Cybersecurity Canon Candidate Book Review: “Cryptography Apocalypse: Preparing for the Day When Quantum Computing Breaks Today's Crypto”
Book written by Roger A. Grimes
Book review by Ben Rothke
Hall of Fame Candidate:
I recommend this nonfiction book for the Cybersecurity Canon Hall of Fame.
If there were a Twilight Zone episode about quantum cryptography, it might start like this: "Picture if you will, a time in the not too distant future, where all of the strongest encryption protocols can be broken in less time than it takes to read this sentence."
While that scenario may not be totally accurate, there is a significant basis to note that when quantum cryptography becomes viable, it will overturn much of how the technology world and security field deals with cryptography.
In Cryptography Apocalypse: Preparing for the Day When Quantum Computing Breaks Today's Crypto (Wiley Publishing), author Roger Grimes has written a remarkable and Canon-worthy book on how to prepare for that day when quantum crypto starts turning the security world upside down.
Some years back at an RSA Conference (remember when they used to have conferences?), I asked Dr. Jane Melia of QuintessenceLabs, a quantum cryptography hardware and software provider, why firms should consider purchasing their expensive products. She offered several reasons: it was a hedge against broad quantum cryptography becoming mainstream, which would render much of a firm's secrets quite public. How long that hedge will be is anyone's guess. But everyone agrees that it is inevitable.
While quantum mechanics is weird and quite unintuitive, Grimes does a great job explaining it in layman's terms. He provides an excellent and readable introduction to the various areas of quantum mechanics and quantum physics.
The notion that quantum computing and its quantum cryptography will break everything is a bit of hyperbole. And the book makes it eminently clear that such is not that case. Grimes writes of what quantum computers will be able to break and what they won't be able to. In short, quantum computers will be able to break any cipher algorithm whose security relies on problems related to integer factorization, discrete logarithm, elliptic-curve, or any other closely related mathematical problems. What quantum computers won't be able to break are symmetric ciphers such as AES, newer integrity hashes such as SHA-2 and SHA-3. The book lists in detail which ciphers and algorithms are at risk.
Grimes writes that most changes won't happen instantly, but will occur across many timelines based on different use cases and applications. Some will be in weeks, others in months and years. But far-reaching monumental changes are coming.
The first part of the book is introductory and theoretical, but the rest of the book is highly practical. Grimes lays out the various use cases and concrete steps one needs to take to ensure quantum cryptography's upcoming advent does not blindside them. One may take the naïve approach to throw out all of their vulnerable non-quantum cryptography and replace it with quantum-resistant solutions. But Grimes writes that one has to approach that method with caution for several reasons. Rushing prematurely into the world of quantum cryptography will likely not make things much better.
To that, the book details how one should adequately prepare for the quantum apocalypse. He lists four major post-quantum mitigation phases and six significant post-quantum mitigation project steps. It also mentions numerous vendors currently active in the quantum cryptography space.
Companies, mainly in the financial services sector, are spending large amounts of money on quantum cryptography to protect themselves as a hedge, given the risk of broad-based quantum cryptography can put their trillions of dollars in assets at risk. While your firm may not have those same risks, knowing about quantum cryptography should be considered to be part of the information security common body of knowledge.
Everyone in information security has to ask: will your organization be protected the day a quantum computer breaks encryption? For those who want to answer that in the positive, Cryptography Apocalypse has all you need to know to respond positively.
This is the format guide for writing book reviews for the Cybersecurity Canon Project. It contains the names of key elements to include in your review, the format for those key elements, and examples of what a typical entry would look like. Use this format. Write your book review in a text document, a Microsoft Word Document, or a Google Docs document and send it to Helen Patton: firstname.lastname@example.org
You will hear from a Canon Committee member within five business days that they received the review.