Quantum computers will break classical cryptography with threats including harvest
now, decrypt later attacks.
Where Can I Use This?
What Do I Need?
PAN-OS 11.1 or later.
Public Key Infrastructure (PKI) and IKE key exchange rely heavily on classical
public-key algorithms such as Diffie-Hellman (DH), Elliptic Curve Cryptography (ECC), and
Elliptic Curve Diffie-Hellman (ECDH). Quantum computers (QCs) are expected to
break these algorithms within 5-15 years of NIST's standardization of the first
post-quantum cryptography (PQC) algorithms.
Post-quantum IKEv2 VPNs based on the RFC 8784 open standard resist attacks by quantum computers.
Instead of deriving the session keys solely from key material exchanged with the IKE peer
during the handshake, administrators configure a post-quantum preshared key (PPK) on both
peers and share it separately, out-of-band; the PPK is mixed into the IKEv2 key derivation
and never crosses the wire. If attackers record the handshake and the encrypted traffic,
they can't decrypt it even after breaking the DH exchange, because they don't have the
PPK. Palo Alto Networks' solution to resist quantum attacks is based on open
standards to enable and ensure interoperability with other equipment that meets the
The most immediate danger is Harvest Now, Decrypt Later attacks, where attackers steal
encrypted data (at rest or in transit) that they can't decrypt now and store it until a
cryptographically relevant quantum computer (CRQC) can decrypt it. A CRQC is a QC with
enough reliable (error-corrected) qubits to run quantum algorithms such as Shor's against
deployed key sizes in a practical amount of time, a task that would take a classical
supercomputer millions of years. The data at highest risk is long-lived data that will
still be sensitive when CRQCs become available.
Quantum computers (QCs) are a new class of computing platform rather than a faster
version of today's supercomputers. QCs use the laws of quantum mechanics to run
certain classes of algorithms far faster than any classical computer can, including
algorithms that break classical public-key encryption. For those problem classes,
operations that would take a classical computer hundreds or thousands of years can
take a QC hours or less. Instead of classical bits (zeros and ones), QCs use qubits,
which can be built from superconducting circuits, trapped ions, photons, or other
quantum systems. A classical register of n bits holds one of its 2**n values at a
time, while n qubits can hold a superposition of all 2**n values at once, which is
what lets quantum algorithms gain their speedups.
There are several ways to build qubits, and the method affects qubit quality: how long
a qubit holds its state and how accurately gates operate on it. The higher the quality
of the qubits, the deeper the computations a QC can run reliably. Two quantum effects,
superposition and entanglement, give qubits their power:
Superposition—A qubit can represent both a one and a zero at the
same time. Combining qubits escalates the number of states the
qubits can represent together, because the number of states grows at a rate of
2**n, where “n” is the number of qubits. So two qubits can represent four
states (2**2), three qubits can represent eight states (2**3), four qubits
can represent 16 states (2**4), etc.
As qubit density (the number of qubits that fit on a chip) increases, the
number of states that the combined qubits can represent increases
exponentially. Qubit quality determines how much of that state space is
usable. Low-quality (noisy) qubits lose their state (decohere) and accumulate
gate errors, so a computation on them produces garbage after a limited number
of steps; quantum error correction compensates by spending many physical qubits
on each reliable logical qubit. As qubit quality improves, fewer physical qubits
are needed per logical qubit, and QCs come closer to a true exponential scaling
of usable states.
Entanglement—Entanglement is a quantum correlation between qubits. Measuring one
of a pair of entangled qubits determines the outcome you get when you measure the
other, no matter how far apart they are, even if the qubits are halfway around the
world from each other. So if you prepare entangled qubits in Bangalore (India) and
Los Angeles (United States), measurements at the two locations yield correlated
results. Entanglement can't be used to send information faster than light, and the
results are correlated, not copied. Entanglement is what lets a QC treat a register
of qubits as one combined state instead of a collection of independent bits.
There are three types of QCs:
—These are available today. They are the
least-powerful QCs with the narrowest use cases, mainly optimization problems.
Researchers have factored very small numbers on them, but they can't run
Shor's algorithm, which is how to break
Analog Quantum Simulators
—These solve physics problems that are beyond
the ability of classical computers, such as quantum chemistry, materials
sciences, optimization problems, factoring large numbers, sampling, and
Universal Quantum Computer
—These are the hardest QCs to build because
they require many physical qubits to form enough error-corrected logical qubits.
They solve the broadest range of use cases, and several companies are targeting
the end of this decade for commercializing them. When they are built at sufficient
scale, these are the computers that will be CRQCs.
QCs work in a multi-dimensional state space formed by many entangled qubits. Where a
classical computer handles an unstructured search by examining each element of a
database in turn, a quantum algorithm prepares a superposition of all candidate
elements at once and then uses interference so that wrong answers cancel out and the
right answer's probability grows, until a measurement returns it with high
probability. The speedup depends on the problem: Grover's algorithm searches N
unsorted items in roughly the square root of N steps, while Shor's algorithm factors
integers and solves discrete logarithms exponentially faster than the best known
classical methods. This is what makes QCs so effective at certain hard mathematical
problems, including the ones that underpin classical public-key encryption.
How Does the Quantum Threat Affect My Network?
The vastly increased processing power and speed of QCs threaten to break classical
methods for encrypting data, which could compromise your public key infrastructure
The most immediate threat is Harvest Now, Decrypt Later attacks that capture your
encrypted data, together with the key exchange that protected it, with the intention
of using a CRQC to recover the keys and decrypt the data in the future. Once
attackers hold a recording of your traffic and its classical key exchange, there's no
way to stop them from decrypting the data once they have a CRQC. If the stolen data
is still sensitive at that time, it is compromised.
Classical asymmetric encryption rests on problems that are easy to set up but hard
to reverse: RSA relies on the difficulty of factoring a large number that is the
product of two very large primes, and DH, ECDH, and the other discrete-logarithm
schemes rely on the difficulty of recovering a private exponent from a public value.
A quantum algorithm called Shor's algorithm solves both problems, factoring large
integers and computing discrete logarithms, in polynomial time, which threatens the
security of all of today's PKI. Shor's algorithm is a quantum algorithm, so a
classical computer can only simulate it, and simulating it for real key sizes would
take millions of years; without CRQCs, Shor's algorithm wasn't a practical threat.
Given a CRQC, however, Shor's algorithm can recover the private keys behind a
classical key exchange (and with them the key material needed to decrypt the data)
in a practical amount of time rather than an impractical one. This is why Harvest
Now, Decrypt Later attacks are an immediate threat.
The consequences of breaking classical encryption include compromising classical
public-key algorithms that were thought to be secure, such as
Diffie-Hellman (DH), Elliptic Curve Cryptography (ECC), and Elliptic Curve
Diffie-Hellman (ECDH). The key exchange is at greatest risk, because it protects every
session key and is exactly what a harvested handshake exposes, which is why you need
to configure post-quantum IKEv2 VPNs to secure the key exchange.
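The following model, added here as an illustration and not PAN-OS code, shows what the RFC 8784 mechanism described above does to a harvested handshake. It derives IKEv2's SK_d the classical way (RFC 7296), then applies the RFC 8784 mixing step SK_d' = prf+(PPK, SK_d), and compares what the two peers and an eavesdropper end up with. Assumptions: HMAC-SHA256 as the IKEv2 prf, RFC 3526 group 14 for the classical DH exchange, a 32-byte random PPK, and an eavesdropper who recorded the handshake and is simply handed the DH shared secret, standing in for a future CRQC running Shor's algorithm. Only SK_d is shown; RFC 8784 mixes the PPK into SK_pi and SK_pr the same way.

```python
"""Added example (not PAN-OS code): RFC 8784 PPK mixing versus a harvested IKEv2 handshake."""
import hashlib
import hmac
import secrets
from typing import Optional

# RFC 3526 group 14 prime (as transcribed here) and generator. Assumption: peers use this group.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF05"
    "98DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB"
    "9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B"
    "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF695581718"
    "3995497CEA956AE515D2261898FA051015728E5A8AACAA68FFFFFFFFFFFFFFFF",
    16,
)
G = 2
PRF_LEN = 32  # HMAC-SHA256 output and key size (assumed prf)


def prf(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()


def prf_plus(key: bytes, seed: bytes, length: int) -> bytes:
    """prf+ from RFC 7296 section 2.13: T1 = prf(K, S|0x01), Tn = prf(K, Tn-1|S|n)."""
    out, t, n = b"", b"", 1
    while len(out) < length:
        t = prf(key, t + seed + bytes([n]))
        out += t
        n += 1
    return out[:length]


def classical_sk_d(shared_secret: bytes, ni: bytes, nr: bytes, spi_i: bytes, spi_r: bytes) -> bytes:
    """RFC 7296: SKEYSEED = prf(Ni|Nr, g^ir); SK_d is the first block of prf+(SKEYSEED, Ni|Nr|SPIi|SPIr)."""
    skeyseed = prf(ni + nr, shared_secret)
    return prf_plus(skeyseed, ni + nr + spi_i + spi_r, PRF_LEN)


def ppk_mixed_sk_d(ppk: bytes, sk_d: bytes) -> bytes:
    """RFC 8784 section 5.1: SK_d' = prf+(PPK, SK_d). The PPK itself never crosses the wire."""
    return prf_plus(ppk, sk_d, PRF_LEN)


def simulate_ike_sa(ppk_i: Optional[bytes], ppk_r: Optional[bytes]) -> dict:
    """Run one IKE_SA_INIT key derivation and return the SK_d each party ends up with.

    ppk_i / ppk_r are the PPKs configured out-of-band on initiator / responder
    (None = plain RFC 7296 derivation). 'eavesdropper' is what an attacker holding a
    recording of the handshake derives once a CRQC hands it the DH shared secret."""
    # Values visible on the wire, which a harvesting attacker records.
    ni, nr = secrets.token_bytes(32), secrets.token_bytes(32)
    spi_i, spi_r = secrets.token_bytes(8), secrets.token_bytes(8)
    a, b = secrets.randbelow(P - 2) + 1, secrets.randbelow(P - 2) + 1
    pub_i, pub_r = pow(G, a, P), pow(G, b, P)       # transmitted public values
    g_ir = pow(pub_r, a, P).to_bytes(256, "big")     # initiator's g^ab
    assert g_ir == pow(pub_i, b, P).to_bytes(256, "big")  # responder gets the same
    sk_d = classical_sk_d(g_ir, ni, nr, spi_i, spi_r)
    key_i = ppk_mixed_sk_d(ppk_i, sk_d) if ppk_i is not None else sk_d
    key_r = ppk_mixed_sk_d(ppk_r, sk_d) if ppk_r is not None else sk_d
    # Stand-in for the CRQC: the attacker obtains g^ab from the recorded pub_i / pub_r,
    # then reruns the public derivation exactly as the peers did.
    attacker_g_ir = g_ir
    key_attacker = classical_sk_d(attacker_g_ir, ni, nr, spi_i, spi_r)
    return {"initiator": key_i, "responder": key_r, "eavesdropper": key_attacker}


if __name__ == "__main__":
    plain = simulate_ike_sa(None, None)
    print("no PPK, attacker recovers SK_d:", plain["eavesdropper"] == plain["initiator"])
    ppk = secrets.token_bytes(32)  # shared out-of-band; use a high-entropy value
    pq = simulate_ike_sa(ppk, ppk)
    print("with PPK, peers agree:", pq["initiator"] == pq["responder"])
    print("with PPK, attacker recovers SK_d:", pq["eavesdropper"] == pq["initiator"])
    bad = simulate_ike_sa(ppk, secrets.token_bytes(32))
    print("mismatched PPKs, peers agree:", bad["initiator"] == bad["responder"])
```

The mismatched-PPK case is the operational caveat: because the PPK also feeds SK_pi and SK_pr in RFC 8784, peers with different PPKs fail IKE authentication rather than silently negotiating a weaker SA, so a PPK rotation has to be coordinated on both ends.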
Certificates have been the foundation of how two endpoints establish trust. However,
CRQCs can also break RSA and ECDSA, the algorithms used to sign digital certificates.
Shor's algorithm recovers a private key from its public key, after which the attacker
can forge signatures and impersonate any identity that key vouches for, so the server
you think you're connecting to might actually be an attacker's server. Unlike
harvesting, this attack can't be carried out until a CRQC exists, but the ability to
do this might come as soon as the next decade.
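To make the signature threat concrete, here is an added example (not PAN-OS code) of what an attacker does once a CRQC has factored an RSA modulus: rebuild the private exponent from the public key and sign a message of their choosing so that it verifies under the legitimate public key. Everything after the factoring step is classical, so a toy 60-bit modulus with Pollard's rho standing in for Shor's algorithm demonstrates the full chain on a laptop. The primes, exponent and messages are constructed for this example.

```python
"""Added example (not PAN-OS code): from a factored RSA modulus to a forged signature."""
import hashlib
import math
import random

# Constructed toy key from two well-known 30-bit primes. Real keys use 2048-bit moduli,
# which no classical method factors; Shor's algorithm on a CRQC would.
P, Q, E = 1_000_000_007, 998_244_353, 65537


def rsa_keygen(p: int, q: int, e: int = E):
    n, phi = p * q, (p - 1) * (q - 1)
    d = pow(e, -1, phi)  # private exponent (modular inverse, Python 3.8+)
    return (n, e), (n, d)


def _digest_int(msg: bytes, n: int) -> int:
    # Textbook RSA over a SHA-256 digest; no padding scheme, which is fine for the demo.
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n


def sign(priv, msg: bytes) -> int:
    n, d = priv
    return pow(_digest_int(msg, n), d, n)


def verify(pub, msg: bytes, sig: int) -> bool:
    n, e = pub
    return pow(sig, e, n) == _digest_int(msg, n)


def factor(n: int, seed: int = 1) -> int:
    """Pollard's rho: returns a nontrivial factor of n. Stand-in for Shor's algorithm."""
    rng = random.Random(seed)
    if n % 2 == 0:
        return 2
    while True:
        x = y = rng.randrange(2, n)
        c = rng.randrange(1, n)
        d = 1
        while d == 1:
            x = (x * x + c) % n
            y = (y * y + c) % n
            y = (y * y + c) % n
            d = math.gcd(abs(x - y), n)
        if d != n:
            return d


def recover_private_key(pub):
    """The attacker's step after factoring: rebuild d from e and the factors of n."""
    n, e = pub
    p = factor(n)
    q = n // p
    return (n, pow(e, -1, (p - 1) * (q - 1)))


def forge(pub, msg: bytes) -> int:
    """Sign an attacker-chosen message with a key recovered from the public key alone."""
    return sign(recover_private_key(pub), msg)


if __name__ == "__main__":
    pub, priv = rsa_keygen(P, Q)
    legit_msg, evil_msg = b"CN=vpn.example.test", b"CN=attacker.example.test"  # constructed
    print("legitimate signature verifies:", verify(pub, legit_msg, sign(priv, legit_msg)))
    print("forged signature verifies:", verify(pub, evil_msg, forge(pub, evil_msg)))
```

The point to take from it: a certificate's security is exactly the cost of the factoring (or discrete-log) step, and nothing in the verification path can tell a forged signature from a legitimate one once that step is cheap.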
Symmetric encryption is also weakened by QCs, though less severely. Grover's
algorithm is a quantum search algorithm that finds the unique input producing a
particular output value with a quadratic speedup over exhaustive search: about the
square root of the number of candidates instead of all of them. Grover's algorithm
targets symmetric cryptography and hash functions. It effectively halves the security
level of a symmetric key in bits, so if you use AES-128 bit encryption, Grover's
algorithm drops it to the strength of 64-bit encryption against a QC. Classical
computers can't run Grover's algorithm, so symmetric encryption is unaffected by them.
Using a QC, Grover's algorithm could in principle recover an AES-128 key, although the
roughly 2**64 sequential quantum operations required still make this far harder than
breaking public-key algorithms with Shor's algorithm.
Because of AES-128 bit encryption's reduced margin against Grover's algorithm, use
AES-256 bit encryption, which retains 128-bit strength against a QC and which
Grover's algorithm will not be able to break in the near or mid-term future.
To help safeguard hash functions, use SHA-384 at a minimum.
Post-quantum cryptographic (PQC) algorithms are available today in open-source
libraries, and most security-savvy people can download and set them up. If you allow
unauthorized PQCs on your network, an internal bad actor could use one, and traffic
protected by an algorithm the firewall doesn't support can't be decrypted for
inspection. If that happens, you have no visibility into traffic that uses the PQC
and no visibility into threats in that traffic. Use Decryption features to detect
unauthorized PQCs on your network and automatically block traffic that uses
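As an added illustration of what "detecting unauthorized PQCs" means at the packet level (example code, not a PAN-OS feature), the following parses a TLS ClientHello and flags any post-quantum or hybrid key-exchange group offered in its supported_groups extension, which is the earliest point in a connection where an inspection device can see that a PQC key exchange is being attempted. The group code points in the table are the ones current browsers and libraries use for ML-KEM hybrids and the earlier Kyber drafts; treat them as an assumption to check against the IANA TLS Supported Groups registry. The ClientHellos are constructed in the block, not captured traffic.

```python
"""Added example (not a PAN-OS feature): flag PQ/hybrid key-exchange groups in a TLS ClientHello."""
import struct

# Assumed code points; verify against the IANA TLS Supported Groups registry.
PQ_GROUPS = {
    0x11EB: "SecP256r1MLKEM768",
    0x11EC: "X25519MLKEM768",
    0x11ED: "SecP384r1MLKEM1024",
    0x6399: "X25519Kyber768Draft00",
}
EXT_SUPPORTED_GROUPS = 0x000A


def build_client_hello(groups) -> bytes:
    """Minimal TLS ClientHello record carrying only a supported_groups extension (constructed sample)."""
    group_list = b"".join(struct.pack("!H", g) for g in groups)
    ext_data = struct.pack("!H", len(group_list)) + group_list
    ext = struct.pack("!HH", EXT_SUPPORTED_GROUPS, len(ext_data)) + ext_data
    body = (
        b"\x03\x03" + bytes(32)      # legacy_version, random (zeroed in this sample)
        + b"\x00"                    # empty legacy_session_id
        + b"\x00\x02\x13\x01"        # cipher_suites: TLS_AES_128_GCM_SHA256
        + b"\x01\x00"                # compression_methods: null
        + struct.pack("!H", len(ext)) + ext
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def supported_groups(record: bytes):
    """Return the group code points offered in a ClientHello record, or [] if not a ClientHello."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        return []
    hs_len = int.from_bytes(record[6:9], "big")
    body = record[9:9 + hs_len]
    pos = 2 + 32                                            # legacy_version + random
    pos += 1 + body[pos]                                    # legacy_session_id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]    # cipher_suites
    pos += 1 + body[pos]                                    # compression_methods
    if pos + 2 > len(body):
        return []                                           # no extensions block at all
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    while pos + 4 <= end:
        ext_type, length = struct.unpack("!HH", body[pos:pos + 4])
        data = body[pos + 4:pos + 4 + length]
        pos += 4 + length
        if ext_type == EXT_SUPPORTED_GROUPS and len(data) >= 2:
            n = struct.unpack("!H", data[:2])[0]
            return list(struct.unpack("!%dH" % (n // 2), data[2:2 + n]))
    return []


def pq_groups_offered(record: bytes):
    """Names of PQ/hybrid groups the client offers; an empty list means classical only."""
    return [PQ_GROUPS[g] for g in supported_groups(record) if g in PQ_GROUPS]


if __name__ == "__main__":
    classical = build_client_hello([0x001D, 0x0017])          # x25519, secp256r1
    hybrid = build_client_hello([0x11EC, 0x001D, 0x0017])     # X25519MLKEM768 first
    print("classical hello:", pq_groups_offered(classical))   # []
    print("hybrid hello:", pq_groups_offered(hybrid))         # ['X25519MLKEM768']
```

A detection built this way sees only what the client offers; the server's key_share selection in the ServerHello tells you whether a PQ group was actually negotiated, and a policy that blocks on the offer alone will also block clients that merely advertise hybrids alongside classical groups.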
What to Do Now to Mitigate Harvesting Attacks
Take these actions now to resist post-quantum Harvest Now, Decrypt Later attacks.
Review your VPN connections and harden them: