COMMENTARY
After a grueling eight years of testing, the National Institute of Standards and Technology (NIST) has finalized the first three algorithms that will form the backbone of the world’s strategy to counter the potential threats of quantum computing.
Given that enterprising hackers are likely already harvesting and storing massive volumes of encrypted sensitive data for future exploitation, this is welcome news. We have the first post-quantum cryptography (PQC) algorithms to defend against the inevitable attacks on “Q-Day,” when a cryptographically relevant quantum computer (CRQC) comes online.
Still, having these NIST-approved algorithms is just the first step. For the information and communications technology (ICT) industry, transitioning to a quantum-safe infrastructure is not a straightforward task; numerous challenges must be overcome. It requires a combination of engineering efforts, proactive assessment, evaluation of available technologies, and a careful approach to product development.
The Post-Quantum Transition
PQC algorithms are relatively new, and with no CRQC available to fully test, we cannot yet achieve 100% certainty of their success. Yet we know that any asymmetric cryptographic algorithm based on integer factorization, finite field discrete logarithms, or elliptic curve discrete logarithms will be vulnerable to attacks from a CRQC using Shor’s algorithm. That means key agreement schemes (Diffie-Hellman or Elliptic Curve Diffie-Hellman), key transport (RSA encryption) mechanisms, and digital signatures must be replaced.
Conversely, symmetric-key cryptographic algorithms are generally not directly affected by quantum computing advancements and can continue to be used, with potentially straightforward increases to key size to stay ahead of quantum-boosted brute-forcing attacks.
Hybrid Approach to Security
The migration to PQC is unique in the history of modern digital cryptography in that neither traditional nor post-quantum algorithms are fully trusted to protect data for the required lifetimes. During the transition from traditional to post-quantum algorithms, we will need to use both algorithm types.
Defense and government institutions have already begun integrating these algorithms into the security protocols of specific applications and services due to the long-term sensitivity of their data. Private companies have also kicked off initiatives. For instance, Apple is using Kyber to create post-quantum encryption in iMessage, while Amazon is using Kyber in AWS.
Large-scale proliferation of PQC is coming, as global standards bodies, such as 3GPP and IETF, have already begun incorporating them into the security protocols of future standards releases. For instance, the IETF-designed Transport Layer Security (TLS) and Extensible Authentication Protocol-Authentication and Key Agreement (EAP-AKA), two of the most widely used protocols across 3GPP networks, will both incorporate PQC.
This kind of standardization is key for industries like telecommunications and Internet services, where hundreds of different companies are providing the different hardware, device, and software components of a network. Like any security protocol, PQC must be implemented consistently across all exposed elements in the network chain because any link that isn’t quantum-safe will become the focal point of any data harvesting attack.
Over the next few years, we will see more and more PQC-enhanced products enter the market. At first, they will likely use hybrid approaches to security, using both classical and post-quantum encryption schemes, as Apple and Amazon have done. But as quantum-security technologies advance and are further tested in the market, PQC will likely replace classical asymmetric encryption methods.
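The hybrid approach described above comes down to one engineering rule: the session key must depend on both the classical and the post-quantum shared secret, so that the connection stays protected as long as at least one of the two schemes holds. The following is an added example, not code from the article or from Apple, Amazon or any standards body. It assumes two shared secrets have already been established (in practice by something like X25519 and ML-KEM; here they are constructed placeholder bytes) and shows the combining step with an HKDF (RFC 5869) written over the standard library, binding the negotiated suite label into the derivation so that a later switch to pure post-quantum algorithms changes the key schedule rather than silently reusing the old one.

```python
"""Hybrid key combiner: added example, not the article's or any vendor's code.

Two independently established shared secrets, one from a classical key
agreement and one from a post-quantum KEM, are concatenated and fed to HKDF so
the session key depends on both.  The secrets used here are CONSTRUCTED
placeholders; a real deployment takes them from the actual primitives.
"""
import hashlib
import hmac
import secrets

HASH = hashlib.sha256
HASH_LEN = 32


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """RFC 5869 extract: PRK = HMAC(salt, IKM); an empty salt becomes HASH_LEN zero bytes."""
    return hmac.new(salt or b"\x00" * HASH_LEN, ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 expand: T(i) = HMAC(PRK, T(i-1) || info || i), concatenated to `length` bytes."""
    okm = b""
    block = b""
    counter = 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm += block
        counter += 1
    return okm[:length]


def hybrid_session_key(classical_ss: bytes, pq_ss: bytes, suite: str,
                       transcript: bytes) -> bytes:
    """Derive a 32-byte session key that depends on BOTH shared secrets.

    `suite` is the negotiated algorithm label (e.g. "X25519+ML-KEM-768", a
    constructed name here) and `transcript` stands in for the handshake
    transcript hash; both are bound into the derivation so that a different
    negotiated suite or a tampered handshake yields a different key.
    """
    ikm = classical_ss + pq_ss            # concatenation, as hybrid TLS designs do
    prk = hkdf_extract(transcript, ikm)   # transcript is non-secret; HKDF salt need not be
    info = b"hybrid-session-key:" + suite.encode()
    return hkdf_expand(prk, info, 32)


def demo() -> dict:
    """Run both sides of a constructed exchange and report the hybrid property."""
    # Constructed stand-ins for a classical shared secret and a KEM shared secret.
    classical_ss = secrets.token_bytes(32)
    pq_ss = secrets.token_bytes(32)
    transcript = b"constructed-handshake-transcript"
    suite = "X25519+ML-KEM-768"

    k_client = hybrid_session_key(classical_ss, pq_ss, suite, transcript)
    k_server = hybrid_session_key(classical_ss, pq_ss, suite, transcript)

    # Model "one scheme is later broken": an adversary who learns pq_ss but
    # not classical_ss (or vice versa) still cannot reproduce the key.
    k_without_classical = hybrid_session_key(secrets.token_bytes(32), pq_ss, suite, transcript)
    k_without_pq = hybrid_session_key(classical_ss, secrets.token_bytes(32), suite, transcript)

    # Crypto agility: the same secrets under a different suite label give a different key.
    k_other_suite = hybrid_session_key(classical_ss, pq_ss, "ML-KEM-768-only", transcript)

    return {
        "both_sides_agree": k_client == k_server,
        "safe_if_pq_broken": k_without_classical != k_client,
        "safe_if_classical_broken": k_without_pq != k_client,
        "suite_bound": k_other_suite != k_client,
    }


if __name__ == "__main__":
    print(demo())
```

The combiner is deliberately the dull part of the design: the security argument rests on HKDF treating the concatenated secrets as one input, so an attacker must know both halves to recover the key. Note what this does not do: it says nothing about authentication, which in a real protocol comes from the signature scheme and also has to migrate, and the placeholder secrets must never be reused across connections.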
Because asymmetric algorithms are largely used for secure communications between organizations or endpoints that may not have previously interacted, a significant amount of coordination in the ecosystem is needed. Such transitions are some of the most complicated in the tech industry and will require staged migrations.
Ready for Q-Day
PQC isn’t the only way to protect against a quantum attack, and quantum threats will only increase in sophistication. It’s vital to deploy a defense-in-depth strategy, one that includes physics-based solutions like preshared keys with symmetric distribution and quantum key distribution (QKD), but PQC will be a powerful security tool within it.
Attention to interoperability will be key here, as crypto agility will ease the migration to pure quantum-safe algorithms in the future. Some companies are already leaning toward open source rather than proprietary code, which can help to avoid a bumpy upgrade path for security products in the future. This crypto agility will also ensure that technologies being designed now for inclusion in next-generation/6G products will have backward compatibility with 5G and other earlier standards.
Now that we have the essential first algorithms to build our arsenal against quantum computing threats, the next steps for the ICT industry will be critical. They must adopt hybrid solutions now to combat harvest-now-decrypt-later attacks; embrace crypto agility, interoperability, and rigorous testing; and deploy a defense-in-depth strategy. By following this strategy, we will be well on track to ensuring our long-term security and saving the world from potential disaster when Q-Day comes.