Post-Quantum Cryptography: The Future of Secure Communications and the Role of Standards

Digital security has long relied on cryptographic algorithms built on complex mathematical problems to keep sensitive data and transactions safe from unauthorized access. These problems were chosen to be nearly impossible for classical computers to solve, ensuring robust protection and encryption for online activities like email communication, secure banking, and more. However, recent advancements in quantum computing are challenging this security foundation. Unlike classical computers, which process data in binary form (0s and 1s), quantum computers use qubits that can exist in multiple states simultaneously, a property known as superposition. This capability allows quantum computers to solve some of these mathematical problems much faster, potentially breaking the cryptographic systems that have protected data and internet transactions for decades.

The Quantum Threat to Digital Security

Quantum computers pose a big threat to digital security because they may soon break the encryption methods that protect our online communications today. Encryption methods like RSA and ECC rely on problems that are hard for regular computers to solve, but quantum computers can solve these problems much faster using special algorithms. This means quantum computers could crack the keys to access sensitive data, such as personal details, financial transactions, and government secrets, putting privacy and security at risk.

As quantum computing technology advances, it’s becoming more urgent to address this issue. Encryption methods that are secure now might not be safe in the future, making it crucial to develop Post-Quantum Cryptography (PQC). PQC aims to create new encryption methods that can protect against both classical and quantum attacks, ensuring data remains secure. NIST has recently approved a set of PQC encryption algorithms that are designed to protect digital systems from quantum threats and keep our digital security intact.

The Emergence of Post-Quantum Cryptography (PQC)

What is PQC?

Post-quantum cryptography (PQC) refers to a new set of cryptographic algorithms that are considered “quantum resistant,” meaning they are expected to remain secure even against powerful quantum computers.

The goal of PQC is to provide protection not only against future quantum computers, but also to work smoothly with current protocols and network systems. Effective PQC solutions will integrate with existing systems to protect data from all types of attacks, both current and future, regardless of the computing technology used.

Although quantum computers are still in the early stages of development, cybersecurity experts have already developed PQC algorithms, which NIST has now standardized, that can defend against potential quantum-based attacks. These security measures are designed to evolve alongside advancements in quantum computing, ensuring they stay ahead of quantum threats when properly implemented.

How does PQC work?

Post-Quantum Cryptography (PQC) is about changing the mathematical problems that are the foundation of cryptographic algorithms. Future quantum computers, using Shor’s algorithm, will be able to easily solve problems like factorization and discrete logarithms, which would make current algorithms like RSA, DSA, DH, and ECDH insecure. PQC uses different mathematical problems that are believed to be difficult for both classical and quantum computers to solve.

PQC itself is a traditional approach, meaning it does not rely on quantum networks or quantum states. The term “post-quantum” refers to its goal of providing a security solution that cannot be broken by quantum computers.

The Need for Standard Bodies and Regulations

The adoption of Post-Quantum Cryptography (PQC) requires standard bodies and regulations to ensure that organizations worldwide follow a unified approach to securing digital information in the face of quantum threats. Without clear standards, different entities might adopt varying methods, leading to inconsistencies and potential vulnerabilities in data protection.

Standard bodies, such as NIST, play a critical role by evaluating, selecting, and recommending PQC algorithms that are proven to be secure and effective. These standards help industries and governments adapt to quantum threats in a coordinated way. Regulations enforce these standards, ensuring that organizations follow best practices and secure sensitive data before quantum computers become powerful enough to break existing encryption methods. Together, these standards and regulations create a strong framework for protecting digital security across the globe.

Standard Bodies and Recent Developments

While NIST is leading the development of post-quantum cryptography (PQC) standards, other international organizations are also working on this. Groups like the International Telecommunication Union (ITU), ISO, and ETSI in Europe are creating additional PQC frameworks. They understand the urgency of preparing for the impact of quantum computing.

One of the main challenges is to update current standards without causing compatibility issues or disrupting existing systems. These organizations must also consider the specific needs of important sectors, such as finance, healthcare, and defense, which handle highly sensitive information. It is crucial to develop standards that ensure strong security for these industries while transitioning smoothly to quantum-resistant solutions.

Key reasons why the transition to PQC requires regulatory and standard changes

Future-Proofing Security: Current cryptographic standards, like RSA and ECC, are vulnerable to quantum attacks. PQC algorithms are designed to resist these threats. Regulatory updates are needed to mandate the adoption of PQC, ensuring long-term security.

Compliance and Certification: Many industries are bound by strict compliance requirements. As PQC becomes the new standard, regulations must evolve to incorporate these algorithms into compliance frameworks, so organizations remain certified and legally protected.

Interoperability: New PQC standards must ensure that systems can still communicate securely with existing infrastructure during the transition. Regulatory bodies need to set guidelines for this interoperability to avoid disruptions in communication and data exchange.

Risk Management: As organizations transition to PQC, there will be a mix of traditional and quantum-resistant algorithms in use. Regulatory changes are needed to guide this transition, manage the associated risks, and avoid security gaps.

Global Consistency: Different countries may adopt PQC at varying paces. To avoid fragmentation and ensure global security, international regulatory bodies must harmonize standards, ensuring consistency in PQC adoption worldwide.

Country-specific PQC efforts are ongoing

United States

The US is leading the way in adopting Post-Quantum Cryptography (PQC) to protect against future quantum threats. The National Institute of Standards and Technology (NIST) has already selected several PQC algorithms for encryption and digital signatures. Federal agencies are required to start implementing these standards to ensure national security and protect economic interests. Transitioning to PQC will help the US maintain its lead in quantum technology and secure its digital infrastructure.

France

France is actively working on PQC by funding research and supporting NIST’s standardization efforts. French agencies are also implementing PQC in their systems and encouraging private companies to adopt quantum-safe algorithms.

Germany

Germany recognizes the importance of PQC and has begun its implementation to prepare for quantum computing threats. The government has allocated resources for research and is working with international partners to speed up the deployment of PQC algorithms. Both government agencies and private companies in Germany are being urged to adopt PQC.

United Kingdom

The UK is involved in developing and adopting PQC. The National Cyber Security Centre (NCSC) has advised organizations to start planning for PQC and has funded various research projects. The UK is also participating in international collaborations to advance PQC adoption.

Taipei

At the “PQC Standardization and Migration Workshop” in Taipei, experts emphasized the need to prepare for quantum computing’s impact on cybersecurity. They discussed the importance of global standards and the challenges of implementing quantum-safe solutions. The consensus was that transitioning to PQC is essential for future data security.

Australia

The Australian Signals Directorate (ASD) highlights the importance of PQC in protecting communications from future quantum threats. Thales, a key player in this field, views NIST’s PQC standards as a significant development. They urge companies to adopt quantum-safe methods soon to avoid risks like “Harvest Now, Decrypt Later” attacks. Thales is actively developing quantum technologies and solutions to help organizations transition to PQC smoothly.

China

China is a global leader in Quantum Key Distribution (QKD) and has heavily invested in QKD and quantum computing technologies. Unlike the US, which focuses on PQC, China prioritizes QKD in its quantum strategy. China aims to establish global quantum-safe network coverage using QKD systems on satellites, with plans to launch its first quantum satellite in 2026. It has already built a QKD-secured network between Beijing and Shanghai and is working with Russia on a quantum communication system.

India

India, now the world’s most populous country, is making significant strides in quantum technology, including QKD. The National Quantum Mission launched in 2023 aims to develop quantum-secure networks and reduce reliance on foreign technology. India plans to expand its QKD network and establish a nationwide quantum communication network. The government is also encouraging private companies to invest in QKD research and development.

Japan

Japan is integrating PQC across various industries to protect against quantum computing risks. Government and defense sectors, banks, healthcare providers, telecom companies, and retail businesses are all adopting PQC to secure data and comply with regulations. Japan’s PQC market is expected to grow, driven by technological advancements and increasing awareness of quantum threats.

Malaysia

Following NIST’s release of PQC algorithms, Malaysia has been proactive in advancing PQC. The country hosted the South-East Asia Post-Quantum Cryptography (SEA-PQC) Summit during Malaysia Cryptology Week 2024 to promote regional collaboration and accelerate the development of quantum-safe solutions. Malaysia is committed to aligning with global PQC standards and strengthening regional cybersecurity.

Standard bodies involved in PQC advancement

U.S. National Institute of Standards and Technology (NIST)

NIST has already published a set of standard PQC encryption algorithms that can withstand the risks quantum computing brings. As part of this work, NIST has set standards for several post-quantum cryptographic algorithms. These focus on two key tasks: general encryption, which protects information exchanged over public networks, and digital signatures, which verify identities.

The new post-quantum encryption standards are based on three encryption algorithms engineered to withstand cyberattacks from a quantum computer:

Federal Information Processing Standard (FIPS) 203:

Algorithm: CRYSTALS-Kyber (now called ML-KEM, Module-Lattice-Based Key-Encapsulation Mechanism).

Purpose: A standard for general data encryption, known for its compact encryption keys and quick operation.

FIPS 204:

Algorithm: CRYSTALS-Dilithium (now called ML-DSA, Module-Lattice-Based Digital Signature Algorithm).

Purpose: The main standard to safeguard digital signatures.

FIPS 205:

Algorithm: SPHINCS+ (now called SLH-DSA, Stateless Hash-Based Digital Signature Algorithm).

Purpose: A digital signature standard that uses a different math approach as a backup to ML-DSA.

These standards represent a key step forward in the shift to quantum-proof encryption. They ensure that robust cryptographic methods will continue to safeguard data when quantum computers become a reality.

National Security Agency (NSA)

The NSA highlights the importance of preparing for a shift to PQC due to the risks quantum computing poses to current encryption. The NSA, alongside CISA and NIST, has released a roadmap for organizations, especially those in critical infrastructure, to start migrating toward PQC standards. They stress the need for proactive measures now to stay ahead of quantum threats, emphasizing that government and industry collaboration will be essential in addressing these vulnerabilities.

Cybersecurity and Infrastructure Security Agency (CISA)

CISA underscores the need for immediate preparation for PQC migration. Together with the NSA and NIST, CISA has issued guidance urging critical infrastructure sectors to create quantum-readiness plans, inventory their cryptographic systems, and work with vendors. They warn that quantum computing could soon threaten current cryptographic standards, making it vital to begin planning now to protect sensitive data from future risks.

National Cyber Security Centre (NCSC)

The UK’s NCSC stresses the urgency of preparing for PQC. Future quantum computers could break current encryption methods, so they recommend starting migration efforts now. Organizations should identify critical assets and determine where vulnerable cryptographic algorithms are used. The NCSC supports adopting the standard quantum-safe algorithms approved by NIST and encourages a phased approach to ensure national infrastructure and sensitive data remain secure.

European Union Agency for Cybersecurity (ENISA)

ENISA emphasizes the need for immediate implementation of PQC protocols to address the potential threat quantum computing poses to current encryption methods. They advocate for integrating post-quantum systems into existing protocols, using hybrid approaches that combine both pre-quantum and post-quantum cryptography to enhance security during the transition.

PQC Worldwide: NIST’s Standards and Global Reactions

  • Deputy National Security Advisor for Cyber and Emerging Technologies, Anne Neuberger, highlighted the importance of preparing for quantum computing threats. She emphasized the need to protect sensitive data that could be vulnerable to quantum decryption within the next decade. This is particularly crucial for the intelligence community and the Department of Defense. https://www.internetandtechnologylaw.com/encryption-employment-quantum-computing-ai/
  • Celia Merzbacher, Executive Director of the Quantum Economic Development Consortium (QED-C), emphasized that the new Post-Quantum Cryptography (PQC) standards are crucial for strengthening cybersecurity across all businesses. Quantum computers, which could eventually break current encryption, pose a risk not only in the future but also today through methods like “harvest now, decrypt later.” QED-C strongly recommends the rapid adoption of PQC standards, especially in critical sectors like transportation, energy, and finance. https://www.hpcwire.com/2024/08/13/nist-issues-post-quantum-cryptography-standards-and-calls-for-their-adoption/
  • Google shared tips on managing the transition to Post-Quantum Cryptography (PQC). They noted that moving to new encryption methods can be slow, even when existing systems have known flaws. This delay often occurs due to the practical challenges organizations face in adopting new technologies. For instance, NIST began phasing out SHA-1 hash functions in 2011, and they recommend a full transition by 2030. https://security.googleblog.com/2024/08/post-quantum-cryptography-standards.html
  • Palo Alto Networks announced that all their Next-Generation Firewall (NGFW) products running the latest PAN-OS now support three new PQC standard algorithms, along with additional non-standard PQC algorithms. This allows customers to prepare for future encryption needs with greater flexibility.

The release of the first set of PQC standards is a significant achievement, following an eight-year global effort led by the U.S. National Institute of Standards and Technology (NIST). However, this milestone also signals the beginning of preparations for quantum computing. The recent announcement triggers new U.S. policy deadlines under National Security Memorandum-10, which mandates that federal agencies begin testing and transition to PQC by 2035. https://www.paloaltonetworks.com/blog/2024/08/white-house-post-quantum-announcement/

  • Duncan Jones, head of cybersecurity at Quantinuum, highlighted the importance of NIST’s standardization of post-quantum cryptography (PQC) algorithms. He views this as a crucial step in safeguarding data against emerging quantum threats. Jones encouraged CISOs to adopt these new standards, noting the rapid development of quantum technology. With governments increasing investments in quantum research and quantum hardware advancing quickly, the arrival of powerful quantum computers may be sooner than expected. Jones also emphasized the need for a layered cybersecurity approach that combines PQC with quantum-based solutions, such as quantum randomness for encryption. https://thequantuminsider.com/2024/08/13/nist-officially-announces-release-of-first-3-finalized-post-quantum-encryption-standards-plus-quantum-community-reaction/
  • The National Institute of Standards and Technology (NIST) has released a second draft of its “Digital Identity Guidelines” after receiving over 4,000 comments on the first draft from December 2022. This updated version aims to strengthen digital identity security and prevent fraud by incorporating new technologies such as online passkeys and mobile driver’s licenses. The guidelines reflect the Biden administration’s focus on enhancing cybersecurity while ensuring digital services are accessible to all. NIST highlights the importance of using both modern digital methods and traditional approaches for secure online access, with a focus on reliable biometric systems and strong performance standards to combat fraud. https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-63-4.2pd.pdf

Post-Quantum Cryptography (PQC) is becoming a critical requirement for securing digital systems as quantum computing advances. The quantum threat is real, and taking steps now is vital. Standards bodies and governments are pushing for the adoption of PQC in existing cryptographic systems. By updating regulations and integrating PQC alongside current methods, these organizations are emphasizing the importance of strong encryption to protect against future quantum risks. PQC is essential for ensuring long-term security in the face of these new threats.

About the Author

Ganesh Gopalan

Vice President - Product Management
