Quantum computing is coming, and organisations that do not start preparing now could end up exposing critical data because their encryption methods are not quantum computing ready, according to a European telecoms information security officer.

“Despite violent disagreements between cryptographers and physicists, it is not a question of if, but of when quantum computing will be a reality, and when it is, many of the current encryption techniques companies rely on will be open to cracking,” said Jaya Baloo, CISO of KPN Telecom in the Netherlands.

“Enormous strides are being made towards building viable quantum computers, so it is important that information security professionals understand why this is a threat to many popular encryption methods and that they start taking action now to ensure they are in the best possible position when it happens,” she told Computer Weekly.

Many encryption systems are based on the premise that it would take too long for anyone to carry out the mathematical calculations required to reveal the encryption keys, but even basic quantum computers will be capable of determining encryption keys fast enough for attackers to use.

China is known to be investing heavily in developing a quantum computing capability for both defensive and offensive purposes. Although Europe is investing in developing quantum computing capabilities, Baloo said the investment pledged so far is a fraction of what China is investing.

The good news is that all the symmetric encryption currently in use is unlikely to be affected by the arrival of quantum computing. “As long as we keep refreshing keys and following best practices for transferring keys, we are good to go,” said Baloo.

“The problem arises when it comes to asymmetric encryption. It is all the public key cryptography that is out there because it is based on complex mathematical problems that would even take a super computer a long time to solve, but that principle breaks down with quantum computers,” she said.

Specifically, quantum computers are expected to be able to carry out integer factorisation of very large prime numbers and compute discrete logarithms very quickly, but many current algorithms are based on the assumption that these processes currently require significant time, effort and computing power.

Although it may already be too late to ensure organisations’ encryption processes are completely secured against cracking by quantum computers because it could take up to 20 years for quantum computing proof algorithms to mature and be fully integrated into organisations, Baloo said there are things that information security professionals can and should do now to ensure they are not totally defenceless.

“It is about ensuring that organisations are agile when it comes to encryption and have the ability to adapt and to implement post-quantum ciphers and algorithms when they become available,” said Baloo.

“I want to encourage information security professionals to document their organisations’ current situations, to examine and understand their current cryptographic landscape and consider how to extend that into action,” she said.