
Post Quantum Computing: A New Era of Digital Security

Sayali Saste, 08 Oct 2024

Today, there is a buzz around Quantum-Safe or Post-Quantum Cryptography (PQC), much as there was in the late 1990s and early 2000s. That earlier interest coincided with the development of public-key algorithms such as Rivest-Shamir-Adleman (RSA) and Elliptic Curve Cryptography (ECC). These algorithms are vulnerable to attackers equipped with quantum computers, which calls for a transition into the quantum-safe world.

Current progress around PQC

At present, the most concerning threat is “Harvest Now, Decrypt Later (HNDL),” in which sensitive data that holds value for more than five years is captured today and decrypted later using a quantum computer. Many enterprises are worried about this and are looking for safer options.

Significant progress has been made in the field of PQC; algorithms such as CRYSTALS-Kyber, CRYSTALS-Dilithium, FALCON, and SPHINCS+ have been selected by NIST as replacements for traditional public-key algorithms like RSA and ECC.

Role of Standardization

Standardization plays a vital role in the PQC market. Since 2016, efforts have been made to set standards. A lack of standards hinders the interoperability and widespread adoption of PQC. It also exposes the risk of inconsistencies, leading to vulnerabilities that can be exploited by attackers.

On August 16, 2024, NIST finalized and published its three PQC standards: Federal Information Processing Standard (FIPS) 203, FIPS 204, and FIPS 205.

  • FIPS 203 is based on the CRYSTALS-Kyber algorithm, which has been renamed the Module Lattice-Based Key Encapsulation Mechanism (ML-KEM).
  • FIPS 204 is based on the CRYSTALS-Dilithium algorithm, which is now the Module Lattice-Based Digital Signature Algorithm (ML-DSA).
  • FIPS 205 is based on the SPHINCS+ algorithm, which is now the Stateless Hash-Based Digital Signature Algorithm (SLH-DSA).

BSI (Bundesamt für Sicherheit in der Informationstechnik) is the German federal cybersecurity authority and publishes its own PQC recommendations. It recommends code-based cryptography such as Classic McEliece, lattice-based cryptography such as FrodoKEM, and hash-based cryptography such as XMSS and LMS. It also advises organizations to deploy a hybrid approach that combines classical cryptography with PQC.

BSI further recommends crypto agility, which is widely regarded as crucial. Crypto agility simply means remaining flexible and prepared to adapt to new cryptographic algorithms as needed. With HNDL attacks, the increasing integration of Generative AI, and the development of quantum computers, the crypto world is expected to evolve rapidly. Organizations therefore need to be crypto-agile to cope with these developments.
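The hybrid approach and the crypto agility that BSI recommends above can be made concrete with a small hybrid key encapsulation. The following Go program is an added example, not code from this page or from BSI or NIST; it assumes Go 1.24 or later, whose standard library ships ML-KEM-768 (FIPS 203) in crypto/mlkem alongside X25519 in crypto/ecdh and HKDF in crypto/hkdf. It pairs a classical X25519 key exchange with an ML-KEM-768 encapsulation and derives one session key from both shared secrets, so an attacker has to break both components; the "combine" step, which concatenates the two secrets and runs HKDF-SHA256 over them, is a simplification of how TLS hybrid key exchange binds the two secrets, and the "info" label is a constructed value.

```go
package main

import (
	"bytes"
	"crypto/ecdh"
	"crypto/hkdf"
	"crypto/mlkem"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Wire layout of the hybrid public key and ciphertext: the ML-KEM-768
// component comes first, the 32-byte X25519 component second.
const (
	x25519Len   = 32
	hybridPKLen = mlkem.EncapsulationKeySize768 + x25519Len
	hybridCTLen = mlkem.CiphertextSize768 + x25519Len
)

// HybridRecipient publishes a hybrid public key and later decapsulates.
// It holds an ML-KEM-768 decapsulation key and an X25519 private key.
type HybridRecipient struct {
	pq *mlkem.DecapsulationKey768
	ec *ecdh.PrivateKey
}

// NewHybridRecipient generates fresh keys for both components.
func NewHybridRecipient() (*HybridRecipient, error) {
	pq, err := mlkem.GenerateKey768()
	if err != nil {
		return nil, err
	}
	ec, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &HybridRecipient{pq: pq, ec: ec}, nil
}

// PublicKey returns ML-KEM-768 encapsulation key || X25519 public key.
func (r *HybridRecipient) PublicKey() []byte {
	pk := make([]byte, 0, hybridPKLen)
	pk = append(pk, r.pq.EncapsulationKey().Bytes()...)
	return append(pk, r.ec.PublicKey().Bytes()...)
}

// combine derives the session key from both component secrets with HKDF-SHA256.
// Recovering the key needs BOTH inputs: a quantum attack on X25519 still leaves
// the ML-KEM secret unknown, and a flaw in ML-KEM still leaves X25519 intact.
// Crypto agility lives here: swapping a component changes only the inputs.
func combine(ssPQ, ssEC []byte, info string) ([]byte, error) {
	ikm := make([]byte, 0, len(ssPQ)+len(ssEC))
	ikm = append(ikm, ssPQ...)
	ikm = append(ikm, ssEC...)
	return hkdf.Key(sha256.New, ikm, nil, info, 32)
}

// Encapsulate is the sender side: it returns the hybrid ciphertext
// (ML-KEM ciphertext || ephemeral X25519 public key) and the session key.
func Encapsulate(pub []byte, info string) (ciphertext, key []byte, err error) {
	if len(pub) != hybridPKLen {
		return nil, nil, errors.New("hybrid public key has wrong length")
	}
	ek, err := mlkem.NewEncapsulationKey768(pub[:mlkem.EncapsulationKeySize768])
	if err != nil {
		return nil, nil, err
	}
	ssPQ, ctPQ := ek.Encapsulate()
	peer, err := ecdh.X25519().NewPublicKey(pub[mlkem.EncapsulationKeySize768:])
	if err != nil {
		return nil, nil, err
	}
	eph, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	ssEC, err := eph.ECDH(peer)
	if err != nil {
		return nil, nil, err
	}
	if key, err = combine(ssPQ, ssEC, info); err != nil {
		return nil, nil, err
	}
	ciphertext = make([]byte, 0, hybridCTLen)
	ciphertext = append(ciphertext, ctPQ...)
	return append(ciphertext, eph.PublicKey().Bytes()...), key, nil
}

// Decapsulate is the recipient side. ML-KEM never reports a corrupted
// ciphertext; it returns an unrelated key (implicit rejection), so a mismatch
// only shows up when the derived key is later authenticated.
func (r *HybridRecipient) Decapsulate(ciphertext []byte, info string) ([]byte, error) {
	if len(ciphertext) != hybridCTLen {
		return nil, errors.New("hybrid ciphertext has wrong length")
	}
	ssPQ, err := r.pq.Decapsulate(ciphertext[:mlkem.CiphertextSize768])
	if err != nil {
		return nil, err
	}
	ephPub, err := ecdh.X25519().NewPublicKey(ciphertext[mlkem.CiphertextSize768:])
	if err != nil {
		return nil, err
	}
	ssEC, err := r.ec.ECDH(ephPub)
	if err != nil {
		return nil, err
	}
	return combine(ssPQ, ssEC, info)
}

func main() {
	r, err := NewHybridRecipient()
	if err != nil {
		panic(err)
	}
	ct, senderKey, err := Encapsulate(r.PublicKey(), "example hybrid session")
	if err != nil {
		panic(err)
	}
	recipientKey, err := r.Decapsulate(ct, "example hybrid session")
	if err != nil {
		panic(err)
	}
	fmt.Printf("keys match: %v\n", bytes.Equal(senderKey, recipientKey))
}
```

Two practical points follow from the design. First, because ML-KEM uses implicit rejection, a tampered ciphertext does not fail at decapsulation but yields a different key, so the protocol above it must still authenticate the derived key (as TLS does with its Finished messages) rather than rely on a decapsulation error. Second, keeping the key derivation in one "combine" function is what makes a later swap of either component (for example to a different lattice or code-based KEM) a local change, which is the operational meaning of crypto agility.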


Food for thought

In the near term, establishing a robust crypto strategy and centralized governance will be critical to protecting the digital world from the emerging threats associated with quantum computers. This evolving space of cryptography is expected to create new opportunities, such as developing a Crypto Center of Excellence (CCoE) to guide cryptographic policies and support the development teams. By 2029, a new era of PQC is expected to take over digital security.
