Quantum Computing and the Future of Password Security

In a time of heightened privacy concerns, it’s essential to understand how quantum computing can affect you.

Quantum computing is a type of computing that applies the principles of quantum mechanics. This branch of physics studies matter and energy, such as atoms and subatomic particles. It differs from classical computing in many aspects, particularly because it uses quantum bits and qubits instead of traditional bits.

Unlike bits, which can only work in two states (0 or 1), qubits can operate simultaneously in multiple states due to a superposition phenomenon. This enables quantum computers to execute sophisticated calculations at unmatched speeds.

Imagine that you’re in a library looking for a specific book and, naturally, can only search for one book at a time until you find the right one. This is classical computing, which we can consider linear and slow. Now, imagine that you can read all the library’s books at once and immediately know where the one you’re looking for is – this is quantum computing, multifaceted and lightning-fast.

This is why quantum computing poses a real threat to encryption, as it can potentially decipher traditional encryption methods that rely on the challenge of factoring large numbers.

The most widely used traditional encryption methods use symmetrical and asymmetrical encryption techniques.

Symmetrical: Relies on a shared key between the sender and receiver, used to encrypt and decrypt data.

• Real-life example: You and a friend have matching keys to a fully locked mailbox. You put a letter there and your friend uses the same key to unlock the mailbox and read the letter.

Asymmetrical: Relies on two distinct keys. A public key for encryption and a private key for decryption.

• Real-life example: You have a mailbox with a slot for incoming mail, allowing anyone to send you a letter by sliding it in (this is the public key). However, only you can read the letter since you’re the sole owner of the mailbox key, which is used to open it (private key).

Despite their differences, all the currently dominant protocols are secure under classical computing. That’s because classical computing doesn’t offer the necessary computational power required to break them. For example, an ECC 256-bit key has around 2^256 possible combinations, which is roughly 10^77 possibilities.

This is a mind-bogglingly large number, considering the estimated number of atoms in the universe, which is around 10^80. Consequently, even the most powerful classical supercomputers would require centuries to decrypt a key with a cracking technique like brute force (trying all the combinations until finding the right one).

Unfortunately, with quantum computing, all this security goes out the window.

Quantum computers are much more than supercomputers since they can exploit superposition and entanglement principles to perform extremely complex calculations effortlessly. This makes them incredibly successful in breaking encryption algorithms.

While quantum computing is still developing, a team of Chinese researchers from Shanghai University has shown that it already poses a credible threat to established encryption methods. In 2024, they cracked a 22-bit key based on Substitution-Permutation Network (SPN) structured algorithms, which are the backbone of encryption protocols like AES.

While the key length is far shorter than what’s used today, it sets a worrying precedent – especially when considering how fast the technology develops. In fact, according to a 2023 quantum threat report by the Global Risk Institute, experts believe that in the next 30 years, quantum computing might break RSA-2048 encryption in only 24 hours.

This only amplifies the need for continuous development of quantum-resistant cryptographic algorithms.

It is often said that for every problem, there is a solution, and humans excel at finding them. This leads us to post-quantum cryptography (PQC), a field of study in cryptography developed by the National Institute of Standards and Technology (NIST) in response to the threat of quantum computing to encryption.

This initiative came about in 2016 when NIST launched an openly public competition to develop post-quantum cryptography schemes.

• Lattice-based cryptography: Relies on creating complex algebraic lattice-related problems that are hard to solve even for quantum computers. (E.g. CRYSTALS-Kyber, CRYSTALS-Dilithium, FALCON).
• Hash-based signatures: Depends on cryptographic hash functions for digital signatures. Due to the nature of its security (based on hash function strength), it’s considered safe against quantum attacks. (E.g. SPHINCS+, XMSS, and LMS).
• Multivariate cryptography: Relies on the challenge of solving multivariate polynomial equations over finite fields. (E.g. Rainbow).
• Code-based cryptography: Is dependent on error-correcting codes. This can be essentially described as intentionally adding controlled noise to data, where only the intended recipient can remove this noise to recover the original information. (E.g. McEliece Cryptosystem, SDiTH).

In August 2024, NIST announced the first three winning post-quantum cryptography algorithms.

1. General encryption: FIPS 203 (ML-KEM – Module-Lattice-Based Key-Encapsulation Mechanism).
2. Digital signatures: FIPS 204 (ML-KEM – Module-Lattice-Based Key-Encapsulation Mechanism).
3. Digital signatures (Backup): Stateless Hash-Based Digital Signature Algorithm.

These standardization efforts made by organizations like NIST are key to providing quantum-safe encryption in an era when data protection is more at risk than ever before. That said, the question is whether the progress in the quantum sector can match the challenges it faces for data privacy.

Quantum computing’s potential to break current encryption methods poses a serious threat to not only password security but also to all data in transit or at rest.

As quantum technology advances, cybersecurity measures must also evolve to counter its power. Fortunately, recent studies in PQC have shown promising results in this area, leading to developing new and robust algorithms that could effectively address these challenges.

Nonetheless, the future of password security also rests in the hands of individuals and businesses. We recommend following best cybersecurity practices, staying informed about how quantum computing is evolving, and making all necessary changes to prepare for the transition from traditional encryption to quantum-based encryption.