What is post-quantum cryptography?
Although the promises of quantum computing are phenomenal (low-carbon technologies, healthcare, safe autonomous driving, artificial intelligence…), it also poses a serious threat to digital security.
Indeed, once those computers achieve enough power (mainly, enough good-quality qubits), they will be able to solve, in a humanly meaningful time (a few hours), the mathematical problems that underpin conventional asymmetric cryptography. We call those future computers cryptographically relevant quantum computers (CRQCs).
Those mathematical problems would currently take several million years for classical computers to solve, even if we gathered all the computing power available worldwide. This resistance is the basis of security and trust in our digital life: validation of financial transactions, secure Internet browsing, identity proofing of connected devices, data protection, and other key features.
In short, CRQCs put our entire digital world at stake. Therefore, organizations and businesses need to start preparing their migration to post-quantum cryptography (PQC): new algorithms, based on different mathematical problems, that withstand attacks from quantum computers.
For more insights, read our “Introduction to Post-Quantum Cryptography” whitepaper.
When should you start your migration?
One of the main challenges in PQC migration is to assess when to start. On the one hand, previous cryptography migrations, which were simpler by orders of magnitude (3DES to AES; SHA-1 to SHA-2), have shown that a migration can be long and painful. On the other hand, the threat of a CRQC might seem very far away in time.
When to start depends on several factors, such as:
- the availability of PQC standards (the starting point)
- when a CRQC will become a reality (the deadline)
- the time needed to migrate (the duration)
- how long your data needs to be protected (the risk exposure)
Thankfully, the first of them is clearer now, as the US NIST (National Institute of Standards and Technology) selected four PQC algorithms in mid-2022, to be standardized by early 2024.
So, we will all be able to start in early 2024. But should we?
To clarify how the three other factors play together, we can use the Mosca theorem. It states that if the sum of the security shelf life of the data (X) and the migration time (Y) is greater than the collapse time of conventional cryptography (Z), i.e. if X + Y > Z, then “one should worry now”. X, Y and Z represent the three remaining, unknown factors:
- X is the duration for which the data needs to be protected,
- Y is the time required to switch your application to use PQC,
- Z is when a CRQC will be available.
Figure 1 – The Mosca Theorem
This theorem helps prioritize the applications to migrate first, according to their security shelf life X and their migration complexity Y. For example, if the data has a short shelf life of a few days, such as secure website access, then the migration can be postponed until closer to the collapse time Z. However, for data with a shelf life of several years, such as R&D secrets or healthcare data, migration should start as soon as possible. Indeed, attackers could be storing encrypted data now in order to decrypt it later, a type of attack called “Harvest Now, Decrypt Later”.
Figure 2 – Harvest Now, Decrypt Later
Any idea on X, Y, Z?
Y will largely depend on your organization’s capabilities, speed and investment, but the Cloud Security Alliance (CSA), in its “Practical Preparations for the Post-Quantum World” guide, provides general, high-level estimated timelines for the major project tasks of a small to mid-size organization, with an overall Y of 8 to 9 years.
Figure 3 – Cloud Security Alliance. Practical Preparations for the Post-Quantum World
Some aspects, like the availability of PQC-ready software and hardware, and contractual and regulatory constraints, can greatly affect the migration time.
Z is, of course, uncertain, as it depends on scientific and technological progress, its dead ends and its breakthroughs. Quantum experts may give very different predictions for when a CRQC will be usable, from “maybe in 5 years” to, even, “never ever”. However, some reputable organizations have established timelines, like 2035 for the US National Security Agency (NSA), 2033 for the German Federal Office for Information Security (BSI) and April 14th, 2030 for the CSA (they even have a live Countdown to Y2Q clock 😊).
But I particularly like the Quantum Threat Timeline Report. Amongst other useful information, it surveys 40 leading international quantum computing experts on the likelihood of realizing a quantum computer able to break RSA-2048 in less than 24 hours (a pretty good characterization of a CRQC) within the next 5, 10, 15, 20, and 30 years. In the latest edition, December 2022, more than half of them gave a likelihood of at least 50% for this to happen within 15 years, so a Z by 2037.
Figure 4 – Quantum Threat Timeline Report 2022
X obviously depends on the business, the application and the use case, according to your organization’s strategy. JSON Web Tokens, largely used in web single sign-on and authorization claims, have a very short security shelf life. Given a proper implementation, they are worthless after a few days.
But very sensitive information, like ongoing negotiations to sell part of the company in the next 2 years, obviously has a security shelf life of… 2 years. After the sale, it is not a secret anymore.
Personal data or strategic information like R&D, however, might have much longer security shelf lives.
What can happen?
Based on the above projections that Z (collapse time) might be around 12 to 14 years away (2035 – 2037) and that Y (migration time) takes 8 years for a small to mid-size organization, any business data with an X (security shelf life) greater than 4 years is, in early 2024, already exposed; the threshold may be even lower for a larger enterprise with a more complex migration.
For such data, your business might already be at risk if its protection depends on conventional cryptography. Indeed, any third party that obtains a copy of your data encrypted today with conventional cryptography (because they store it now, or because at least one copy is forgotten when data is re-encrypted with PQC during the migration) will be able to decrypt it once a CRQC is available (Z) and gain access to valuable information or break one of your valuable business processes.
Figure 5 – Copy missed during PQC re-encryption process
My crypto inventory
You should at least, and as soon as possible, understand where you hold such data (long X, protected by conventional cryptography) and prioritize the migration of the corresponding applications and of their underlying technical layers (software, operating system, network…). You have no control over Z, but you can work on X and Y, although the former, X, is sometimes set in stone.
You need to build a crypto inventory (“kind of” a CMDB, with C for Cryptography 😉) that gives you a comprehensive view of your current cryptographic business landscape and risk exposure.
A cryptographic inventory must, for every application that uses cryptography, at least include:
- whether it is internally developed or externally provided
  - if internal: software code documentation quality, availability of developers’ skills
  - if external: contract details, vendor plan to provide a PQC-ready version in due time
- cryptographic information
  - the algorithms and standards it employs
  - whether they are hard-coded or rely on a central encryption engine
  - exposure to quantum computers (symmetric cryptography is not as exposed as asymmetric)
  - key management architecture (ad hoc, Public Key Infrastructure – PKI, Key Management Server – KMS, Certificate Lifecycle Management – CLM…)
- data security shelf life (X)
- data sensitivity
- security properties: confidentiality, integrity, availability, authenticity, non-repudiation…
- a breakdown by business process / application feature
- PQC-readiness status: PQC-ready, PQC-agile, PQC-readiness plan, PQC-option, or PQC-unsuitable
This will lead you to build your migration plan, assigning to each of the above applications:
- its migration priority, dates and timing (Y),
- an assessment of its PQC adoption impact (as PQC algorithms are slower and use longer keys),
- and, potentially, its decommissioning or replacement by another application.
Figure 6 – Illustration of a portion of a potential crypto inventory
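To make the Mosca theorem and the crypto inventory above concrete, here is an added example (not code from the article or from Eviden) that scores constructed inventory entries against the Z estimates quoted in the article and ranks the ones that fail the inequality. The start year 2023 (from which the article counts “12 to 14 years” to Z) and the sample applications are assumptions.

```python
from dataclasses import dataclass

NOW = 2023  # assumption: year from which the article counts "12 to 14 years" to Z
Z_ESTIMATES = {"NSA": 2035, "BSI": 2033, "Quantum Threat Timeline 2022": 2037}
# Public-key schemes collapse under a CRQC; symmetric ones only lose some margin.
ASYMMETRIC = {"RSA", "ECDSA", "ECDH", "DH", "DSA"}

@dataclass
class InventoryEntry:
    application: str
    algorithms: tuple        # e.g. ("RSA-2048", "AES-256")
    shelf_life_years: float  # X: how long the data must stay protected
    migration_years: float   # Y: time needed to switch the application to PQC

def quantum_exposure(entry):
    """'high' if any public-key algorithm is used; symmetric-only data is 'low'."""
    families = {a.upper().split("-")[0] for a in entry.algorithms}  # "RSA-2048" -> "RSA"
    return "high" if families & ASYMMETRIC else "low"

def mosca_worry(x, y, z_year, now=NOW):
    """Mosca's inequality: if X + Y > Z (years left until collapse), worry now."""
    return x + y > z_year - now

def max_safe_shelf_life(y, z_year, now=NOW):
    """Largest X that still passes Mosca for a given migration time Y."""
    return (z_year - now) - y

def migration_priorities(entries, z_year, now=NOW):
    """Entries failing Mosca, most urgent first: high exposure, then largest overshoot."""
    years_left = z_year - now
    at_risk = []
    for e in entries:
        if mosca_worry(e.shelf_life_years, e.migration_years, z_year, now):
            overshoot = e.shelf_life_years + e.migration_years - years_left
            at_risk.append((e.application, quantum_exposure(e), overshoot))
    return sorted(at_risk, key=lambda r: (r[1] != "high", -r[2]))

# Constructed sample inventory, echoing the article's own examples.
INVENTORY = [
    InventoryEntry("Web SSO (JWT, RS256)", ("RSA-2048", "SHA-256"), 0.02, 2),
    InventoryEntry("M&A data room", ("ECDH-P256", "AES-256"), 2, 3),
    InventoryEntry("R&D archive", ("RSA-4096", "AES-256"), 15, 8),
    InventoryEntry("Patient records", ("ECDSA-P256", "AES-256"), 30, 8),
    InventoryEntry("Backup tapes", ("AES-256",), 10, 1),
]

if __name__ == "__main__":
    for org, z in Z_ESTIMATES.items():
        print(f"{org} (Z={z}): max safe X for Y=8 is {max_safe_shelf_life(8, z)} years")
        print("  ", migration_priorities(INVENTORY, z))
```

With the NSA figure the threshold comes out at 4 years, as in the article; with the BSI figure even the symmetric-only backups fall on the wrong side of the inequality, which is why Z deserves a sensitivity check rather than a single value.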
Hybridization and crypto agility?
As you have understood, we are facing a complex and potentially long migration, comparable to the most difficult ones the still young IT industry has seen.
But several cybersecurity agencies and standardization institutes (ANSSI in France, BSI in Germany, ENISA and ETSI in the EU) advise protecting your data with a hybrid approach first, which consists of combining conventional and PQC algorithms. The main purpose is “to buy time” for science to further improve the security of PQC algorithms. It would indeed defeat the purpose to migrate to a new algorithm that can be broken by conventional computers. To illustrate this risk, in early August 2022, two researchers, Castryck and Decru, from KU Leuven in Belgium, demonstrated how to break SIKE, a former PQC candidate, in a few minutes on an old single-core laptop.
To manage that complexity you need crypto agility. The idea is that if the chosen PQC algorithm is defeated, you can swap it for a different one without significant changes to the application and its system infrastructure. It will also help you adopt hybridization (PQC + conventional algorithm) first, then switch to standalone PQC, following the cybersecurity agencies’ advisories.
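As an added illustration of what “combining conventional and PQC algorithms” means at the key-derivation level (example code, not from the article or from any agency guidance): both key-exchange shared secrets feed one HKDF, so the session key stays secret as long as either algorithm holds, and the algorithm labels are bound into the derivation so peers that negotiated different suites cannot end up with the same key. The shared secrets and transcript are constructed placeholders; HKDF is implemented inline with the standard library, in the style of the concatenation combiner used in hybrid TLS designs.

```python
import hashlib
import hmac

def hkdf(ikm: bytes, info: bytes, length: int = 32, salt: bytes = b"") -> bytes:
    """RFC 5869 HKDF with SHA-256 (extract, then expand), standard library only."""
    prk = hmac.new(salt or b"\x00" * 32, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]

def hybrid_session_key(classical_alg: str, classical_ss: bytes,
                       pq_alg: str, pq_ss: bytes, transcript: bytes) -> bytes:
    """Concatenation combiner: the key depends on BOTH shared secrets, so an
    attacker who breaks only the classical scheme (a CRQC) or only the PQC one
    (a new classical attack, as happened to SIKE) still cannot derive it.
    The classical secret is length-prefixed so the concatenation is unambiguous,
    and the suite labels plus the handshake transcript go into the HKDF info."""
    ikm = len(classical_ss).to_bytes(2, "big") + classical_ss + pq_ss
    info = f"hybrid:{classical_alg}+{pq_alg}:".encode() + transcript
    return hkdf(ikm, info)

# Constructed placeholder values; real key exchanges would produce these secrets.
CLASSICAL_SS = bytes.fromhex("11" * 32)   # e.g. output of an X25519 exchange
PQ_SS = bytes.fromhex("22" * 32)          # e.g. output of a PQC KEM decapsulation
TRANSCRIPT = b"client_hello|server_hello"  # constructed stand-in for the handshake

def demo():
    """Returns (agreed key, key seen by an attacker lacking the PQC secret, key after a suite swap)."""
    key = hybrid_session_key("X25519", CLASSICAL_SS, "PQ-KEM", PQ_SS, TRANSCRIPT)
    # Attacker recovered the classical secret (CRQC) but must guess the PQC one.
    missing_pq = hybrid_session_key("X25519", CLASSICAL_SS, "PQ-KEM", bytes(32), TRANSCRIPT)
    # Crypto agility: swapping the PQC suite label changes the derived key.
    swapped = hybrid_session_key("X25519", CLASSICAL_SS, "PQ-KEM-v2", PQ_SS, TRANSCRIPT)
    return key, missing_pq, swapped
```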
“It’s time to plan wisely”
As Matthew Scholl, chief of the US NIST Computer Security Division, said: “It’s no time to panic. It’s time to plan wisely…“. While it may seem complex, there are several resources and guides to help you, made available by different sources such as academic institutions, standards bodies, industry associations, and cybersecurity vendors.
For instance, at Eviden, an Atos business, we have published a comprehensive PQC migration guide that covers the essentials of PQC migration and addresses all the aspects I’ve mentioned in this article. We have also trained our cybersecurity services teams to provide consulting and integration help. Further, we have provided clear short-term roadmaps for our own relevant products (1).
The key takeaways from this article are:
- Yes, a CRQC may be 10 or 20 years away.
- But the quantum threat it poses is already here, now, because there are several ways in which data encrypted with conventional cryptography, now and in the future, can end up in the hands of a CRQC, and because the protected data may still have value by then.
To understand whether you are already exposed to that quantum threat, you need to assess it, and building a cryptographic inventory, if you don’t have one already, is a good place to start.
By the way, it won’t serve only the PQC migration: it is also a major asset for demonstrating compliance with several existing regulations.
(1) – https://atos.net/en/2023/press-release_2023_04_05/eviden-supports-post-quantum-algorithms-with-its-trustway-proteccio-hsm
About the author
Vasco Gomes is Global CTO Cybersecurity Products & Digital Security Offering Technology Lead.
Ever since his Master of Science in Computer Science at Polytech Paris Saclay, Vasco has been helping customers balance operational constraints with acceptable business risks. With 23 years of rich experience, he has recently expanded his role to influence Eviden cybersecurity services and products roadmaps, partnerships, mergers, and acquisitions. He shares his passion for cybersecurity innovation as a keynote speaker at international events and at customers’ innovation workshops, helping them anticipate the future of cybersecurity and maximize sovereignty over their most critical data.
Vasco lives with his partner in London and in his spare time, he likes to hike and play football or read and learn about astrophysics and new technologies, besides cybersecurity. Convinced that in a world with limited resources, there is no possible forever exponential growth, he advocates for frugal and responsible technology choices: it’s not about could we but should we.