The journey towards post-quantum cryptography

• Post-quantum cryptography aims to provide cryptographic security that will remain unbreakable even in the presence of quantum computers.
• While quantum computers may not be able to crack conventional encryption protocols until 2030, McKinsey reckons that many cybersecurity and risk managers should evaluate their options now.

Post-quantum cryptography refers to cryptographic algorithms and protocols designed to be secure against attacks by quantum computers. According to McKinsey, while quantum computers may not be able to crack conventional encryption protocols until 2030, many cybersecurity and risk managers should evaluate their options now.

For starters, quantum computing holds promise for problems out of reach for currently available high-performance computers. However, the technology’s power poses a significant cybersecurity risk because quantum computers can break many cryptographic algorithms presently used to secure our digital communications.

That said, the purpose of post-quantum cryptography in today’s day and age is to ensure that digital communications and data remain secure against potential attacks from quantum computers. Quantum computers can break many of the cryptographic algorithms currently used to secure our digital systems, such as online transactions, banking systems, and communication networks.

Key elements involved in post-quantum cryptography

Cryptographic security is achieved by using mathematical problems that are believed to be challenging even for quantum computers to solve, such as lattice-based cryptography, code-based cryptography, and hash-based cryptography. Post-quantum cryptography will also become the standard for cryptographic protocols in the coming years.

It is important to note that transitioning to post-quantum cryptography is a complex process that requires careful planning and coordination, as it involves updating the entire cryptographic infrastructure of our digital systems. According to the National Institute for Standards and Technology (NIST), large quantum computers will be powerful enough to breach vital public schemes currently in use in a few years. 

In 2022, US President Joe Biden signed the Quantum Computing Cybersecurity Preparedness Act to prepare for such incidents. By July 5, 2023, the Office of Management and Budget show will begin implementing the NIST-approved cryptographic algorithms to protect systems in the executive branch. Microsoft, AWS, VMWare, Cisco Systems and Samsung are among 12 companies the NIST has selected to guide the nation’s migration to cryptographic standards that are immune to the computation powers of a quantum machine. 

At the same time, the Cybersecurity and Infrastructure Security Agency (CISA) also established a Post-Quantum Cryptography (PQC) Initiative to unify and drive agency efforts to address threats posed by quantum computing. In coordination with interagency and industry partners, CISA’s new initiative is building on existing Department of Homeland Security (DHS) efforts as well as those underway at NIST to support critical infrastructure and government network owners and operators during the transition to post-quantum cryptography.

CISA’s PQC Initiative will oversee its activities in four critical areas:

• Risk Assessment: Assess vulnerability across the U.S. critical infrastructure by assessing risk in the 55 National Critical Functions (NCFs). Through this macro-level assessment of priority NCFs, CISA will determine where post-quantum cryptography transition work is underway, where the greatest risk resides, and what may require federal support.
• Planning: Plan where CISA and its partners should focus resources and engagement with owners and operators across public and private sectors.
• Policy and Standards: Work with partners to foster adoption and implementation of policies, standards, and requirements to improve the security of the Federal Civilian Executive Branch (FCEB), state, local, tribal, and territorial (SLTT) entities; critical infrastructure; and the underlying technology that supports all of these entities.
• Engagement and Awareness: Engage stakeholders to develop mitigation plans and encourage implementation of standards once they are available across the FCEB, SLTT, and critical infrastructure sectors. Develop technical products to support these efforts.

It is also important to note that implementing post-quantum cryptography requires updating the entire cryptographic infrastructure of digital systems, including software, hardware, and communication protocols. This may take several years to complete and will require careful planning and coordination.

Some general steps to be considered in implementing post-quantum cryptography include evaluating current cryptographic infrastructure, which involves assessing current cryptographic protocols, algorithms, and keys to identify areas that need to be updated to provide post-quantum security.

That step is followed by selecting post-quantum cryptographic algorithms that meet security requirements and are compatible with an organizations’ systems. Once that is done, businesses should perform extensive testing and validation of the post-quantum cryptographic algorithms to ensure they are secure and work correctly.

Last but not least, communicate the changes to all relevant parties, including customers, employees, and partners, to ensure that they know the new post-quantum cryptographic protocols and can adjust their systems accordingly.

---

---

---