Security News

Apple says it's going to upgrade the cryptographic protocol used by iMessage to hopefully prevent the decryption of conversations by quantum computers, should those machines ever exist in a meaningful way. The protocol, dubbed PQ3, is intended to safeguard users' chats in some future era of quantum computing, when these computers may be able to break classical encryption methods and render today's messaging security obsolete.

"Leading experts forecast that cyber security risks associated with quantum will materialize in the coming decade," reasoned [PDF] the MAS. Cryptographically relevant quantum computers "Would break commonly used asymmetric cryptography, while symmetric cryptography could require larger key sizes to remain secure," it added. The monetary authority warned that the security of financial transactions and sensitive data financial institutions process could be at risk, thanks to quantum computers that can "Break some of the commonly used encryption and digital signature algorithms."

In today's increasingly automated operational environment, crypto agility-i.e., an organization's ability to switch rapidly and seamlessly between certificate authorities, encryption standards and keys and certificates with minimal disruption to one's digital infrastructure-becomes essential to business. In 2020, Apple reduced the lifespan certificates to a year, pushing others to match them, and in March 2023, Google announced a proposal to reduce TLS certificate validity to 90 days.

I am also skeptical that we are going to see useful quantum computers anytime soon. Since at least 2019, I have been saying that this is hard.

Some popular projects using implementations of Kyber are Mullvad VPN and Signal messenger. The KyberSlash flaws are timing-based attacks arising from how Kyber performs certain division operations in the decapsulation process, allowing attackers to analyze the execution time and derive secrets that could compromise the encryption.

Researchers are exploring promising quantum computing applications across various domains, from cryptography and optimization problems to drug discovery and artificial intelligence. Quantum computers, with their ability to perform complex calculations at speeds unattainable by classical counterparts, possess the potential to crack widely used encryption methods, posing a significant threat to the privacy and security of sensitive information.

NIST, the US National Institute of Standards and Technology, is leading a process to create and standardize new encryption algorithms to replace RSA and ECC. The new algorithms rely on mathematical approaches that are not easily broken by quantum or classical computers. In December of 2022, US President Joe Biden signed into law the Quantum Computing Cybersecurity Preparedness Act which mandates timelines for moving government systems to PQC algorithms.

With global governments having collectively pledged more than $38 billion in public funds for quantum technologies and $2.1 billion of new private capital flowing to quantum companies in 2022, quantum technologies, particularly quantum computers, are rapidly moving from the lab to the commercial marketplace. By leveraging the principles of quantum mechanics, quantum computers have the potential to perform certain computations exponentially faster than classical computers.

In an era where data security is paramount, the recent revelations about firmware backdoors implanted by Chinese government-backed hackers serve as a stark reminder of the evolving threat landscape. To secure data today from the risks of tomorrow, organizations need to take proactive measures in securing data against quantum risks.

Most people are barely thinking about basic cybersecurity, let alone post-quantum cryptography. But the impact of a post-quantum world is coming for them regardless of whether or not it's keeping...