5 misconceptions about Q-Day

There are two families of algorithms used in cryptographic solutions: symmetric and asymmetric algorithms. When Q-Day arrives, only asymmetric algorithms will become vulnerable to attacks from CRQCs. They are widely used because they don’t rely on an identical shared secret like their symmetric counterparts, making asymmetric solutions a perfect fit for dynamic ephemeral connections like HTTPS. To ensure asymmetric cryptography is quantum safe, we will need to replace existing algorithms with new post-quantum cryptography (PQC) algorithms, which are currently undergoing standardization. 

Meanwhile, encryption based on symmetric algorithms is already quantum safe today when taking proper precautions. For instance, we need to make sure the secret key used in symmetric encryption is shared in a way that is also quantum safe. Whenever asymmetric cryptography is used to exchange this key, then the key-exchange method must be replaced with a quantum-safe alternative.

While we may not see a CRQC come online for a decade or more, that doesn’t mean the threat to our data isn’t very real today. There is plenty of evidence that malicious actors are harvesting and storing data now, waiting for the day a CRQC becomes available to crack the encryption that protects it. This technique is called a harvest-now-decrypt-later attack.

This threat is particularly acute for data that needs to be kept confidential for a long time (state secrets, medical records, intellectual property) or information related to systems with a long lifetime (critical infrastructure). But the closer we come to Q-Day, the more data and systems we need to start worrying about.

Quantum key distribution (QKD) can share encryption keys across a network over a quantum communications channel, making it physically impervious to eavesdropping. It’s a promising technology that offers a confidential way to share secret keys between two endpoints using symmetric encryption. However, QKD is not a solution for making asymmetric cryptography quantum safe. 

And while the laws of physics may protect QKD against eavesdropping, they also place limitations on its applicability and scalability. The maximum distance for doing QKD over an optical fiber network is about 100 km, so its reach is severely limited over terrestrial networks. QKD also requires highly specialized equipment and infrastructure. The good news is that current QKD research and development efforts are addressing these challenges. 

It’s important to realize that no cryptography is infallible. With unlimited time and resources, all encryption can be broken (with one exception: a one-time-pad, as proven by Claude Shannon in 1949). The goal of practical encryption methods is to create mathematical problems that require thousands of years to solve, even with access to the best supercomputer. PQC algorithms create new mathematical challenges that — based on what we know today — even a quantum computer can’t solve in any reasonable amount of time.

But PQC has only recently emerged. PQC algorithms have not yet been exposed to the same amount of scrutiny as older cryptographic algorithms. It’s possible that they still hold algorithmic weaknesses we are not yet aware of. And just as quantum security algorithms are evolving, so too are the algorithms that threaten them. Advances in cryptanalysis and related algorithms could still emerge, which could expose vulnerabilities in today’s PQC. Any PQC migration strategy needs to take these uncertainties into account. 

While we tend to focus on the vulnerability of our communications when we talk about quantum security, our network infrastructure has potential quantum weaknesses as well. CRQCs could be directed to disrupt a network’s operation or to exfiltrate data from the systems connected to a network. 

For example, they could achieve denial-of-service by intruding into the management layer to misconfigure network elements. Such an attack would prevent the network from transmitting any data at all. Or a CRQC could acquire unauthorized access to network systems by hacking traditional public key infrastructures. To make sure our networks are quantum secure, we need to ensure every aspect of the network has appropriate quantum-safe protections in place.

If there is one common theme on the list, it’s that there is no one-size-fits-all approach to quantum security. It takes more than implementing a patch of PQC algorithms to make networks quantum safe. 

We will need to take a cryptographically agile approach to quantum security, which might require tuning and perhaps even replacing PQC algorithms as our understanding of Q-Day increases. We will need to take a “defense-in-depth” approach, layering multiple quantum-safe technologies to handle different security scenarios. And we also need to ensure that every aspect of the end-to-end network is quantum safe — not just the communications channel. 

Making our networks quantum safe is a big task, but it’s certainly an achievable one. It just takes the right knowledge and preparation. And in the process, we have an opportunity to set a new level of best practices, ensuring that networks are not only quantum safe but also more resilient to any future security threat.

To learn more, I encourage you to download “The Road to Quantum-Safe Networks” paper. In it, you will find guidance on how to prepare networks for Q-Day and future quantum-security threats.