Three NIST-approved encryption algorithms set the stage for establishing PQC strategies, which — despite quantum computing’s infancy — CISOs should begin launching given the attack techniques and challenges involved.

After eight years of review and development, the US National Institute of Standards and Technology (NIST) has chosen three encryption algorithms as the basis for its post-quantum cryptography (PQC). The three new algorithms collectively cover general encryption, used to protect information exchanged across a public network, and digital signatures.

For general encryption, NIST has approved ML-KEM, formerly known as CRYSTALS-Kyber and short for Module-Lattice-Based Key-Encapsulation Mechanism. ML-DSA (Module-Lattice-Based Digital Signature Algorithm) and SLH-DSA (Stateless Hash-Based Digital Signature Algorithm) have been given the go-ahead as standards for digital signatures. ML-DSA and SLH-DSA were previously known as CRYSTALS-Dilithium and SPHINCS+, respectively.

More algorithms, some based on other mathematical concepts, are still going through the evaluation process, but both NIST and independent security experts are encouraging computer system administrators to begin transitioning to the new standards as soon as possible.

“There is no need to wait for future standards,” said NIST mathematician Dustin Moody, who heads the PQC standardization project, in last week’s announcement. “Go ahead and start using these three. We need to be prepared in case of an attack that defeats the algorithms in these three standards, and we will continue working on backup plans to keep our data safe. But for most applications, these new standards are the main event.”

Classical encryption at risk from quantum computers

Post-quantum cryptography algorithms, such as ML-KEM, which is based on the mathematical properties of structured lattices, are able to withstand attacks from both classical and quantum computers.
Quantum computers leverage quantum physics principles to perform certain calculations exponentially faster than classical computers. This massive increase in processing speed allows them to solve some complex mathematical problems, like factoring large numbers, much more quickly. Many widely used encryption protocols, particularly public-key systems such as RSA, rely on the computational difficulty of factoring the products of large prime numbers, leaving them weak in the face of assault from future quantum computers. Sufficiently powerful quantum computers using Shor’s algorithm could theoretically break classical encryption algorithms in minutes.

Although experts predict sufficiently powerful quantum computers are still up to 10 years away, the upgrade process is far from trivial, so CISOs are being urged to launch projects now, starting with a risk assessment and an inventory of systems.

Kevin Curran, IEEE senior member and professor of cyber security at Ulster University, told CSO: “All known current quantum computers are too limited to attack any real cryptographic algorithm, but cryptographers are creating new algorithms to prepare for a time when quantum computing becomes a threat.”

Curran added: “To break current cryptosystems, quantum computers must have between 500 and 2000 qubits, yet existing quantum computers operate with less than 15 qubits at present.”

How urgently should CISOs move

Those facts may reduce the sense of urgency to launch PQC projects, but there are twists, including deployment challenges and anticipated attack techniques, that suggest starting now on PQC is vital.

Asymmetric encryption algorithms are the most at risk from quantum computers, hence the effort to develop PQC algorithms that are more resistant to attack. Symmetric encryption and hash functions are less affected, but would require larger key sizes to maintain current security levels in the face of attacks by future quantum computers.
Hardware and software packages with long lifespans that rely on potentially vulnerable encryption schemes are thus early candidates for upgrades. Post-quantum algorithms often require larger key sizes and more computational resources than classical cryptographic algorithms, a particular challenge for embedded systems. During the transition period, systems will need to support both classical and post-quantum algorithms in order to remain interoperable with legacy systems.

Deirdre Connolly, cryptography standardization research engineer at SandboxAQ, explained: “New cryptography generally takes time to deploy and get right, so we want to have enough lead time before quantum threats are here to have protection in place.”

Connolly added: “Particularly for encrypted communications and storage, that material can be collected now and stored for a future date when a sufficient quantum attack is feasible, known as a ‘Store Now, Decrypt Later’ attack: upgrading our systems with quantum-resistant key establishment protects our present-day data against upcoming quantum attackers.”

Standards bodies, hardware and software manufacturers, and ultimately businesses across the globe will have to implement new cryptography across all aspects of their computing systems. Work is already under way, with vendors such as BT (which is trialling a quantum-secured metro network in London), Google, and Cloudflare among the early adopters.
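The risk assessment and inventory that CISOs are urged to start with can be made concrete. The following is an added example, not code from the article or from any of the organisations it quotes: a first-pass triage over a constructed cryptographic inventory. Each record names the algorithm family, key or digest size, purpose, how long the protected data or signed artefact must stay secure, and the estimated time to migrate that system. Public-key schemes broken by Shor's algorithm are flagged for replacement, with the highest priority where the protection lifetime plus migration time exceeds the article's 10-year horizon (that is exactly the "Store Now, Decrypt Later" window, or, for signatures, the long-lived signed software case). Symmetric ciphers and hashes are checked on size only, since Grover's algorithm weakens rather than breaks them. The 10-year horizon, the 256-bit symmetric target and all inventory entries are assumptions made for the example.

```python
"""Quantum-risk triage over a constructed cryptographic inventory (added example)."""
from dataclasses import dataclass

# Classical public-key schemes that Shor's algorithm breaks on a large quantum computer.
QUANTUM_BROKEN_ASYMMETRIC = {"RSA", "DSA", "DH", "ECDH", "ECDSA", "X25519", "ED25519"}
# The three NIST-approved post-quantum algorithms named in the article.
PQC_STANDARDS = ("ML-KEM", "ML-DSA", "SLH-DSA")
# Symmetric ciphers and hashes are weakened, not broken, by Grover's algorithm,
# so the check is on key/digest size rather than on the algorithm itself.
SYMMETRIC_OR_HASH = {"AES", "CHACHA20", "SHA-256", "SHA-384", "SHA-512", "SHA3-256"}

QUANTUM_HORIZON_YEARS = 10  # assumption: the article's "up to 10 years away" estimate
MIN_SYMMETRIC_BITS = 256    # assumption: 256-bit keys keep ~128-bit strength under Grover


@dataclass
class InventoryRecord:
    system: str
    algorithm: str       # algorithm family, e.g. "RSA", "AES", "ML-KEM"
    bits: int            # key size, or digest size for hashes (0 = not applicable)
    purpose: str         # "key-exchange", "encryption", "signature" or "integrity"
    protect_years: int   # how long the data or signed artefact must stay secure
    migration_years: int # estimated time needed to upgrade this system


def assess(rec: InventoryRecord) -> dict:
    """Classify one inventory record and assign a migration priority (3 = most urgent)."""
    alg = rec.algorithm.upper()
    # Harvest-now-decrypt-later (and long-lived signed software) become a problem when
    # the protection lifetime plus the migration time runs past the quantum horizon.
    exposed = rec.protect_years + rec.migration_years > QUANTUM_HORIZON_YEARS
    if alg.startswith(PQC_STANDARDS):
        verdict, priority, reason = "ok", 0, "already a NIST post-quantum standard"
    elif alg in QUANTUM_BROKEN_ASYMMETRIC:
        verdict = "replace-with-pqc"
        priority = 3 if exposed else 2
        reason = ("protection lifetime outlives the quantum horizon: store-now-decrypt-later risk"
                  if exposed else "breakable once a sufficiently large quantum computer exists")
    elif alg in SYMMETRIC_OR_HASH:
        if rec.bits >= MIN_SYMMETRIC_BITS:
            verdict, priority, reason = "ok", 0, "size already adequate against Grover's algorithm"
        else:
            verdict, priority = "increase-size", 1
            reason = f"{rec.bits}-bit strength is roughly halved by Grover's algorithm"
    else:
        verdict, priority, reason = "review", 1, "algorithm family not recognised by this triage"
    return {"system": rec.system, "algorithm": rec.algorithm, "purpose": rec.purpose,
            "verdict": verdict, "priority": priority, "reason": reason}


def triage(records):
    """Assess every record and return the results with the most urgent migrations first."""
    return sorted((assess(r) for r in records), key=lambda a: -a["priority"])


# Constructed sample inventory; none of these are real systems.
SAMPLE_INVENTORY = [
    InventoryRecord("vpn-gateway", "ECDH", 256, "key-exchange", 15, 3),
    InventoryRecord("web-frontend", "RSA", 2048, "key-exchange", 1, 2),
    InventoryRecord("firmware-signer", "ECDSA", 256, "signature", 12, 4),
    InventoryRecord("backup-vault", "AES", 128, "encryption", 20, 1),
    InventoryRecord("log-integrity", "SHA-256", 256, "integrity", 5, 1),
    InventoryRecord("pilot-tunnel", "ML-KEM", 0, "key-exchange", 15, 0),
]

if __name__ == "__main__":
    for a in triage(SAMPLE_INVENTORY):
        print(f'P{a["priority"]} {a["system"]:<16}{a["algorithm"]:<8}{a["verdict"]:<18}{a["reason"]}')
```

The point of the ordering is that a web front end using RSA for short-lived sessions is a lower priority than a VPN gateway or firmware signer whose protected data or signed artefacts will still matter when a quantum computer arrives; in a real inventory the same records would be fed from certificate scans, TLS configuration and code-signing pipelines rather than typed in by hand.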
Andersen Cheng, founder and chairman of PQC specialist Post-Quantum, said: “We are now moving from maths to engineering and implementation, which is still a complex endeavour, but one where organizations like IETF and the National Cybersecurity Center of Excellence [NCCoE] now play an integral role.”

Cheng continued: “We’ve already seen Google and Cloudflare adopt some of the draft proposals, but it will now be down to IETF to include support for the Kyber family in protocols such as Transport Layer Security [TLS] if the whole of the public Internet is to become quantum-safe.”

CISOs need to develop a ‘cryptographic agility strategy’

Standards and products already exist for technologies such as quantum-safe virtual private networks, enabling migration to start immediately rather than waiting for updated Internet protocols like TLS, for which the timeline remains uncertain.

Samantha Mabey, director of digital security solutions at Entrust, commented: “Now that NIST has finalized three quantum-resistant security algorithms, it becomes increasingly crucial for CISOs to prepare for the quantum computing era. The shift to post-quantum cryptography is more than a technical update; it’s a vital step in protecting sensitive information, and promises to be more complex and time-consuming than anything we’ve seen before.”

Mabey explained: “To prepare effectively, CISOs need to quickly develop a comprehensive cryptographic agility strategy. This means identifying where their most sensitive data is stored, understanding the current cryptographic protections in place, and ensuring they can switch to quantum-resistant algorithms without major disruptions.”

Jamie Boote, associate principal consultant at the Synopsys Software Integrity Group, told CSO: “These new NIST standards are all about future-proofing the next generation of products. While it’s not likely that quantum computers capable of breaking current encryption algorithms will be common within the next decade, it is very likely that hardware and software with long lifespans may operate in future environments where not running post-quantum encryption algorithms is a real vulnerability.”

“Another consideration is that NIST released post-quantum standards around hashing and signatures — the methods that are used to verify the integrity of software that companies run, and long-lived software such as compilers that target specific architectures may see use for years after their last release,” Boote added.
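Two engineering pieces sit behind the "cryptographic agility" and transition-period interoperability the article describes: the peers must be able to agree on a suite (preferring a classical-plus-post-quantum hybrid, and falling back to classical only for a legacy peer), and the secrets from both algorithms must be folded into a single session key so that an attacker has to break both. The following is an added example, not code from the article, from NIST, or from any vendor quoted. It implements the negotiation and the combiner with HKDF-SHA256 (RFC 5869) from the Python standard library; the shared secrets are constructed placeholders standing in for X25519 and ML-KEM outputs, no real key exchange is run, and the suite names, preference order and labels are assumptions made for the example.

```python
"""Suite negotiation and hybrid shared-secret combination (added example)."""
import hashlib
import hmac

# Assumed server preference: hybrid first, post-quantum-only next, classical last.
# Classical stays in the list only so legacy peers keep working during the transition.
SUITE_PREFERENCE = ["X25519+ML-KEM-768", "ML-KEM-768", "X25519"]


def negotiate(client_offer, server_preference=SUITE_PREFERENCE):
    """Return the first suite in server preference order that the client also offered."""
    offered = set(client_offer)
    for suite in server_preference:
        if suite in offered:
            return suite
    return None  # no common suite: fail the handshake rather than downgrade silently


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """HKDF-Extract (RFC 5869) with SHA-256; an empty salt means HashLen zero bytes."""
    return hmac.new(salt or b"\x00" * 32, ikm, hashlib.sha256).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Expand (RFC 5869) with SHA-256."""
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def _length_prefixed(secret: bytes) -> bytes:
    # Length-prefix each component so the concatenation is unambiguous even when
    # one component is empty (classical-only or post-quantum-only suites).
    return len(secret).to_bytes(2, "big") + secret


def combine_shared_secrets(suite, ss_classical, ss_pq, transcript_hash, length=32):
    """Derive one session key from both shared secrets.

    The key depends on every byte of both inputs, so recovering it requires breaking
    both X25519 and ML-KEM. The negotiated suite name is bound into the HKDF info
    and the handshake transcript into the salt, so the same secrets yield different
    keys under a different suite or a tampered transcript.
    """
    ikm = _length_prefixed(ss_classical) + _length_prefixed(ss_pq)
    prk = hkdf_extract(transcript_hash, ikm)
    return hkdf_expand(prk, b"hybrid-session-key:" + suite.encode(), length)


def constructed_inputs():
    """Constructed placeholder secrets; in a real handshake these come from the
    X25519 and ML-KEM operations and from hashing the handshake messages."""
    ss_classical = hashlib.sha256(b"constructed X25519 shared secret").digest()
    ss_pq = hashlib.sha256(b"constructed ML-KEM-768 shared secret").digest()
    transcript = hashlib.sha256(b"constructed handshake transcript").digest()
    return ss_classical, ss_pq, transcript


def demo(client_offer=("X25519", "X25519+ML-KEM-768")):
    """Negotiate a suite for the given client offer and derive the session key."""
    suite = negotiate(client_offer)
    if suite is None:
        return None, None
    ss_classical, ss_pq, transcript = constructed_inputs()
    if "ML-KEM" not in suite:
        ss_pq = b""          # post-quantum component absent under a classical-only suite
    if "X25519" not in suite:
        ss_classical = b""   # classical component absent under a post-quantum-only suite
    return suite, combine_shared_secrets(suite, ss_classical, ss_pq, transcript)


if __name__ == "__main__":
    for offer in (["X25519", "X25519+ML-KEM-768"], ["X25519"], ["RSA-2048"]):
        suite, key = demo(offer)
        print(f"offer={offer} -> suite={suite} key={key.hex() if key else None}")
```

The design choice worth noting is that the classical-only path exists for interoperability with legacy peers, not as a permanent option: once a peer advertises the hybrid suite, the negotiation never picks the weaker one, and an audit of which suite each connection actually negotiated is the measurement a CISO can use to track the migration.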