The point at which quantum computers will be capable of breaking existing cryptographic algorithms — known as “Q-Day” — is approaching. It’s a juncture that’s been discussed for years, but with advancements in computing power, post-quantum threats are becoming very real. Some security experts believe Q-Day will occur within the next decade, potentially leaving all digital information vulnerable under current encryption protocols.
Post-quantum cryptography (PQC) is therefore high on the agenda as the security community works to understand, build, and implement cryptographic encryption that can withstand post-quantum threats and attacks of the future.
“PQC migration provides an opportunity to re-evaluate the larger cybersecurity landscape,” Dylan Ruddy, a lead scientist within Booz Allen’s quantum sciences team, tells CSO. By integrating new PQC algorithms into a zero-trust architecture, cybersecurity infrastructure can be redesigned into a new crypto agility framework, he says.
“A redesign to these new agile security principals would allow system stakeholders to respond to new threats introduced by emerging technologies by investigating existing cryptographic assets, identifying new cryptographic threat surfaces, and integrating new cryptographic solutions.”
Here are 11 notable initiatives, programs, standards, and resources launched this year to help the creation/development of and migration to PQC.
IETF launches working group to coordinate quantum-resistant cryptographic protocols
In January, the Internet Engineering Task Force (IETF) launched the Post-Quantum Use In Protocols (PQUIP) working group to coordinate the use of cryptographic protocols that are not susceptible to large quantum computers. “The idea of the working group is to be a standing venue to discuss PQC from an operational and engineering side,” said Sofia Celi, co-chair of PQUI. “It is also a venue of last resort to discuss PQC-related issues in IETF protocols that have no associated maintenance on other working groups that the IETF has.”
The IESG said the working group has been set up on an experimental basis, and in two years, it intends to review it for rechartering to continue or else closure. In August, the group published the Post-Quantum Cryptography for Engineers paper to provide an overview of the current threat landscape and the relevant algorithms designed to help prevent those threats.
UK publishes National Quantum Strategy to steer technical standards
In March, the UK government published a new National Quantum Strategy detailing its 10-year plan for leading a quantum-enabled economy, recognizing the importance of quantum technologies for the UK’s security.
The UK will work with relevant global bodies to ensure that global quantum technical standards promote its prosperity and security interests, including accelerating the commercialization of quantum technologies and supporting the sector in the UK, outlined the strategy.
The UK will also work with key partners to scope and identify the best approach to coordinating national engagement in priority areas of quantum technical standards development. Relevant industry and academia will be engaged in these efforts to track priority standards activity, raise stakeholder awareness, and develop roadmaps to support UK engagement with quantum standards development, it added.
“There are a number of early quantum standardization activities taking place globally with significant focus on quantum-safe cryptography and quantum key distribution (QKD), with UK leadership in these areas,” the strategy read.
QuSecure pioneers live satellite quantum-resilient cryptographic communications link through space
In March, quantum security vendor QuSecure claimed to have accomplished the first known live, end-to-end quantum-resilient cryptographic communications satellite link through space. It marked the first time US satellite data transmissions had been protected from classical and quantum decryption attacks using PQC, according to the company. The quantum-secure communication to space and back to Earth was made through a Starlink satellite working with a leading global system integrator (GSI) and security provider.
This is significant because data shared between satellites and ground stations travels through the air and traditionally has been vulnerable to theft, leaving satellite communications even more accessible than typical internet communications, the vendor said.
QuSecure, Accenture achieve successful multi-orbit data communications test secured with PQC
Later in the same month, QuSecure announced it had collaborated with Accenture to accomplish the first successful multi-orbit data communications test secured with PQC. This demonstrated that crypto-agility, successfully rotating to a less vulnerable algorithm, is real and possible, achieved through an Accenture-facilitated low earth orbit (LEO) data transmission, the vendor said.
Prior to this advancement, data from multi-orbit satellites could be collected and potentially broken by classical means and quantum computers with enough power, QuSecure added. The transmission included a switch over from LEO to a geosynchronous orbit (GEO) satellite and back down to earth, as a model for redundancy in the event of a breach, failure, or threat to satellites in a single orbit.
“As more organizations are increasingly relying on space technology to provide solutions, resiliency and more relevant information, security of those systems and the data is paramount,” commented Paul Thomas, space innovation lead for technology innovation at Accenture.
NCCoE addresses preparing for the adoption of new PQC algorithms
In April, the US National Cybersecurity Council of Excellence (NCCoE), a collaboration of cybersecurity experts from the public and private sectors, released a draft publication addressing preparation for adopting new PQC algorithms. Migration to Post-Quantum Cryptography extended the typical message of urgency to plan for migration seen in federal mandates to members of the private sector.
NCCoE said it would be engaging with industry collaborators, regulated industry sectors, and the US government to bring awareness to the issues involved in migrating to post-quantum algorithms and to prepare the crypto community for migration.
PQShield supports PQC migration, advanced side-channel secured implementations
In May, PQC standards company PQShield signed a Memorandum of Understanding (MoU) with Tata Consultancy Services (TCS), a leading IT Services, consulting, and business solutions organization, to help clients transition to quantum-secure solutions. It also announced a collaboration with eShard, a side-channel analysis and testing tools provider, to further accelerate advanced side-channel secured implementations of PQC that are critical for high-security standards across industries.
“Quantum computers pose a particular threat to large organizations given the sprawling nature of their cryptographic infrastructure and their reliance on secure communications,” said Ali El Kaafarani, CEO and founder of PQShield. “We’re seeing a significant shift in the commercial landscape as more of these businesses wake up to the urgency of the problem and seek out a solution.”
X9 announces initiative to create PQC assessment guidelines
In June, the Accredited Standards Committee X9 Inc. (X9) announced a new initiative to create PQC assessment guidelines to act as a roadmap for PQC transitions. It invited participants to take part in the effort. When completed, the X9 guidelines might be used by an organization as a self-assessment tool, as an informal assessment of a third-party service provider, or as an independent assessment by a qualified information security professional, X9 said. An auditor or regulator might also refer to the assessment guidelines which could form a foundation for crypto agility standardization, it added.
“It will be important to have PQC assessment guidelines available before transitions are underway, for consistency to make the process as smooth as possible and the outcomes optimal,” said Michael Talley, chair of the X9F1 Cryptographic Tools working group.
Google readies Chrome for future attacks with quantum-resistant encryption
In August, Google announced it was taking a major step in making web browsing safe from future quantum computers by adding Chrome support for quantum-resistant encryption. Dubbed X25519Kyber768, the new quantum-resistant cryptography will be a hybrid mechanism that combines the output of two cryptographic algorithms to encrypt Transport Layer Security (TLS) sessions.
These are X25519, an elliptic curve algorithm widely used for key agreement in TLS today, and Kyber-768, a quantum-resistant Key Encapsulation Method (KEM). The new hybrid encryption has been made available in Chrome 116, and behind a flag in Chrome 115.
“Google’s announcement of shielding encryption keys in Chrome from quantum computers is very forward-looking,” said Pareekh Jain, chief analyst at Pareekh Consulting. “Quantum computers’ serious adoption is a few years away, but messages have a risk of getting stored now and decrypting later.”
NIST publishes draft PQC standards for global framework
In August, the US National Institute of Standards and Technology (NIST) published draft PQC standards designed to form a future global framework to help organizations protect themselves from quantum-enabled cyberattacks.
The standards were selected by NIST following a seven-year process which began when the agency issued a public call for submissions to the PQC Standardization Process. NIST called for public feedback on three draft Federal Information Processing Standards (FIPS), which are based upon previously selected encryption algorithms.
The public-key encapsulation mechanism selected was CRYSTALS-KYBER, along with three digital signature schemes: CRYSTALS-Dilithium, FALCON, and SPHINCS+. It is intended that these algorithms will be capable of protecting sensitive US government information well into the foreseeable future, including after the advent of quantum computers, incorporated into three FIPS: FIPS 203, FIPS 204, and FIPS 205, NIST said.
CISA, NSA, NIST issue PQC migration resource
In August, the US Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), and NIST published a factsheet on the impacts of quantum capabilities. It urged all organizations, especially those that support critical infrastructure, to begin early planning for migration to PQC standards by developing their own quantum-readiness roadmap.
Quantum-Readiness: Migration to Post-Quantum Cryptography outlined how organizations can prepare a cryptographic inventory, engage with technology vendors, and assess their supply chain reliance on quantum-vulnerable cryptography in systems and assets. The factsheet also provides recommendations for technology vendors whose products support the use of quantum-vulnerable cryptography.
“PQC is about proactively developing and building capabilities to secure critical information and systems from being compromised through the use of quantum computers,” said Rob Joyce, director of NSA cybersecurity. “The transition to a secured quantum computing era is a long-term intensive community effort that will require extensive collaboration between government and industry. The key is to be on this journey today and not wait until the last minute.”
Tech community launches PQC Coalition to drive understanding, adoption
In September, a community of technologists, researchers, and expert practitioners launched the PQC Coalition to drive progress toward broader understanding and public adoption of PQC algorithms. Founding coalition members include IBM Quantum, Microsoft, MITRE, PQShield, SandboxAQ, and the University of Waterloo.
The PQC Coalition will apply its collective technical expertise and influence to facilitate global adoption of PQC in commercial and open-source technologies. Coalition members will contribute their expertise to motivate and advance interoperable standards and technical approaches and step forward as knowledgeable experts in providing critical outreach and education.
The coalition will initially focus on four workstreams:
- Advancing standards relevant to PQC migration.
- Creating technical materials to support education and workforce development.
- Producing and verifying open-source, production-quality code, and implementing side-channel resistant code for industry verticals.
- Ensuring cryptographic agility.