Why you should start your post-quantum encryption migration now

This article was first published in Computer Weekly

Firms should already be aware that quantum computing threatens to break the encryption that underpins all current digital interactions. That was already a significant challenge requiring focused attention, but recent developments have made addressing that threat much more urgent.

The National Institute of Standards and Technology (NIST) recently published new quantum resistant public-key cryptographic algorithms and US president Biden directed agencies to “begin the multi-year process of migrating vulnerable computer systems to quantum-resistant cryptography”.

However, the consensus was that firms had time to migrate their encryption, with NIST explaining: “Experts predict that, around 2030, we’ll have full-scale quantum computers that can break asymmetric key cryptography.”

This 2030 timeline was based on two assumptions – firstly, that asymmetric encryption such as RSA is more vulnerable than symmetric encryption such as AES, and secondly, that full-scale quantum computers would be required to threaten current encryption.

Now a paper published in Science China Information Sciences seriously challenges both of these assumptions. It has demonstrated that a variational quantum attack algorithm is, firstly, a “threat to symmetric cryptography” rather than asymmetric cryptography. Secondly, it runs on current generation quantum hardware and is “even faster than Grover’s algorithm” – the previous gold standard decryption approach that required a full-scale quantum computer.

This new attack upends the previous consensus in significant ways and firms should now plan on the basis that quantum computers are likely to break current encryption standards by the middle of this decade. Failure to migrate will put many important digital interactions at risk, including banking, web browsing, file sharing, video conferencing and many more.

To start work on what is now an urgent migration from present encryption methods to next-generation approaches, firms should adopt the three As: be aware of the problem, architect a solution, and apply it.

Aware

Firms should make sure they understand the four post-quantum cryptography solutions (PQCs) recently selected by NIST. They need to be aware of how these differ from current methods in their implementation and what this might mean for their individual organisation.

This should include appreciating how the lattice CRYSTALS pair CRYSTALS-Kyber, the only public key scheme selected, and CRYSTALS-Dilithium, one of the digital signature options, complement each other, and when to apply the other two digital signature options, Falcon, which NIST recommends using when Dilithium becomes too large and unwieldy, and Sphincs+, a much more traditional design of scheme.

At the same time, firms should consider where physical quantum key distribution might add complementary protection, using quantum technologies to secure data with physics. These technologies may be more accessible than you think. In the UK, BT is building the world’s first quantum-secured metro network across London.

Using a mixture of new quantum resistant encryption methods avoids the risk of putting all your eggs in one basket, which is an important factor in this emerging field, where we have already seen flaws found in encryption approaches that had previously been seen as promising, such as Rainbow.

Architect

The migration to post-quantum cryptography will be a multi-year process that needs a staged delivery. Systems being delivered today will typically have a multi-year lifespan and firms therefore need to consider the migration to post-quantum cryptography from the start. Equally, for data that needs to be kept secure for a medium to long lifespan, NIST warns of the risk that adversaries “copy down your encrypted data and hold on to it until they have a quantum computer”.

Firms should therefore assess the different types of risk they have across their enterprise architecture – such as the sensitivity of data, the length of time for which encryption needs to be maintained, and the threat of copies being taken by outside actors for future decryption – to plan and prioritise the migration appropriately.

Apply

Finally, firms will need to focus on how they will implement their chosen mix of standardised NIST post-quantum cryptography and physical quantum key distribution. This will require a careful choice of software and firmware. Also, in our interconnected world, firms will need to establish and assure their supply chain and develop the appropriate stress-testing capabilities to maintain security. The best way to do this is to start small and take early action to build your capability and experience.

Only two weeks after NIST announced new post-quantum cryptography approaches, we have had our assumptions on the quantum threat overturned by a new quantum attack that has changed the risk calculation and accelerates the deadline for migration. Action is needed now, and firms must start assessing and addressing this risk today in order to protect themselves in the not-too-distant future.