Quantum-Safe vs. Quantum-Secure Cryptography
In 2010, I was serving as an interim CISO for an investment bank. During that time, I was already trying to figure out the risks posed by quantum computing. One day, I was approached by a vendor who, with great confidence, made two bold claims. First, they insisted that the Q-Day is just around the corner, claiming they had insider information from the NSA suggesting CRQCs were mere weeks away. This, of course, was a load of rubbish. The second claim was even more audacious: they guaranteed that their algorithms were quantum-secure, offering absolute security against any quantum attack.
These statements have since become my personal pet peeve as I am increasingly dealing with the quantum risk in my practice. The potential threat of quantum computing is a massive problem, and there will undoubtedly be a market for all vendors that can genuinely provide solutions. This makes such exaggerations unnecessary and misleading. So, I’d like to explain the differences between the terms “quantum-safe” and “quantum-secure”, and why these distinctions matter. These terms are frequently mentioned, often interchangeably, but they carry distinct meanings that are crucial to understand.
Quantum-safe (or Quantum-Resistant) cryptographic methods are those that are believed to be resistant to attacks by quantum computers. These methods are designed with the understanding that quantum computers can solve certain mathematical problems much faster than classical computers, rendering many of our current cryptographic techniques obsolete. See “What’s the Deal with Quantum Computing: Simple Introduction.” Quantum-safe algorithms are thus seen as a safer choice compared to classical cryptographic methods, which are vulnerable to quantum attacks. However, calling these methods “safe” rather than “secure” underscores the fact that this confidence is based on our current understanding and assumptions. In other words, they are believed to be secure against known quantum attacks, but have not necessarily been proven to be secure against all possible quantum attacks.
In contrast, quantum-secure cryptographic methods imply a higher level of confidence and assurance in the algorithm’s ability to withstand quantum attacks. For an algorithm to be deemed quantum-secure, it would need to be mathematically proven to be secure against all known quantum attacks. Achieving this level of security is an extremely high bar. The process of proving absolute security is fraught with complexity, and the evolving nature of quantum computing and quantum attack methodologies means new vulnerabilities could be discovered at any time.
Currently, there are no universally accepted quantum-secure algorithms. The cryptographic community has yet to identify algorithms that meet the rigorous standards required for absolute security in the face of quantum computing. If someone wanted to confirm their algorithm as quantum-secure, the process would be exceptionally challenging, and it is currently considered almost impossible to achieve absolute certainty. Here’s why:
- Comprehensive Mathematical Proofs: To confirm an algorithm as quantum-secure, one would need to provide a comprehensive mathematical proof that the algorithm can withstand all conceivable quantum attacks. This would involve demonstrating that no quantum algorithm could solve the problem on which the cryptographic security is based, faster than a classical algorithm could. Given the complexity of quantum mechanics and the theoretical nature of quantum algorithms, providing such a proof is extremely difficult.
- Evolving Quantum Computing Capabilities: Quantum computing is a rapidly evolving field. New discoveries and advancements are continually being made, which could introduce new attack vectors or make existing attacks more efficient. An algorithm considered secure today might not remain so in the face of future advancements. This dynamic nature of the field makes it challenging to assert absolute security.
- Broad Consensus and Peer Review: Achieving broad consensus within the cryptographic and quantum computing communities is another hurdle. The process of peer review, rigorous testing, and validation by independent researchers is crucial. Even if a strong theoretical proof is provided, it must withstand scrutiny and testing over time to be accepted as quantum-secure.
The distinction between quantum-safe and quantum-secure is crucial for several reasons:
- First, it shapes our expectations and preparedness. By understanding that current algorithms are quantum-safe rather than quantum-secure, we recognize that while they offer a strong defense against known threats, there is no absolute guarantee. This awareness prompts ongoing vigilance and research, ensuring we remain prepared for new developments in quantum computing.
- Second, it impacts policy and decision-making in cybersecurity. Organizations need to adopt quantum-safe algorithms to mitigate risks, but they must also remain flexible and ready to update their cryptographic methods as new quantum threats emerge. In other words, they have to become crypto-agile. This distinction drives investment in continuous improvement and adaptation.
- Finally, it affects vendor claims and market dynamics. As seen from my experience in 2010, exaggerated claims can mislead and create false confidence. Clear distinctions between quantum-safe and quantum-secure help set realistic expectations and foster trust in the cryptographic solutions being developed and marketed.
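To make the crypto-agility point concrete, here is an added example (not code from the original post) of a protected-record format that stores an algorithm identifier next to every tag, so a scheme that is later judged unsafe can be deprecated for new data while old records still verify and can be re-protected. The stand-in algorithms (HMAC over SHA-256 and SHA3-256), the registry and all function names are assumptions chosen to keep the example standard-library only; they are placeholders for whichever quantum-safe scheme an organization adopts.

```python
# Added example of a crypto-agile envelope. The algorithms below are placeholders
# (HMAC over SHA-256 / SHA3-256), not PQC schemes; the point is that every record
# names the algorithm that protected it, so the default can be rotated later.
import hashlib
import hmac

# Registry of tag algorithms keyed by the identifier stored in each envelope.
REGISTRY = {
    "hmac-sha256": hashlib.sha256,
    "hmac-sha3-256": hashlib.sha3_256,
}
DEFAULT_ALG = "hmac-sha3-256"     # used for all newly protected data
DEPRECATED = {"hmac-sha256"}      # still verifiable, no longer allowed for new data


def seal(key: bytes, message: bytes, alg: str) -> dict:
    """Raw primitive: build an envelope under the named algorithm (no policy)."""
    tag = hmac.new(key, message, REGISTRY[alg]).hexdigest()
    return {"alg": alg, "msg": message, "tag": tag}


def protect(key: bytes, message: bytes, alg: str = DEFAULT_ALG) -> dict:
    """Policy-enforcing entry point: refuse unknown or deprecated algorithms."""
    if alg not in REGISTRY or alg in DEPRECATED:
        raise ValueError(f"algorithm {alg!r} is not allowed for new data")
    return seal(key, message, alg)


def verify(key: bytes, env: dict) -> tuple:
    """Return (valid, needs_rotation). Unknown algorithm identifiers fail closed."""
    digest = REGISTRY.get(env.get("alg"))
    if digest is None:
        return (False, False)
    expected = hmac.new(key, env["msg"], digest).hexdigest()
    valid = hmac.compare_digest(expected, env["tag"])
    return (valid, valid and env["alg"] in DEPRECATED)


def rotate(key: bytes, env: dict) -> dict:
    """Re-protect a verified legacy envelope under the current default."""
    valid, stale = verify(key, env)
    if not valid:
        raise ValueError("refusing to rotate an envelope that does not verify")
    return protect(key, env["msg"], DEFAULT_ALG) if stale else env
```

Moving DEFAULT_ALG and DEPRECATED out of the code into configuration is the usual next step, so that a newly discovered weakness is handled by a policy change and a rotation pass rather than a redeployment.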
Organizations like the National Institute of Standards and Technology (NIST) are at the forefront of efforts to identify and standardize quantum-resistant cryptographic algorithms. NIST’s Post-Quantum Cryptography (PQC) project is an extensive initiative aimed at developing and standardizing cryptographic algorithms that can resist the threats posed by quantum computers.
The term “quantum-safe” or “quantum-resistant” is used by organizations like NIST to reflect the current state of knowledge and the ongoing research in this field. It acknowledges that while these algorithms are robust against current known quantum threats, the absolute security of these methods cannot be guaranteed. The cryptographic community continues to analyze and test these algorithms rigorously to ensure they meet the highest standards of security against both classical and quantum threats.
The ongoing research and standardization efforts highlight the challenges in transitioning from the current state of quantum-safe algorithms to a future where we might have more confidence in declaring algorithms as quantum-secure. Until then, the term quantum-safe remains the pragmatic choice of words, and achieving crypto-agility remains the pragmatic strategy.
And if you have a vendor today that is claiming their solution is guaranteed quantum-secure, it’s time to show them the door. Such a claim indicates one of two things: either the vendor lacks a fundamental understanding of the complexities and current limitations of quantum cryptography, or, even worse, they are intentionally trying to mislead you. In either case, trusting them could put your organization’s security at significant risk. Always seek solutions from those who acknowledge the nuanced realities of the quantum threat landscape and who are committed to transparency and continuous learning and adaptation.