Quantum computing is a multi-disciplinary field that combines computer science, physics, and mathematics with quantum mechanics. It’s aimed at solving complex problems, such as predicting the effects of climate change or discovering new drugs, with a faster turnaround than is possible on classical computers that rely on sequences of zeroes and ones. Distinguished Engineer Anne Dames, cryptographic technology architect at IBM, shares her insights into quantum-safe cryptography with the mainframe.
According to Dames, conventional computers operate on binary values (bits) which have one of two states — zeroes and ones. These systems manipulate strings of zeroes and ones to solve problems. “Algorithms in these computers follow specific instructions to complete tasks,” she adds. “A supercomputer is a large number of conventional computers coupled together that decompose problems into operations that could be run in parallel, focusing the extra computing power on several aspects of the same problem to find a solution.” Quantum computers, Dames explains, “use qubits or quantum bits with multiple states, which enable users to complete different kinds of processes to solve complex problems in, for instance, areas like materials science chemistry or in cryptography.”
The Role of Quantum-Safe Cryptography
As quantum computing improves and becomes “cryptographically relevant” in terms of factoring large numbers outside the reach of classical computers, the security of traditional hardware, like the mainframe, could be compromised. Why would bad actors want to break into the mainframe? Mainframe computing has traditionally included the business of buying and selling and the transfer of ownership.
According to Dames, systems like the mainframe use cryptography for use cases, such as protecting the integrity of the firmware running on the system. Individual applications also have their own cryptographic algorithm requirements for use cases that require confidentiality, authentication, integrity, or proof of authorship. These cryptographic algorithms need to be resistant to attacks from both classical and quantum systems.
Quantum computing access in the wrong hands could eventually break through traditional encryption keys, which rely on one or two prime numbers that are hundreds of digits long, to gain access to data and transactions that the mainframe has secured. Dames adds, “A quantum computer could solve great problems and unlock innovation, but in the hands of a criminal, it could be used to break through many of today’s cryptographic algorithms, unless mainframe and its applications are using quantum-safe algorithms.”
To ensure transactions on classical systems are protected against fraud, enterprises may want to look to quantum-safe cryptography as a means of protecting data streams from disruption and theft. Quantum-safe cryptography is the firewall they need to guard against such attacks, including pre-emptively encrypting data that may remain sensitive into the future to protect against the illicit harvesting of data that cannot yet be decrypted with the intention of compromising it in the future.
Quantum-Safe Algorithms Boost Mainframe Security
“What mainframes and enterprises need going forward are new algorithms that are resistant to an attack,” Dames explains. Dames adds that quantum-safe algorithms can either impact the cryptography on our classical systems or break through classical system’s cryptography. “Public key cryptographic algorithms will be completely broken, while symmetric key cryptographic algorithms will be impacted,” she explains.
Quantum-safe cryptography for the mainframe is especially important for data that must remain protected for a long time and throughout the value chain. “Think about health care providers, financial institutions, and government agencies that house data for years and even decades,” says Dames. “These organizations need to assess their data protections and security protocols now and consider employing quantum-safe algorithms where needed. Otherwise, that data could be at risk.”
Enterprises need to create a crypto inventory that identifies what cryptography is used, where it is used, and how it is used. Dames advises that enterprises examine their cryptographic posture. Dames says, “The inventory must not only cover information related to the protection of data, but all cryptographic algorithms used in the system so that risks can be assessed, and action items prioritized.” There should be a clear understanding of the options used to protect their data, as well as any retention policies associated with the data they secure. This will help determine what data is at risk. They can then choose the best cryptographic algorithm for the data. “For example, if the data must remain confidential for an extended period of time, enterprises may want to select a quantum-safe algorithm for protection, such as AES with 256-bit keys,” Dames says.
“If you have a mainframe system and you want to use the quantum-safe cryptography, then you will need access to a provider of those cryptographic algorithms. For example, IBM’s hardware security module, the Crypto Express 8S card along with the Integrated Cryptographic Service Facility (ICSF) product provide implementations of quantum-safe algorithms. There are also algorithms for hashing and encryption,” explains Dames.
Data protection schemes often rely on public key algorithms for establishing a secret key for securing the data. Dames points out that the public key algorithms can be easily broken when there is a sufficiently strong quantum computer. This is why the National Institute of Standards and Technology (NIST) initiated a process to identify new quantum-safe algorithms to replace the existing public key algorithms.
During a six-year competition, NIST sought quantum-safe public key algorithms, which were vetted and reduced from about 80 or more submissions to eight finalists and seven alternates. According to Dames, the first four of those algorithms — three of them from IBM and their academic and industry partners — were selected for standardization because they made it through several rounds of evaluation. NIST is expected to complete the standardization process in 2024.
Dames recommends that enterprises create a crypto inventory now, assess what cryptography they are using for which data, and adjust the necessary encryption processes before the data is compromised. Updating cryptography to ensure data security could entail replacing hardware, software, and services.
With a cryptography inventory, “you can start to understand what you don't even need to change,” she explains. “I think it’s especially important for people to understand where they’re using crypto. You know it’s going to take time to roll out the latest quantum-safe algorithms in the places where it is needed. It’s better to start early,” Dames says. Each organization needs to understand its cryptography posture and risk, as well as what their internal and external dependencies are.