Why Quantum Computing Discussions Can No Longer Be Ignored

By Martin Roesler

We are at the dawn of a new era in computing, one based on the principles of quantum mechanics. Quantum mechanics deals with the smallest particles in our universe, the building blocks of atoms, that form the materials of our physical world. These quantum particles behave in ways that often defy the rules of our macro world, leading to some fascinating effects. We already harness these effects in everyday technologies like lasers, atomic clocks, and electron microscopes.

Scientists worldwide are working to understand and exploit the unique behaviors of quantum particles, especially in computing. Quantum behavior suggests that these particles could excel at certain types of mathematical calculations, such as weather modeling and biochemical predictions. For instance, American mathematician Peter Shor developed an algorithm for factoring prime numbers that seems tailor-made for future quantum computers. If the theory holds, quantum computers could solve these tasks hundreds of thousands of times faster than today's fastest supercomputers.

Why we need post-quantum cryptography (PQC)

Modern encryption relies on the difficulty of factoring large prime numbers. Current computers would take months or even years to break these encryptions. However, quantum computers are expected to do this in seconds. This means that in about ten years, when quantum computers become commercially available, none of today's encrypted secrets will be safe. Sensitive information, like nuclear bunker plans, high-end medical device technologies, personal medical records, bank transactions, and top-secret political discussions, could all be at risk.

To make matters worse, intelligence agencies could decrypt old backups or wiretaps from today's encrypted communications once quantum computers are available. This means that not only is future communication at risk, but today's communication is already vulnerable.

To address this looming threat, the National Institute of Standards and Technology (NIST) in the US has been coordinating efforts to develop new cryptographic standards resistant to quantum computing power. This work began in 2017 and has finally yielded concrete results.

• On August 13th, 2024, NIST completed its search for a Post-Quantum Cryptography Standard.
• They recommend using three algorithms: CRYSTALS-Dilithium, CRYSTALS-KYBER, and SPHINCS.
• Details can be found at NIST's Post-Quantum Cryptography Standardization page.

The US government has already set clear requirements for implementing PQC encryption with tight timelines. From 2025 onward, systems using these new algorithms will be preferred, and achieving secure PQC status will be mandatory for critical infrastructure by 2027. The Australian government urges all vendors and suppliers to reach PQC compliance by 2030.

Impact

These new cryptographic standards will affect how organizations do business — especially with government agencies:

• Customers and suppliers working with governments will now face requests to be PQC compliant.
• PQC compliance, or at least a roadmap, will become a "must" for every government bid within the next 12-24 months.
• Governments will, or have already, rolled out recommendations for their clients to prepare and become compliant.

Recommendations

Companies need to identify where encryption is used or needed in their internal processes or products. Each case must be reviewed to determine if PQC is necessary. For example, email encryption is an obvious candidate for PQC, while TLS-based session encryption may still be sufficient in many cases.

Following this assessment, old encryption algorithms need to be replaced. However, this process comes with embedded issues that are not immediately visible. For instance, will the new encryption lead to longer payload in network packets? In embedded systems like a door camera for a treasure room, more packets could overwhelm the silicon chips or their buffers. Or will the encryption/decryption process significantly impact runtime behavior? In self-driving cars, this could have fatal consequences. Another aspect to consider is the management of encryption keys, as they will get significantly longer.

Solutions are already available for most of these scenarios, so don't panic. However, it will take time to identify and address each problem.

One also needs to consider transition and backward compatibility, for example, consider how the organization deals with archived data. This is not just a simple “replace this algorithm” R&D task; it will impact core business processes, logistics, customer communications, and even your legal department.

We've faced similar scenarios before — remember Y2K? The situation is very similar.

The difference is that with Y2K, we knew exactly when the deadline was. In the case of PQC, the due date depends on technological development — when quantum computers will be available. But governments around the globe are already providing timelines, guidance and directions.

In summary, quantum computing is not just a futuristic concept; it has real implications for our current technology landscape. Preparing for it now will save you from significant risks down the line.