Google Warns of Quantum Threat, Outlines Post-Quantum Security Commitments

Google is sounding the alarm about an impending quantum threat to current encryption standards, urging immediate action to secure digital infrastructure. The tech giant warns that increasingly powerful quantum computers—capable of solving problems beyond the reach of even the most advanced supercomputers—could soon break the public-key cryptosystems protecting everything from bank transfers to classified information. “The encryption currently used to keep your information confidential and secure could easily be broken by a large-scale quantum computer in coming years,” Google states, highlighting the risk of “store now, decrypt later” attacks already underway. Since 2016, Google has been proactively developing post-quantum cryptography (PQC) and is now rolling out these capabilities, alongside advocating for policy changes to prepare for this quantum future.

Quantum Computing Threat to Current Cryptography The advent of quantum computing presents a clear and present danger to established cryptographic systems, threatening the confidentiality of digital information worldwide. These powerful machines, capable of solving problems intractable for even the most potent classical supercomputers, “will also allow them to bypass our current digital locks,” including those safeguarding bank transfers and classified data. Unlike gradual security vulnerabilities, the risk isn’t hypothetical; malicious actors are already suspected of employing “store now, decrypt later” attacks, hoarding encrypted data anticipating future quantum decryption capabilities. Over the past decade, research has dramatically reduced the computational resources needed to compromise current encryption standards, such as 2048-bit RSA. Google, recognizing this escalating threat since 2016, has been actively developing post-quantum cryptography (PQC) – algorithms designed to withstand attacks from large-scale quantum computers. Following a multi-year international effort, America’s National Institute Standards & Technology (NIST) announced the first PQC standards in 2024, a crucial step towards bolstering future security. Google is now focused on “crypto agility,” the ability to “updating or replacing cryptographic algorithms without disrupting services.” The company is on track to complete PQC migration within NIST guidelines, prioritizing securing critical shared infrastructure and fostering a robust security ecosystem. However, a comprehensive response requires collaboration; “security will be a team sport” even in the quantum era. Kent Walker, President of Global Affairs at Google & Alphabet, emphasizes the need for policymakers to “drive society-wide momentum, especially for critical infrastructure,” extending efforts beyond public sector networks to address vulnerabilities in sectors like energy and healthcare. Google’s Post-Quantum Cryptography Transition Since 2016 Since 2016, Google has proactively addressed the looming threat of quantum computers capable of breaking current encryption standards, initiating a comprehensive transition to post-quantum cryptography (PQC). Recognizing the potential for “store now, decrypt later” attacks, the company moved beyond simply acknowledging the risk and began pioneering experiments with PQC algorithms. This foresight culminated in the rollout of PQC capabilities within Google’s products and a sustained effort to share expertise through technical papers and threat models. A core strategy has been focusing on “crypto agility,” enabling the updating or replacement of cryptographic algorithms without disrupting existing services. Google’s commitment extends to actively researching and disseminating information regarding the evolving timelines for breaking public-key cryptography. They are sharing findings to provide insights on the latest requirements needed to break asymmetric encryption and digital signatures, helping to refine PQC migration timelines and assess the impact on sectors like health and finance. Currently, Google is on track to complete a PQC migration safely within the guidelines established by America’s National Institute Standards & Technology (NIST) in 2024, having already begun implementation within its internal operations. “Preparing for the quantum era requires a dual commitment to research and action,” states Google, emphasizing their dedication to both fronts. This includes securing critical shared infrastructure and facilitating broader ecosystem shifts to build a more robust security foundation, reflecting a “deep investment in the long-term integrity of our digital economy.” NIST PQC Standards & Migration Strategies These algorithms, designed to resist attacks from future large-scale quantum computers, represent a critical step in safeguarding digital infrastructure. This underscores the urgency of transitioning to PQC. Google has been preparing for this shift since 2016, prioritizing “crypto agility,” defined as the ability to update or replace cryptographic algorithms without disrupting services. Beyond technological advancements, policymakers have a crucial role to play. Google advocates for driving society-wide momentum, particularly for critical infrastructure, and ensuring that artificial intelligence is “built with PQC in mind,” recognizing cryptography’s foundational role in AI security. A unified, global approach is also vital, with NIST standards offering “a globally agreed, scalable and secure benchmark” if widely adopted. Policymaker Actions for Quantum Era Security The looming arrival of cryptographically relevant quantum computers (CRQC) demands proactive governance, extending beyond technical preparedness to encompass societal-wide strategies. Policymakers must drive momentum, particularly within critical infrastructure sectors like energy, telecommunications, and healthcare, addressing existing workforce challenges to ensure a robust defense. Protecting the “trust infrastructure” underpinning digital systems is paramount, requiring collaborative efforts with certificate authorities to accelerate progress. This isn’t simply about securing government networks; it’s about fortifying the entire digital ecosystem against future disruption. Furthermore, policymakers should incentivize cloud-first modernization, recognizing that migrating away from legacy systems and hard-coded cryptography will be a significant undertaking. Rather than investing in outdated infrastructure, governments should prioritize cloud migration, leveraging the ongoing work of providers like Google Cloud to enable post-quantum cryptography (PQC) across networks. Securing the foundation of increasingly reliant artificial intelligence systems is also critical; “Let’s treat PQC as a necessary foundation for the enduring economic potential of AI innovation.” Finally, consistent dialogue with experts, including research institutions and teams like Google’s Quantum AI, is essential. “A CRQC is not ‘forever a decade away,’” and ongoing consultation will help policymakers anticipate and mitigate emerging threats, ensuring a proactive rather than reactive stance. A CRQC is not “forever a decade away.” While no one knows precisely when it will arrive, ongoing dialogue with experts from research institutions and groups like Google’s Quantum AI team will help policymakers stay ahead of emerging threats. Source: https://blog.google/innovation-and-ai/technology/safety-security/the-quantum-era-is-coming-are-we-ready-to-secure-it/ Tags: