A guide to a quantum safe organisation
In July of this year, NIST announced the first set of algorithms that will inform the final standards for post-quantum cryptography. In light of the announcement, the Quantum Economic Development Consortium (QED-C) issued an update to a report initially published in December 2021: Transitioning from today’s cybersecurity to a quantum-resilient environment.
The report positions the arrival of a viable, large-scale quantum computer as a very real threat to public key cryptography protocols, both now and in the years to come.
It also points out that the timelines for transitioning cybersecurity strategies and policies can be lengthy, resulting in a period of uncertainty, during which some applications, such as key exchange, could be vulnerable to harvest now, decrypt later attacks.
The report highlights coordinated and individual efforts by government, academia and industry to develop a quantum safe infrastructure. In particular, it profiles opportunities for post-quantum cryptography (PQC) and Quantum Key Distribution (QKD). The two technologies complement each other and, where applicable, could be used together in a hybrid solution to provide an even greater level of quantum security.
QKD leverages quantum mechanics
Whilst the standards for PQC are still in development, the report recognises that other quantum technologies are already in place and are being used to provide network data security today. QKD leverages the fundamental principles of quantum mechanics to guarantee forward secrecy of key exchange, and quantum random number generators (QRNG) are being used as a source of genuine entropy for the generation of encryption keys. Quantum technology is still an emerging market, and the process of standardization and certification for all of these solutions is still in its infancy.
The report proposes a roadmap for migrating to a quantum-safe state, which begins with creating an inventory of all cryptographic systems in use. With a complete inventory in place it is possible not just to introduce cryptographic agility (crypto agility), but to identify any legacy solutions that will not provide a suitable degree of long-term protection and replace them with more robust solutions that will provide protection against both quantum and classical threats.
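The inventory step can be made concrete with a small triage script. The following is an added example, not taken from the QED-C report or from any product: it classifies inventory records, flags key exchange exposed to harvest now, decrypt later attacks, and orders findings by how long the data must stay confidential. The record layout, the system names and the 256-bit symmetric target are assumptions made for illustration.

```python
from dataclasses import dataclass

# Public-key families that Shor's algorithm breaks on a large-scale quantum computer.
QUANTUM_VULNERABLE = {"RSA", "DH", "ECDH", "ECDSA", "X25519"}
# Algorithms NIST selected in July 2022 for post-quantum standardisation.
PQC = {"CRYSTALS-KYBER", "CRYSTALS-DILITHIUM", "FALCON", "SPHINCS+"}
# Review order: most urgent finding first.
RANK = ["harvest-now-decrypt-later", "replace-before-quantum", "unknown",
        "increase-key-size", "hybrid", "pqc", "ok"]

@dataclass
class Entry:  # hypothetical record layout for this example
    system: str
    usage: str           # "key_exchange", "signature" or "symmetric"
    algorithm: str       # hybrid components are joined with "+"
    key_bits: int
    lifetime_years: int  # how long the protected data must stay confidential

def classify(e: Entry) -> str:
    parts = [p.strip().upper() for p in e.algorithm.split("+")]
    if e.usage == "symmetric":
        # Grover's search gives a quadratic speed-up; 256-bit keys are the assumed target.
        return "ok" if e.key_bits >= 256 else "increase-key-size"
    if any(p in PQC for p in parts):
        return "hybrid" if len(parts) > 1 else "pqc"
    if any(p in QUANTUM_VULNERABLE for p in parts):
        # Recorded key exchanges can be decrypted later; signatures are
        # forgeable only once a quantum computer exists.
        return ("harvest-now-decrypt-later" if e.usage == "key_exchange"
                else "replace-before-quantum")
    return "unknown"  # not recognised: needs manual review

def triage(entries):
    """Return (system, finding) pairs, most urgent first, longest-lived data first."""
    found = [(RANK.index(classify(e)), -e.lifetime_years, e.system, classify(e))
             for e in entries]
    return [(system, finding) for _, _, system, finding in sorted(found)]

# Constructed inventory, for illustration only.
INVENTORY = [
    Entry("db-encryption", "symmetric", "AES", 256, 15),
    Entry("vpn-gateway", "key_exchange", "ECDH", 256, 10),
    Entry("pilot-link", "key_exchange", "X25519+CRYSTALS-Kyber", 0, 10),
    Entry("code-signing", "signature", "ECDSA", 256, 5),
    Entry("archive-tls", "key_exchange", "RSA", 2048, 25),
    Entry("disk-encryption", "symmetric", "AES", 128, 15),
    Entry("legacy-hsm", "key_exchange", "VENDOR-X", 0, 3),
]

if __name__ == "__main__":
    for system, finding in triage(INVENTORY):
        print(f"{system:16} {finding}")
```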
The QED-C recognise that implementing PQC will not be a simple swap-out for existing systems. Interoperability will be a key concern, so time will be needed to test system compatibility and understand whether hardware will need to be replaced. Fortunately, there are a number of emerging systems that offer hybrid encryption – combining the best of today’s standards-based algorithms and the emerging NIST-qualified PQC algorithms.
The report advocates vetting current and prospective cybersecurity solution providers to assess their own quantum roadmap and understand who will be responsible for which elements of the transition to quantum resilience.
For most, transitioning to a quantum safe organisation will be a matter of when, not if. Any organisation that needs to maintain compliance with FIPS, Common Criteria, or any other industry standards, is likely to find the process mandatory. Given this, it is better to start early and narrow the window of uncertainty.