Post-Quantum Cryptography: A SAFE Opinion

By PaperClip - 23 January 2025

Gartner recently released their initial guidance for 2025 related to cybersecurity via a paper titled “2024 was a future-forward year! Head into 2025 with our top 5 forward-thinking insights”.

After reviewing the paper, I zeroed in on one primary topic—post-quantum cryptography. In my humble opinion, the Gartner recommendations around quantum cryptography lack logic and are approaching irresponsibility and abuse of influence.

 

Don’t get me wrong, I have a lot of respect for Gartner’s opinions and recommendations. They have a stable of analysts and access to vast resources supporting their research and opinions. Their influence on organizational decision making has historically been well received and the trust they’ve built is why they’re a global powerhouse for technological guidance. I feel that, in this particular case, influencing organizations to divert their limited resources away from obtainable goals to a potential future concern is irresponsible.

 

Not all hype is good hype. Yes, we should be aware of and concerned about the potential of quantum computing, both positive and negative. Yes, we should challenge vendors on their post-quantum strategies as it is a technology with a lot of promise (and potential threat actor use case). As far as implementing quantum cryptography now? That is, in my opinion, a very irresponsible use of their influence. “Post-quantum ready” is an important strategy consideration, but if we don’t address what is happening now, by 2029 we may be purchasing the right to use our own valuable data from threat actors.

 

Right now, as we begin 2025, we’re approaching a situation where criminal threat actor groups may have better control over private, controlled, and sensitive data than, for example, the legitimate healthcare vertical. How close are we to seeing a healthcare provider negotiate with a threat actor group just to perform a patient’s medical procedure, or to obtain approval for insurance coverage? Following this through a little deeper, by 2034 criminal threat actor groups (including rogue nations), as data aggregators, may need quantum computing power just to support analytical projects upon their massive datastores. Ye who controls the data, controls the usage, and by extension, the revenue. Forget ransom payments, we’ll need to negotiate annual subscription licensing contracts.

 

Need heart bypass surgery? You may be on hold because your healthcare provider let their data “subscription” with an organized cyber-crime group lapse.

 

That all may be a little extreme or overly sarcastic in the name of making a point, but there is often reality found within satire.

 

As we enter 2025, the adoption rate related to data encryption technology is unacceptably low, and that’s with current cryptography such as AES 256. We’re handing over control of our most valuable data, not because cryptography is weak, but because it’s simply not utilized. Even with something as “commoditized” as archive encryption the adoption rate is just over 50% globally. And encryption of data-in-use (the most valuable data) is around 1% globally. Without quantum computing capabilities, data theft and ransom combined accounted for the loss of legitimate control of over a BILLION critical records.

 

Here’s a partial list of data loss incidents reported last year as per TechCrunch:

  • January 2024
    • LoanDepot lost control of more than 16 million personal records
    • Fulton County, GA lost control of records impacting over 1 million private citizens
    • Southern Water lost control of 470,000 customer records
  • February 2024
    • Change Healthcare and UnitedHealth (reported in April) lost control of at least 100 million records (still counting)
  • March 2024
    • Omni Hotels lost control of over 3.5 million customer records
  • June 2024
    • Evolve Bank lost control of over 7.6 million records
    • Synnovis lost control of over 400 gigabytes of sensitive data or around 300 million patient interactions dating back years
  • July 2024
    • Columbus, OH lost control of the data of over 500,000 residents of the City of Columbus. The Rhysida cybercrime gang claimed responsibility for the attack and claimed that they had stolen 6.5 terabytes of data from the city.
  • October 2024
    • Casio lost control of personal information belonging to employees, contractors and business partners along with “information about some customers”. The actual number had not been disclosed at the time of the article.
  • November 2024
    • Blue Yonder lost control of over 680 gigabytes of data as per the claims made by the Clop and Termite ransomware gangs.
  • December 2024
    • NHS Hospitals lost control of an undisclosed number of patient records

 

We also saw massive data breaches disclosed by AT&T (73 million customers), 23andMe (7 million customers), Snowflake (led to attacks on customers like AT&T, Ticketmaster, and Santander Bank), MoneyGram, Hot Topic (57 million customers), Avaya, Check Point, and Verizon.

 

According to Cybercrime Magazine, data breaches are expected to cost the world $9.5 trillion USD. Economically, this has a global impact on every breathing individual (global population of approximately 8,250,423,615 in 2024) amounting to just over $1,151 USD per global citizen, or $4,604 USD per family of four. That is an inflationary impact affecting every product or service sold globally. If we don’t do anything different, that impact is expected to grow through the foreseeable future.

 

Threat actors do not require quantum computing to steal your plaintext data. Unencrypted, plaintext data is by far the biggest risk to data theft today. It should come as a shock that often the first time data is encrypted, it is done so by the criminal group who stole control of it. Plaintext, unencrypted data is always vulnerable, no matter what technology you build around it. Today’s encryption is very strong and the best way to truly secure data. Unfortunately, it’s just not widely utilized. We’re not going to solve that by unnecessarily distracting budget and human capital with a future possibility. Since the vast majority of data stolen or ransomed last year wasn’t encrypted, does it make sense to abandon what can be done now for what MAY be done in the future?

 

Plan for the future but live in the present. I’m not saying that we should ignore quantum computing and cryptography, but NIST has just recently identified three quantum cryptography techniques as candidates for Post-Quantum Encryption Standards. NIST now needs to test those algorithms against full quantum computing power (doesn’t yet exist) before certifying. So, what exactly are we implementing? Currently, only theory states that quantum computing speeds/capabilities MAY be able to break AES 256 cryptography. To date, quantum technology has been unable to break AES 256 encryption.

 

Maybe, just maybe, in 2025 we’ll see a renewed focus on encryption and a shift toward finally implementing strong encryption on data at rest, in transit, and in use. Take back control of data now, so we can position for successful quantum challenges by 2029 and beyond.

 

Yes, there are fascinating advancements in quantum computing development. Depending on who you ask in the quantum computing field, practical commercial adoption of quantum computing will happen somewhere between 5 and 20 years in the future. Just recently at CES Las Vegas, Nvidia CEO Jensen Huang (who has invested heavily in quantum computing innovation) was asked about the practical application of quantum computing and was quoted as saying:

 

“If you said 15 years for very useful quantum computers, that would be on the early side. If you said 30 it is probably on the late side, but if you picked 20, I think a whole bunch of us would believe it”.

 

Even here at Paperclip, we consider future challenges not limited to but including quantum computing and cryptography. This is a very important piece to the power and scalability of the SAFE technology.

 

 

Paperclip’s SAFE® Data-in-Use Encryption Technology is Post-Quantum Ready

Paperclip is focused on addressing today’s threats. As such, the SAFE data-in-use technology standardizes upon AES 256 cryptography as the most secure encryption protocol commercially available. Currently, AES 256 has not been broken by quantum computing power. At this point, it’s important to point out how Paperclip takes SAFE technology beyond reliance on present-day cryptography. Without getting too technical, here is how SAFE technology is scalable and positioned to protect data from the most advanced attacks:

 

  1. Crypto-Agile: SAFE was designed to adapt to new advancements in cryptography as they’re available. SAFE is not a proprietary cryptography. It currently leverages NIST approved AES 256 cryptographic keys but can easily plug in more advanced cryptographic keys as they become necessary and available. Protect now, and scale to the future as it is relevant.
  2. Beyond Encryption: SAFE may be the only quantum ready encryption solution on the market right now. This is a bold statement, but 100% based on fact. SAFE goes beyond encryption, employing Paperclip’s patented shredding technology prior to applying encryption to each shred or fragment of data. This technique creates data entropy and breaks all context. Even if quantum computing attains the power to break AES 256 cryptography, it will have to assemble millions (or more) data shreds into contextual or properly assigned form. For example:

 

Quantum computing breaks the AES 256 encryption layer. The result is decrypted pieces of data such as “123”. Due to shredding, salting, and hashing techniques prior to encryption, there is no way of knowing if the “123” is a real number or data point. Even if “123” is real, there is no way of knowing if it is part of a street number, Social Security Number, employee ID, date of birth, driver’s license, phone number, procedure code, bank account number, etc. The quantum computer may have succeeded at its task, but the result of the successful task will result in nothing useful. The data is still SAFE.

 

Visit www.paperclip.com/SAFE to learn more about Paperclip’s SAFE technology, and how it’s applied to active operations without changing the way your teams work.

 

 

A final thought to leave you with:

Only the cat knows for sure. Quantum has bubbled up to the top of the trend list and it’s as fascinating as it is difficult to understand. Until we open the box, no one knows whether Schrödinger’s cat is dead or alive. Quantum engineers will continue to build on the technology and investors will pump billions of dollars into the technology for the foreseeable future. Pay attention as it will eventually change the way we understand everything. This will be for the better, and equally, for the worse. No different than every innovation since the beginning of time. Just imagine if we gave up on the wheel because we’d eventually figure out how to fly.

 

Originally posted at: Paperclip
