Post-Quantum Cryptography: Nine Industries at Risk From “Y2Q”

What are the industries most at risk from the year-2-quantum (Y2Q) transformation? Find out.

November 23, 2022

Y2Q is short for “year 2 quantum” and refers to the year when quantum computers are expected to become powerful enough to break today’s encryption standards. This poses a serious threat to the security of our networks and data, as quantum computers will be able to decrypt transmissions that are currently considered safe. John Kilhefner, security researcher at Vicarius, takes a closer look at nine industries most at risk from Y2Q and why.

To keep our information safe, we have come to depend on algorithms that rely on the factoring problem. But because quantum computers can solve the factoring problem much faster than traditional computers, they pose a serious threat to the security of today’s algorithmic standards – and by extension, the security of our networks.

One such standard in use today is RSA, named for the MIT scientists who invented it (Rivest, Shamir, and Adleman). RSA came about in 1977 as an asymmetric algorithm: a public key is used for encryption, and a separate private key is used for decryption. This is called public key cryptography. In RSA, the public modulus is the product of two large prime numbers, and only whoever knows those two primes can derive the private key needed to decrypt the transmission. Hard number-theoretic problems of this kind, integer factorization chief among them, are the basis for many of the most popular cryptographic algorithms today, including RSA and Diffie-Hellman.
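To make the dependence on factoring concrete, here is a toy RSA walkthrough added to this article (not the author's code): the key pair is derived from two primes, and anyone who factors the public modulus can recompute the private exponent. The primes, the message and the trial-division factoring step are constructed for illustration; a real 2048-bit modulus cannot be factored this way on a classical machine, which is exactly what Shor's algorithm on a large quantum computer would change.

```python
"""Toy RSA, constructed for illustration. The private key is a function of
the two prime factors of n, so anything that factors n recovers it. The
primes are tiny and there is no padding; this is not a usable cipher."""
from math import gcd


def rsa_keygen(p: int, q: int, e: int = 65537):
    """Return ((n, e), d) from two primes. n = p*q is the public modulus."""
    n = p * q
    phi = (p - 1) * (q - 1)
    assert gcd(e, phi) == 1, "e must be coprime to phi(n)"
    d = pow(e, -1, phi)  # private exponent: modular inverse of e (Python 3.8+)
    return (n, e), d


def encrypt(pub, m: int) -> int:
    """Textbook RSA encryption with the public key only."""
    n, e = pub
    assert 0 <= m < n, "message must be smaller than the modulus"
    return pow(m, e, n)


def decrypt(d: int, n: int, c: int) -> int:
    """Decryption requires the private exponent d."""
    return pow(c, d, n)


def trial_factor(n: int):
    """Classical trial division, feasible only because n is tiny here.
    Against a 2048-bit modulus this is hopeless; Shor's algorithm is not."""
    f = 2
    while f * f <= n:
        if n % f == 0:
            return f, n // f
        f += 1
    raise ValueError("no factor found")


def private_key_from_factors(pub, p: int, q: int) -> int:
    """Whoever knows the factors of n computes the same d the key owner holds."""
    n, e = pub
    assert p * q == n, "factors do not match the modulus"
    return pow(e, -1, (p - 1) * (q - 1))


if __name__ == "__main__":
    pub, d = rsa_keygen(10007, 10009)          # constructed small primes
    c = encrypt(pub, 42)                       # constructed message
    p, q = trial_factor(pub[0])                # "quantum step" stand-in
    print(decrypt(private_key_from_factors(pub, p, q), pub[0], c))  # prints 42
```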

Quantum systems, when available, will decrypt today’s asymmetric security protocols, which are widely used to secure messages over public channels. Symmetric encryption protocols are considered safe from the quantum threat, but it is not practical to use them everywhere: in symmetric encryption, the sender and receiver must share the encryption and decryption keys before any information changes hands, which is impractical when speed is required. So even symmetric encryption must be addressed for efficiency before Y2Q arrives.

Of course, the best way to prepare for Y2Q is to stay ahead of the game by keeping up with advancements in quantum computing. This means investing in research and development so that we can create quantum-safe algorithms before they’re needed. And it also means developing a better understanding of how quantum computers work so that we can anticipate their every move.

But regardless of what the future holds, one thing is certain: we must be prepared for the quantum threat. Because if we’re not, Y2Q could be the end of encryption as we know it.

Once large-scale quantum computers are built, they will be able to break most of the public-key cryptography that we currently use to protect our data. This includes popular protocols like TLS/SSL (used to secure HTTPS connections), SSH (used to secure remote access and file transfers), and IPsec (used to secure VPNs).

And while we have no way of knowing precisely the moment when the first fully error-corrected quantum computer will come online, we do know that certain industries are more at risk today than others. And these industries should now take steps to ensure their network security is ready for the age of quantum supremacy.

But the threat isn’t equally distributed. So let’s break down which industries are most exposed to the quantum threat at various points along the timeline:

Industries Most at Risk Now 

  • Insurance
  • Public Sector
  • Banking

Why: These organizations hold data with long shelf lives and run systems with extended development cycles. This means bad actors could harvest their encrypted data now and wait for quantum computing to come online to break the encryption.

At Risk Between 2025 and 2030

  • Life Sciences
  • Advanced industries
  • Global energy and materials

Why: These organizations’ data and systems also have long shelf lives, so they are at risk of being targeted from 2025 onward, until quantum computing comes online.

At Risk After 2030

  • Telecom, media and technology
  • Consumer electronics
  • Travel and logistics

Why: These organizations have shorter-duration data and, therefore, may not need to act immediately. However, they still need to act before quantum becomes truly capable.  

As mentioned earlier, traditional cryptographic methods are vulnerable to attack by quantum computers. This means that if quantum computers become powerful enough, they could be used to break current encryption methods and access sensitive information. 

So what can be done to prevent the “Y2Q” threat? The answer lies in post-quantum cryptography, or “PQC,” which we discussed in depth in the first part of this story.

To recap, PQC is a type of cryptography that is designed to be resistant to quantum computers. There are a variety of different PQC algorithms that have been developed, each with its own strengths and weaknesses.

See More: Post-Quantum Cryptography Pt. 1: Are You Prepared for “Y2Q”?

Ways for Security Researchers to Mitigate the Threat 

Post-quantum cryptography is an important step in protecting information from quantum computer attacks. And if you’re a security researcher, it’s crucial that you start preparing for the migration to PQC now. By familiarizing yourself with the basics of PQC and experimenting with different algorithms, you can ensure that you are prepared for the future of quantum computing. 

Fortunately, there are steps you can take today to protect your network security against quantum computing attacks.

First, make sure you have a good understanding of what PQC is and how it works. This will help you make informed decisions about which PQC algorithms to use and how to implement them properly.  

Second, start experimenting with PQC algorithms now. Several different algorithms are available, so it’s important to find one that works well for your needs: some PQC algorithms are faster than others, while some are more secure. But perhaps the best way to protect data against quantum computers is to use a hybrid encryption approach, which combines the strengths of both symmetric and asymmetric encryption. That way, even if one of the methods is compromised, the other will still keep the data safe.

Third, look into multiparty computation (MPC). MPC allows two or more parties to compute a function while keeping their inputs secret. This means that even if an attacker compromises one party, the attacker will not be able to learn anything about the other party’s input. As a result, MPC has been shown to be resistant to both classical and quantum attacks.

Fourth, you can protect your data through Quantum Key Distribution (QKD). QKD takes advantage of the laws of physics to distribute cryptographic keys securely between two parties. Because an attacker cannot read these keys without introducing errors into them, QKD provides resistance against both classical and quantum hacking attempts.

Lastly, keep up with the latest developments in PQC. While post-quantum cryptography is still in its early stages, a few major approaches are being researched:

  1. Lattice-based cryptography: These schemes are based on the hardness of certain mathematical problems over high-dimensional lattices. The most popular lattice-based scheme right now is called Ring-LWE.
  2. Code-based cryptography: These schemes are based on the hardness of decoding certain error-correcting codes. The most popular code-based scheme right now is called McEliece.
  3. Hash-based cryptography: These schemes are based on the one-wayness of cryptographic hash functions. The most popular hash-based scheme right now is called SPHINCS+.
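As an added illustration of the hash-based category (not code from the article), here is a Lamport one-time signature built only from SHA-256: its security rests on nothing but the one-wayness of the hash, which is the property the third item above describes. SPHINCS+ extends this idea with hash chains and trees so that one key can sign many messages; this toy scheme is strictly one-time, and the message strings are constructed.

```python
"""Lamport one-time signature, constructed to illustrate hash-based
cryptography: no factoring or discrete-log assumption, only SHA-256's
one-wayness. Each key pair must sign exactly one message."""
import hashlib
import secrets

HASH = hashlib.sha256
BITS = 256  # one private-key pair per bit of the message digest


def keygen():
    """Private key: 256 pairs of random 32-byte secrets.
    Public key: the SHA-256 hash of each of those secrets."""
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(BITS)]
    pk = [(HASH(a).digest(), HASH(b).digest()) for a, b in sk]
    return sk, pk


def _digest_bits(msg: bytes):
    """Bits of SHA-256(msg), most significant first."""
    d = int.from_bytes(HASH(msg).digest(), "big")
    return [(d >> (BITS - 1 - i)) & 1 for i in range(BITS)]


def sign(sk, msg: bytes):
    """For each digest bit, reveal the private secret matching that bit."""
    return [sk[i][bit] for i, bit in enumerate(_digest_bits(msg))]


def verify(pk, msg: bytes, sig) -> bool:
    """Hash each revealed secret and compare with the published hash
    selected by the corresponding digest bit."""
    if len(sig) != BITS:
        return False
    return all(HASH(s).digest() == pk[i][bit]
               for i, (s, bit) in enumerate(zip(sig, _digest_bits(msg))))


def leaked_preimages(sigs) -> int:
    """Number of distinct private secrets exposed by a set of signatures.
    One signature exposes 256 of 512; a second one on a different message
    exposes more, which is why the key is one-time only."""
    return len({s for sig in sigs for s in sig})


if __name__ == "__main__":
    sk, pk = keygen()
    sig = sign(sk, b"constructed message")
    print(verify(pk, b"constructed message", sig))   # True
    print(verify(pk, b"constructed message.", sig))  # False: message changed
```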

In addition to these three major approaches, there are also a few miscellaneous schemes that don’t really fit into any particular category, like quantum key distribution and post-quantum zero-knowledge (PQZK).

A Cryptography Scheme that Works for You

So which post-quantum cryptography scheme is the best? Well, that’s a bit of a loaded question since there is no “best” post-quantum cryptography scheme. Each scheme has its own advantages and disadvantages, and it really depends on your particular needs as to which one is the best for you.

For example, if you need a post-quantum digital signature scheme, then you might want to look at hash-based schemes like SPHINCS+. On the other hand, if you need a post-quantum key exchange protocol, then you might want to look at code-based schemes like McEliece or lattice-based schemes like Ring-LWE.

The post-quantum cryptography (PQC) initiative is already underway to standardize new protocols that quantum computers can’t compromise. It’s important to remember, however, that even with PQC in place, quantum computing is still in its infancy, and there is a chance that it may eventually become powerful enough to break PQC algorithms. But by staying informed, we can ensure that our data is as safe as possible from the “Y2Q” threat.


John Kilhefner
John Kilhefner is a security researcher and writer for Vicarius, an autonomous vulnerability remediation solution that helps security and IT teams mitigate threats to their digital environment and consolidate vulnerability remediation tools. John has over a decade of experience in the field, specializing in novel security research and cryptography. His work has been published and cited in numerous print and digital publications across dozens of industry verticals.