As part of this year’s International Cyber Expo, our CEO and Founder, Ali Kaafrani, gave a comprehensive overview of the current post-quantum landscape, and explained why it’s important for businesses to act now.
Here are the key takeaways:
What is post-quantum?
In a nutshell, post-quantum cryptography can run on today’s computers but protect against attacks from quantum computers. Quantum computers are based on quantum mechanics and can solve certain math problems much faster than classical computers – including the math our current cryptography is based on. Whilst quantum computers are very hard to build, the technology is advancing at a phenomenal speed.
Standardization
Cryptography is all about mitigating security risk, and new post-quantum standards are now coming through thick and fast. In July 2022, NIST announced four algorithms to be standardized, with further scrutiny of other candidates underway and more standards to follow. It is likely that from 2024 the new standards will be in force and businesses will need to comply.
What does this mean for engineers?
Secure element, chip and platform engineers should be planning for a migration to post-quantum cryptography (PQC). Likewise, application developers and product engineers should be developing a crypto-agile strategy to enable future migration to PQC that can support all chosen standards.
Mandates and compliance
Unsurprisingly, PQC is being mandated, with government agencies including NSA, GCHQ and ANSSI releasing recommendations in response to emerging standards. Suppliers need to comply to trade, with recent White House announcements highlighting the breadth of activity underway. Most recently, President Biden signed two executive orders: US to be global leader in Quantum Information Science, and directing NIST to set requirements for Federal agencies to update cryptographic systems.
Why should I care now?
Top-level: sensitive data requires long security assurance time, while certain products have long production cycles and an even longer lifespan (think semiconductors, etc.). There’s also the ever-present risk of your data succumbing to a ‘harvest now, decrypt later’ attack.
It’s worth noting that migration to PQC is not difficult but will take time. At the very least, you will need to identify your assets and create a transition map that prioritizes which parts of your ecosystems need to move to PQC first. Remember: you can’t change everything at once…