Quantum computers might be a way away, but the mathematics that makes quantum computing possible already exists. That's the basic premise behind Certes' assertion that right now is the time to prepare for a post-quantum future where existing cryptographic techniques will be brute forced into irrelevance.
That was the key thrust of a discussion with Paul German, Certes CEO. When German started out by describing the present day as 'post-quantum', the first question was a request for clarification; post-quantum? Are we even near pre-quantum? After all, while well-known names like Google and IBM (and lesser known ones like Rigetti Computing and D-Wave Quantum) have quantum computers on the drawing board, they aren't in production yet.
"What we're doing is post-quantum, because we're anticipating what quantum computing will bring in the near future. So, you're quite right about the complications today with delivering robust quantum computers; however, we know that eventually quantum computers will become available and they will break the current encryption standards, because mathematics tells us that that's what will happen," said German.
He explained that hackers are preparing for a quantum future by stealing encrypted data now and saving it for a day when quantum computing is available to smash the encryption. He said businesses relying on RSA (Rivest-Shamir-Adleman), TLS (Transport Layer Security), ECC (Elliptic Curve Cryptography) or standard Public Key Infrastructure, are already exposing their data, they just think it's safe and secure
Headquartered in Pittsburgh, Pennsylvania Certes has long delivered infosec solutions with a specific focus on Data Protection Risk Mitigation (DPRM). German, who noted that he's British but leading an American company, said Certes' track record is germane because quantum encryption isn't a brand new field.
Instead, he explained, it's an iteration on a continuum: "We've been around over 25 years, and primarily the problem we've been solving hasn't changed. However, quantum computers present a risk over the standard methods of data encryption. The existing standards simply won't stand up to them."
Right now, 'classical' supercomputers can be expected to take millions of years to break an RSA-2048 or ECC-256 key. The maths to which German is referring says a quantum computer could do it in hours or even minutes. Echoing a certain event in Normandy, the point at which that happens is widely referred to as 'Q-Day', and when it arrives the foundations of current digital security including RSA, ECC and TCC will be compromised.
While general consensus is that Q-Day will arrive by the early-to-mid 2030s, some analysts anticipate sooner rather than later. German noted the pace of development in AI, which for a considerable time was an unobtainable prize in computing, until it wasn't. In a very short space of time, AI went from the drawing board to ubiquity, and even further to commodity status.
There's every likelihood that a key breakthrough will similarly change the trajectory of what's possible overnight, with Q-Day unexpectedly going from hypothesis to a very brutal reality.
When, not if, that happens, German said quantum computers could simply crush these well-known public key encryption standards. "But, the underlying problem isn't new; just the way in which we now solve it is. The reason I mentioned that is because we're not a startup solving a new problem. We're an established, pedigreed company slightly altering our trajectory in terms of not 'what we do', 'but how we do it'."
Certes' post-quantum solution, explained German, uses new algorithms that he said are NIST-certified as quantum safe (they're even called Post Quantum Cryptography, or PQC). "We're protecting our customers against the post-quantum threat, today."
Moreover, he said the method matters, with Certes encryption travelling wherever the data goes (including to the private stashes of bad actors). "We pride ourselves on the way we abstract data security away from infrastructure and applications. When you look at the threat vectors today, one of the biggest challenges is data exfiltration - your data in somebody else's hands. Traditional encryption methods are tied to the infrastructure. We wrap the data itself in a way that security is owned and controlled by the data owner and, and that security goes with the data everywhere, so it doesn't matter if it's on someone else's computer, the cloud, between clouds, it really doesn't matter."
Should that happen, those who have invested in Post-Quantum Cryptography (PQC) developed by the likes of Certes will have nothing to worry about.
Well, not quite nothing, as German readily affirmed.
After all, until a production quantum computer emerges and is put to work on PKI, TCC or even PQC encryption, the full capabilities can't be known. But in much the same way that quantum physics described the working of a fluorescent tube long before it could be manufactured, the mathematical underpinnings for PQC are likely to hold strong.
"We know what we're working towards," said German. "And it is likely to come towards us very quickly, if we're not in a state of where we're prepared, then we're absorbing a large and frankly unnecessary amount of risk."