
Is a Quantum-Cryptography Apocalypse Imminent?


By The Conversation

Keith Martin, Professor, Information Security Group, Royal Holloway University of London

Will quantum computers crack cryptographic codes and cause a global security disaster? You might certainly get that impression from a lot of news coverage, the latest of which reports new estimates that it might be 20 times easier to crack such codes than previously thought.

Cryptography underpins the security of almost everything in cyberspace, from wifi to banking to digital currencies such as bitcoin. Whereas it was previously estimated that it would take a quantum computer with 20 million qubits (quantum bits) eight hours to crack the popular RSA algorithm (named after its inventors, Rivest–Shamir–Adleman), the new estimate reckons this could be done with 1 million qubits.


By weakening cryptography, quantum computing would present a serious threat to our everyday cybersecurity. So is a quantum-cryptography apocalypse imminent?

Quantum computers exist today but are highly limited in their capabilities. There is no single concept of a quantum computer, with several different design approaches being taken to their development.

There are major technological barriers to be overcome before any of those approaches become useful, but a great deal of money is being spent, so we can expect significant technological improvements in the coming years.

For the most commonly deployed cryptographic tools, quantum computing will have little impact. Symmetric cryptography, which encrypts the bulk of our data today (RSA is not a symmetric algorithm), can easily be strengthened to protect against quantum computers: the best known quantum attack on a symmetric cipher, Grover's algorithm, offers at most a square-root speed-up over brute force, so doubling the key length (for example moving from 128-bit to 256-bit AES keys) restores the original security margin.

Quantum computing might have a more significant impact on public-key cryptography, which is used to set up secure connections online, for example to support online shopping or secure messaging. Traditionally this was done with the RSA algorithm, though increasingly an alternative called elliptic curve Diffie-Hellman is used instead.

Public-key cryptography is also used to create digital signatures, such as those used in bitcoin transactions. These rely on yet another public-key scheme, the elliptic curve digital signature algorithm (ECDSA).

If a sufficiently powerful and reliable quantum computer ever exists, algorithms that are currently only theoretical in practice (Shor's algorithm is the key one) could break those public-key cryptographic tools. Shor's algorithm breaks both RSA and the elliptic-curve schemes in principle; the new paper's estimate concerns RSA specifically, but the elliptic-curve alternatives would be vulnerable to the same kind of machine.

The resource estimates for such attacks will also keep improving over time, as the paper about RSA is the latest to demonstrate.

What we don’t know

What remains extremely uncertain is both the destination and timelines of quantum computing development. We don’t really know what quantum computers will ever be capable of doing in practice.

Expert opinion is highly divided on when we can expect serious quantum computing to emerge. A minority seem to believe a breakthrough is imminent. But an equally significant minority think it will never happen. Most experts believe it is a future possibility, but prognoses range from ten to 20 years to well beyond that.

And will such quantum computers be cryptographically relevant? Essentially, nobody knows. Like most of the concerns about quantum computers in this area, the RSA paper is about an attack that may or may not work, and requires a machine that might never be built (the most powerful quantum computers currently have just over 1,000 qubits, and they’re still very error prone).

From a cryptographic perspective, however, such quantum computing uncertainty is arguably immaterial. Security involves worst-case thinking and future proofing. So it is wisest to assume that a cryptographically relevant quantum computer might one day exist. Even if one is 20 years away, this is relevant because some data that we encrypt today might still require protection 20 years from now, and an adversary could record encrypted traffic now and decrypt it once such a machine exists (often called "harvest now, decrypt later").

Experience also shows that in complex systems such as financial networks, upgrading cryptography can take a long time to complete. We therefore need to act now.

What we should do

The good news is that most of the hard thinking has already been done. In 2016, the US National Institute of Standards and Technology (NIST) launched an international competition to design new post-quantum cryptographic tools that are believed to be secure against quantum computers.

In 2024, NIST published an initial set of standards that included a post-quantum key establishment mechanism (ML-KEM, FIPS 203) and post-quantum digital signature schemes (ML-DSA, FIPS 204, and SLH-DSA, FIPS 205). To become secure against a future quantum computer, digital systems need to replace current public-key cryptography with these new post-quantum mechanisms. They also need to ensure that existing symmetric cryptography uses sufficiently long symmetric keys, such as 256-bit AES keys (many existing systems already do).

Yet my core message is don't panic. Now is the time to evaluate the risks and decide on future courses of action. The UK's National Cyber Security Centre (NCSC) has suggested one such timeline, primarily for large organisations and those supporting critical infrastructure such as industrial control systems.

This envisages 2028 as a deadline for completing a cryptographic inventory and establishing a post-quantum migration plan, with upgrade processes to be completed by 2035. This decade-long timeline suggests that NCSC experts don’t see a quantum cryptography apocalypse coming anytime soon.
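The first step in the NCSC timeline, a cryptographic inventory, is where the distinctions drawn earlier in the article become concrete: public-key schemes such as RSA, elliptic curve Diffie-Hellman and ECDSA need replacing, the NIST post-quantum standards are the replacements, and symmetric ciphers only need long enough keys. The script below is an added example, not code from the article or from NCSC or NIST, that triages a constructed inventory into a prioritised migration list. The record format, the policy thresholds (256-bit symmetric keys, a ten-year secrecy horizon) and the sample systems are assumptions chosen for illustration.

```python
"""Triage a cryptographic inventory for post-quantum migration planning.

Added example, not part of the article. The inventory format, the
thresholds and the sample systems are assumptions chosen for illustration;
adjust them to your organisation's own policy.
"""
from dataclasses import dataclass

# Public-key families that Shor's algorithm would break on a large,
# fault-tolerant quantum computer. Key size does not help here: a longer
# RSA modulus only raises the qubit count needed, it does not restore security.
QUANTUM_VULNERABLE = {"RSA", "DH", "DSA", "ECDH", "ECDHE", "ECDSA", "EDDSA"}

# NIST's 2024 post-quantum standards: ML-KEM (FIPS 203) for key
# establishment, ML-DSA (FIPS 204) and SLH-DSA (FIPS 205) for signatures.
POST_QUANTUM = {"ML-KEM", "ML-DSA", "SLH-DSA"}

# Symmetric ciphers and hashes: Grover's algorithm gives at best a
# square-root speed-up, so doubling the key length restores the margin.
SYMMETRIC = {"AES", "CHACHA20"}
HASH = {"SHA-256", "SHA-384", "SHA-512", "SHA3-256"}

# Assumed policy thresholds (not from the article).
MIN_SYMMETRIC_BITS = 256   # AES-256 keeps ~128-bit strength under Grover
HORIZON_YEARS = 10         # data that must stay secret longer than this is
                           # exposed to "harvest now, decrypt later"


@dataclass
class Entry:
    system: str
    usage: str              # "key_exchange", "signature", "data_encryption", "hash"
    algorithm: str
    bits: int               # key size, or parameter set for the PQ schemes
    secrecy_years: int = 0  # how long the protected data must stay confidential


def classify(e: Entry) -> tuple[str, int]:
    """Return (finding, priority); priority 0 = no action, 3 = migrate first."""
    alg = e.algorithm.upper()
    if alg in POST_QUANTUM:
        return ("post-quantum algorithm, no change needed", 0)
    if alg in QUANTUM_VULNERABLE:
        # Recorded key-exchange traffic can be decrypted later, so long-lived
        # secrets behind a vulnerable key exchange are the most urgent case.
        if e.usage == "key_exchange" and e.secrecy_years > HORIZON_YEARS:
            return ("quantum-vulnerable key exchange protecting long-lived data: "
                    "migrate first (harvest-now-decrypt-later risk)", 3)
        if e.usage == "key_exchange":
            return ("quantum-vulnerable key exchange: migrate to a post-quantum "
                    "KEM such as ML-KEM", 2)
        # Signatures cannot be forged retroactively; they matter once a
        # cryptographically relevant quantum computer actually exists.
        return ("quantum-vulnerable signature: migrate to ML-DSA or SLH-DSA "
                "when the platform supports it", 1)
    if alg in SYMMETRIC:
        if e.bits >= MIN_SYMMETRIC_BITS:
            return ("symmetric key length sufficient", 0)
        return (f"symmetric key only {e.bits} bits: raise to {MIN_SYMMETRIC_BITS}", 1)
    if alg in HASH:
        return ("hash function unaffected beyond a generic speed-up", 0)
    return ("unknown algorithm: investigate", 2)


def migration_plan(inventory):
    """Return (system, algorithm, finding) for every entry needing action, most urgent first."""
    findings = [(e, *classify(e)) for e in inventory]
    findings.sort(key=lambda f: f[2], reverse=True)  # stable sort keeps inventory order within a priority
    return [(e.system, e.algorithm, finding) for e, finding, priority in findings if priority > 0]


# Constructed sample inventory (illustrative systems, not real ones).
SAMPLE = [
    Entry("vpn-gateway", "key_exchange", "ECDHE", 256, secrecy_years=25),
    Entry("web-storefront", "key_exchange", "RSA", 2048, secrecy_years=1),
    Entry("code-signing", "signature", "ECDSA", 256),
    Entry("backup-archive", "data_encryption", "AES", 128, secrecy_years=30),
    Entry("log-integrity", "hash", "SHA-256", 256),
    Entry("new-messenger", "key_exchange", "ML-KEM", 768),
]

if __name__ == "__main__":
    for system, alg, finding in migration_plan(SAMPLE):
        print(f"{system:16} {alg:8} {finding}")
```

Run as-is, the plan puts the VPN gateway first (a vulnerable key exchange protecting data that must stay secret for 25 years), then the storefront's RSA key exchange, and only then the signature and symmetric findings; the ML-KEM and SHA-256 entries need no action. A real inventory would also record where each key lives and who owns it, which is what makes the later migration plan executable.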

For the rest of us, we simply wait. In due course, if deemed necessary, the likes of our web browsers, wifi, mobile phones and messaging apps will gradually become post-quantum secure either through security upgrades (never forget to install them) or steady replacement of technology.

We will undoubtedly read more stories about breakthroughs in quantum computing and upcoming cryptography apocalypses as big technology companies compete for the headlines. Cryptographically relevant quantum computing might well arrive one day, most likely far into the future. If and when it does, we’ll surely be ready.



The Quantum Insider is the leading online resource dedicated exclusively to Quantum Computing. You can contact us at [email protected].
