Image by Gerd Altmann from Pixabay
Why today’s pre-quantum encryption now faces a Y2K scenario
I had the opportunity to attend the Quantum to Business (Q2B) 2024 Silicon Valley event in December 2024, courtesy of Allie Kuopus, one of the organizers. This is the second post in a series on my main takeaways from the event.
Time to start migrating to standard post-quantum cryptography
One of the talks I didn’t have a chance to attend at Q2B 2024 was Konstantinos Karagiannis’s presentation “NIST PQC is Here: Why It’s Secure and What Comes Next.” Karagiannis is Director, Quantum Computing Services at Protiviti, a global consultancy headquartered here in the San Francisco Bay Area. He was on the Q2B agenda to provide an overview of post-quantum cryptography (PQC) and related strategy.
Fortunately, Protiviti had posted an interview in mid-October 2024 with Karagiannis that also touched on the PQC topic. The interview, conducted by editor-in-chief Joe Kornick of VISION by Protiviti, focused on a recent claim that the Chinese had successfully cracked military-grade encryption. Kornick asked bluntly, “So is the end of encryption here early? Has Q-Day arrived?”
“The short answer is no, which is good,” Karagiannis answered. As he described it, a good translation of the Chinese paper was not available. Only the abstract was in English. Machine translations that were available had “holes in them”, inhibiting the ability to reproduce the results of the paper.
Karagiannis didn’t accept the claims in the paper at face value, but he didn’t dismiss them entirely either. Interestingly, his advice on protecting privacy through renewed encryption remains the same either way. In either case, it’s time to act to ensure the continuation of effective encryption by starting to adopt appropriate post-quantum cryptography. “Let’s say the claims are true. Even if the claims are true, it doesn’t spell the end of encryption.”
The point he emphasized is that the US National Institute of Standards and Technology (NIST) published new post-quantum encryption Federal Information Processing Standards (FIPS) 203, 204, and 205 in August 2024. Every device that currently uses public key cryptography will eventually need to discard the older, pre-quantum encryption in pervasive use that’s vulnerable to factoring attacks.
Adam Zewe in MIT News in August 2024 described the challenge organizations face if they stay with the older encryption methods this way: “Quantum computers promise to rapidly crack complex cryptographic systems that a classical computer might never be able to unravel. This promise is based on a quantum factoring algorithm proposed in 1994 by Peter Shor, who is now a professor at MIT.
“But while researchers have taken great strides in the last 30 years, scientists have yet to build a quantum computer powerful enough to run Shor’s algorithm.”
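To make concrete what Zewe means by a "quantum factoring algorithm", here is an added example that is not from the MIT News article or from this post's author: a classical toy simulation of the number-theoretic reduction at the heart of Shor's algorithm. Factoring N is reduced to finding the period r of a^x mod N; the quantum computer's only job is that period finding, and everything else is ordinary arithmetic with gcd. The moduli 15 and 21 are constructed toy values.

```python
"""Added example: a classical toy simulation of the number-theoretic reduction
behind Shor's algorithm. Only find_period() would run on a quantum computer;
here it is brute force, which is why this cannot scale to real RSA moduli."""
from math import gcd
from typing import Optional, Tuple


def find_period(a: int, n: int) -> int:
    """Return the smallest r > 0 with a**r == 1 (mod n); requires gcd(a, n) == 1."""
    r, x = 1, a % n
    while x != 1:
        x = (x * a) % n
        r += 1
    return r


def shor_factor(n: int, a: int) -> Optional[Tuple[int, int]]:
    """Try to split n using base a; None means 'retry with another a'."""
    g = gcd(a, n)
    if g != 1:
        return (g, n // g)            # a already shares a factor with n
    r = find_period(a, n)
    if r % 2:
        return None                   # odd period: no square root of 1 to use
    y = pow(a, r // 2, n)             # y*y == 1 (mod n)
    if y == n - 1:
        return None                   # trivial root of 1: yields no factor
    p = gcd(y - 1, n)                 # (y-1)(y+1) == 0 (mod n) splits n
    return (p, n // p)


if __name__ == "__main__":
    # constructed toy moduli; real RSA moduli are 2048 bits or more
    for n, a in [(15, 7), (21, 2), (15, 14)]:
        print(n, a, shor_factor(n, a))
```

The brute-force loop in find_period is exponential in the size of n, which is exactly the classical hardness RSA relies on; a quantum period-finding routine replaces that loop with a polynomial-time step, and the rest of the attack is the cheap gcd arithmetic shown here. Lattice-based schemes such as those in FIPS 203 and 204 are not built on a period-finding problem, which is why this reduction does not apply to them.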
Events such as Q2B 2024 persuade me that the day scientists do manage to run Shor’s algorithm (the “Q-Day” that Kornick mentioned) is getting closer. Maybe it’ll be in five years, maybe less. Organizations will have to move to the new standard before Q-Day, just as they had to make sure to be Y2K-compliant (by upgrading older systems that couldn’t manage dates with more than two digits in the year field) before January 1, 2000 arrived.
Those attacks aren’t yet imminent, says Karagiannis, which means organizations have the time now to make the shift methodically.
Karagiannis provided some welcome reassurances about the new NIST standards. “This approach that was published in the Chinese paper can’t touch the new NIST post-quantum cryptographic standards that were released on August 13, 2024. The lattice-based approach in there is safe from this type of attack and safe from Shor’s algorithm, the quantum attack we were all worried about. So really the best thing you could be doing right now is starting the migration plans to PQC.
“It’s time to start taking inventory, start looking at what cryptographies you have in place, start looking at which critical assets you might want to protect first,” Karagiannis concluded. “Because migrating to new cryptography takes time, and it’s tricky. This paper will not threaten PQC, so why not start now?”
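The inventory step Karagiannis describes is where most migrations begin, so here is an added example of what one slice of it looks like in code; it is not from Protiviti or this post's author. It parses an OpenSSH authorized_keys file (RFC 4251 wire format), records each key's algorithm and size, and classifies every key by the hard problem it rests on, all of which Shor's algorithm solves. The sample file, the moduli and the curve points are constructed placeholders, not real keys; the priority labels are an assumed triage scheme.

```python
"""Added example: inventory of public-key algorithms in an OpenSSH
authorized_keys file, classified by exposure to Shor's algorithm.
All sample keys below are constructed placeholders, not real keys."""
import base64
import struct
from dataclasses import dataclass
from typing import List, Tuple


# --- RFC 4251 wire-format helpers (string and mpint encodings) ---
def ssh_string(data: bytes) -> bytes:
    return struct.pack(">I", len(data)) + data


def ssh_mpint(n: int) -> bytes:
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    if raw and raw[0] & 0x80:
        raw = b"\x00" + raw  # leading zero keeps the value positive
    return ssh_string(raw)


def read_string(blob: bytes, off: int) -> Tuple[bytes, int]:
    (length,) = struct.unpack(">I", blob[off:off + 4])
    off += 4
    return blob[off:off + length], off + length


@dataclass
class KeyRecord:
    key_type: str
    bits: int
    hard_problem: str         # classical assumption the key rests on
    quantum_vulnerable: bool  # True when Shor's algorithm solves that problem
    priority: str             # assumed triage label
    comment: str


def parse_public_key(line: str) -> KeyRecord:
    """Parse one authorized_keys line: '<type> <base64 blob> [comment]'."""
    fields = line.split(None, 2)
    key_type, b64 = fields[0], fields[1]
    comment = fields[2] if len(fields) > 2 else ""
    blob = base64.b64decode(b64)
    wire_type, off = read_string(blob, 0)
    if wire_type.decode() != key_type:
        raise ValueError("key type prefix does not match the blob")
    if key_type == "ssh-rsa":
        _e, off = read_string(blob, off)          # public exponent (unused)
        n_raw, off = read_string(blob, off)       # modulus as mpint
        bits = int.from_bytes(n_raw, "big").bit_length()
        problem = "integer factoring"
    elif key_type.startswith("ecdsa-sha2-nistp"):
        curve, off = read_string(blob, off)       # e.g. b"nistp256"
        bits = int(curve.decode()[len("nistp"):])
        problem = "elliptic-curve discrete log"
    elif key_type == "ssh-ed25519":
        pk, off = read_string(blob, off)          # 32-byte public key
        bits = len(pk) * 8
        problem = "elliptic-curve discrete log"
    else:
        raise ValueError(f"unsupported key type {key_type}")
    # Every type handled above rests on factoring or discrete log, both of
    # which Shor's algorithm solves; RSA under 2048 bits is weak even today.
    priority = "urgent" if key_type == "ssh-rsa" and bits < 2048 else "plan PQC migration"
    return KeyRecord(key_type, bits, problem, True, priority, comment)


def inventory(text: str) -> List[KeyRecord]:
    records = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            records.append(parse_public_key(line))
    return records


def _sample_line(key_type: str, body: bytes, comment: str) -> str:
    blob = ssh_string(key_type.encode()) + body
    return f"{key_type} {base64.b64encode(blob).decode()} {comment}"


# Constructed sample file: moduli and curve points are placeholders.
SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# constructed sample, not real keys",
    _sample_line("ssh-rsa", ssh_mpint(65537) + ssh_mpint((1 << 2047) | 1), "deploy@ci"),
    _sample_line("ssh-rsa", ssh_mpint(65537) + ssh_mpint((1 << 1023) | 1), "legacy@backup"),
    _sample_line("ecdsa-sha2-nistp256",
                 ssh_string(b"nistp256") + ssh_string(b"\x04" + bytes(64)), "ops@bastion"),
    _sample_line("ssh-ed25519", ssh_string(bytes(32)), "alice@laptop"),
])

if __name__ == "__main__":
    for rec in inventory(SAMPLE_AUTHORIZED_KEYS):
        print(f"{rec.key_type:<20} {rec.bits:>5} bits  {rec.hard_problem:<28} "
              f"{rec.priority:<20} {rec.comment}")
```

Run against a real authorized_keys file, the same inventory() call yields the list of assets that will need a FIPS 204 or 205 signature scheme once SSH implementations ship them; the point of the exercise is that every entry comes out quantum-vulnerable, so prioritization has to rest on asset criticality and on keys that are already weak today (the 1024-bit RSA entry), not on the algorithm family alone.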
Ways AI and trusted knowledge graph technology can help with post-quantum encryption migration
One of the good things about the era of hybrid or neurosymbolic AI (NSAI)-enabled automation (statistical neural nets plus symbolic AI, plus a fresh crop of agents and an expanded range of interaction capabilities) is that it promises to lighten the burden of major migration challenges such as those involving post-quantum encryption.
Software development firm RTS Labs in a November 2024 post at the firm’s website, for example, points out that AI can automate key generation, distribution, and monitoring processes, reducing the risk of human error.
More broadly, the use of NSAI rather than statistical and agentic AI methods alone implies a much bigger opportunity for scaling and boosting the uniformity of encryption management across supply chains.
I have more questions than answers here. For instance, what’s the inventory management and documentation and key management needed to prove and verify compliance? Should there be a meta-layer of agent-oriented compliance management for reasons of scale economies, visibility and assurance? How can we ensure that hostile actors won’t invade systems in the middle of upgrades?
Just more things to ponder. Every challenge here becomes an opportunity for hybrid AI-enabled systems that are only getting started. We do want these systems to be trustworthy, a challenge requiring lots of human oversight, vision and proactive leadership ability.