IBM made some news recently when they announced availability of Quantum computing capability via the IBM Cloud platform. You can find more information on their website at IBM.com and the press release is here.
Recognizing that US government agencies needed some guidance on this topic, the NSA released an FAQ about Quantum computing and guidelines for national security systems (NSS). You can find that guidance here.
I know that many of you are skeptical about NSA guidance. The NSA has probably earned that skepticism based on its poor behavior around the EC-DBRG debacle as well as other activities. If it is any comfort I believe that the National Institute of Standards and Technology (NIST) will also be taking up this issue and involve the global cryptographic community. When that work is finished I believe they will release independent guidance around this question, too. But until then I think the NSA guidance is pretty good.
Because data is often stored for long periods of time, the NSA guidance attempts to insure data protection for several decades in the future. So what are the recommendations?
The encryption most often used for storage is AES. If you have a concern about long term storage the NSA recommends the use of 256-bit AES encryption. The implication is that 256-bit AES encryption will resist the advances of Quantum computing and keep your data safe for a long time to come. Remember that the concern is for data security many years in the future, so if you are using 128-bit AES encryption to protect data today you probably don’t need to panic. But as you move forward and replace backup and storage solutions I would recommend that you use 256-bit AES encryption for data protection.
Protecting data in motion is more affected by the strength of the asymmetric keys that are used to negotiate end-to-end connections. While 2048-bit RSA keys are now considered strong encryption, the NSA recommends moving to 3072-bit or larger RSA keys. Elliptic curve should move ECDH with NIST P-384, and Diffie Hellman should move to 3072-bit keys or larger. Again, there is no need to panic if you are using smaller keys, but if you are concerned about the capture of secure internet sessions and the security of those sessions some years from now you should move to the larger key sizes soon. Before you make any changes please be aware that larger RSA key sizes will impose a performance penalty. Look before you leap!
I believe that for the vast majority of non-governmental organizations the current recommended key sizes are adequate and you should not be overly concerned about the impacts of Quantum computing. The NSA guidance and the forthcoming NIST guidance will give us a good consensus on the recommendations for encryption key sizes.
Patrick