Quantum apocalypse: Experts warn of ‘store now, decrypt later’ hacks

19 Aug 2022

Image: © Alex/Stock.adobe.com

Cybersecurity experts have warned that hackers are stealing data now to decrypt it in the future, as quantum computing could render modern encryption methods obsolete.

Quantum computers are expected to shake up our world for better – and, potentially, for worse.

These powerful machines merge computer science and quantum physics to vastly increase processing power, and can solve certain types of problems much faster than a conventional computer.

Once true quantum computers become a reality, they are expected to surpass modern computers in almost every way, performing calculations that would otherwise be impossible.

However, there is a growing concern among cybersecurity experts that the quantum apocalypse is approaching. This is a term used to describe the predicted fallout of quantum computers being able to solve current cryptographic algorithms quickly.

Jason Soroko is the CTO of PKI at cybersecurity firm Sectigo. He told SiliconRepublic.com that while quantum computing has progressed in a linear way, we have to anticipate “eureka” moments that could really speed up its advancement.

“It is a matter of when rather than whether quantum computers will change the digital world as we know it,” Soroko said.

But there are already suggestions that sensitive data is being stolen by hackers to be decrypted in a quantum future, setting an urgency to update modern encryption methods.

The importance of cryptography

Encryption involves complex maths problems that modern computers cannot solve to keep data secure.

“Cryptography is ubiquitous in computer systems, including critical infrastructure, banking and even in your own daily computing life such as your smartphone and wearables,” Soroko said.

The issue comes with the potential power of quantum. It is believed that quantum computers could become advanced enough to crack through modern encryption measures, which poses a future cybersecurity risk.

Classic computers use binary bits, which can be either one or zero. But a quantum computer uses quantum bits or qubits, which can be one, zero or both at the same time.

Rebecca Krauthamer is the co-founder and chief product officer of QuSecure, a post-quantum cybersecurity firm. Krauthamer explained the difference between binary and quantum bits with a maze, where classic computers have to choose which direction to go.

“If you’re a quantum computer and you enter that maze, you don’t have to pick, you can go both ways at once,” she said. “And then with the quantum algorithm side, that cleverness is how you chop off the path that is not the most optimum path through the maze.

“So what you’re left with in the end is this instantaneous, optimum path.”

To explain the vast difference in power, Soroko said the average computer would need 300trn years to break a message encrypted with standard algorithms, while a quantum computer with enough qubits could crack it in “months or weeks”.

Security measures are being taken to prepare for the arrival of quantum computers. Last month, the US National Institute of Standards and Technology (NIST) selected a group of encryption algorithms that could become the new cryptographic standard in a post-quantum world.

“Academia and industry needs to ensure that quantum-resistant encryption is a reality before this quantum apocalypse arrives,” Soroko said.

Store now, decrypt later

Krauthamer pointed out that certain data has a long shelf life, with banking details, medical records and social security numbers being valuable for years to come.

She explained that when data travels between two points, it is possible for hackers to intercept that transfer to “harvest” or “store” the encrypted data. This creates the risk of a “store now, decrypt later”, or SNDL, strategy.

Krauthamer said this type of attack has grown to become a “very popular method”. Essentially, hackers may be stealing data today based on current encryption methods, with a view to decrypting it using future quantum computers further down the line.

“It really does underscore the urgency of getting the rest encrypted properly,” Krauthamer said. “We can’t turn back the clock but we can get ahead of it.”

This tactic was also noted by Soroko, who said it is “imperative” that efforts are made to protect both businesses and governments from the potential threat.

“With this harvest now and decrypt later strategy, [hackers] exploit the kind of secret information which will be just as damaging if it reaches the public eye now, or years from today,” Soroko added.

Time to take inventory

Despite the urgency to upgrade modern encryption, it is a daunting task to try change these algorithms. Soroko said it is unlikely that current cryptographic algorithms will entirely go away, due to “the sheer number of systems that use them”.

“Enterprises need a bridge solution that will allow them to transition to the new algorithms when the time comes,” Soroko added. “This way, when quantum-resistant algorithms become available, those with hybrid certificates will be able to migrate with no disruption to the business.”

The US Cybersecurity and Infrastructure Security Agency said NIST’s “post-quantum cryptographic standard” will replace current public-key cryptography and recently shared a roadmap that organisations should follow to prepare for the transition.

Companies like QuSecure, meanwhile, have integrated the recommended algorithms into their cybersecurity software to offer a third-party service for enterprises and government agencies.

Krauthamer said the company’s QuProtect platform aims to be flexible, by protecting existing data without needing to change the current encryption that exists in enterprises.

“We’ve known these standards were coming for some time, and QuSecure by design set out to be the ‘easy button’ to make this upgrade for enterprise and government,” Krauthamer said.

It is possible that the current standard being set by NIST will change in the future, as there are reports that some of the selected algorithms have been breached in test attacks.

Regardless, experts like Soroko said enterprises need to start taking inventory of their systems and to prepare to “get your hands dirty” with the technology that will help bridge towards quantum-resistant digital identities.

“Thankfully, those bridge technologies such as hybrid certificates and certificate authorities capable of issuing those quantum-resistant certificates are available now,” Soroko said. “That includes using post-quantum algorithms that have been determined by NIST to go towards full standardisation.”

10 things you need to know direct to your inbox every weekday. Sign up for the Daily Brief, Silicon Republic’s digest of essential sci-tech news.

Leigh Mc Gowran is a journalist with Silicon Republic