
POSTQUANTUM CRYPTOGRAPHY, PART 1

The Day the Cryptography Dies

John Mulholland | evolutionQ
Michele Mosca | University of Waterloo
Johannes Braun | Technische Universität Darmstadt

July/August 2017 | Copublished by the IEEE Computer and Reliability Societies | 1540-7993/17/$33.00 © 2017 IEEE

Typical digital technology users are often unaware of the cryptographic capabilities they utilize daily. The implications of quantum computers for various digital technologies and environments are discussed, and potential threat actor behaviors are explored.

Modern life is infused with digital technology and mobile communications to an extent we couldn't have imagined a few decades ago. Regardless of our occupation, location, or degree of technical knowledge, we've become increasingly dependent on instant access to information, coworkers, clients, and family. This has changed the way we procure goods, manage finances, conduct research, and seek healthcare. The trend continues as we deploy new technology to improve, monitor, or automate more aspects of our lives.

This development has forced us to be more aware of the pitfalls that come with widespread adoption of digital technologies. Cybersecurity—once the concern of governments, financial institutions, large organizations, and technology or security practitioners—is now everybody's concern.

In simpler times, the average person's view of information security was considered less important. Certainly, those who pay insufficient attention to security will become targets of various forms of privacy violation, financial fraud, ransomware, or identity theft. But, increasingly, such individuals bring their technology habits into the workplace, and in many cases, they bring their personal technology with them. Their practices and technology could form attack vectors that threat actors use to penetrate even the most security-conscious organizations' defenses.

Often these concerns are mitigated by training people to follow good security practices and employing extensive security tools, many of which provide digital security through cryptography. But what happens if virtually all our cryptographic security tools suddenly become ineffective, all at once?

What will happen to the security of our digital life on the day the cryptography dies?

Background

Cryptography provides significant benefits to the public, including privacy/confidentiality, authentication, integrity, and nonrepudiation, but the average person's view of this technology is difficult to capture. Most only vaguely understand it and view it with a mixed perspective based mostly on media reporting on encryption and security issues. Encryption is considered to be dual-use technology, because it furnishes the average person with privacy for their information and
communications but also provides these to organizations and individuals who want to hide illegal or reprehensible activities. This has led to debates between technology and privacy experts who advocate for it, and law enforcement officials concerned about the impact it will have on their functions.

Beyond this debate, the average person is most concerned with obtaining cryptography's benefits without significantly impacting the ease of use or performance of the technology. Additional passwords, key management processes, or steps added to routine processes all detract from the end-user experience. The procedures that are so necessary to proper security are often the very reason many avoid traditional cryptography.

Fortunately, in the past few decades, cryptography has evolved to supply tools that avoid its traditional pitfalls. The oldest form of cryptography—private-key, or symmetric-key, encryption—involves some form of shared secret. Relatively easy to implement and operate, private-key encryption suffers from two difficulties. First, the communicating parties must share secret information, which then becomes the basis for the security of the encryption process. To do so, they must meet in person or have some other secure channel they can use to share the secret. The second difficulty is that the secret should be changed frequently or attackers might discover it. How long it takes for attackers to discover it depends on the nature of the secret, but reusing the same secret creates patterns that cryptanalysts can eventually exploit. These two problems result in much of the management overhead associated with traditional cryptography. Private-key cryptography is popular among those organizations that truly value their security and are willing to undertake the key distribution and management processes that it entails.

Public-key cryptography, also called asymmetric cryptography, doesn't require a shared secret. Security relies on a mathematical relationship between multiple keys, some of which are public and some of which are private. Public-key methods are generally less efficient to operate than private key, so they're typically used to establish a secure channel and exchange a secret key that symmetric algorithms then use to protect sensitive information. However, the unique capabilities of public-key cryptography include the creation and sharing of secret keys and the provision of secure authentication and nonrepudiation services. Hence, it's a critical tool that underpins the security of our digital economy. Different variants of public-key technology are embedded in most of the digital devices, applications, services, and protocols that we use daily.

Confidence in the security of public-key cryptography is very high, and cyberthreat actors seldom attempt direct attacks on these virtually impenetrable systems. Instead, they exploit poor implementations (bugs and configuration errors), bad practices (poor or reused passwords), or human nature (phishing), all of which are far more lucrative ways to breach a computer or telecommunications system. The mathematical foundations of public-key cryptography don't promise perfect security, but it's unlikely that attackers using current computing technologies will be able to penetrate a properly implemented public-key system.

Public-key cryptography has been so successful and ubiquitous because it functions in the background, with the average person seldom aware of its operation. An icon or a color change on an application's taskbar might be the only visible indication that a secure process has been initiated. In matters of security, many people rely on assurances from their service providers. Few have the knowledge or tools to verify that their information is actually protected by encryption or understand the circumstances that enable or prevent cryptography use. Nonetheless, organizations and individuals routinely perform sensitive or valuable digital transactions that rely on this security.

But what if we couldn't rely on the security furnished by public-key cryptography? How realistic is this scenario?

Quantum Computers and Cryptography

The security of public-key systems depends on the computational difficulty of one of several mathematical problems. These are called one-way functions because they are relatively easy to compute but extremely hard to reverse. RSA, one of the earliest public-key algorithms, uses one such problem: the difficulty of factoring large numbers.[1] Security here relies on the ease of multiplying two large prime numbers to compute a result; it's exceedingly difficult to take the result and determine which two primes were used to produce it. Different mathematics based on the discrete logarithm problem lie at the core of Diffie-Hellman algorithms[2] and the digital signature algorithm (DSA).[3] When applied to certain elliptic curves, the discrete logarithm problem is also the basis of elliptic curve cryptographic algorithms.[4]
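The toy RSA key pair below is an added illustration, not code from the article or its authors: it makes the one-way relationship just described concrete by showing that the private exponent is fully determined by the public key (n, e) once n is factored, so recovering someone's private key from a published certificate is exactly as hard as factoring. All primes are tiny constructed sample values, and trial division stands in for whatever factoring method an attacker has, classical or (in the quantum era) Shor's algorithm.

```python
"""Toy RSA: the private key is only as secret as the factorization of n.

Added example, not code from the article.  The primes are constructed toy
values; real RSA moduli are thousands of bits long.
"""
from math import gcd, isqrt


def keygen(p: int, q: int, e: int = 65537):
    """Build an RSA key pair from primes p and q.

    Returns ((n, e), (n, d)).  The forward (easy) direction of the one-way
    function is a single multiplication: n = p * q.
    """
    n = p * q
    phi = (p - 1) * (q - 1)                 # Euler's totient of n
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to (p-1)(q-1)")
    d = pow(e, -1, phi)                     # e * d == 1 (mod phi); Python 3.8+
    return (n, e), (n, d)


def encrypt(m: int, pub) -> int:
    n, e = pub
    return pow(m, e, n)


def decrypt(c: int, priv) -> int:
    n, d = priv
    return pow(c, d, n)


def factor_by_trial_division(n: int):
    """Classical factoring of a semiprime n by trial division.

    Returns (p, q, trials).  The trial count grows like sqrt(n), which is
    exponential in the bit length of n; that growth is RSA's entire security
    margin against classical computers.
    """
    if n % 2 == 0:
        return 2, n // 2, 1
    trials = 1                              # the check against 2 above
    for cand in range(3, isqrt(n) + 1, 2):
        trials += 1
        if n % cand == 0:
            return cand, n // cand, trials
    raise ValueError("n has no nontrivial factor")


def recover_private_key(pub):
    """Derive the private key from the public key alone.

    This is what the article calls recreating a private key from a public
    certificate: once n is factored, phi and therefore d follow at once.
    Shor's algorithm does the factoring step in polynomial time, which is
    why a longer key buys no safety against it.  Returns ((n, d), trials).
    """
    n, e = pub
    p, q, trials = factor_by_trial_division(n)
    d = pow(e, -1, (p - 1) * (q - 1))
    return (n, d), trials


def demo():
    """Textbook key (p=61, q=53, e=17), then a slightly larger constructed key."""
    results = {}
    for p, q, e in ((61, 53, 17), (10007, 10009, 65537)):
        pub, priv = keygen(p, q, e)
        c = encrypt(42, pub)
        recovered, trials = recover_private_key(pub)
        results[pub[0]] = {
            "bits": pub[0].bit_length(),
            "trials": trials,
            "roundtrip_ok": decrypt(c, priv) == 42,
            "recovered_d_matches": recovered == priv,
            "attacker_can_decrypt": decrypt(c, recovered) == 42,
        }
    return results


if __name__ == "__main__":
    for n, r in demo().items():
        print(f"n={n} ({r['bits']} bits): factored after {r['trials']} trials; "
              f"private key recovered from public key: {r['recovered_d_matches']}")
```

Doubling the bit length of n multiplies the trial count by roughly 2^(bits/2) in this classical search, whereas the article's point is that Shor's algorithm removes that exponential margin entirely.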

Solutions to these problems are exceedingly difficult using the technology available today, but quantum computers will change this situation. Quantum computers won't merely be faster or more powerful than the conventional computers we use today. They will rely on the principles of quantum physics, which describe a radically different way of looking at the universe. For example, whereas conventional computers operate using bits that are always in one of two binary states (0 or 1), quantum physics allows for bits to be in both the 0 and 1 states at the same time. By manipulating a large collection of quantum bits, a quantum computer could, in a special way, simultaneously explore the countless configurations of 0s and 1s.

Since the mid-1990s we've known of algorithms that can use this quantum capability. Sufficiently capable quantum computers could apply Shor's algorithm[5] to solve the mathematical problems that are the foundation of public-key algorithms, rendering anything protected by them vulnerable to exploitation.

Symmetric-key algorithms are also affected; quantum computers using Grover's algorithm[6] could reduce the strength of algorithms such as the Advanced Encryption Standard[7] and 3-DES[8] (Triple Data Encryption Standard) by approximately 50 percent for a given key length. In some cases, this could be offset by increasing the length of the symmetric key. However, this approach won't work for public-key algorithms, because they rely on mathematical problems that require subexponential time to solve on classical computers. These problems become solvable in polynomial time on quantum computers, meaning that regardless of key length, it would take pretty much the same time to encrypt a message with a public key as it would to attack and decrypt it.

This problem isn't yet upon us, but it's approaching. Experts in quantum technology have forecast that quantum computers with the necessary capabilities could exist in the next 10 to 15 years.[9–11]

[Figure 1. Security in digital environments such as the Internet relies on applications and protocols, which depend on the security of cryptographic algorithms. Today's algorithms are vulnerable to attack by quantum computers. The figure lists digital environments (the Internet, cloud computing, payment systems, the Internet of Things, e-health, etc.), the applications and protocols they use (secure web browsing over TLS/SSL, application updates, digital signatures, VPN over IPSec, secure email with S/MIME, PKI, etc.), and the algorithms underneath them (RSA, DSA, DH, ECDH, ECDSA, etc., and AES, 3-DES, SHA, etc.).]

Implications for the Security of Our Digital Lives

Public-key cryptography has become widespread in our digital lives because it requires very little end-user knowledge or awareness. As a result, few are aware of the breadth of services and applications that depend on public keys for security. Individuals outside the security and technology communities might not comprehend the impact of the loss of public-key cryptography. How do you determine whether your common digital activities will become vulnerable once quantum computers arrive? Perhaps even more important, how would victims even become aware that they'd been the target of a quantum-enabled attack, and what could they do to protect themselves?

Figure 1 provides a high-level overview of how deeply public-key cryptography is embedded in the fabric of the digital ecosystem.

We explore these questions in more detail by looking at activities commonly performed today in the digital environment.

Modern Digital Environments

We take for granted a great many activities in our digital lives that rely on public-key cryptography for security.

Public Key Infrastructures

Public-key infrastructure (PKI) systems furnish comprehensive identity management and security services to organizations that deploy them.[12] These complex systems don't operate transparently. However, properly implemented and managed installations can hide much of the complexity from the average user. At their core is a Certificate Authority (CA) that creates public/private keys and integrates them into security certificates. PKI systems arrange for the integration and use of certificates in various processes and applications that require them; issue, validate, and revoke them; take care of key management issues; and furnish the background services necessary to ensure the long-term viability of the system and the information it protects. Organizations deploy a PKI because they require strong identity management and secure control over information access. They generally invest significant resources in establishing and maintaining PKI systems, and training users in their operation. PKI systems and CA-issued security certificates are all based on public-key cryptography.

Internet Security

Internet security is important when you want to establish secure connections to websites, protect your credentials when you log in to remote systems, or ensure that information you access or download remains unchanged until it reaches you, or if you want privacy
while browsing or downloading information. Most Internet security relies on the TLS/SSL protocol, which employs public-key algorithms for key exchange.[13] The servers participating in TLS/SSL transactions must be issued security certificates, which also rely on public-key cryptography. The TLS/SSL protocol is a key enabler of digital commerce, employed to protect financial transactions and electronic banking. Most email services also use it to provide a secure tunnel for messages while in transit between senders and recipients.

Email

Encrypted email (employing Secure/Multipurpose Internet Mail Extensions, or S/MIME) is used on top of the secure communications provided by TLS/SSL to further protect users' communications.[14] S/MIME uses public-key encryption and digital signatures to furnish a full range of security services: message privacy, authenticity, integrity, and nonrepudiation. Unlike TLS/SSL, this protection persists even while messages are stored on servers or devices. S/MIME's capability exists in most email clients or services but requires CA-issued digital certificates. S/MIME is most often used by large organizations and government agencies that have invested in such infrastructure.

VPN and Intranet

It's quite common for employees and trusted partners to have remote access to an organization's information resources. This usually requires a VPN, which creates a secure communications tunnel that penetrates an organization's boundary security to permit access to internal information and resources. VPNs are generally based on Internet Protocol Security (IPSec), which uses several public-key mechanisms for key exchange.

Intranet security issues are much the same as those on the Internet, but with well-defined boundary protections intended to block access to anyone but employees and trusted partners. Secure access control mechanisms such as passwords are often the primary security tool to access servers and information. Even on Intranets, public-key cryptography (often TLS/SSL) is used to protect access credentials from being captured while in transit. Most noncryptographic security measures can be bypassed by privileged users or compromised by poor user security practices, leaving important information vulnerable to an insider threat. Cryptographic protection will remain the best and last line of defense for high-value information, intellectual property, or personnel records.

Software Updates

Virtually all digital systems, devices, and applications in the digital ecosystem depend on software, and one major security tenet is that software updates and patches must be applied regularly. These updates could become a source of malware if threat actors change them or replace them with their own. To avoid this problem, vendors use the public key–based DSA to sign an update before releasing it. This signature is evaluated (using the corresponding certificate) on the device before the update is installed. Any modification to the package will cause the signature to fail, and properly configured devices and applications won't apply updates without a valid signature. The security of most digital devices and applications depends on reliable software updates using DSA.

Internet of Things

The evolving Internet of Things (IoT) is bringing the benefits of digital technology to virtually all aspects of our lives. The IoT relies on secure connections over public networks between devices (things), websites, and end users. True IoT security will require the ability to send messages that remain secure end-to-end between devices and users, and this will likely involve public-key cryptography. This is beyond the capability of many current devices, but TLS/SSL plays a significant role in ensuring that these communications travel inside a secure tunnel on public networks.

Healthcare

The digital age has influenced healthcare in many ways. Wearable technology monitors specific aspects of a person's health and behavior and transmits it to servers and storage over public networks. Medical records, lab test results, and patients' histories are increasingly digital in nature and can be moved among offices, clinics, pharmacies, laboratories, and hospitals so that medical practitioners can swiftly diagnose health issues, prescribe medication, and furnish the best possible care. It's essential, and often required by law, that this information's privacy, integrity, and authenticity be protected, sometimes even after the patient's death. The healthcare industry has begun adopting digital technologies such as remote access methods, cloud computing, and mobile devices. To accomplish this securely, the industry mandates the use of digital signatures and encryption of data in transit using industry-standard cryptographic algorithms such as S/MIME and TLS.[15] Encryption of data at rest is still uncommon but is recommended.

Finances

Payment card transactions as well as sensitive communications between banks and major financial institutions tend to use symmetric encryption. As with all symmetric encryption, organizations must exchange the secret keys that enable these communications. These keys are often transferred by nondigital means (for instance, by
courier) and ultimately reside in secure storage devices. Even so, these keys could be protected by public-key cryptography for at least some portion of their transfer between organizations.

Blockchains are being used and considered for a wide range of applications such as Bitcoin and other digital currency.[16,17] Although blockchain technology mostly relies on symmetric-key cryptography, public-key cryptography remains important. For example, public-key technologies are used to manage the addresses of bitcoin wallets, and the public key is exposed when one spends bitcoins. The quantum vulnerabilities can be avoided with careful management.

Critical Infrastructures

Major critical infrastructure systems such as oil, gas, water, and electrical distribution are composed of heterogeneous, geographically distributed equipment that must operate virtually instantly in response to real-time events. Traditionally, these were predominantly networks of largely analog devices controlled from manned operational control centers, but this is changing as equipment is updated and replaced with digital versions. Even so, the widespread and remote distribution of equipment, the performance and response time requirements, and the need for near-100-percent availability make these systems quite different from typical IT environments. However, security in these networks relies on public-key technology. VPNs could be used to secure remote access connections, secure versions of standard protocols like File Transfer Protocol Secure (FTPS) for file transfers and Simple Mail Transfer Protocol Secure (SMTPS) could be applied, and TLS/SSL could be employed to protect network traffic.

Implications for the Digital Ecosystem

Vulnerabilities in any one of the systems and processes discussed above will certainly have a damaging effect on modern life. But if these vulnerabilities occur simultaneously, they could lead to the destruction of the security fabric that connects much of modern society.

Without public-key cryptography, we could no longer trust in the privacy or proper functioning of our devices and systems. Software updates could be replaced with versions that include malware, possibly turning our mobile and home automation devices into tools under the control of threat actors. The credentials used to access our bank and payment card accounts could be captured. Electronic identities could be spoofed, and we couldn't be sure that our messages weren't intercepted, changed, or redirected on their way to the intended recipient. The history of where we go and what we do while carrying or using mobile technology could be available to sufficiently motivated threat actors.

At the organizational level, the implications are even greater. Few organizations operate in isolation; they rely on digital networks to connect their distributed sites, their partners, and their clients. They're dependent on the security of supply chains, distribution networks, financial management systems, and communications and control systems, which all rely to some degree on public-key cryptography. Technology organizations could appear to be distributing malware once threat actors are able to forge their digital signatures. To avoid major losses, financial organizations would need to review their symmetric-key cryptographic algorithms and devices and ensure that their key distribution processes avoid processes or distribution networks protected using public-key cryptography.

These threats could be extended to the level of nation-states, if one considers the potential for threat actors to disrupt the operation of major financial or infrastructure networks.

How great is this risk? How will threat actors take advantage of quantum technology once it's available?

Threat Actors and Their Behavior

It's always difficult to predict adversaries' actions, because they're constantly morphing their behavior to stay ahead of security practitioners and their tools. It will be particularly difficult to predict their actions in the quantum era, because there aren't historical records showing how threat actors will access and apply quantum technology. Nonetheless, certain features of quantum computers will likely influence how different threat actors will employ them.

In the early stages of the quantum era (once quantum computers can run Shor's algorithm), access to such technology will be extremely limited. Nation-states will likely be the earliest to obtain access, and this might happen even before the technology breakthrough becomes common knowledge. However, it won't be long before quantum computing time becomes available to researchers in large labs, and to the general community in some shared manner. It's likely that organized crime will obtain access by buying time on these computers or using coercion.

The threat actor must still obtain access to the networks and data containing the information to be decrypted. In many cases, sensitive or valuable information will reside unencrypted in an organization's data servers, protected by access controls and insecure tunnels while moving on internal networks. The challenge will be obtaining the information and then filtering it down to acceptable volumes for processing on limited quantum resources.

We can make some predictions. First, trusted insiders will become a much more powerful threat, especially
privileged personnel such as systems and security personnel who have easy access to network appliances. The most useful tools available to protect against insider threats are access controls and forms of encryption. It will become very difficult for an organization to protect itself if network traffic, secure email, and encrypted documents can be read by using a quantum computer to exploit public-key cryptography such as that found in TLS/SSL and security certificates.

Second, strong access control processes will remain a key deterrent, because hashing techniques used for password processing will be largely unaffected by known quantum algorithms. Even today, threat actors have demonstrated their ability to penetrate systems by exploiting user weaknesses (poor passwords and phishing attacks). However, in the quantum era, it will become even easier to bypass access controls. By exploiting TLS/SSL tunnels, threat actors can capture credentials in transit. For more sophisticated organizations with identities based on CA-generated certificates, quantum computers will allow threat actors to forge anyone's digital identity (that is, recreate their private key) using available public certificates. In the same manner, threat actors could forge the identity of any secure webserver by forging the certificates used to establish TLS connections.

Third, there might be fewer indications that threat actors are attacking. Today, adversaries must explore systems looking for weaknesses (bugs, vulnerabilities, or poor configuration) or exploit human weaknesses (phishing approaches). Security tools, savvy systems, and security analysts can detect these threats. In the quantum era, adversaries merely need access to encrypted data. They could collect it as it travels over the Internet, obtain it from a tapped leased line or satellite feed, or bribe or coerce an insider to obtain it from internal networks and databases. Once they have the data, adversaries can process it whenever quantum computing resources are available.

Fourth, it's unlikely that quantum attacks will occur in real time. Threat actors will gather data (this could even be happening now) and store it for offline processing when time on quantum computers becomes available. Or they might arrange to exfiltrate encrypted data from an organization's backup storage location, although this approach might result in a volume of data too great for early quantum devices. The only threat actor that could possibly approach near-real-time or large-data quantum processing would be nation-states with early access to, and control over, dedicated quantum resources.

Fifth, threat actors generally look for relatively small nuggets of information with high value and long life. In most cases, keys used to protect a single message will be of little value, unless the message itself contains keys or information with strategic value and a relatively long lifetime. For example, master keys (symmetric keys with a relatively long lifetime) might be shared between organizations to facilitate communications or distributed production processes. An organization might create these via a secure process inside a security appliance, such as a hardware security module, and then send them to other organizations via various processes, possibly employing nonelectronic methods such as couriers. If the process involves placing the keys on a network at any point during the transfer between secure digital fortresses, a quantum computer could capture, exfiltrate, and decrypt the data containing these master keys. Any information or activity protected by these master keys would then become vulnerable—a situation that threat actors could exploit for years.

Finally, it's unlikely that threat actors will use quantum computers to access the activities or identities of specific individuals, unless these individuals have specialized roles or privileges that could be exploited to access major systems or networks. It's far more likely that threat actors will recover signing credentials that permit them to install malware via software updates, thereby converting large numbers of digital devices into tools they could use for their own purposes.

It's possible that the actions of quantum-era threat actors will be very different from those described here. Quantum technology will open up such a broad spectrum of security weaknesses that adversaries will have a vast array of opportunities to exploit our digital ecosystem and undermine our way of life.

What Do We Do?

There's a very real danger that many who research and deal with cybersecurity threats could view the impending demise of public-key cryptography as just another form of zero-day attack, and so will plan to deal with the problem as the threat emerges. But the methods used to patch vulnerabilities and zero-day attacks are intended to limit the damage from specific weaknesses that can be identified and patched. Trying to apply that thinking to the demise of public-key cryptography is like trying to use your finger to block a hole in a dam while the whole structure is collapsing around you.
No amount of finger-pointing will remedy the fact that quantum computing will collapse the cryptographic security structures that we've erected to protect our information and systems.

Dealing with this problem will require strategic thinking and long-term planning. Researchers have already begun looking at quantum-safe cryptographic algorithms to replace or, more likely, to complement existing public-key algorithms that are deemed safe against classical computer attacks.[17] But this thinking needs to move outside the research labs. We need to implement these algorithmic tools into real products that can be deployed and tested in real-world environments. Only with years of real-world testing will we be able to demonstrate the security and performance characteristics of proposed quantum-safe approaches.

Quantum technologies also furnish a solution to the problem, in the form of quantum-key distribution (QKD).[18] This technology is already deployed in a few locations in the world, but it has limitations that make it difficult to use as a plug-and-play replacement for current computer security methods. Research is ongoing to overcome QKD's performance, distance, and usability restrictions, but there are situations in which QKD can be deployed to overcome some of the problems outlined here.

What we can't do is ignore the public-key problem. Ten to 15 years might seem the distant future, but it will take considerable time for the necessary changes to be deployed throughout our digital ecosystems. To name just one, consider the complex network of devices and systems in the payment card network that enables virtually all noncash transactions today. It's possible that most of these devices will need to be changed to implement quantum-safe cryptographic capabilities. We might already be too late to start the changes required to ensure cyber safety in the quantum era.

Urgent action is required today to ensure that this critical technology remains a viable security tool. With planning, preparation, and collaboration, we can take the necessary steps to ensure that the cryptography doesn't die.

References

1. R.L. Rivest et al., "A Method for Obtaining Digital Signatures and Public-Key Cryptosystems," Comm. ACM, vol. 22, no. 2, 1978, pp. 120–126.
2. W. Diffie and M. Hellman, "New Directions in Cryptography," IEEE Trans. Information Theory, vol. 22, no. 6, 1976, pp. 644–654.
3. Digital Signature Standard (DSS), FIPS Pub 186-4, Fed. … July 2013; nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-4.pdf.
4. Public Key Cryptography for the Financial Services Industry: The Elliptic Curve Digital Signature Algorithm (ECDSA), Am. Nat'l Standard for Financial Services, ANSI X9.62-2005, 2005.
5. P. Shor, "Polynomial-Time Algorithms for Prime Factorization and Discrete Logarithms on a Quantum Computer," SIAM J. Computing, vol. 26, no. 5, 1997, pp. 1484–1509.
6. L.K. Grover, "A Fast Quantum Mechanical Algorithm for Database Search," Proc. 28th ACM Symp. Theory of Computing (STOC 96), 1996, pp. 212–219.
7. Announcing the Advanced Encryption Standard (AES), NIST-FIPS 1-51, Fed. Information Processing Standards Publication 197, NIST, 26 Nov. 2001; nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.197.pdf.
8. W.C. Barker and E.B. Barker, Recommendation for the Triple Data Encryption Algorithm (TDEA) Block Cipher, NIST Special Publication 800-67, revision 1, 23 Jan. 2012; nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-67r1.pdf.
9. M. Mosca, "Cybersecurity in an Era with Quantum Computers: Will We Be Ready?," Int'l Assoc. for Cryptologic Research, 2015; http://eprint.iacr.org/2015/1075.
10. D. Evans, "Top 25 Technology Predictions," CISCO Internet Business Solutions Group, 2009; www.cisco.com/c/dam/en_us/about/ac79/.../Top_25_Predictions_121409rev.pdf.
11. B. Bauer et al., "Hybrid Quantum-Classical Approach to Correlated Materials," Physical Rev. X, Sept. 2016; journals.aps.org/prx/abstract/10.1103/PhysRevX.6.031045.
12. D. Cooper et al., Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile, RFC 5280 (proposed standard, updated by RFC 6818), May 2008; www.ietf.org/rfc/rfc5280.txt.
13. T. Dierks and E. Rescorla, The Transport Layer Security (TLS) Protocol Version 1.2, RFC 5246 (proposed standard, updated by RFCs 5746, 5878, 6176, 7465, 7507, 7568, 7627, 7685), Aug. 2008; www.ietf.org/rfc/rfc5246.txt.
14. J. Galvin et al., Security Multiparts for MIME: Multipart/Signed and Multipart/Encrypted, RFC 1847, Oct. 1995; tools.ietf.org/html/rfc1847.
15. Canada Health Infoway, white paper, Gartner, Nov. 2015.
16. D. Tapscott and A. Tapscott, Blockchain Revolution, Portfolio Penguin, 2016.
17. M. Mosca and D. Stebila, Open Quantum Safe, Software for Prototyping Quantum-Resistant Cryptography, Open Quantum Safe, 2017; openquantumsafe.org.

John Mulholland leads evolutionQ's development of quantum threat and risk assessment processes. Hav-
Information Processing Standards Publication, NIST, ing established a framework for quantum assessment,

20 IEEE Security & Privacy July/August 2017


he works with a team of globally renowned experts in focus on public-key infrastructures, electronic identi-
quantum science, technology, and cryptography to ties, and long-term security. Braun received a PhD in
help organizations understand and manage the cyber- computer science from TU Darmstadt. Contact him
security issues emerging with quantum computers. jbraun@cdc.informatik.tu-darmstadt.de.
Contact him at john.mulholland@evolutionq.com.

Michele Mosca is cofounder of the Institute for Quan-


tum Computing at the University of Waterloo and a
professor in the Department of Combinatorics and
Optimization. His research interests include quantum
computation and cryptographic tools that will be safe
against quantum technologies. In 2015, he cofounded
evolutionQ to support organizations as they evolve
their quantum-vulnerable systems and practices to
quantum-safe ones and serves as the CEO and president.
Mosca received a doctorate in mathematics in quantum
computer algorithms from the University of Oxford.
Contact him at michele.mosca@evolutionq.com. F O LLOW US

Johannes Braun is the manager of the DFG Collab-


orative Research Center 1119 CROSSING and a
postdoctoral researcher in the Cryptography and
Computer Algebra research group at Technische
Universitt (TU) Darmstadt. His research interests
@s e cu rit y p riva c y
include IT security and applied cryptography with a
