What Is Quantum Cryptography?
Quantum cryptography leverages the principles of quantum mechanics to create secure communication channels. It encodes information into a quantum system created from collections of tiny particles such as protons and transmits them to create a key that can decrypt the data.
Natasha Eastman, chief of operations for threat hunting at the Cybersecurity Infrastructure and Security Agency (CISA), explains that quantum computers themselves are inherently different than classical computers.
“Classical computers run a series of one and zeros, while quantum computers run zeros and ones all at the same time and ultimately allow the creation of algorithms that process information much, much faster than classical computers,” she says.
Instead of occurring one at a time, calculations can occur at an astronomically higher speed. Quantum computing also provides the means for more complex encryption that is more difficult to decode, because the possible numbers of encryption combinations is nearly infinite.
The mathematical strength of asymmetric cryptography — another name for public-key cryptography, which uses one public key and one private key to encrypt and decrypt data — lies in two areas, Eastman says:
- There is no one method to solve discrete logarithmic problems
- There is not one method to factoring large integers to break them down into smaller, prime numbers
Both calculations are necessary to develop an encryption key. But as methods are developed to better process data inherent to quantum computing, some could threaten the current implementations of asymmetric cryptography, as well as some implementations of symmetric cryptography (based on single keys to decode information).
“That threat to the security of modern cryptographic algorithms is really where we’re concerned, how that will change the nature of how we protect information,” Eastman notes. “Obviously, quantum computing also can be a benefit to how we protect information in cybersecurity.”
CISA and other security agencies and experts are concerned about the next 10 to 15 years in the quantum transition, when they expect the development of a cryptographically relevant quantum computer that could threaten even the most modern cryptographic algorithms protected from classic computers.
How Is Post-Quantum Cryptography Different?
Post-quantum cryptography does not require quantum technologies; instead, it is designed to protect against them.
Quantum cryptography harnesses the properties of quantum mechanics to secure and transmit data in a way that cannot be hacked. Quantum cryptography uses photons — individual particles of light — to transmit data over fiber-optic wires.
Photons are an integral part of providing a secure method for key encryption: quantum key distribution (QKD), which uses a shared private key between two connected parties. Data and the key are both transmitted via photons over optical fiber cable.
The key exchange is based on the Heisenberg uncertainty principle, which states that a person can’t calculate both the position and speed of a particle accurately; the more accurate you get on one, the less accurate you get on the other.
In the case of QKD, photons are generated randomly in one of two polarized quantum states, making the measurement of the quantum property of a photon impossible without altering the quantum information itself.
In such a path, the two endpoints of communication can verify the shared private key; it is safe to use if the photons are unchanged. If a malicious actor intercepts or accesses the message to learn the key, the quantum properties of the photons are altered.
If even a single photon change is detected, both legitimate parties understand the message has been compromised and is not safe to be trusted.
How Does Post-Quantum Cryptography Work?
Post-quantum cryptography, also known as quantum-resistant cryptography, goes a step further than quantum cryptography, says Priti Patel, a security consultant at Coalfire.
“The goal is to develop cryptographic systems that are secure against both quantum and classical computers and that have the ability to interoperate with existing communications protocols and networks,” she says.
NIST’s post-quantum cryptographic standard is expected to be finalized in the next year, but the agency already has resources available, including a white paper titled “Getting Ready for Post-Quantum Cryptography” and a draft version of NIST SP 1800-38A, “Migration to Post-Quantum Cryptography.”
“It is imperative to perform risk assessments specific to each agency, department and critical infrastructure operation,” says Jeffrey Wells, partner at Sigma7. “These assessments will involve meticulously evaluating vulnerabilities, potential attacks and risks associated with quantum computing.”
By conducting such assessments, organizations can proactively identify areas of concern and develop targeted mitigation strategies. These should include deploying quantum-resistant algorithms and encryption methods and diversifying cryptographic systems.
“Taking these proactive measures will help safeguard sensitive data, protect communication channels and ensure the continued resilience of operations in the face of potential quantum threats,” Wells says.