On Q-Day, a quantum computer will succeed in cracking the world of encryption wide open, putting vast amounts of data at risk. This event isn’t as far away as you might think; although some experts take a conservative view that Q-Day will hit in 2030, others take the aggressive view that it could happen as early as 2026.

Is your organisation prepared for all encryption to be undermined?

Understanding quantum computing has many levels – some involving a physics degree – but the core principle is that it’s a completely new form of computing rather than an advance on the classical approach. Algorithms on a classical computer run all available options, but a quantum computer runs algorithms based on how probabilities interact, giving it advanced, extremely fast capabilities. This opens up new mathematical approaches to complex tasks that are simply beyond the scope of current computing.

On Q-Day, a quantum computer will break asymmetric encryption, the most commonly used form. This form of encryption algorithm works by multiplying two huge prime numbers to create large products and then generating a key pair, one public and one private, used to encrypt and decrypt data. There’s no known way for a classical computer to crack this due to the time it would take. However, it's a different matter for a quantum computer, meaning all data could become readable, including any data compromised a while ago on a 'store today, crack later' basis. 

Preparing cryptography for Q-Day and beyond involves finding a new mathematical problem (not the factorisation of prime numbers) that neither classical nor quantum computers can solve. Crucially, it also involves accepting that there will never be a single, unbreakable algorithm. Instead, organisations need crypto agility to be able to switch out algorithms within their systems.

The good news is that the global cyber security community, led by the US National Institute of Standards and Technology (NIST), has been working on creating, testing and agreeing post-quantum encryption algorithms for some time, and is making good progress. In parallel, the market is developing wider methods to defend data against quantum crypto-cracking.

Unwilling to wait for the full launch of NIST’s new algorithms, many organisations are already putting defences against the power of quantum to give maximum protection against the ‘store now, decrypt later’ strategy. Two approaches are leading the market:

At the core of this solution is the ability to create and rotate symmetric keys on demand to encrypt and protect sensitive data between point-to-point VPN links. This not only protects against future quantum threats, but it also defends data in transit from ‘store now, decrypt later’ attacks.

QKD is a method of distributing quantum-safe encryption keys between parties. Rather than relying on mathematics, it uses the quantum properties of light to generate secure random keys for encrypting and decrypting data, meaning that QKD-protected transmissions can never be intercepted and decrypted by adversaries. QKD ensures the keys used in public-key infrastructure are constantly refreshed, making it impossible to hack into the key.

In the complex quantum environment, an organisation's initial preparations are surprisingly simple and can be broken down into a four-stage sequence.

Although security teams will need to take the lead in preparations, quantum needs to become an issue for the whole senior leadership team. Work out how to communicate the critical points and who to include in strategic discussions.

It’s important to prepare a comprehensive inventory of your cryptography, so you know exactly where and how your organisation uses cryptography to protect data at rest and in transit, enabling you to work out how Q-Day could affect your operations. It’s only at this point that you’ll be able to make conscious and informed decisions about how and what to update.

Next, combine the detailed inventory of your current encryption with a broad risk assessment so you can prioritise actions and work on protecting your most critical assets first. This will also help you identify any obsolete or weak encryption systems, and be able to find, classify and analyse risks in real-time.

Once you understand your organisation’s current encryption position and risks, you’ll be in a position to work towards tailored and effective Q-Day mitigation.