This summer’s post-quantum news: what you need to know
This summer marks a major breakthrough in cybersecurity with the publication of the NIST standards for post-quantum cryptography. This publication is the culmination of many years of work, the standardisation process having begun in 2016, while the mathematical research has lasted decades.
This news has been eagerly awaited by the cyber community, because the threat is so real: a sufficiently powerful quantum computer would render all current asymmetric cryptography obsolete. It would become impossible to exchange encryption keys and impossible to digitally sign documents. In short, it would mean the end of confidentiality and integrity guarantees for communications.
It’s difficult to describe the extent of the consequences, with secure communications on the Internet becoming near enough impossible.
To counter this, 3 new cryptographic standards have been identified:
- ML-KEM (CRYSTALS-Kyber), the new main standard for encryption and therefore key exchange
- ML-DSA (CRYSTALS-Dilithium), the new main standard for digital signatures
- SLH-DSA (SPHINCS+), the backup standard for digital signatures should ML-DSA prove vulnerable.
Note that a “backup” solution for encryption, FN-DSA (FALCON), will be released in the near future.
The standards are published, but the post-quantum efforts are not over – quite the contrary!
Integrations begin: vendors and developers in action
Publication of the standards means that the next stage in the post-quantum security process can begin: integration of the algorithms by the major players and developers of technological solutions.
This work has already begun, of course: post-quantum algorithms are now on the development roadmap of Tink, Google’s well-known cryptographic library. Also worthy of mention is the partnership between IBM and Thales for complete post-quantum security, from VPN to TLS to digital document signing. Microsoft has also indicated that efforts are underway for a post-quantum transition of its services, from cloud to on-premise. Even Apple, in the consumer sphere, has launched the migration of iMessage to post-quantum algorithms.
But beware, post-quantum security is not suddenly a reality. It is and will be a long process which relies, in particular, on the efforts of all IT service providers. It’s encouraging to see that market leaders are taking this subject seriously.
It’s up to large organisations to act!
Post-quantum security doesn’t just concern GAFAM: all major organisations need to start transitioning to this new paradigm. We recommend that you start thinking about and adopting a post-quantum security strategy now, as US agencies are obliged to do so under the Quantum Computing Cybersecurity Preparedness Act (2022).
There are many major stages in this migration strategy, and it obviously has to cover conventional IT systems. But we mustn’t forget industrial systems and embedded systems (vehicles, trains, connected objects, remote systems, etc.). For each of these areas, the following elements need to be consolidated:
- An inventory of data and its security shelf-life, particularly for long-lived data, in order to prioritise safeguards.
- An inventory of cryptographic solutions used in-house, to identify their origins and responsibilities (in-house, open-source, suppliers, etc.).
- Each use of asymmetric cryptography must be the subject of a transition plan, including a POC. Note that symmetric AES cryptography does not require any transition, with the exception of the move to AES256 for ultra-critical data (sensitive over several decades). For legacy systems, beyond the migration of the encryption systems themselves, it may be necessary to re-encrypt part of the stored data.
- The entire cryptographic chain will obviously have to evolve, from PKI to certificates, via the various encryption and signature systems. We’ll also need to pay close attention to performance issues, particularly in embedded environments.
- New projects must take post-quantum security into account right from the design stage:
  - With the inclusion of post-quantum security criteria in the evaluation of service providers.
  - All in-house projects must include the use of post-quantum asymmetric cryptography, requirements equivalent to AES256 for symmetric cryptography, and guarantees equivalent to SHA512 for hashing.
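As an added illustration (not code from the original article), the script below shows how the data and cryptography inventories above can be turned into a prioritised action plan: each constructed inventory entry is scored against the article's own figures (plan starting in 2025, risk zone around 2033, 3 to 4 years per migration, AES256 only for data sensitive over decades). The planning constants, the 20-year "long-lived" threshold, the algorithm families and the sample systems are all assumptions made for this example.

```python
from dataclasses import dataclass
# Planning figures taken from the article (assumptions for this example):
PLAN_START_YEAR = 2025    # first assessment phases land in the 2025 plan
QUANTUM_RISK_YEAR = 2033  # risk zone: not being ready by then is a serious risk
MIGRATION_YEARS = 4       # history shows 3 to 4 years per migration
LONG_LIVED_YEARS = 20     # "sensitive over several decades" threshold (assumption)
QUANTUM_VULNERABLE = {"RSA", "DH", "ECDH", "ECDSA", "EDDSA", "DSA"}  # broken by Shor
POST_QUANTUM = {"ML-KEM", "ML-DSA", "SLH-DSA"}                        # NIST standards

@dataclass
class InventoryItem:
    system: str
    algorithm: str         # e.g. "RSA-2048", "AES-128", "ML-KEM-768"
    shelf_life_years: int  # how long the protected data stays sensitive
    origin: str            # in-house / open-source / supplier

def split_algorithm(algorithm):
    # "ECDSA-P256" -> ("ECDSA", None); "ML-KEM-768" -> ("ML-KEM", 768)
    family, _, size = algorithm.upper().rpartition("-")
    if not family:  # no dash at all, e.g. "Proprietary"
        return size, None
    return family, int(size) if size.isdigit() else None

def assess(item):
    # Returns (priority, reason) for one inventory entry.
    family, bits = split_algorithm(item.algorithm)
    sensitive_until = PLAN_START_YEAR + item.shelf_life_years
    if family in POST_QUANTUM:
        return "OK", "already on a NIST post-quantum standard"
    if family in QUANTUM_VULNERABLE:
        if sensitive_until > QUANTUM_RISK_YEAR:  # harvest now, decrypt later
            return "P1", f"data sensitive until {sensitive_until}: exposed to harvest-now-decrypt-later"
        return "P2", f"asymmetric: transition plan and POC, start by {QUANTUM_RISK_YEAR - MIGRATION_YEARS}"
    if family == "AES":
        if bits is not None and bits < 256 and item.shelf_life_years >= LONG_LIVED_YEARS:
            return "P2", "long-lived data: move to AES-256 and re-encrypt stored data"
        return "P3", "symmetric: no transition required"
    return "REVIEW", "unknown primitive: confirm origin and responsibility"

def prioritise(inventory):
    # Most urgent entries first; sort is stable within one priority level.
    order = {"P1": 0, "P2": 1, "REVIEW": 2, "P3": 3, "OK": 4}
    return sorted(((i, *assess(i)) for i in inventory), key=lambda r: order[r[1]])

SAMPLE = [  # constructed sample inventory, not real systems
    InventoryItem("patient-archive-vpn", "RSA-2048", 30, "supplier"),
    InventoryItem("web-front-tls", "ECDH-P256", 1, "open-source"),
    InventoryItem("backup-at-rest", "AES-128", 25, "in-house"),
    InventoryItem("build-signing", "ML-DSA-65", 10, "in-house"),
    InventoryItem("legacy-plc-link", "Proprietary", 15, "supplier"),
]
```

Running `prioritise(SAMPLE)` puts the 30-year patient archive protected by RSA first, since traffic captured today would still be sensitive once a quantum computer exists, while the short-lived TLS front end and the AES-128 backups follow as planned migrations.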
Given the scale of the task, a complete ecosystem of suppliers is emerging to support inventorying, risk assessment (via library or source code scanning) and action plan follow-up. This is the case at Thales, IBM and SandboxAQ.
But beyond the tools, it will be necessary to embark on a real transformation programme, mobilising IT teams, the business lines concerned, and also purchasing if the supplier stakes are high.
This migration is also an opportunity to think more deeply about the management of “crypto agility”, because let’s face it, these algorithms are fairly “new”, and it’s not impossible that flaws will be discovered that will require upgrades. The transformation programme should not lead to a “one-off” migration, but rather to the mastery of agile cryptography within the organisation.
History shows that it takes 3 to 4 years to initiate and complete this type of migration. And it won’t be easy to make headway on this issue, so invisible is it to the business world. Let’s hope that regulations, particularly in Europe, will bring the subject into the spotlight!
Risks and timelines: when to act?
Estimates vary as to when a quantum computer will be able to “break” state-of-the-art RSA encryption. Most place it between 2030 and 2040, with a concentration of estimates around 2033-2035. The NSA requires exclusively post-quantum cryptography from its software, firmware and network equipment suppliers as early as 2030, from 2033 for certain others (e.g. operating systems) and from 2035 for all its suppliers. Post-quantum cryptography should be available as early as 2025 in certain cases.
Even if nobody knows exactly when quantum computers will be sufficiently sophisticated, not being ready by 2033 means accepting risks that will have a serious impact on the most sensitive data.
However, another threat exists today. We are all now exposed to the risk of “Harvest Now, Decrypt Later”, which consists in the large-scale storage of Internet communications for future decryption with a quantum computer (or once encryption keys are leaked). This risk obviously concerns entities with very specific capabilities, namely state agencies or groups of attackers backed by them. The organisations most at risk are therefore those whose data is of strategic interest to these agencies. It’s this particularity that has prompted migrations for some specific players.
But for all of them, given the efforts required and the risk zone by 2030, it’s in the 2025 action plan that the first phases of assessment and construction of the project plan must be planned!