Will Quantum Computing Break Encryption and Threaten IoT Security?

Introduction

Quantum computing is an exciting new field that leverages the properties of quantum mechanics to perform certain calculations exponentially faster than classical computers. However, the prospect of large-scale, general-purpose quantum computers poses a potential threat to current encryption standards. In this article, I will examine the potential impacts of quantum computing on encryption and Internet of Things (IoT) security.

How Quantum Computers Could Break Encryption

Most of today’s encryption relies on the extreme difficulty of factoring large numbers that are the product of prime numbers. However, quantum computers can use Shor’s algorithm to factor these large numbers exponentially faster. This could allow quantum computers to easily break commonly used encryption schemes like RSA and ECC.

Additionally, Grover’s algorithm gives quantum computers a quadratic speedup for brute-force attacks against symmetric algorithms like AES. While not an outright break, this speedup reduces the effective key size. For example, a quantum computer could break an AES-256 key with the same computational effort that a classical computer needs to break an AES-128 key.

The Threat Depends on Quantum Computer Scale

  • Small quantum computers (50-100 qubits) will have limited cryptanalysis abilities. Larger quantum computers with thousands of logical qubits could break current public-key encryption.

  • Symmetric algorithms like AES will come under increasing brute-force threat as quantum computers scale up. Quantum-safe symmetric algorithms will need larger minimum key sizes.

  • The threat to public-key encryption like RSA/ECC is more urgent. New quantum-resistant algorithms will be needed as a replacement.

Impacts on IoT Security

Many IoT devices use lightweight encryption to protect communications and authenticate device identity. This leaves them particularly vulnerable if those cryptosystems are broken by quantum computers.

IoT Communication Protocols

  • Low-powered IoT devices often use ECC keys for TLS/DTLS secure connections. Quantum computers could allow passive eavesdropping of those communications.

  • Bluetooth, ZigBee, WirelessHART and other wireless protocols are also reliant on ECC. Quantum computers could allow decryption of leaked IoT wireless signals.

Embedded Device Identities

  • X.509 certificates used for TLS typically use RSA or ECC keys to establish identity. Quantum computers could allow impersonation of devices if the public key is obtained.

  • Many IoT devices rely on ECC keys for authenticating firmware updates. Quantum computers could allow malicious firmware flashing if the public key is known.

Long Lifetimes Mean Future Crypto Threat

  • IoT devices often have operational lifetimes of 10-20 years. They need encryption that will remain secure over that timeframe in the quantum era.

  • New IoT devices should integrate crypto-agility so encryption schemes and keys can be upgraded post-deployment.

Protecting IoT Devices from Quantum Threats

Several strategies exist today to hedge against quantum threats to encryption:

Hybrid Encryption

Use symmetric encryption for data and messages, and use public-key cryptography only to exchange the symmetric keys. This limits what a quantum computer can do to passive eavesdropping on the key exchange.

Quantum-Resistant Algorithms

  • Use lattice-based and multivariate cryptography resistant to quantum attacks. Candidates include NTRU, SPHINCS and McEliece ciphers.

  • Implement them alongside incumbent algorithms (hybrid mode) for crypto-agility.
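
SPHINCS, named above, belongs to the hash-based signature family, whose security rests only on a hash function. As an added example (not from the original article, and not SPHINCS itself), the sketch below implements the simplest member of that family, a Lamport one-time signature, and checks it against a constructed firmware image the way a device would before flashing; the names `OneTimeSigner`, `keygen`, `verify` and `demo` are illustrative.

```python
import hashlib
import hmac
import secrets

BITS = 256  # one pair of secrets per bit of the SHA-256 message digest

def _h(data):
    return hashlib.sha256(data).digest()

def _digest_bits(message):
    d = int.from_bytes(_h(message), "big")
    return [(d >> (BITS - 1 - i)) & 1 for i in range(BITS)]

def keygen():
    """Return (secret_key, public_key); the public key is the hash of every secret."""
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(BITS)]
    pk = [(_h(s0), _h(s1)) for s0, s1 in sk]
    return sk, pk

class OneTimeSigner:
    """Holds a Lamport secret key and refuses to sign a second message."""
    def __init__(self, sk):
        self._sk = sk

    def sign(self, message):
        if self._sk is None:
            raise RuntimeError("one-time key already used")
        sig = [self._sk[i][bit] for i, bit in enumerate(_digest_bits(message))]
        self._sk = None  # a signature reveals half the secrets, so reuse enables forgery
        return sig

def verify(pk, message, sig):
    """Device-side check: each revealed secret must hash to the matching public value."""
    if len(sig) != BITS:
        return False
    ok = True
    for i, bit in enumerate(_digest_bits(message)):
        ok &= hmac.compare_digest(_h(sig[i]), pk[i][bit])
    return ok

def demo():
    firmware = b"constructed firmware image v2.0"  # constructed sample input
    sk, pk = keygen()
    signer = OneTimeSigner(sk)
    sig = signer.sign(firmware)
    return pk, firmware, sig, signer
```

With SHA-256 the signature is 8 KiB and the public key 16 KiB, a storage and bandwidth cost that a constrained device has to budget for.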

Key Updates

  • Update public/private keys frequently to limit the window of compromise if they are eventually broken.

  • Have a secure, automated key generation and revocation workflow.

Physical Security

Store private keys in hardware security modules or trusted execution environments. Make key extraction difficult.

Conclusion

Quantum computing poses a serious threat to the encryption many IoT devices rely on. Developers of IoT products need to monitor developments in quantum cryptography and integrate necessary mitigations. However, with prudent cryptography choices and upgrades, we can work to safeguard IoT security in the coming quantum era.
