Quantum threat to encryption rises

ScienceAlert summarises analysis that a March Google Quantum AI result could bring forward timelines for quantum machines capable of threatening current encryption, implying organisations should inventory cryptographic dependencies. The coverage recommends mapping which apps and identity systems rely on vulnerable crypto to prioritise future migration. (sciencealert.com)

A new analysis says quantum computers could threaten today’s encryption much sooner than expected, and organisations should map where vulnerable cryptography is used. (sciencealert.com 1) (sciencealert.com 2)

Quantum computers can run Shor’s algorithm, a 1994 quantum method that factors large numbers and solves elliptic-curve discrete logs far faster than classical machines. (en.wikipedia.org) In late March, Google Quantum AI and collaborators published a whitepaper with updated resource estimates showing attacks on elliptic-curve cryptography need far fewer quantum resources than earlier thought. (research.google) (research.google.com) The new technical estimates put the logical-qubit cost below about 1,200 and suggest an attack on the secp256k1 curve could run on a machine with roughly 500,000 physical qubits, roughly 20 times fewer qubits than prior estimates. (eprint.iacr.org, securityweek.com)

Those figures do not mean an attack is immediate: Google’s largest Willow processor today has about 105 qubits, and researchers stress the hardware gap remains large. (blog.google) (blog.google.com, forbes.com)

Why act now: the United States National Institute of Standards and Technology finalised the first post-quantum cryptography standards in August 2024, but real-world migrations take years and require inventories to prioritise systems. (nist.gov) Cryptocurrency wallets and many identity systems still rely on the secp256k1 elliptic-curve standard used by Bitcoin and other chains, which Google’s paper singled out as vulnerable in future attack models. (eprint.iacr.org, coindesk.com)

Security teams should inventory certificates, key-management systems, single-sign-on providers and any applications that expose public keys, because exposed public keys are the immediate risk vector once quantum attacks become practical. (research.google) (research.google.com, sciencealert.com) Google and several researchers are urging a measured migration to post-quantum algorithms and responsible disclosure practices, while noting that hybrid deployments and staged testing can reduce operational risk. (research.google) (research.google.com, postquantum.com)

Start with an inventory, map dependencies, and prioritise high-value keys and exposed identities for post-quantum replacement; experts and Google recommend this sequence as the next step. (sciencealert.com, bloomberg.com)
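The inventory step described above can begin by classifying each exposed public key by its algorithm identifier. The following is an added example, not code from the article or from Google's paper: it reads the algorithm OIDs from DER-encoded SubjectPublicKeyInfo blobs and lists quantum-vulnerable keys first. The sample names, the status labels and the limited OID table (RSA, EC, Ed25519 and the ML-DSA identifiers from NIST's registry) are assumptions made for illustration.

```python
SHOR_VULNERABLE = {"1.2.840.113549.1.1.1": "RSA", "1.2.840.10045.2.1": "EC",
                   "1.3.101.112": "Ed25519"}  # SPKI algorithm OIDs
POST_QUANTUM = {f"2.16.840.1.101.3.4.3.{arc}": f"ML-DSA-{level}"
                for arc, level in ((17, 44), (18, 65), (19, 87))}
CURVES = {"1.3.132.0.10": "secp256k1", "1.2.840.10045.3.1.7": "P-256"}

def read_tlv(buf, pos):  # -> (tag, value, next_pos) of the DER element at pos
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(raw):  # DER OID content bytes -> dotted string
    arcs, n = [], 0
    for byte in raw:
        n = (n << 7) | (byte & 0x7F)
        if not byte & 0x80:  # high bit clear ends a base-128 arc
            arcs.append(n)
            n = 0
    first = min(arcs[0] // 40, 2)  # first byte packs the first two arcs
    return ".".join(map(str, [first, arcs[0] - 40 * first] + arcs[1:]))

def classify(spki):  # DER SPKI bytes -> (algorithm, status)
    tag, body, _ = read_tlv(spki, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    alg_id, oids, pos = read_tlv(body, 0)[1], [], 0
    while pos < len(alg_id):
        tag, val, pos = read_tlv(alg_id, pos)
        if tag == 0x06:  # OBJECT IDENTIFIER: algorithm, then curve for EC
            oids.append(decode_oid(val))
    alg = oids[0] if oids else "unknown"
    if alg in SHOR_VULNERABLE:
        curve = "/" + CURVES.get(oids[1], oids[1]) if len(oids) > 1 else ""
        return SHOR_VULNERABLE[alg] + curve, "quantum-vulnerable"
    return POST_QUANTUM.get(alg, alg), "post-quantum" if alg in POST_QUANTUM else "review"

def inventory(keys):  # name -> SPKI; vulnerable entries sort first
    rows = [(name, *classify(spki)) for name, spki in keys.items()]
    return sorted(rows, key=lambda r: r[2] != "quantum-vulnerable")

# Constructed samples: genuine DER headers, all-zero key bytes (not real keys).
SAMPLES = {
    "pilot-codesign": bytes.fromhex("308207b2300b0609608648016503040312038207a100") + bytes(1952),
    "wallet-signing": bytes.fromhex("3056301006072a8648ce3d020106052b8104000a03420004") + bytes(64),
    "sso-idp": bytes.fromhex("30820122300d06092a864886f70d01010105000382010f00") + bytes(270),
}
```

Calling `inventory(SAMPLES)` returns the secp256k1 and RSA entries ahead of the ML-DSA one; any OID outside the table comes back with status `review` so it is not silently treated as safe.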
