In our previous blog, we covered the basics of how quantum computing is changing the outlook for data security — specifically, how it could affect current data security, sanitization, and destruction standards. But how worried should we be? Is the quantum revolution right around the corner? The answers aren’t so clear cut… except for that preparing now has been determined essential. (This blog builds upon the previous – link here if you need to get caught up.)
Will quantum computers be able to crack today’s encryption?
In time, the answer is most likely that yes — they will — at least for some types of encryption. Experts disagree on the timeline… and it could be a long while. Researchers from Kryptera, in a paper published just a few months ago, outlined how quantum computers could theoretically break modern methods of encryption such as AES and RSA. The rub is in the number of qubits the computer must possess in order to be able to even try — and that assumes it happens in a perfect system with minimal errors.
For example, Kryptera says (in a nutshell) that even with taking into account the current evolution rate of gated quantum computers, it would be several decades before one would even be able to attempt breaking AES encrypted files — and still with a high probability of failure. These researchers also remain bearish on whether quantum computers will be able to break most types of encryption, saying that such as statement is “misleading at best, false at worst.”
On the other hand, Dustin Moody — head of NIST’s post-quantum cryptography standardization project — told the Wall Street Journal that “Quantum computers will crack today’s encryption within a decade.”
Preparing for a post-quantum world
Regardless of these security threats looming in the future, and how much of a risk quantum computers truly present to today’s encryption standards, the race to quantum supremacy has begun in earnest. NIST (National Institute of Standards and Technology) is already working towards developing a standard for quantum-resistant encryption. They have solicited public comment, and have spent over a year of evaluation to come up with the current list of 26 candidates for the next phase of the project.
Governments around the world are also in the quantum race. According to the WSJ, China’s government is spending “tens of billions” on quantum computing research. Meanwhile, the spending in the United States is low by comparison, despite the National Quantum Initiative Act, which was signed into law in late 2018.
The future of data security in a quantum world
While predicting the future is challenging, it’s hard to argue that quantum computing will usher in dramatic changes to how data is protected, encrypted, accessed, and stored.
For example, take data sanitization standards. Currently, NIST’s own data sanitization standard is a reference for efficient, cost-effective, and secure data wiping — and is a service we can implement in customized Sipi Asset Recovery programs. But it’s inevitable that as post-quantum or “quantum-safe” encryption develops, and new standards begin to become accepted, that the NIST guidelines will evolve alongside.
That’s just one example of how quantum computing will intersect with the world of IT, IT assets, and data-bearing assets. We haven’t even touched on quantum data storage!
Concerns for today’s data
This all does sound a little bit sci-fi. Many might wonder about “quantum” in the sense of, is this just a buzzword… or something I need to be worried about today? The truth is, while much of it is currently theoretical, there’s a lot of science at play. And the world is intent on moving it forward.
In January of this year, IBM revealed the IBM Q System One, the world’s first circuit-based commercial quantum computer. CERN, ExxonMobil, and Fermilab are among those signed up to access the system through the cloud. It’s real, and it packs 20-qubit power.
To put things in perspective, the research from Kryptera states that it will require thousands of qubits (with error detection/correction) to realistically attempt breaking AES encryption using Grover’s algorithm, something we discussed in Part 1. Let’s take AES-256 for example, say on self-encrypting SSD media with a 256-bit encryption controller. Theoretically, according to Kryptera, cracking AES-256 would require a quantum computer sporting 6,681 logical qubits — far beyond today’s reality.
However — it’s not all about what can be hacked now, but perhaps about what can be hacked later. It’s thought that state sponsored hackers worldwide place priority on data breaches, especially in fields such as finance and healthcare, amassing large quantities of data in the process. Perhaps that data is inaccessible now, but as the quantum race advances — that could change in an instant.
This means that handling today’s data in a trusted, secure manner with fully verifiable chain-of-custody regardless of where the data-bearing asset ends up (i.e., destruction, wiping, recycling, liquification, etc.) amounts to more than security just in the here and now. It means that data — even though encrypted to today’s standards — doesn’t end up in the wrong hands, not even the smallest portion of it. It amounts to additional peace of mind in the decades to come.