National agencies and scientific institutions are well aware of the threat that quantum computers pose to current cryptography. In 2015, the US National Security Agency first published warnings of the need to move to quantum-resistant algorithms. One year later, the National Institute of Standards and Technology (“NIST”) began a standardization initiative for post-quantum cryptography and secure operating parameters. Post-quantum cryptography is the study of encryption systems that can run on a conventional computer and are sufficiently secure against both quantum and classical computers. However, the evaluation process is lengthy and NIST continues to review and examine potential quantum-resistant algorithms. The initiative has currently identified five classes of quantum-resistant encryption systems: lattice-based; multivariate quadratic equations; hash-based; code-based; and supersingular elliptic curve isogeny. NIST is expected to announce its first standardization-eligible algorithm within the next two years.
During this transitional period, while the world awaits the results from NIST, there are measures that can be taken now to start securing data against quantum computing and to prepare for the upcoming migration. Organizations should begin engineering work to prepare their infrastructure to implement post-quantum cryptography as soon as the migration is ready. To start preparing now, experts recommend that organizations create a reference index of the applications that use cryptography and ensure that current and future systems have sufficient cryptographic agility. Indexing allows organizations to assess their quantum vulnerabilities and to ensure that all applications are migrated, reducing the risk of incidents occurring in one part of their digital ecosystem. It is imperative that organizations continuously assess their risks and migrate quickly to prevent systemic data insecurity.
Organizations should develop a plan to move to quantum-resistant encryption. Advance planning will reduce system downtime and provide flexibility to respond to any implementation flaws. Organizations can use their reference index to ensure that all of their devices are capable of using quantum-resistant encryption. The migration process will require complex planning and budgeting, but by starting to prepare now for the upcoming transition to post-quantum cryptography, organizations can ensure a less disruptive transition.
Additionally, to protect data from potential “catch now, exploit later” attacks, companies can start implementing a hybrid approach to encryption that uses classical and post-quantum schemes together. Migrating applications to quantum-resistant encryption quickly is the only proactive step organizations can take to mitigate these risks. If an organization implements hybrid encryption, it is essential to remain aware of the NIST results in case the chosen quantum-resistant algorithm is found to be breakable. Furthermore, the post-quantum cryptography that has been deployed may need to be updated in order to comply with the NIST secure operating parameters.
As the race continues to protect the Internet from the threat of exploitation using quantum computers, it is imperative that organizations today prepare themselves for the complexities involved in the global migration to post-quantum cryptographic algorithms. Today’s digital information security depends on it.