BSI Germany: the quantum age is no longer when, but now

For many of us, the prospect of a quantum computer suddenly being able to break classical encryption has seemed like a distant, future threat. The reality, however, is that the quantum age is already here, and the timescale for doing something about it should be pushed forward.

That’s the view of many international bodies involved in security, including Germany’s Federal Office for Information Security (BSI), which in its latest research paper highlights the need for action now. In addition, the recent publication of the first post-quantum algorithms selected by NIST for global standardisation has focused the world’s attention on PQC migration as a matter of urgency. For BSI, the question is no longer when, but how to prepare the world now. In fact, in a recent market survey carried out with KPMG, BSI reports that the threat itself is “widely underestimated”, with “worrying results”. It seems the message is still difficult to get across.

Despite this, progress can be made. Many organisations are already developing strategies for so-called ‘cryptographic agility’ – the ability to build cryptographic products whose algorithms can be swapped or adapted as flexibly as possible. This adaptive approach makes the migration to post-quantum cryptography (PQC) much smoother, and PQC can now be applied in combination (‘hybrid’) with classical schemes.

BSI’s recommendation then is that PQC should only be used in hybrid, crypto-agile solutions.

Planning the migration along specified timescales is also critical. BSI points out the current threat from adversaries who ‘store now, decrypt later’: traffic recorded today can be decrypted once a quantum computer exists, which jeopardises the long-term security of, for example, signature keys that have a long validity period but could become vulnerable at a future stage. With this in mind, it will be increasingly important to apply upgrades as part of typical technology refresh cycles.

Though the development of a cryptographically relevant quantum computer might be years away, it’s important to understand that the reality of the quantum era is already here, and crypto-agility with the application of hybrid solutions might just be the strategy required to defend our systems against it.

Main messages from BSI:

  • From the BSI’s point of view, the question of “if” or “when” there will be quantum computers is no longer paramount. First post-quantum algorithms have been selected by NIST for standardisation and post-quantum cryptography will be used by default. Therefore, the migration to post-quantum cryptography should be pushed forward.
  • Independently of quantum computers, progress can be made at any time in the cryptanalysis of the algorithms used. In the new and further development of crypto products, care should be taken to ensure that they can be adapted as flexibly as possible (“cryptographic agility”).
  • Post-quantum schemes should only be used in combination with classical schemes (“hybrid”) if possible. Due to the previously mentioned point, a hybrid approach (with two or more post-quantum schemes) is a possible solution even after the development of cryptographically relevant quantum computers.
  • It is primarily the key-agreement schemes that are initially threatened by quantum computers (“store now, decrypt later” as a threat to long-term security). Signatures usually only need to be secure in the short term. However, with long validity periods of signature keys, a timely change is also necessary here. In addition, migration periods must be taken into account.
  • Quantum cryptography is a complement to post-quantum cryptography that should be further researched and tested. However, it is not yet ready for widespread use today.
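The hybrid approach recommended above (classical key agreement combined with a post-quantum scheme, with the construction kept crypto-agile) can be illustrated with a key combiner. The following Go program is an added example and is not code from BSI, NIST or the KPMG survey. It runs a real X25519 exchange from Go’s standard library and combines the resulting shared secret with a second secret standing in for a post-quantum KEM’s output; the PQ secret and ciphertext are constructed inputs supplied by the caller (an assumption, since no PQ KEM ships in the Go standard library used here), and the algorithm labels and `hybrid-kem-v1` context string are likewise this example’s own choices. The security property it demonstrates is that the session key depends on both secrets, so an attacker must break both the classical and the post-quantum component, and that binding the algorithm identifiers into the KDF context separates the key domains when a component is later swapped out.

```go
package main

import (
	"bytes"
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Algorithm labels bound into the KDF context. Swapping a component changes
// the label and therefore the derived key domain: the crypto-agility hook.
const (
	classicalAlg = "X25519"
	pqAlg        = "PQ-KEM-PLACEHOLDER" // assumption: stands in for a real PQ KEM name
)

// hkdfSHA256 is a minimal HKDF (RFC 5869, extract + one expand block) that
// returns 32 bytes. Written inline so the example needs only the standard library.
func hkdfSHA256(ikm, salt, info []byte) []byte {
	extract := hmac.New(sha256.New, salt)
	extract.Write(ikm)
	prk := extract.Sum(nil)
	expand := hmac.New(sha256.New, prk)
	expand.Write(info)
	expand.Write([]byte{0x01})
	return expand.Sum(nil)
}

// combineSecrets derives the session key from BOTH shared secrets. The
// transcript (algorithm labels plus the public values that were exchanged)
// goes into the HKDF info field, so the key is tied to exactly this pair of
// schemes and to these exchanged values.
func combineSecrets(ssClassical, ssPQ, pkClassical, ctPQ []byte) []byte {
	ikm := append(append([]byte{}, ssClassical...), ssPQ...)
	var info bytes.Buffer
	info.WriteString("hybrid-kem-v1|" + classicalAlg + "|" + pqAlg + "|")
	info.Write(pkClassical)
	info.Write(ctPQ)
	return hkdfSHA256(ikm, []byte("hybrid-demo-salt"), info.Bytes())
}

// hybridExchange runs one X25519 exchange between two parties and combines
// each side's classical secret with the supplied post-quantum secret.
// ssPQ and ctPQ are caller-supplied stand-ins: in a deployment they would come
// from the PQ KEM's Encapsulate (sender) and Decapsulate (receiver).
func hybridExchange(ssPQ, ctPQ []byte) (aliceKey, bobKey []byte, err error) {
	curve := ecdh.X25519()
	alicePriv, err := curve.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	bobPriv, err := curve.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	// Each side computes the classical shared secret from its own private
	// key and the peer's public key.
	ssAlice, err := alicePriv.ECDH(bobPriv.PublicKey())
	if err != nil {
		return nil, nil, err
	}
	ssBob, err := bobPriv.ECDH(alicePriv.PublicKey())
	if err != nil {
		return nil, nil, err
	}
	// Alice's public key is part of the transcript both sides saw.
	pkAlice := alicePriv.PublicKey().Bytes()
	return combineSecrets(ssAlice, ssPQ, pkAlice, ctPQ),
		combineSecrets(ssBob, ssPQ, pkAlice, ctPQ), nil
}

func main() {
	// Constructed placeholder values for the post-quantum half of the exchange.
	ssPQ := []byte("constructed-pq-shared-secret")
	ctPQ := []byte("constructed-pq-ciphertext")
	a, b, err := hybridExchange(ssPQ, ctPQ)
	if err != nil {
		panic(err)
	}
	fmt.Println("alice:", hex.EncodeToString(a))
	fmt.Println("bob:  ", hex.EncodeToString(b))
	fmt.Println("match:", bytes.Equal(a, b))
}
```

Both parties arrive at the same 32-byte key; changing either shared secret, either transcript value, or either algorithm label yields an unrelated key, which is exactly the property a hybrid, crypto-agile construction needs when one component is replaced during a migration.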