SECURING COMMUNICATIONS IN THE QUANTUM COMPUTING AGE MANAGING THE RISKS TO ENCRYPTION MICHAEL J. D. VERMEER | EVAN D. PEET C O R P O R A T I O N Cover design: Peter Soriano Cover image: Adobe Stock/sakkmesterke Limited Print and Electronic Distribution Rights This document and trademark(s) contained herein are protected by law. This representation of RAND intellectual property is provided for noncommercial use only. Unauthorized posting of this publication online is prohibited. Permission is given to duplicate this document for personal use only, as long as it is unaltered and complete. Permission is required from RAND to reproduce, or reuse in another form, any of our research documents for commercial use. For information on reprint and linking permissions, please visit www.rand.org/pubs/permissions.html. RAND’s publications do not necessarily reflect the opinions of its research clients and sponsors. R® is a registered trademark. For more information on this publication, visit www.rand.org/t/RR3102. Library of Congress Cataloging-in-Publication Data is available for this publication. ISBN: 978-1-9774-0461-9 © Copyright 2020 RAND Corporation Summary and broad consumer survey. This approach was meant to Recommendations assess the likely events, risks, and uncertainties and recommend appropriate policies and risk-mitigation he world is waiting for the first quantum com- actions. The results of this research, in brief, are as puters, which are expected to revolutionize follows: computing. Their unprecedented power may also enable them to crack the digital encryp- • Quantum computers capable of cryptographic Ttion system upon which the modern information and applications are expected, on average, to be communication infrastructure depends. By breaking approximately 15 years away—roughly 2033. that encryption, quantum computing could jeopardize However, experts assess that both earlier and military communications, financial transactions, and much later development are possible. the support system for the global economy. • Standard protocols for PQC are expected to This report explores those risks by assessing, be drafted and released within the next five first, how quickly quantum computers are likely to years. The expected time to near-complete be developed; second, how quickly encryption that adoption of PQC protocols varies but is gen- can withstand attacks by quantum computers—or erally expected to extend into the mid- to late- postquantum cryptography (PQC)—is likely to be 2030s, and potentially much later. However, standardized; and third, how quickly and widely the nationwide or global transition necessary PQC will be adopted. The analysis concludes that the to implement the standard protocols and threat to the security of the modern communications mitigate the vulnerability from quantum com- infrastructure is urgent but manageable, and the puting is expected to take decades—far longer authors offer recommendations to the U.S. govern- than the time that experts estimated would be ment for responding. available for the task. There is already a race among nations and • If adequate implementation of PQC has not corporations attempting to develop quantum com- taken place by the time capable quantum com- puters (primarily in the United States, China, and puters are developed, it may become impossible the European Union, though many other nations to ensure secure authentication and commu- are pursuing this goal as well), and many expected nication privacy without major, disruptive commercial applications are unrelated to cryptogra- changes to our infrastructure. These vulner- phy. Quantum computers capable of undermining abilities are expected to be not only worse in current cryptography are likely at least a decade off, many respects than current cybersecurity but they are already introducing risks, and these risks vulnerabilities, but also of a different kind, will grow over time. PQC solutions are under devel- expanding the varieties of cyber weaknesses. opment but will need to be improved, standardized, • Consumers have low awareness of quantum and implemented. This transition will be challenging computing generally, as well as low awareness and time-consuming, potentially stretching out over of the risks associated with its advent. This decades. Moreover, the advent of quantum comput- is true across demographics, even among the ers presents retroactive risk, because information most informed age group, 18-to-35-year-olds. being securely communicated today without PQC, • Consumer responses to the potential which may have been captured and stored but never threats of quantum computing show logical decrypted, may be revealed once quantum computers consistency—the more proximate the threat, are created. The period during which cryptography the greater the response. Moreover, a survey is expected to lag quantum computing developments suggested that certain consumers are likely to presents a vulnerability that prudence requires us to respond to security threats and reward com- address today. panies they perceive to be more adequately To assess these timelines and associated risk, we protecting their security. undertook a mixed-methods approach consisting of • Nevertheless, the lack of consumer awareness a literature review, a review of expert opinion, and a of quantum computing and associated risks 1 Abbreviations NSTAC National Security Telecommunications Advisory Council AES Advanced Encryption Standard NSTC National Science and Technology Council CA certificate authority NTIA National Telecommunications and CFRG Crypto Forum Research Group Information Administration CIO chief information officer NQCO National Quantum Coordination Office CISA Cybersecurity and Infrastructure Security NQIA National Quantum Initiative Act Agency NQIP National Quantum Initiative Program FIPS Federal Information Processing Standards OMB Office of Management and Budget GAO Government Accountability Office OSTP Office of Science and Technology Policy GCS Google Consumer Surveys PKC public key cryptography GSA General Services Administration PKI public key infrastructure IAD Information Assurance Directorate PQC postquantum cryptography IETF Internet Engineering Task Force QIST Quantum Information Science and Technology IoT internet of things QKD quantum key distribution ISO International Organization for Standardization SCQIS Subcommittee on Quantum Information Science IT information technology SEC U.S. Securities and Exchange NAS National Academies of Sciences Commission NIST National Institute of Standards and S&T science and technology Technology TLS transport layer security NSA National Security Agency implies that consumers will likely not be the including the passage of the National Quantum primary drivers for policy change on this issue. Initiative Act and the formation of the National As a result, federal leadership will be needed to Quantum Coordination Office (NQCO), but as of yet advocate for consumer protection. it is not clear that it has adequately responded to the Combining these results and other expert assess- threat to our security posed by quantum computers. ments and recommendations, we judge the threat to The threat is similar in many ways to the cir- be urgent. There is little to no margin of safety for cumstances surrounding preparations for Year 2000 beginning the migration to PQC. The vulnerability (Y2K) conversion. The Y2K problem, also known as presented by quantum computers will affect every the “Millennium Bug,” arose from fear that a calendar government body, critical infrastructure, and indus- software glitch would cause the world’s computers try sector. This presents a national security threat to fail at midnight on Dec. 31, 1999, when the clock that requires a centrally coordinated, whole-of-nation rolled over to the year 2000. This presented a similar approach to risk mitigation. The United States gov- risk to the global information and communication ernment has recently taken multiple actions meant infrastructure. One of the primary lessons learned to maintain and assure its position as a global leader from the response to the Y2K challenge was that in quantum information science and technology, federal leadership and partnerships were key to suc- cess, particularly executive branch coordination and 2 bipartisan congressional oversight. These, in turn, information systems that could improve led to successful partnerships with states, cities, and our ability to respond to both current and industry groups, useful legislation and mandates, and future cyber threats. The efforts to promote allocation of human capital and resources needed to PQC adoption and quantum computing help entities prepare. preparedness should have the tandem goal There are notable differences between the threat of restructuring systems to enable greater from Y2K and the threat from quantum comput- cyber-resilience and cryptographic agility. ers. The world had a known deadline for fixing the 3. Prepare for an uncertain future. Timelines for vulnerability from Y2K, while we lack such a certain quantum computing development are still very date when the risk from quantum computers might uncertain, but an uncertain future need not be appear. Moreover, unlike Y2K, which threatened a less-secure future. Communications to the wholesale failure of systems without human inter- public on risk from quantum computers should vention, with quantum computers the threat is due seek to find a middle ground between exagger- rather to the presence of a vulnerability