By Dr Ali El Kaafarani, Founder and CEO of PQShield
July 5th, 2022, marked an important milestone in the fight to secure sensitive data against future cyber-attacks from quantum computers.
The U.S. National Institute of Standards and Technology (NIST) selected the first group of quantum-ready cryptographic standards known as post-quantum cryptography. These cryptography schemes are purpose built to withstand attacks from a quantum computer, which will eventually have the power to break the current security encryption used to protect virtually all of the world’s sensitive information.
The announcement, which was the culmination of the first stage of a six-year effort managed by NIST, showcased the fruits of global cooperation from the cryptographic community. For the second stage additional algorithms are under consideration for inclusion in the standard, with this multi-stage process allowing for the robust and thorough testing of all algorithms. This process has already allowed the cryptographic community to scrutinise and rule out weak candidates.
Why the quantum threat isn’t overhyped
For many, the prospect of a quantum computer at a scale needed to threaten our encryption is in the long and distant future. However, with $3.2 billion investment in 2021 for quantum technologies and China already committing $10 billion investment towards its development, the threat they pose to encryption is no longer a question of if, but when.
Quantum computers are a rapidly emerging technology that harnesses the laws of quantum mechanics to solve problems too complex for classical computers. Through this new computational model, quantum computers will be able to break all current public key encryption used ubiquitously today.
The risk is rapidly becoming a major concern for policy makers: the G7, led by the White House, recently included the quantum threat in their key 21st Century challenges.
From a risk perspective however, independent of how quickly this emerging technology is developing, what makes the threat even more dangerous is that quantum attacks, namely the “Harvest Now. Decrypt Later (HNDL), can be carried out retrospectively. This means that an institution can be targeted today with a ‘harvest now and decrypt later’ attack. Threat actors have the capability of harvesting encrypted sensitive data from across sectors and levels including financial information, national security intelligence and business and consumer data and then storing this data for decryption at a later date.
It is this fact that demands an urgent response from the cybersecurity community. Security is about identifying and mitigating risk: the longer businesses delay replacing exposed encryption with post-quantum cryptography, the greater the quantity of data will be exposed.
What do the NIST standards mean for businesses?
There is growing recognition of the need for businesses to prepare for this new and sophisticated threat, especially to the cyber systems that our critical infrastructure and democratic institutions rely on. The primary purpose of the NIST process was to identify a robust suite of encryption that businesses could trust and utilise in defending themselves against this threat.
Under the guidelines and protection of these new standards, businesses can chart a path to long term cybersecurity with the certainty that the encryption they are using is quantum secure.
The process to achieve quantum security is simple in concept but the challenge will be in the execution.
Businesses first need to identify their exposure through a comprehensive audit of the encryption they use and its locations. With this clear picture and armed with these new standards we can chart a roadmap and timeline to move forward in replacing the vulnerable encryption and adopt PQC.
What’s next for post quantum cryptography
Now is not the time for complacency. The global post quantum cryptography community has worked tirelessly to establish these new schemes and standards, but the focus now must turn on adopting them within its cybersecurity infrastructure imminently.
These new standards also represent the beginning of the journey towards actualising a quantum secure future. Just as businesses and governments need to stay alert to adapt to the growing and changing threats, so does the cryptography industry which needs to continuously innovate to stay ahead of looming risks.
NIST is already leveraging the momentum gathered with the announcement of the new standards with additional algorithms under consideration for inclusion in a fourth round. Since the beginning of NIST’s effort there has been a recognition that various systems and processes use different approaches to encryption. In order to develop and cater for all the variations, further security scrutiny by cryptographers and mathematicians is crucial to protect us. Cryptography is a never-ending field and requires constant innovation to keep ahead of current and future threats.
Still, as the process to find more tools goes on, CISOs and cybersecurity leaders need to be adding the adoption of these standards to their objectives for the coming years. We must include quantum security in new products being developed, PQC guarantees in vendor contracts and upgrades to legacy infrastructure must include installing PQC components. Current encryption has permeated every aspect of business and life making the adoption of post-quantum cryptography the biggest cybersecurity challenge in decades.
About the author
Dr Ali El Kaafarani is the founder and CEO of PQShield, a British cybersecurity startup specialising in quantum-secure solutions. A University of Oxford spin-out, PQShield is pioneering the commercial roll-out of a new generation of cryptography that’s fit for the quantum challenge, yet integrates with companies’ legacy technology systems to protect them from the biggest threats of today and tomorrow. Dr El Kaafarani is a research fellow at Oxford’s Mathematical Institute and a former engineer at Hewlett-Packard Labs, with over a decade of academic and industrial experience. He is also a leading authority in the cryptography community.