invite everyone to look at a recent report published by the National Academy of Sciences "Quantum Computing Progress and Prospects." There is a dedicated section on Cryptography: https://www.nap.edu/catalog/25196/quantum-computing-progress-and-prospects Thank you for the article!
Ransomware Is Not the Problem
Adam Shostack, Consultant, Entrepreneur, Technologist, Game Designer,  6/9/2021
How Can I Test the Security of My Home-Office Employees' Routers?
John Bock, Senior Research Scientist,  6/7/2021
New Ransomware Group Claiming Connection to REvil Gang Surfaces
Jai Vijayan, Contributing Writer,  6/10/2021
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: Zero Trust doesn't have to break your budget!
Current Issue
The State of Cybersecurity Incident Response
In this report learn how enterprises are building their incident response teams and processes, how they research potential compromises, how they respond to new breaches, and what tools and processes they use to remediate problems and improve their cyber defenses for the future.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-06-18
Use of hard-coded credentials vulnerability in php component in Synology Calendar before 2.4.0-0761 allows remote attackers to obtain sensitive information via unspecified vectors.
PUBLISHED: 2021-06-18
Server-Side Request Forgery (SSRF) vulnerability in cgi component in Synology Media Server before 1.8.3-2881 allows remote attackers to access intranet resources via unspecified vectors.
PUBLISHED: 2021-06-18
Improper neutralization of special elements used in a command ('Command Injection') vulnerability in task management component in Synology Download Station before 3.8.16-3566 allows remote authenticated users to execute arbitrary code via unspecified vectors.
PUBLISHED: 2021-06-18
Improper privilege management vulnerability in cgi component in Synology Download Station before 3.8.16-3566 allows remote authenticated users to execute arbitrary code via unspecified vectors.
PUBLISHED: 2021-06-18
Server-Side Request Forgery (SSRF) vulnerability in task management component in Synology Download Station before 3.8.16-3566 allows remote authenticated users to access intranet resources via unspecified vectors.