At the IBM Think 2018 conference today, IBM made a case for a new approach to cryptography, one that will be made necessary by the imminent cracking by quantum computers of encryption based on elliptic-curve algorithms.
Michael Osborne, manager of the security research group at IBM Research, said that while this may seem like a far-off issue, it’s expensive to try to apply new algorithms to legacy applications already running in a production environment. Because of that issue, many organizations are investigating new approaches based on lattice cryptography, which hides data inside complex algebraic structures called lattices.
IBM is predicting that within the next five years quantum computers will be able to break elliptic-curve cryptography algorithms. That said, many of the applications being built today will still be running in production environments long after the elliptic-curve cryptography relied on to encrypt data has been rendered obsolete.
More troubling still, hackers are already making extensive use of encryption to hide their malware from content inspection tools. As quantum computers become more accessible over the next decade, it’s only a matter of time before cybercriminals working on behalf of nation states aggressively crack legacy cryptography algorithms.
IBM said lattice cryptography will also provide an important foundation on the march to fully homomorphic encryption (FHE), which promises to enable processing of data while still encrypted. Today, data needs to be decrypted while running, which creates an opportunity for hackers to focus their attacks. FHE right now is too slow and expensive to be used broadly. But Osborne said algorithmic tuning and hardware acceleration techniques have reduced the time and expense of using FHE. Calculations that would have required years can now be done in hours or even minutes.
The next step is to advance cryptography standards. IBM has already submitted post-quantum encryption techniques to the National Institute of Standards and Technology (NIST) for consideration as a global standard.
Use of encryption today remains spotty. There’s plenty of unencrypted data that hackers routinely target. There are also multiple generations of cryptography. The first generation of encryption, based on algorithms developed by RSA, is still widely employed. Organizations that make extensive use of encryption are just now making the transition to elliptic-curve algorithms. Over the next five years, many organizations will be managing multiple types of encryption algorithms. In fact, Osborne said the type of encryption that will be applied will be correlated to the value of the data that needs to be protected.
Of course, cybercriminals are keenly aware of the value of encryption. A large percentage of malware attacks now being made are encrypted, which prevents organizations from inspecting content for malware. It’s only a matter of time before those cybercriminals also take advantage of new forms of encryption. In the meantime, however, there will soon come a day when more data is encrypted than not. That means savvy organizations need to think of encryption in terms of multi-year horizons starting now.