National agencies and scientific institutions are well aware of the threat of quantum computers to existing cryptography. In 2015, the United States National Security Agency first published warnings of the need to transition to quantum-resistant algorithms. One year later, the National Institute of Standards and Technology (“NIST”) began a standardization initiative for post-quantum cryptography and secure operating parameters. Post-quantum cryptography is the study of crypto-systems that can be run on a conventional computer and is sufficiently secure against both quantum and conventional computers. However, the trial process is lengthy and NIST continues to review and scrutinize potential quantum-resistant algorithms. The initiative identified five classes of cryptographic systems that are currently quantum-resistant: lattice based; multivariate-quadratic-equations; hash-based; code-based; and supersingular elliptic curve isogeny. NIST is expected to announce the first algorithm to qualify for standardization within the next two years.
During this transition period while the world awaits NIST’s findings, there are measures that can be taken now to begin securing data against quantum computing and preparing for the upcoming migration. Organizations should begin the engineering work necessary to prepare their infrastructure for the implementation of post-quantum cryptography as soon as the migration is ready. To begin preparing now, experts recommend that organizations create a reference index for those applications that use encryption and ensure that current and future systems have sufficient cryptographic agility. Reference indexing allows organizations to assess quantum vulnerabilities ensuring that all applications are migrated, minimizing the risk of incidents occurring in one part of their digital ecosystem. It is essential that organizations perform an ongoing assessment of their risks and migrate quickly to prevent systemic data insecurity.
Organizations should develop a plan to transition to quantum-resistant encryption. Planning ahead will minimize system down time and provide flexibility for responding to any implementation flaws. Organizations can utilize their reference index to ensure that all of their hardware is capable of utilizing quantum-resistant encryption. The migration process will require complicated planning and budgeting, but by beginning to prepare now for the upcoming migration to post-quantum cryptography, organizations can ensure a less disruptive transition.
In addition, to protect data from potential “capture now, exploit later” attacks, enterprises can begin implementing a hybrid approach to encryption by using both classical and post-quantum schemes together. Migrating applications to quantum-resistant encryption quickly is the only proactive step organizations can take to mitigate this risk. If an organization implements hybrid encryption, it is essential to remain aware of NIST findings in case the chosen quantum-resistant algorithm is found to be breakable. Moreover, the implemented post-quantum encryption may need to be updated in order to align with NIST secure operating parameters.
As the race continues to protect the internet from the threat of exploitation using quantum computers, it is essential that organizations prepare themselves today for the complexities involved in a global migration to post-quantum cryptographic algorithms. The security of today's digital information depends on it.
1 Vasileios Mavroeidies et al., The Impact of Quantum Computing on Present Cryptography, 9 IJACSA 1, 1 (Mar. 31, 2018).
2 Quantum computing has been on Gartner’s list of emerging technologies repeatedly over the years. This 2019 article estimated 5 to 10 years before consistent results are achieved, allowing for the commercialization of quantum computing. https://www.gartner.com/smarterwithgartner/the-cios-guide-to-quantum-computing/
3 Campagna M., LaMacchia B., & Ott D. (2020) Post Quantum Cryptography: Readiness Challenges and the Approaching Storm. https://cra.org/ccc/resources/ccc-led-whitepapers/#2020-quadrennial-papers