There’s a lot of talk these days about the quantum threat and how it will annihilate current encryption algorithms. What is often overlooked is the timeline, or when we can expect quantum computers to start having an impact. Let’s find out.
The processing power of quantum computers is not measured by instructions per second or MIPS. What matters instead is the number of qubits the computer can process at the same time. A qubit loosely corresponds to a bit in a classical computer, except that a qubit value can be uncertain – this is the reason why quantum computers are so powerful.
Currently (November 2022), the largest known superconducting quantum computer, the IBM Osprey, has 433 qubits, which is still far fewer than the estimated minimum of 4000 qubits that would be required to break a 2048-bit RSA key in a matter of seconds. Predictions of when such processing power might be available vary from 2 to 20 years from now. However, there are three issues making things more urgent:
1. Secret development
Because of the transformative power of quantum computers and the race to be the first to obtain them, it is likely that some development is done in secret, and that military or national security organizations are further along than what is publicly known.
2. Hybrid decryption
In reality, decryption systems built around quantum computers will be architecturally complex, combining clusters of classical computers with a quantum computer. Further, there is a class of algorithms called quantum annealing, which can simulate some quantum computer operations on a classical computer and dramatically reduce the qubit requirement.
3. Recording attacks
Organizations usually handle long-term secrets that are valid for 10 or more years, like personal health information, credit card numbers or trade secrets. Current encrypted communications containing these secrets can be intercepted and stored. When the needed quantum processing power is available, the correspondence (and with it, the long-term secrets) can be exposed. Because of recording attacks, the quantum threat is already impacting the present day.
So, how urgent is it to protect yourself against the quantum threat? You can’t know exactly when “Q-Day” will hit, but by doing nothing, you are risking your organization’s long-term secrets. Is the risk acceptable? It depends on how valuable you consider your long-term secrets to be. However, if you had an easy option to become quantum-safe, would you take it?
Ensuring that your secrets are quantum-safe does not require huge investments in infrastructure, and you certainly don’t need to acquire new hardware or install new fiber cables. You can upgrade to quantum-safe communications simply by upgrading your software. There are already production-ready solutions on the market that are both affordable and easy to use, like SSH Tectia Quantum-Safe Client/Server and the SSH NQX network-level encryptor.