Quantum Cryptography and Google: Safeguarding the Future of Sensitive Data and Communications

The Quantum Threat to Digital Security

Digital security has long relied on cryptographic algorithms built on hard mathematical problems to keep sensitive data and transactions safe from unauthorized access. These problems were chosen because they are nearly impossible for classical computers to solve, ensuring robust protection and encryption for online activities like email communication, secure banking, and more. However, recent advancements in quantum computing are challenging this security foundation.

Unlike classical computers, which process data in binary form (0s and 1s), quantum computers use qubits that can exist in multiple states simultaneously, a property known as superposition. This capability allows quantum computers to solve certain mathematical problems much faster, potentially breaking the cryptographic systems that have protected data and internet transactions for decades.

Quantum computers pose a serious threat to digital security because they may soon break the encryption methods that protect our online communications today. Encryption methods like RSA and ECC rely on problems that are hard for classical computers to solve, but quantum computers can solve these problems much faster using quantum algorithms. This means quantum computers could recover the keys that protect sensitive data, such as personal details, financial transactions, and government secrets, putting privacy and security at risk.

As quantum computing technology advances, it’s becoming more urgent to address this issue. Encryption methods that are secure now might not be safe in the future, making it crucial to develop Post-Quantum Cryptography (PQC).

Introducing Post-Quantum Cryptography (PQC)

Post-quantum cryptography (PQC) refers to a new set of cryptographic algorithms that are considered “quantum resistant,” meaning they are expected to remain secure even against powerful quantum computers. The goal of PQC is not only to provide protection against future quantum computers, but also to work smoothly with current protocols and network systems. Effective PQC solutions will integrate with existing systems to protect data from all types of attacks, both current and future, regardless of the computing technology used.

Although quantum computers are still in the early stages of development, cybersecurity experts have already developed PQC algorithms, which NIST has now standardized, that can defend against potential quantum-based attacks. These security measures are designed to evolve alongside advancements in quantum computing, ensuring they stay ahead of quantum threats when properly implemented.

PQC itself is a classical approach, meaning it does not rely on quantum networks or quantum states. The term “post-quantum” refers to its goal of providing a security solution that cannot be broken by quantum computers. PQC uses different mathematical problems that are believed to be difficult for both classical and quantum computers to solve.

The Role of Standards and Regulations in PQC Adoption

The adoption of Post-Quantum Cryptography (PQC) requires standards bodies and regulations to ensure that organizations worldwide follow a unified approach to securing digital information in the face of quantum threats. Without clear standards, different entities might adopt varying methods, leading to inconsistencies and potential vulnerabilities in data protection.

Standards bodies, such as NIST, play a critical role by evaluating, selecting, and recommending PQC algorithms that are proven to be secure and effective. These standards help industries and governments adapt to quantum threats in a coordinated way. Regulations enforce these standards, ensuring that organizations follow best practices and secure sensitive data before quantum computers become powerful enough to break existing encryption methods. Together, these standards and regulations create a strong framework for protecting digital security across the globe.

While NIST is leading the development of post-quantum cryptography (PQC) standards, other international organizations are also working on this. Groups like the International Telecommunication Union (ITU), ISO, and ETSI in Europe are creating additional PQC frameworks. They understand the urgency of preparing for the impact of quantum computing.

One of the main challenges is to update current standards without causing compatibility issues or disrupting existing systems. These organizations must also consider the specific needs of important sectors, such as finance, healthcare, and defense, which handle highly sensitive information. It is crucial to develop standards that ensure strong security for these industries while transitioning smoothly to quantum-resistant solutions.

Key Considerations for PQC Adoption

As organizations and governments worldwide prepare for the quantum threat, there are several critical factors to consider in the adoption of Post-Quantum Cryptography (PQC):

Future-Proofing Security: Current cryptographic standards, like RSA and ECC, are vulnerable to quantum attacks. PQC algorithms are designed to resist these threats. Regulatory updates are needed to mandate the adoption of PQC, ensuring long-term security.

Compliance and Certification: Many industries are bound by strict compliance requirements. As PQC becomes the new standard, regulations must evolve to incorporate these algorithms into compliance frameworks, so organizations remain certified and legally protected.

Interoperability: New PQC standards must ensure that systems can still communicate securely with existing infrastructure during the transition. Regulatory bodies need to set guidelines for this interoperability to avoid disruptions in communication and data exchange.

Risk Management: As organizations transition to PQC, there will be a mix of traditional and quantum-resistant algorithms in use. Regulatory changes are needed to guide this transition, manage the associated risks, and avoid security gaps.

Global Consistency: Different countries may adopt PQC at varying paces. To avoid fragmentation and ensure global security, international regulatory bodies must harmonize standards, ensuring consistency in PQC adoption worldwide.

The Global Adoption of PQC

The adoption of Post-Quantum Cryptography (PQC) is gaining momentum worldwide, with governments and industry leaders recognizing the urgency of preparing for the quantum threat.

United States: The US is leading the way in adopting PQC to protect against future quantum threats. The National Institute of Standards and Technology (NIST) has already selected several PQC algorithms for encryption and digital signatures. Federal agencies are required to start implementing these standards to ensure national security and protect economic interests. Transitioning to PQC will help the US maintain its lead in quantum technology and secure its digital infrastructure.

France: France is actively working on PQC by funding research and supporting NIST’s standardization efforts. French agencies are also implementing PQC in their systems and encouraging private companies to adopt quantum-safe algorithms.

Germany: Germany recognizes the importance of PQC and has begun its implementation to prepare for quantum computing threats. The government has allocated resources for research and is working with international partners to speed up the deployment of PQC algorithms. Both government agencies and private companies in Germany are being urged to adopt PQC.

United Kingdom: The UK is involved in developing and adopting PQC. The National Cyber Security Centre (NCSC) has advised organizations to start planning for PQC and has funded various research projects. The UK is also participating in international collaborations to advance PQC adoption.

Taipei: At the “PQC Standardization and Migration Workshop” in Taipei, experts emphasized the need to prepare for quantum computing’s impact on cybersecurity. They discussed the importance of global standards and the challenges of implementing quantum-safe solutions. The consensus was that transitioning to PQC is essential for future data security.

Australia: The Australian Signals Directorate (ASD) highlights the importance of PQC in protecting communications from future quantum threats. Thales, a key player in this field, views NIST’s PQC standards as a significant development. They urge companies to adopt quantum-safe methods soon to avoid risks like “Harvest Now, Decrypt Later” attacks. Thales is actively developing quantum technologies and solutions to help organizations transition to PQC smoothly.

China: China is a global leader in Quantum Key Distribution (QKD) and has heavily invested in QKD and quantum computing technologies. Unlike the US, which focuses on PQC, China prioritizes QKD in its quantum strategy. China aims to establish global quantum-safe network coverage using QKD systems on satellites, with plans to launch its first quantum satellite in 2026. It has already built a QKD-secured network between Beijing and Shanghai and is working with Russia on a quantum communication system.

India: India, now the world’s most populous country, is making significant strides in quantum technology, including QKD. The National Quantum Mission launched in 2023 aims to develop quantum-secure networks and reduce reliance on foreign technology. India plans to expand its QKD network and establish a nationwide quantum communication network. The government is also encouraging private companies to invest in QKD research and development.

Japan: Japan is integrating PQC across various industries to protect against quantum computing risks. Government and defense sectors, banks, healthcare providers, telecom companies, and retail businesses are all adopting PQC to secure data and comply with regulations. Japan’s PQC market is expected to grow, driven by technological advancements and increasing awareness of quantum threats.

Malaysia: Following NIST’s release of PQC algorithms, Malaysia has been proactive in advancing PQC. The country hosted the South-East Asia Post-Quantum Cryptography (SEA-PQC) Summit during Malaysia Cryptology Week 2024 to promote regional collaboration and accelerate the development of quantum-safe solutions. Malaysia is committed to aligning with global PQC standards and strengthening regional cybersecurity.

NIST’s PQC Standards and the Transition to Quantum-Resistant Encryption

NIST has already published a set of standardized PQC algorithms designed to withstand the risks quantum computing brings. The standards cover two key tasks: general encryption, which protects information exchanged over public networks, and digital signatures, which are used to authenticate identities.

The new post-quantum standards are based on three algorithms engineered to withstand cyberattacks from a quantum computer:

  1. FIPS 203: CRYSTALS-Kyber (ML-KEM) – A standard for general encryption, known for its compact encryption keys and fast operation.
  2. FIPS 204: CRYSTALS-Dilithium (ML-DSA) – The main standard for digital signatures.
  3. FIPS 205: SPHINCS+ (SLH-DSA) – A digital signature standard that uses a different mathematical approach and serves as a backup to ML-DSA.

These standards represent a key step forward in the shift to quantum-resistant encryption. They ensure that robust cryptographic methods will continue to safeguard data when quantum computers become a reality.

The release of the first set of PQC standards is a significant achievement, following an eight-year global effort led by the U.S. National Institute of Standards and Technology (NIST). However, this milestone also signals the beginning of preparations for quantum computing. The recent announcement triggers new U.S. policy deadlines under National Security Memorandum-10, which mandates that federal agencies begin testing and transition to PQC by 2035.

The Urgency of Preparing for PQC

The National Security Agency (NSA), alongside the Cybersecurity and Infrastructure Security Agency (CISA) and NIST, has released a roadmap for organizations, especially those in critical infrastructure, to start migrating toward PQC standards. They stress the need for proactive measures now to stay ahead of quantum threats, emphasizing that government and industry collaboration will be essential in addressing these vulnerabilities.

CISA underscores the need for immediate preparation for PQC migration. Together with the NSA and NIST, CISA has issued guidance urging critical infrastructure sectors to create quantum-readiness plans, inventory their cryptographic systems, and work with vendors. They warn that quantum computing could soon threaten current cryptographic standards, making it vital to begin planning now to protect sensitive data from future risks.

The UK’s National Cyber Security Centre (NCSC) also stresses the urgency of preparing for PQC. Future quantum computers could break current encryption methods, so they recommend starting migration efforts now. Organizations should identify critical assets and determine where vulnerable cryptographic algorithms are used. The NCSC supports adopting the standard quantum-safe algorithms approved by NIST and encourages a phased approach to ensure national infrastructure and sensitive data remain secure.

Similarly, the European Union Agency for Cybersecurity (ENISA) emphasizes the need for immediate implementation of PQC protocols to address the potential threat quantum computing poses to current encryption methods. They advocate for integrating post-quantum systems into existing protocols, using hybrid approaches that combine both pre-quantum and post-quantum cryptography to enhance security during the transition.
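The inventory step that CISA and the NCSC recommend above can start with a classifier over the algorithm identifiers already present in TLS, certificate and SSH configurations, which also recognizes the hybrid combinations ENISA describes. The following Python is an added example, not code from the cited guidance or any vendor tool; the system names and inventory records are constructed, and the substring heuristics are an assumption that fits common OpenSSL, X.509 and SSH identifier styles.

```python
import re

# PQC families standardized in FIPS 203/204/205, as named on the page.
PQC = re.compile(r"ML-?KEM|ML-?DSA|SLH-?DSA", re.I)
# Public-key families a quantum computer is expected to break (RSA, ECC, DH).
CLASSICAL = re.compile(r"RSA|ECDSA|ECDHE?|DSA|DHE?|ED25519|X25519|NISTP\d+", re.I)

def classify(algorithm):
    """Return 'pqc', 'hybrid', 'quantum-vulnerable' or 'no-public-key'."""
    has_pqc = bool(PQC.search(algorithm))
    # Remove PQC names first: "ML-DSA" contains "DSA" and would otherwise
    # be misreported as containing a classical signature scheme.
    remainder = PQC.sub(" ", algorithm)
    has_classical = bool(CLASSICAL.search(remainder))
    if has_pqc and has_classical:
        return "hybrid"
    if has_pqc:
        return "pqc"
    if has_classical:
        return "quantum-vulnerable"
    return "no-public-key"

def triage(inventory):
    """Sort findings so harvest-now-decrypt-later exposure comes first."""
    findings = []
    for system, purpose, algorithm in inventory:
        status = classify(algorithm)
        # Recorded key exchanges can be decrypted later; signatures cannot
        # be forged retroactively, so they rank below key establishment.
        urgent = status == "quantum-vulnerable" and purpose == "key-exchange"
        rank = 0 if urgent else 1 if status == "quantum-vulnerable" else 2
        findings.append((rank, system, algorithm, status))
    return sorted(findings)

# Constructed sample inventory: (system, purpose, algorithm identifier).
INVENTORY = [
    ("vpn-gateway", "key-exchange", "ECDHE-RSA-AES256-GCM-SHA384"),
    ("web-frontend", "key-exchange", "X25519MLKEM768"),
    ("code-signing", "signature", "sha256WithRSAEncryption"),
    ("firmware-signing", "signature", "ML-DSA-65"),
    ("backup-archive", "encryption", "AES-256-GCM"),
    ("bastion-host", "signature", "ssh-ed25519"),
]

if __name__ == "__main__":
    for rank, system, algorithm, status in triage(INVENTORY):
        print(f"{rank} {system:17} {algorithm:30} {status}")
```

Rank 0 marks classical key establishment, where traffic captured today can be decrypted once a capable quantum computer exists; rank 1 marks classical signatures, and rank 2 covers entries that are already PQC, hybrid, or symmetric-only.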

Conclusion: Securing the Future with Post-Quantum Cryptography

Post-Quantum Cryptography (PQC) is becoming a critical requirement for securing digital systems as quantum computing advances. The quantum threat is real, and taking steps now is vital. Standards bodies and governments are pushing for the adoption of PQC in existing cryptographic systems. By updating regulations and integrating PQC alongside current methods, these organizations are emphasizing the importance of strong encryption to protect against future quantum risks.

PQC is essential for ensuring long-term security in the face of these new threats. As Google and other industry leaders work to safeguard sensitive data and communications, it is crucial for organizations of all sizes to stay informed and proactively prepare for the transition to quantum-resistant encryption. By embracing PQC standards and collaborating with regulatory bodies, we can collectively secure the future of our digital landscape.

To learn more about preparing for PQC, visit the IT Fix blog for additional resources and expert guidance on navigating the shift to a quantum-safe future.
