Skip Sanzeri is the founder, board chair and COO of QuSecure, a top post-quantum cybersecurity company.
If you have seen any of my previous Forbes articles, you will know that I write about the quantum computing threat to the encryption we all use to keep our data safe and private. Quantum computers, because they operate differently than our standard computers, have been mathematically proven to eventually break the internet’s encryption. Called public-key infrastructure (PKI), this is the cryptography that protects us as we exchange data online. The current gold standard, or commonly applied highest level of encryption, is RSA (Rivest-Shamir-Adleman) 2048. To date, quantum computers have not been powerful enough to crack RSA 2048. However, there is a process called SNDL (Steal Now, Decrypt Later) wherein data stolen today is stored on remote servers (in other countries) for decryption later. Since adversarial nation-states are storing this data, there is an exceptionally good reason for enterprises and government organizations to start moving to advanced cryptography now.
However, on September 18, the cybersecurity community was shocked to learn about a development from San Diego-based MemComputing (Mem) regarding a new, more imminent danger. Mem was asked by the US Air Force to use its technology to see if there was a way to easily crack PKI. Mem did the work and then published a white paper on how it used in-memory processing ASICs (Application Specific Integrated Circuits) to simulate breaking RSA in real time. The paper, titled “Scaling up prime factorization with self-organizing gates: A MemComputing Approach,” describes how they used software emulation focusing on factorization test problems from 30 to 150 bits: “Results showed that the circuit generated the appropriate congruences for benchmark problems up to 300 bits, and the time needed to factorize followed a 2nd-degree polynomial in the number of bits.”
In other words, Mem’s findings estimate their ASIC chip can crack RSA 2048 in two years or less using classical, not quantum, computing. Compare this to our best estimates for supercomputers, which would take millions of years to do the same. If Mem is right, their development demonstrates a fundamental breakthrough: a bad actor could threaten the world’s public-key encryption, including all data traveling over the internet.
Previously we were more worried about quantum computers breaking public-key encryption. The point at which quantum computers are powerful enough to break RSA 2048 is commonly referred to as “Q-day.” The current estimates are anywhere from 5 to 10 years, and all believe that it will take an extremely powerful quantum computer to break public-key encryption.
The Mem breakthrough shows that this is no longer just about quantum computing: there are other clever methods to crack encryption. We can bet that if we know about this advancement, our adversaries know as well.
We Are Not Standing Still
Fortunately, our federal government has been hard at work. NIST (National Institute of Standards and Technology) has been working on this problem for over seven years and has nearly finalized recommendations of new cryptography that can be tested now. The new algorithms (also called quantum-resilient) are based on new and different cryptographic infrastructures using math problems different from the current prime factoring problems we use today for cryptography. They are tested to be quantum-resilient and should hold up against decryption methods such as Mem’s and other developments.
On December 21, 2022, President Biden signed into law Public Law 117-260—the “Quantum Computing Cybersecurity Preparedness Act”—“An act to encourage the migration of Federal Government information technology systems to quantum-resistant cryptography, and for other purposes.” It is the first step in mandating that our entire federal government upgrade from our existing standard cryptography to new, quantum-resistant cryptography.
What To Do
It is now even more vital that enterprises and federal government organizations start the upgrade process to new encryption. Even if large organizations initiated a cryptographic upgrade today, it is going to take years, or even a decade, to complete the process. With Mem’s development, and powerful quantum computers on the way, we have zero time left to be safe.
Here are some steps organizations can take right now:
Learn About New Cryptography: Business leaders should stay informed about the progress of new, available cryptography via NIST. These new quantum-resilient algorithms use different math and are not based on factoring large numbers like our existing encryption.
Act Now—Test New NIST Algorithms Right Away: There is insignificant risk in testing quantum-resilient algorithms. By bringing this new cryptography into the network, enterprises and government organizations will quickly gain valuable hands-on experience, thus getting a jump on the larger, permanent upgrade that will be necessary.
Stay Crypto-Agile: Companies should start planning for a transition to advanced cryptography with the ability to change cryptography on the fly. At the same time, we expect the new algorithms to go through difficulties. Some will fail, some will need adjustment, some will work. So being crypto-agile is a way organizations can use new cryptography without worrying about committing to one new algorithm.
Ease Of Deployment: Deployment of new cryptography algorithms will take time, and organizations can reduce risk by finding partners who can install these algorithms over the existing cryptography, with no rip and replace.
Address Your Entire Network: Any outdated or vulnerable cryptography provides an attack vector. Think of servers, switches, phones, laptops, cloud-based servers and even satellites.
Scalability: Look for partners that can deploy quantum-resilient algorithms without installing anything on edge devices. This will make it much easier and quicker to secure your organization as there is no change to the endpoint or user experience.
Hybrid Approach While Transitioning: While quantum-safe cryptography is being standardized, organizations should use a hybrid approach. Finding a solution that leaves existing encryption in place while transitioning to quantum-resilient algorithms is key.
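One way to realize the "Stay Crypto-Agile" and "Hybrid Approach" items above, shown as an added example that is not from this article or any vendor: the session key is derived from both a classical and a post-quantum shared secret, so an attacker has to recover both, and the algorithm pair is chosen by a suite ID in a table that policy can change. The suite table, the `hybrid-demo` label and the sample secrets are constructed for illustration; in a real deployment the secrets come from the actual key exchanges.

```python
import hashlib
import hmac

# Hypothetical suite registry: ID -> (classical KEX, post-quantum KEM, allowed?).
# Retiring an algorithm is a data change here, not a code change.
SUITES = {
    1: ("x25519", None, True),               # classical only (legacy peers)
    2: ("x25519", "ml-kem-768", True),       # hybrid
    3: ("x25519", "example-pq-kem", False),  # constructed: a retired PQ scheme
}

def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """HKDF (RFC 5869) extract-then-expand with HMAC-SHA-256."""
    prk = hmac.new(salt or b"\x00" * 32, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]

def derive_session_key(suite_id: int, classical_ss: bytes, pq_ss: bytes = b"",
                       transcript: bytes = b"") -> bytes:
    """Derive one session key from both shared secrets for the given suite."""
    if suite_id not in SUITES:
        raise ValueError("unknown suite")
    classical, pq, allowed = SUITES[suite_id]
    if not allowed:
        raise ValueError("suite retired by policy")
    if (pq is None) != (pq_ss == b""):
        raise ValueError("post-quantum secret does not match suite")
    # Length-prefix each secret so the concatenation is unambiguous.
    ikm = b"".join(len(s).to_bytes(2, "big") + s for s in (classical_ss, pq_ss))
    # Bind the suite ID and algorithm names so keys never collide across suites.
    info = b"hybrid-demo|%d|%s|%s" % (suite_id, classical.encode(),
                                      (pq or "none").encode())
    return hkdf_sha256(ikm, salt=hashlib.sha256(transcript).digest(), info=info)

# Constructed sample secrets standing in for real key-exchange outputs.
CLASSICAL_SS = bytes(range(32))
PQ_SS = bytes(range(32, 64))
```

Flipping the `allowed` flag for a suite is all it takes to stop new sessions from using a scheme that has failed review, which is the practical meaning of crypto-agility here.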
With the Mem breakthrough, the reason to test and deploy advanced, quantum-resilient cryptography has intensified. Make no mistake, if public-key cryptography starts breaking, this will prove to be an existential threat to our nation, allies and the free world.
Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs and technology executives.