By: Jacob Austin
Store Now, Decrypt Later.
Encryption is a way to convert data to an unreadable form, to prevent unauthorized access. Currently modern encryption is very successful at this task. This may not be the case forever, however. Store Now, Decrypt Later is a surveillance strategy presumably utilized by many threat actors and governments. This threat, while not currently feasible, consists of the idea that encrypted traffic can be captured and stored over secure channels. This data is then stored for an indefinite amount of time, until the current encryption algorithms are cracked, allowing for the reading of possibly sensitive data. Quantum computing is expected to break asymmetric encryption, by allowing for decryption without the prior knowledge of a private key.
The Quantum Threat
The main concern for current encryption algorithms is quantum computers. While many advancements have been made in the area of quantum computing, the inherent instability of quantum computing makes progress slow and intensive. Many estimates state that it will likely take ten to twenty more years to progress to the point of breaking modern algorithms. However, because a tool like this would have such powerful implications for information security, there is a very real possibility of an advanced quantum system being developed in secret. CISA states that with the knowledge of nation states and private companies pursuing quantum computers, breaking modern encryption is not a matter of “if” but “when.”
Mitigating the Threat
This possible threat concerns almost all digital data and so although it may not be a current threat, preparations need to be made. NIST called for proposals for post-quantum cryptographic systems (PQC) officially on December 10th, 2016, citing quantum computing as a threat to RSA, DSA, and elliptical curve cryptography. There are several proposals for post-quantum systems, all of which are extremely technical out of necessity. Some of these systems include lattice-based, code-based, and multivariable systems, as well as hash-based signatures. The proposals have gone through four rounds of testing, and on July 5th, 2022 NIST announced the cryptographic systems that qualified to be standardized. The four systems to be standardized included one key establishment mechanism called CRYSTALS-KYBER as well as three digital signature systems, CRYSTALS-Dilithium, FALCON, and SPHINCS+. While there are many promising ideas to prepare for the future, the switch from modern to post-quantum encryption is not expected to be simple. There are a few complications that make the switch difficult for all involved. The systems need to be developed, standardized, and implemented across all affected areas. This also all needs to be done before any large scale and stable quantum computers are developed, meaning there is a deadline that needs to be met.
Who is at Risk?
The average person’s data, even when unencrypted, will not be very valuable years into the future. However, the White House stated in a Presidential National Security Memo that the progression of quantum computing will jeopardize civilian and military communications, undermine control systems for critical infrastructure, and bypass security for online transactions. While “store now, decrypt later” may not be a detriment to individuals, the progression of quantum computing will unless mitigations are put into place.
Actions to Take
CISA states that while NIST is not expected to release their post-quantum cryptographic standards for commercial use until 2024, there are steps that organizations are recommended to take to make the switch as seamless as possible. CISA recommends taking an inventory of all systems that use public-key cryptography, testing the new post-quantum systems in a lab environment, creating a transition plan, alerting IT departments and vendors of the changes, and providing any necessary education for the change.
- Cybersecurity and Infrastructure Security Agency (CISA). (n.d.). Quantum. Retrieved from https://www.cisa.gov/quantum
- Cybersecurity and Infrastructure Security Agency (CISA). (2022, July 5). Prepare for the New Cryptographic Standard to Protect Against Future Quantum-Based Threats. Retrieved from https://www.cisa.gov/news-events/alerts/2022/07/05/prepare-new-cryptographic-standard-protect-against-future-quantum-based-threats
- National Institute of Standards and Technology (NIST). (n.d.). Post-Quantum Cryptography – Workshops and Timeline. Retrieved from https://csrc.nist.gov/projects/post-quantum-cryptography/workshops-and-timeline
- National Institute of Standards and Technology (NIST). (n.d.). Post-Quantum Cryptography Standardization – Call for Proposals. Retrieved from https://csrc.nist.gov/Projects/post-quantum-cryptography/post-quantum-cryptography-standardization/Call-for-Proposals
- The Quantum Insider. (2023, February 7). Guest Post: Harvest Now, Decrypt Later – The Truth Behind This Common Quantum Theory. Retrieved from https://thequantuminsider.com/2023/02/07/guest-post-harvest-now-decrypt-later-the-truth-behind-this-common-quantum-theory/
RIT Cyber Security Policy and Law Class Blog 