Risks & Challenges of Post-Quantum Cryptography

by Adam Sandman on

Post-Quantum Cryptography Risks for Software Security

Quantum computing has had several exciting developments recently, especially from major companies like Google and Microsoft. But when these devices and algorithms come online, how will they change digital security? While quantum computing comes with huge potential, it also brings new threat vectors that shouldn’t be ignored or glossed over. Today, we’ll discuss what threats this technology poses to modern software security and how to begin developing for post-quantum cryptography sooner rather than later.

How Quantum Computing Threatens Modern Cryptography & Software Security

There are several major areas where quantum algorithms could break current encryption methods and wreak havoc on software that isn’t prepared.

Breaking Public-Key Cryptography

Most encryption today relies on public-key algorithms like RSA, ECC (Elliptic Curve Cryptography), and Diffie-Hellman. The foundation of these algorithms is how difficult it is for classical computers to factor large numbers and solve discrete logarithm problems. Quantum computers can run Shor’s algorithm, which factors large numbers and computes discrete logarithms efficiently and therefore makes systems like RSA nearly obsolete. Digital signatures that are used for authentication and software integrity would become easily forgeable. SSL (Secure Sockets Layer) and TLS (Transport Layer Security) protocols would be compromised, and even blockchain and cryptocurrency security would be at risk.

Weakening Symmetric Encryption

Even more resistant primitives like AES (Advanced Encryption Standard) and SHA-256 are affected by quantum attacks. Grover’s algorithm uses quantum mechanics to search an unsorted space in time proportional to the square root of its size, in contrast to classical algorithms, which require linear time; in practice this roughly halves the effective bit strength of a brute-force search. This means that quantum computers using Grover’s algorithm can gain access to systems via brute force attacks much quicker than attempts using classical computers. As a result, encrypted databases and cloud storage could become more vulnerable, and historically strong methods like secure hashing algorithms used for password storage might fall apart.

Harvest Now, Decrypt Later Attacks

This is a strategy that cybercriminals are using right now: they collect and store encrypted data today that they cannot yet crack, and keep it until breakthroughs like quantum computing enable them to decrypt it. This is a major concern, because the organizations being compromised might not even realize it’s happened until it’s too late. Information like corporate trade secrets and intellectual property may already be stolen, just waiting for the right tools to break in.

What is Post-Quantum Cryptography?

Post-quantum cryptography (PQC), also known as quantum-resistant or quantum-safe cryptography, refers to the development of secure algorithms to protect against attacks from classical and quantum computers. These cryptographic methods will likely be the future of data security as quantum computing becomes more readily available. Some emerging families like lattice-based, code-based, and multivariate polynomial-based schemes are considered candidates for PQC. Specific algorithms within these families include CRYSTALS-Kyber, the McEliece cryptosystem, and Rainbow.

What’s its Purpose?

The objective of PQC is to future-proof our data and systems to ensure their security in a future where quantum computers and algorithms are commonplace. In addition, these algorithms should work with existing communication protocols without major disruptions, so that the transition from classical to quantum-safe cryptography is smooth and leaves no gaps in protection.

Risks of Not Transitioning to Post-Quantum Cryptography

There are significant risks for those who don’t start making this transition, or those who lag behind in adoption and investment.

Data Breaches and Loss of Confidentiality

The most obvious risk is that of data breaches — eventually, non-PQC databases, emails, transactions, and communications will be readable by attacks using quantum algorithms. This could result in leaks or blackmail of classified, corporate, or personal data, which would likely be catastrophic for users and businesses alike.

Loss of Trust in Digital Systems

If these encryption schemes do fail, authentication methods that users have trusted (like digital signatures) could become unreliable. The inability to verify these systems could lead to code-signing certificate forgeries, which allow cybercriminals to distribute malware disguised as legitimate software updates. Identity verification mechanisms also rely on these encryption schemes, so identity theft could run rampant if these systems are disrupted.

Breakdown of Blockchain and Cryptocurrency Security

Most blockchains currently use public-key methods like RSA or ECC for wallets and transactions. As discussed in the threats section, these are incredibly vulnerable to quantum attacks because the factoring and discrete-logarithm problems they rely on are not a challenge for quantum algorithms. Theoretically, this could be used to derive private keys and steal cryptocurrency, as well as forge blockchain transactions and further undermine trust in historically reliable systems.

Regulatory and Compliance Risks

Even if an organization escapes attacks and external threats posed by weak security, regulatory bodies might impose harsh penalties. It’s highly likely that upgrading to PQC will be required for compliance with data protection laws like HIPAA, GDPR, and more. Businesses that aren’t proactive about achieving compliance could be subject to fines or legal action.

What are the Challenges in Implementing it?

Although it is important to upgrade to PQC methods, there are challenges in implementation that should be considered.

Algorithm Transition and Compatibility Issues

New algorithms like the ones we mentioned above (e.g. CRYSTALS-Kyber) need to replace legacy encryption methods. However, many existing protocols like TLS will have to be re-engineered to support these PQC algorithms without breaking compatibility with current algorithms. There are also hybrid algorithms that mix classical and quantum-safe methods, but these aren’t necessarily “better” for compatibility because the combination introduces significant complexity in testing and implementation.

Performance and Efficiency Trade-offs

Because of their mathematical structure, many post-quantum cryptography algorithms require larger keys, which are more secure but slow down performance. This means that applications using these security features, especially embedded systems, Internet of Things devices, and mobile devices, can suffer. Software performance testing should be used to verify that security improvements don’t come at the cost of application usability.

Ensuring Secure Implementation in Development Pipelines

Cryptographic algorithms need to be implemented and configured correctly to prevent vulnerabilities. Side-channel attacks and incorrect randomness usage are both ways that poor management could leave the door open to attacks. QA needs to catch these misconfigurations, inadequate key management, or insecure fallback mechanisms before deployment.

Backward Compatibility with Legacy Systems

While we need to look forward for future-proofing, many industries still rely on legacy systems that are decades old and can’t easily transition to PQC infrastructure. This includes banking, healthcare, telecommunications, and more. Software testing strategies must account for incremental adoption, verifying that hybrid cryptography works with both classical and quantum-resistant methods.

Resilience Against New Quantum-Specific Attacks

Lastly, while post-quantum algorithms are meant to be quantum-resistant, this is an ever-evolving field. Research into new quantum attack vectors is still ongoing, and software development teams need to anticipate these advancements and test against them in order to stay ahead of future attack strategies.

How to Start Preparing Today

That being said, there are steps that development and testing teams can take today to start preparing for these changes. This includes adopting and testing hybrid cryptographic solutions that combine both classical and PQC algorithms like CRYSTALS-Kyber or CRYSTALS-Dilithium. Testers should validate that these implementations don’t introduce new vulnerabilities and assess the additional performance overhead from larger key sizes. Beyond PQC methods, it’s vital to strengthen your existing security testing to minimize the risk of Harvest Now, Decrypt Later attacks. This also extends to third-party dependencies, which you’ll need to monitor for potential weaknesses.
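To make the hybrid approach above concrete, and to show the kind of insecure-fallback check QA should look for, here is an added example (not code from the original post or from Inflectra): a hybrid key combiner that derives one session key from a classical shared secret and a PQC shared secret, plus a negotiation helper that refuses to silently drop to classical-only. The shared secrets and the group name "x25519+kyber768" are constructed stand-ins; a real deployment would take them from an X25519 exchange and a CRYSTALS-Kyber KEM.

```python
import hashlib
import hmac
import secrets


def hkdf_sha256(salt: bytes, ikm: bytes, info: bytes, length: int = 32) -> bytes:
    """RFC 5869 HKDF (extract + expand) with SHA-256, standard library only."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def combine_shared_secrets(ss_classical: bytes, ss_pq: bytes, transcript: bytes) -> bytes:
    """Hybrid combiner: one session key from BOTH shared secrets.

    The concatenation feeds the PRF, so the key stays unpredictable as long as
    either input is still secret; hashing the handshake transcript into the
    salt binds the key to the algorithms that were actually negotiated.
    """
    if not ss_classical or not ss_pq:
        raise ValueError("hybrid mode requires both a classical and a PQ shared secret")
    salt = hashlib.sha256(transcript).digest()
    return hkdf_sha256(salt, ss_classical + ss_pq, b"hybrid-session-key")


# Hypothetical policy: the only groups this deployment accepts as "hybrid".
REQUIRED_HYBRID_GROUPS = {"x25519+kyber768"}


def negotiate_group(offered, policy_requires_hybrid: bool = True) -> str:
    """Pick a key-exchange group; refuse silent fallback to classical-only."""
    for group in offered:
        if group in REQUIRED_HYBRID_GROUPS:
            return group
    if policy_requires_hybrid:
        raise ValueError("peer offered no hybrid group; refusing classical-only fallback")
    return offered[0]


def demo() -> bytes:
    # Constructed stand-ins for the two KEM/ECDH outputs (random, for offline use).
    ss_classical, ss_pq = secrets.token_bytes(32), secrets.token_bytes(32)
    group = negotiate_group(["x25519", "x25519+kyber768"])
    return combine_shared_secrets(ss_classical, ss_pq, b"ClientHello|ServerHello|" + group.encode())
```

The assertions in a test for this show the property that matters: with the classical secret treated as already recovered by an attacker, the derived key still depends on the PQ secret and on the transcript.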

Doing all of this requires cutting-edge development and testing tools to transition into this new age of software and cybersecurity. Now is the time to invest in future-proofing your applications, and Spira is the ultimate upgrade for your test management and ALM needs. With powerful industry-leading capabilities like resource management, automated testing, reporting dashboards, source code management, AI-driven testing, and more, Inflectra’s suite of products is the ideal solution for improving software quality assurance. Hear from our partners what makes them so valuable, or try for yourself with a free 30-day trial.

Spira Helps You Deliver Quality Software, Faster and with Lower Risk.

Get Started with Spira for Free

And if you have any questions, please email or call us at +1 (202) 558-6885