Can Quantum Computers Break Encryption?
Demystifying the Connection Between Quantum Computing and Encryption
With recent news about advances in quantum computing and the potential risk to information security, a lot of people are wondering about the connection between quantum computing and encryption. This article seeks to answer these questions in simple terms and as a series of questions, so that the average person can make sense of what is going to be a very important topic in the coming months and years, if not already.
What is encryption?
Encryption consists of transforming data into undecipherable strings by using another secret string also known as an encryption key. The transformation algorithms have special characteristics such that once the key is mixed into the original data and many iterations of the algorithm are performed, it is virtually impossible to retrieve the original data from the transformed string without access to the encryption key. Encryption was invented in the late 1970’s and the particular algorithms have evolved to become stronger and stronger over the years under the aegis of NIST. The current gold standard of encryption is the AES 256 algorithm.
Is there more than one type of encryption?
There are two main types of encryption: symmetric and asymmetric.
Symmetric encryption utilizes the same key to encrypt and decrypt data. This means that the same key needs to be available at the time of encryption and also at the time of decryption. Needless to say, this would work in cases where the data that is being secured remains in possession of the party that encrypted it. Alternatively, the party that encrypted it would need to find a safe way to send the encryption keys over to the party that needs to decrypt it. If keys are compromised then the security of the entire encrypted data set is compromised.
So, what about cases where encrypted data needs to be sent to a second party who needs to decrypt it on their end without access to the original key? This is where asymmetric encryption comes in.
Asymmetric encryption utilizes two different, but related, keys – one to encrypt and the other to decrypt the data. In this scenario, encryption keys are created in pairs – known as the public key and the private key.
The relationship between keys is such that deriving one (say the private key) from the other (say the public key) requires factoring exceedingly large prime numbers, which is so computationally intensive, that it would take normal computers a very very long time. Due to the exceedingly long times involved, this has been considered non-viable so far.
So, for two parties to share encrypted data via asymmetric encryption, the party that is encrypting the data grabs the receiving party’s public key from a publicly accessible source and uses it to encrypt the data. They then send the encrypted data over to the receiving party, who uses the associated private key to decrypt the data. Asymmetric key encryption is the foundation behind secure transmission of data across networks. When data is encrypted in this fashion, gathering data via network interception does not yield usable data and therefore does not constitute a data breach.
What makes quantum computers special?
In order to understand why quantum computers are special, let us take a quick look at how traditional computers encode and process data.
Until quantum computers came along, computers stored and processed data utilizing a binary format. Binary implies that the data is encoded into bits that can exist in two states, say 0 and 1. You can think of them as on and off. The amount of data that can be stored on traditional computers and their speed of processing is limited by the number of states i.e. the sheer amount of information that can be held on a single bit.
Quantum computers, on the other hand, utilize special bits called qubits which can take on the value of two bits at once. This means that they can store and process orders of magnitude more information than their traditional binary counterparts. This is significant because this means that a quantum computer can complete computationally intensive operations much faster than traditional computers.
Why does quantum computing put encryption at risk?
Since quantum computers can complete computationally intensive operations, such as factoring prime numbers, very fast, the entire premise behind the security of asymmetric encryption becomes at risk (See answer to previous question for context).
Specifically, a quantum computer could take a publicly available public key and derive the associated private key from it. This means that any data encrypted using that public key could now be decrypted without the consent of the party that sought to protect that data. This applies to all data that is secured using asymmetric key encryption and is a big deal!
Does quantum computing put all types of encryption at risk?
Due to the reasons described above, quantum computing puts asymmetric encryption at risk. Symmetric key encryption is not at risk since the same key is used to encrypt and decrypt the data and this key is typically safeguarded by the party that performed the encryption. In symmetric encryption, there is no concept of a public and private key. In the absence of key pairs there is no risk of deriving a decryption key from an available public key.
What is most concerning about the threat of quantum computing with respect to encryption?
One of the more concerning aspects of the threat of quantum computers to (asymmetric) encryption is the knowledge that bad actors have been intercepting networks and collecting encrypted data for a long time. This “gather now, harvest later” strategy has been adopted by cybercriminals including nation state actors with the anticipation that at some point in the near future this data could become the source of sensitive data, personal data, intellectual property, trade secrets, and national secrets, past and present.
How can we keep encrypted data secure against the threat of quantum computing?
At this time NIST is overseeing the development of quantum safe cryptography. Our advice would be to utilize symmetric encryption for data under your control. For data that does need to be securely shared with another party, wherever possible, we advise sharing sensitive data via a secure data sharing platform (disclosure: this is a use case that Portal26 addresses via the Portal26 Data Security Platform).
A platform (such as Portal26) can secure valuable data using symmetric encryption and make it available to authorized parties in a number of forms. This includes decrypting it (if the data owner permits), making it available for search and analytics without decryption (in cases where the receiving party needs to query the data rather than download it), or make it available in partially masked or redacted formats based on permissions granted by the data owner.
Portal26’s Data Security Solutions
For more information about secure data sharing and other data security use cases addressed by Portal26, please contact us and or book a demo today.
Ransomware Defense: Normalizing Outliers in Cybersecurity – Ransomware Edition Last week, I wrote an article titled “Black Swan in Data Security”. The primary point I