{"id":15447,"date":"2022-04-14T09:30:00","date_gmt":"2022-04-14T13:30:00","guid":{"rendered":"https:\/\/www.thesslstore.com\/blog\/?p=15447"},"modified":"2025-03-19T13:36:27","modified_gmt":"2025-03-19T17:36:27","slug":"quantum-resistant-encryption-why-its-critical-to-future-cybersecurity","status":"publish","type":"post","link":"https:\/\/www.thesslstore.com\/blog\/quantum-resistant-encryption-why-its-critical-to-future-cybersecurity\/","title":{"rendered":"A Look at Quantum Resistant Encryption &#038; Why It\u2019s Critical to Future Cybersecurity"},"content":{"rendered":"\n<h2 class=\"wp-block-heading\" id=\"h-quantum-resistant-cryptography-will-be-a-key-part-of-cybersecurity-in-the-future-here-s-what-to-know-about-how-to-protect-your-data-when-hackers-are-armed-with-quantum-computers\">Quantum resistant cryptography will be a key part of cybersecurity in the future. Here\u2019s what to know about how to protect your data when hackers are armed with quantum computers\u2026<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Quantum computing is a contentious topic that people tend to either love or hate depending on where they\u2019re seated. On one hand, it represents an incredible opportunity in terms of data processing speeds and capabilities. On the other, it\u2019s a means through which to destroy the cryptographic algorithms we now rely on to keep sensitive data secure online. This is where something known as quantum resistant encryption comes into play.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">But what is quantum resistant encryption? This article explores the history of quantum computing in cryptography, why it\u2019s a threat to modern online security, and what organizations can do to prepare to implement <a href=\"https:\/\/www.thesslstore.com\/blog\/quantum-safe-encryption-digicert\/\">quantum safe cryptography<\/a> within their IT environments.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Let\u2019s hash it out.<span id=\"newline\"><\/span><\/p>\n\n\n\n<div class=\"wp-block-advanced-gutenberg-blocks-notice is-variation-info has-icon\" data-type=\"info\"><svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" width=\"24\" height=\"24\" viewBox=\"0 0 24 24\" fill=\"none\" stroke=\"currentColor\" stroke-width=\"2\" stroke-linecap=\"round\" stroke-linejoin=\"round\"><circle cx=\"12\" cy=\"12\" r=\"10\"><\/circle><line x1=\"12\" y1=\"16\" x2=\"12\" y2=\"12\"><\/line><line x1=\"12\" y1=\"8\" x2=\"12\" y2=\"8\"><\/line><\/svg><p class=\"wp-block-advanced-gutenberg-blocks-notice__title\">Chrome version 116 Includes Hybrid PQC Algorithm<\/p><p class=\"wp-block-advanced-gutenberg-blocks-notice__content\">Google <a href=\"https:\/\/www.thesslstore.com\/blog\/google-chrome-adds-support-for-a-hybrid-post-quantum-cryptographic-algorithm\/\">Chrome integrated a post quantum cryptography (PQC) algorithm<\/a> in version 116 of its browser. <\/p><\/div>\n\n\n<span style=\"--tl-form-height-m:149.594px;--tl-form-height-t:120.9844px;--tl-form-height-d:120.9844px;\" class=\"tl-placeholder-f-type-shortcode_18369 tl-preload-form\"><span><\/span><\/span>\n\n\n<h2 class=\"wp-block-heading\" id=\"h-what-is-quantum-resistant-encryption-explaining-quantum-safe-cryptography\">What Is Quantum Resistant Encryption? Explaining Quantum Safe Cryptography<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">In a nutshell, quantum resistant encryption refers to a set of algorithms that are anticipated to remain secure once quantum computing moves out of the lab and into the real world. (They will replace the <a href=\"https:\/\/www.thesslstore.com\/blog\/public-key-cryptography-key-exchange\/\">public key cryptography<\/a> algorithms currently used by billions of people around the world every day.)<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">By the way, when people use any of the following terms, they\u2019re typically talking about the same thing (in most cases):<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Quantum resistant encryption<\/li>\n\n\n\n<li>Quantum resistant cryptography (QRC)<\/li>\n\n\n\n<li>Quantum safe cryptography<\/li>\n\n\n\n<li>Post-quantum cryptography (PQC)<\/li>\n\n\n\n<li><a href=\"https:\/\/www.thesslstore.com\/blog\/post-quantum-encryption\/\">Post quantum encryption<\/a><\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">All of the public key encryption algorithms we currently rely on today are expected to be broken once researchers succeed in building large enough quantum computer. Once that happens, quantum resistant encryption will need to be used everywhere (both by &#8220;normal&#8221; [i.e., \u201cclassical\u201d] and quantum computers) so that attackers with quantum computers can&#8217;t break the encryption to steal data.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-why-will-quantum-computers-break-current-encryption-standards\">Why Will Quantum Computers Break Current Encryption Standards?<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Quantum computers are fundamentally different from the computers we use today. These devices use specialized hardware components that bring quantum physics into the equation and allows them to perform certain calculations exponentially faster than even the fastest supercomputer we currently have. (We\u2019ll speak to that more later in the article.)<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Current public key cryptographic algorithms rely on complex mathematics (for example, the <a href=\"https:\/\/www.thesslstore.com\/blog\/is-it-still-safe-to-use-rsa-encryption\/\">RSA encryption<\/a> algorithm relies on factoring prime numbers while Diffie-Hellman and elliptic curve cryptography, or ECC, rely on the discrete logarithm problem) to securely transmit data. This means that every time you buy an item on Amazon, your browser communicates with Amazon\u2019s web server via a mathematically derived secure communication channel based on one of these mathematical approaches.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The problem is that some quantum computers will be able to solve these mathematical problems so quickly that hackers would be able to break modern public key encryption within minutes. (Basically, rendering the encryption public key algorithms provide useless.)<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">According to the <a href=\"https:\/\/www.nsa.gov\/Cybersecurity\/Post-Quantum-Cybersecurity-Resources\/\">National Security Agency<\/a> (NSA), quantum resistant cryptography should be \u201cresistant to cryptanalytic attacks from both classical and quantum computers.\u201d With this in mind, these algorithms would be something that can be used both <em>before and after <\/em>quantum computers are put to use in real-world applications. They\u2019re designed with <a href=\"https:\/\/www.thesslstore.com\/blog\/quantum-computings-threat-public-key-cryptography-need-worry\/\">quantum computing threats<\/a> in mind, but they\u2019re not limited to being used only after a cryptographically relevant quantum computer (CRQC) is created.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-modern-algorithms-vs-post-quantum-encryption-algorithms\">Modern Algorithms vs Post Quantum Encryption Algorithms<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Currently, encryption over insecure channels (e.g., the internet) relies on something known as public key cryptography. The idea behind traditional public key algorithms is that two parties (i.e., your website\u2019s server and the customer who wants to connect to it) can communicate securely using two separate but related keys: a public key that encrypts data and a private key that decrypts it. They use these keys to exchange secret information that they can use to create a secure, symmetrically encrypted communication channel. (Why symmetric encryption? Because it\u2019s faster and less resource-intensive than public key encryption.)<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Unlike modern algorithms, quantum resistant encryption algorithms will replace existing public key specifications with ones that are thought to be quantum resistant. Again, this is because the modern digital signature and key establishment algorithms we rely on in public key encryption now will no longer be secure when CRQCs become a thing.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">NIST says that <a href=\"https:\/\/www.nist.gov\/news-events\/news\/2019\/01\/nist-reveals-26-algorithms-advancing-post-quantum-crypto-semifinals\">quantum resistant algorithms typically fall in one of three main camps<\/a>:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Code-based cryptography \u2014 These are algorithms that rely on \u201cerror-correcting codes.\u201d<\/li>\n\n\n\n<li>Lattice-based cryptography \u2014 These algorithms involve matrices based on geometric structures.<\/li>\n\n\n\n<li>Multivariate public key cryptosystems \u2014 These types of algorithms vary based on the type of problems they\u2019re trying to solve.<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">There is a fourth category that some reference \u2014 stateful hashed-based signatures. But according to <a href=\"https:\/\/csrc.nist.gov\/Projects\/post-quantum-cryptography\/faqs\">NIST\u2019s PQC FAQs page<\/a>:<\/p>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p class=\"wp-block-paragraph\"><em>\u201cIt is expected that NIST will only approve a stateful hash-based signature standard for use in a limited range of signature applications, such as code signing, where most implementations will be able to securely deal with the requirement to keep state.\u201d<\/em><\/p>\n<\/blockquote>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-what-would-be-considered-a-quantum-resistant-encryption-algorithm\">What Would Be Considered a Quantum Resistant Encryption Algorithm?<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">We can\u2019t give you a specific answer here because, well, nothing has really been decided yet. The National Institute of Standards and Technology (NIST) has been engaged in a large-scale cryptographic competition of sorts for the past several years. The competition is an opportunity for mathematicians, researchers, cryptographers, educators and scientists to submit algorithms for consideration as future federal standards.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The standards body announced their selection of seven candidates and eight alternate algorithm candidates from the <a href=\"https:\/\/csrc.nist.gov\/projects\/post-quantum-cryptography\/round-3-submissions\">third round of submissions<\/a>. However, no final decisions have been made regarding which algorithm(s) will be standardized:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>4 public key encryption and key-enablement algorithms (<a href=\"https:\/\/classic.mceliece.org\/\">Classic McEliece<\/a>, <a href=\"https:\/\/pq-crystals.org\/\">CRYSTALS-KIBER<\/a>, <a href=\"https:\/\/ntru.org\/\">NTRU<\/a>, <a href=\"https:\/\/www.esat.kuleuven.be\/cosic\/pqcrypto\/saber\/\">SABER<\/a>)<\/li>\n\n\n\n<li>3 digital signature algorithms (<a href=\"https:\/\/pq-crystals.org\/\">CRYSTALS-DILITHIUM<\/a>, <a href=\"https:\/\/falcon-sign.info\/\">FALCON<\/a>, <a href=\"https:\/\/www.pqcrainbow.org\/\">Rainbow<\/a>)<\/li>\n\n\n\n<li>5 alternate public key encryption and key enablement algorithms<\/li>\n\n\n\n<li>3 alternate digital signature algorithms<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-what-is-quantum-computing\">What Is Quantum Computing?<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">To better understand quantum resistant encryption and why it\u2019s needed, you first need to understand quantum computers and their anticipated impact on cyber security. The idea behind quantum computing is that these devices use quantum mechanics to approach problem solving \u2014 the general goal of all modern computers \u2014 in a whole new way and at exponentially faster speeds.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">According to <a href=\"https:\/\/arxiv.org\/pdf\/1804.00200.pdf\">research from Mavroeidis, Vishi, Zych, and J\u00f8sang<\/a> at the University of Oslo, Norway, there are two types of quantum computers:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Universal quantum computers<\/strong> \u2014 As the categorical name implies, these devices are designed to perform virtually any task<\/li>\n\n\n\n<li><strong>Non-universal quantum computers<\/strong> \u2014 These machines are, essentially, designed for specific purposes to handle specific tasks. For some tasks, they aren\u2019t anticipated to be much faster than classical computers.<\/li>\n<\/ul>\n\n\n<span style=\"--tl-form-height-m:905.547px;--tl-form-height-t:998.172px;--tl-form-height-d:998.172px;\" class=\"tl-placeholder-f-type-shortcode_18375 tl-preload-form\"><span><\/span><\/span>\n\n\n<p class=\"wp-block-paragraph\">At a basic level, the computers we use today (classical computers) communicate data using specific combinations of 1s and 0s (binary numbers called bits). All modern computers play by these same rules. For example, if I type the word \u201cHowdy!\u201d the computer uses this combination of bits to communicate the precise combination of keys I press: <em>01001000 01101111 01110111 01100100 01111001 00100001<\/em>.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"226\" src=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2022\/04\/how-messages-translate-to-binary-1024x226.png\" alt=\"An illustration of how &quot;Howdy!&quot; becomes the message &quot;01001000 01101111 01110111 01100100 01111001 00100001&quot; when translated to machine language\" class=\"wp-image-15451\" srcset=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2022\/04\/how-messages-translate-to-binary-1024x226.png 1024w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2022\/04\/how-messages-translate-to-binary-300x66.png 300w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2022\/04\/how-messages-translate-to-binary-768x170.png 768w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2022\/04\/how-messages-translate-to-binary.png 1394w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">A basic illustration that shows the translation of individual characters and symbols of the message into binary. <\/figcaption><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">Quantum computers, on the other hand, operate on a new playing field using a different set of rules. Instead of these traditional bits (1s or 0s), it relies on quantum bits, or <a href=\"https:\/\/azure.microsoft.com\/en-us\/overview\/what-is-a-qubit\/\"><em>qubits<\/em><\/a> for short. In a nutshell, instead of looking at either 1s or 0s, quantum computers view data as existing in multiple states, meaning that it can be both 1s and 0s simultaneously (this is known as a superposition). It also uses two other quantum properties \u2014 entanglement and interference \u2014 to connect separate data elements and eliminate irrelevant guesses to solve problems more quickly.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Of course, not all qubits are the same. <a href=\"https:\/\/news.microsoft.com\/innovation-stories\/azure-quantum-majorana-topological-qubit\/\">Microsoft recently announced<\/a> that their Azure Quantum program has unlocked the first step to developing a new type of qubit called a <a href=\"https:\/\/news.microsoft.com\/features\/new-microsoft-breakthroughs-general-purpose-quantum-computing-moves-closer-reality\/\">topological qubit<\/a>. The goal is to resolve the scaling-related issues that other quantum computers face and to eventually help lead to the creation of a quantum computer capable of employing one million or more qubits. (Check out the linked article for more information on Microsoft\u2019s demonstration.)<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">We\u2019re not going to get into all of the technical aspects of the other quantum properties we mentioned here, either. If you want to learn more about superposition, entanglement and interference, check out this video that explains these concepts in a few different ways:<\/p>\n\n\n\n<figure class=\"wp-block-embed is-type-video is-provider-youtube wp-block-embed-youtube wp-embed-aspect-16-9 wp-has-aspect-ratio\"><div class=\"wp-block-embed__wrapper\">\n<iframe loading=\"lazy\" title=\"Quantum Computing Expert Explains One Concept in 5 Levels of Difficulty | WIRED\" width=\"960\" height=\"540\" src=\"https:\/\/www.youtube.com\/embed\/OWJCfOvochA?feature=oembed\" frameborder=\"0\" allow=\"accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share\" referrerpolicy=\"strict-origin-when-cross-origin\" allowfullscreen><\/iframe>\n<\/div><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">The takeaway we want you to have is that, on one hand, some quantum computers are poised to solve problems beyond what modern supercomputers can do \u2014 but faster and more efficiently. They also have the potential for other unimaginable capabilities to do things we haven\u2019t even thought of yet. On the other hand, some quantum computers are <a href=\"https:\/\/www.cs.virginia.edu\/~robins\/The_Limits_of_Quantum_Computers.pdf\">anticipated to be no better than classical computers for some types of tasks<\/a>. But trying to predict the future in terms of the full impact of quantum computers in the future is easier said than done.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-why-quantum-computing-is-thought-to-pose-a-threat-to-modern-cyber-security\">Why Quantum Computing Is Thought to Pose a Threat to Modern Cyber Security<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Our understanding of quantum computing is largely theoretical \u2014 so far, quantum computers can only be used in laboratories due to the machines\u2019 massive resource and cooling requirements. <a href=\"https:\/\/www.zdnet.com\/article\/quantum-computing-intels-cryogenic-chip-shows-it-can-control-qubits-even-in-a-deep-freeze\/\">Quantum chips have to be kept super cold<\/a> (at -273 degrees Celsius, or what amounts to nearly <a href=\"https:\/\/cryo.gsfc.nasa.gov\/introduction\/temp_scales.html\">absolute zero<\/a>) to operate, and they can only operate for <a href=\"https:\/\/www.technologyreview.com\/2017\/11\/10\/147728\/ibm-raises-the-bar-with-a-50-qubit-quantum-computer\/\">very short bursts<\/a>. But the concern that cybersecurity and industry leaders have is that as quantum computers eventually become more mainstream, they\u2019ll make existing public key encryption algorithms \u2014 namely, RSA (Rivest Shamir Adleman) \u2014 essentially useless.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">This concern is due to a concept known as <a href=\"https:\/\/quantum-computing.ibm.com\/composer\/docs\/iqx\/guide\/shors-algorithm\">Shor\u2019s Algorithm<\/a>. The basic overview of the concern about this algorithm, which was first demonstrated in 1994 by the guy who created it (mathematician Peter Shor), is that a powerful enough quantum computer would be able to crack modern public key algorithms pretty much instantly. How would it do this? By having the ability to calculate the factors of enormous numbers \u2014 i.e., the math that operates at the very heart of modern public key encryption \u2014 at faster rates than any modern devices could manage.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">When you try to crack asymmetric encryption (say, RSA) using a classical computer, you\u2019re essentially trying to guess the factors of those mega-sized integers. As you can imagine, this will take a really long time using a regular computer. But with quantum properties like superposition, entanglement and interference coming into play, it can reduce the time required to make those guesses (or eliminate the need to guess some of the numbers entirely) to basically nothing. For example, while it would take upwards of millions of years for traditional computers to figure out the prime factors of 2,000+ bit numbers, a quantum computer could complete the same task within minutes.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">While this enhanced speed will be great for creating positive solutions to problems \u2014 such as coming up with revolutionary new treatments or cures for medical conditions \u2014 it also poses a problem if these devices fall into the wrong hands.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-a-look-at-the-pqc-timeline\">A Look at the PQC Timeline<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Now, we\u2019re not telling you all of this to scare you. The truth is that the threats that quantum computing represents aren\u2019t new concepts, nor do they represent threats to your business and customers right now. The concept of quantum computing \u2014 and all of its benefits and dangers \u2014 has been around for decades and isn\u2019t expected to come to fruition yet.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Here\u2019s an overview of the history of quantum computing and how the development of quantum resistant cryptography plays a key role in it:<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"296\" src=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2022\/04\/quantum-computing-quantum-resistant-encryption-timeline-graphic-1024x296.png\" alt=\"An illustration of a timeline that moves from left to right with 15 key points on it. This illustrates important points over the last 60 years regarding quantum computing and quantum resistant encryption\" class=\"wp-image-15450\" srcset=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2022\/04\/quantum-computing-quantum-resistant-encryption-timeline-graphic-1024x296.png 1024w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2022\/04\/quantum-computing-quantum-resistant-encryption-timeline-graphic-300x87.png 300w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2022\/04\/quantum-computing-quantum-resistant-encryption-timeline-graphic-768x222.png 768w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2022\/04\/quantum-computing-quantum-resistant-encryption-timeline-graphic-1536x444.png 1536w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2022\/04\/quantum-computing-quantum-resistant-encryption-timeline-graphic-2048x592.png 2048w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>A graphic timeline of quantum computing over the last six decades, including <\/em><a href=\"https:\/\/csrc.nist.gov\/Projects\/post-quantum-cryptography\/workshops-and-timeline\"><em>NIST\u2019s post-quantum cryptography-focused initiatives<\/em><\/a><em> (workshops, conferences and announcements).<\/em><\/figcaption><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">Here are links relating to some of the points on the timeline above:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>1980s: <a href=\"https:\/\/www.nature.com\/articles\/s42254-021-00410-6\">Researchers (including Richard Feynman) helped bring about the study of quantum computation<\/a><\/li>\n\n\n\n<li>1994: Peter Shor presents his paper \u201c<a href=\"https:\/\/arxiv.org\/abs\/quant-ph\/9508027\">Polynomial-Time Algorithms for Prime Factorization and Discrete Logarithms on a Quantum Computer<\/a>\u201d<\/li>\n\n\n\n<li>1997: <a href=\"https:\/\/www.britannica.com\/technology\/quantum-computer\">Researchers create the first 2-bit quantum computer<\/a><\/li>\n\n\n\n<li>2016: <a href=\"https:\/\/csrc.nist.gov\/publications\/detail\/nistir\/8105\/final\">NIST Publishes IR 8105 (Report on Post Quantum Cryptography)<\/a><\/li>\n\n\n\n<li>2019: <a href=\"https:\/\/csrc.nist.gov\/News\/2019\/nist-publishes-pqc-round-1-report-nistir-8240\">PQC First Round of Candidates Announcement<\/a><\/li>\n\n\n\n<li>2020: <a href=\"https:\/\/csrc.nist.gov\/News\/2019\/pqc-standardization-process-2nd-round-candidates\">PQC Second Round Candidates Announcement<\/a><\/li>\n\n\n\n<li>2021: <a href=\"https:\/\/csrc.nist.gov\/News\/2020\/pqc-third-round-candidate-announcement\">PQC Third Round Candidates Announcement<\/a><\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">So, how long is all of this expected to take? The answer depends on who you ask and in what context:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>The National Institute of Standards and Technology (NIST) says <a href=\"https:\/\/www.nist.gov\/news-events\/news\/2016\/04\/nist-kicks-effort-defend-encrypted-data-quantum-computer-threat\">it can take 10-20 years<\/a> \u201cfrom deciding a cryptosystem is good until we actually get it out there as a disseminated standard in products on the market.\u201d<\/li>\n\n\n\n<li>The NSA says that \u201cnew cryptography can take 20 years or more to be fully developed to all National Security Systems.\u201d<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">As you\u2019ve probably seen, change tends to be relatively slow in the cryptographic world. Let\u2019s think about it another way. When TLS 1.2 was developed, TLS versions 1.1 and 1.0 were outmoded, <a href=\"https:\/\/devblogs.microsoft.com\/devops\/deprecating-weak-cryptographic-standards-tls-1-0-and-1-1-in-azure-devops-services\/\">but they\u2019re still in use on the web<\/a> and haven\u2019t gone away completely. (We\u2019re at 14 years and counting at this point since TLS 1.2 was initially released and <a href=\"https:\/\/www.ietf.org\/blog\/tls13\/\">we now have TLS 1.3<\/a>, which came out in 2018!)<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">As we touched on earlier, NIST is working on finalizing the selection of the final algorithms that will become standardized. Once final PQC algorithms are selected, then the next move will be to publish PQC standards as Federal Information Processing Standards (FIPS) and move on to implementations and deployments. Once this occurs, the Cryptographic Algorithm Validation Program (CAPV) will provide certifications for approved implementations of these approved PQC algorithms.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">We bring this all up now because we\u2019re drawing closer to a future when quantum computers are anticipated to become mainstream. It won\u2019t happen today, tomorrow, or likely even five years from now. But when it does, organizations will need to be able to support and use the quantum resistant encryption algorithms necessary to help keep data secure in this super-powered computer processing world to come. And things are changing now to prepare for that inevitable future.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-a-look-at-the-changing-landscape-surrounding-quantum-resistant-encryption\">A Look at the Changing Landscape Surrounding Quantum Resistant Encryption<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">On Jan. 19, 2022, the <a href=\"https:\/\/www.whitehouse.gov\/briefing-room\/presidential-actions\/2022\/01\/19\/memorandum-on-improving-the-cybersecurity-of-national-security-department-of-defense-and-intelligence-community-systems\/\">White House released a memorandum<\/a> specifying that agencies have 180 days to \u201cidentify any instances of encryption not in compliance with NSA-approved Quantum-Resistant Algorithms or CNSA [\u2026]\u201d and must report the following to the National Manager:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>What systems are noncompliant (including those with exceptions or waivers)<\/li>\n\n\n\n<li>A timeline for how these systems will transition to compliant encryption, and<\/li>\n\n\n\n<li>Any reasons why any systems should be exempt from compliance<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">What does all of this mean at the level of your organization or company? In reality, not much right now for everyday businesses. But let\u2019s be realistic here \u2014 it\u2019s virtually impossible to be compliant with rules that haven\u2019t yet been implemented. It\u2019s kind of like playing a new sport \u2014 say, soccer \u2014 when you don\u2019t yet know the rules or how to play it. Sure, you can go through the motions and move the ball down the field. But if you don\u2019t know how you\u2019re supposed to do it or which goal to aim for specifically, no telling if you\u2019re doing it right or if you\u2019re moving in the right direction.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The National Institute of Standards and Technology (NIST) was anticipating the release of its PQC Round 3 Report by the end of March or early April 2022. (There\u2019s also been talk about <a href=\"https:\/\/csrc.nist.gov\/CSRC\/media\/Presentations\/status-update-on-the-3rd-round\/images-media\/session-1-moody-nist-round-3-update.pdf\">announcing a fourth round of study<\/a> as well.) Now, in all fairness, we\u2019ve just started the month of April a week ago. But considering that agencies are expected to be compliant with quantum-resistant algorithms by basically July 2022, and the algorithms themselves haven\u2019t officially been decided upon\u2026 well, that sure makes things a lot more difficult for organizations that have to be compliant.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">However, once NIST decides which algorithm(s) will become the standard, then it\u2019s up to businesses and organizations to ensure that they\u2019re not using or relying upon any algorithms that may have been deprecated. The standards body is expected to have draft PQC standards available for public comment before the end of 2023 and aims to have a finalized standard ready the following year.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-although-the-sky-isn-t-falling-yet-now-s-the-time-to-prepare\">Although the Sky Isn\u2019t Falling\u2026 Yet \u2014 Now\u2019s the Time to Prepare<\/h2>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"395\" src=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2022\/04\/quantum-resistant-encryption-expert-opnion-camps-1024x395.png\" alt=\"An illustration of the different approaches of the two main camps when it comes to perceptions of the threat that quantum computers pose. One camp is &quot;panic-ville&quot; while the other is &quot;Chill-ville.&quot; Ideally, organizations should fall in the middle ground where they recognize the threats and are taking steps to prepare now without panicking.\" class=\"wp-image-15449\" srcset=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2022\/04\/quantum-resistant-encryption-expert-opnion-camps-1024x395.png 1024w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2022\/04\/quantum-resistant-encryption-expert-opnion-camps-300x116.png 300w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2022\/04\/quantum-resistant-encryption-expert-opnion-camps-768x296.png 768w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2022\/04\/quantum-resistant-encryption-expert-opnion-camps.png 1174w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">An illustration that shows that differences in perceptions about the threat of quantum computers.<\/figcaption><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">You\u2019ll find that many experts typically sit in one of two camps when it comes to the topic of quantum computing and quantum resistant cryptography. On one end of the spectrum, the first camp \u2014 aptly named \u201cPanicville\u201d in the illustration above \u2014 essentially operates under the assumption that <em>the end of near! Cybersecurity as we know it is about to come crashing down around us at any moment! BEWARE!<\/em><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The second camp, which we\u2019ve named \u201cChillville\u201d in the above graphic, tends to take very different approach. The perspective here is typically that quantum computing is still a long way off, that it\u2019s too impractical for real-world applications, or that it\u2019s something we likely won\u2019t have to deal with for years to come, so there\u2019s no point in worrying about it now.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Needless to say, neither of these approaches is particularly healthy or beneficial to the security of your organization and its data. Thankfully, though, other experts tend to fall somewhere in the middle \u2014 let\u2019s call it \u201cPreparationville.\u201d The purveying mindset of experts who sit within this space between the two main camps is that:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Quantum computing poses a serious threat to modern public key-based security (recognize the threat),<\/li>\n\n\n\n<li>It\u2019s still going to take a while for this threat to come to life in the real world (stay calm, don\u2019t panic), and<\/li>\n\n\n\n<li>Organizations should be taking steps now to start getting ready for when it does (make plans and start implementing them now).<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">Here at Hashed Out, we definitely fall more in the middle of the spectrum; we\u2019re not panicking about the changes to come but are strongly encouraging customers to start preparing now to the best of their abilities. The NSA shares on its Post-Quantum Cybersecurity Resources site that while it doesn\u2019t know \u201cwhen or even if\u201d a system capable of cracking public key encryption will make its debut. However, it does make it clear that preparing for an \u201ceventual transition\u201d to post-quantum cryptographic standards is a must for data security in the future.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Better to be safe than sorry, right?<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-it-s-time-to-start-preparing-for-the-inevitable-by-planning-investing-in-resources-now\">It&#8217;s Time to Start Preparing for the Inevitable By Planning &amp; Investing In Resources Now<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Great. So, you\u2019re being told to prepare, but it\u2019s hard to prepare for something when you don\u2019t really know what tools you\u2019ll have at your disposal to work with. It\u2019s like trying to prepare for a disaster as a homeowner \u2014 you might not know when something bad will happen, but you\u2019re going to take steps to mitigate potential impacts as much as possible.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The same concept here applies with preparing for quantum cryptography. While you may not know which algorithms specifically will be standardized, or specifically when quantum resistant cryptography will need to be implemented, you know it\u2019s likely going to happen and that you should take steps now to prepare for it.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-develop-your-organization-s-pqc-plan-be-sure-to-include-specific-milestone-dates\">Develop Your Organization\u2019s PQC Plan (Be Sure to Include Specific Milestone Dates)<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">We get it \u2014 there\u2019s definitely a strong case of \u201cyou don\u2019t know what you don\u2019t know\u201d going on here. However, you can take steps to stay ahead of the curve as much as possible by taking the time to research and plan your strategy now. Part of this planning should include:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Prioritizing which systems to transition first, starting with the most sensitive and at-risk resources, as well as those that are integral in terms of your organization\u2019s goals and needs<\/li>\n\n\n\n<li>Designating who is responsible for different aspects of the implementation<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-audit-your-it-environment-and-cryptographic-systems\">Audit Your IT Environment and Cryptographic Systems<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">We can\u2019t overstate the importance of this task as it\u2019s something you should already be doing anyhow. <a href=\"https:\/\/www.dhs.gov\/quantum\">Auditing your organization\u2019s cryptographic systems<\/a>, IT infrastructure and applications is crucial for a multitude of reasons. Furthermore, it can aid you as well with the development of your PQC planning and deciding what gets upgraded and when.<\/p>\n\n\n<span style=\"--tl-form-height-m:861.156px;--tl-form-height-t:899.625px;--tl-form-height-d:899.625px;\" class=\"tl-placeholder-f-type-shortcode_12653 tl-preload-form\"><span><\/span><\/span>\n\n\n<h3 class=\"wp-block-heading\" id=\"h-begin-upgrading-your-it-infrastructure-and-related-resources\">Begin Upgrading Your IT Infrastructure and Related Resources<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">If your organization is running on older servers and other related infrastructure, you\u2019re likely to need to upgrade before quantum cryptography makes its debut. Something to consider includes having servers with redundant distributed databases that use PQC digital signature algorithms that are connected via quantum key distributed (QKD) connections. (QKD is a concept that\u2019s been around since the 80s and involves using quantum mechanics to distribute keys between communicating parties in traditional symmetric algorithm-protected connections.) The idea here is that this may help to protect against quantum attacks and  aid in recovery from successful attacks.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">What about hardware security modules? Is your organization using one in-house? Is it relying on a third party system? Ensure that whatever HSM you\u2019re using has a roadmap to support quantum safe encryption.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">We understand your hesitation and dread \u2014 updating your existing infrastructure is a massive undertaking. It involves major investments in money, time, and personnel-related resources. But this is why it\u2019s crucial to start planning for and begin implementing these upgrades <em>now<\/em>. If you roll out the upgrade to your systems over time, it means you won\u2019t have to blow all of your capital budget in a single year or two, or risk rushing implementation (which can lead to mistakes) because you decided to wait until crap hits the fan.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Essentially, you\u2019re carefully preparing for the impending storm ahead of time (as much as you can). This way, your organization will be less likely to get caught in the downpour others will get swept away in.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-upgrade-your-existing-cryptographic-security-measures\">Upgrade Your Existing Cryptographic Security Measures<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">The NSA also offers the <a href=\"https:\/\/media.defense.gov\/2021\/Aug\/04\/2002821837\/-1\/-1\/1\/Quantum_FAQs_20210804.PDF\">Commercial National Security Algorithm Suite (CNSA Suite)<\/a>, which is a set of algorithms that the Committee on National Security Systems Policy 15 (CNSSP-15) has identified for protecting classified information (listed in alphabetical order):<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table><tbody><tr><td><strong>Algorithm<\/strong><\/td><td><strong>Key Size \/ Curve Size<\/strong><\/td><td><strong>Usage<\/strong><\/td><\/tr><tr><td>AES-256<\/td><td>256 bits<\/td><td>Confidentiality (encryption)<\/td><\/tr><tr><td>Diffie-Helman (DH)<\/td><td>3072 bits or higher<\/td><td>Key establishment<\/td><\/tr><tr><td>Elliptic Curve Diffie-Hellman (ECDH)<\/td><td>384 bits<\/td><td>Key establishment<\/td><\/tr><tr><td>ECDSA<\/td><td>384 bits<\/td><td>Digital signatures<\/td><\/tr><tr><td>Rivest Shamir Adleman (RSA)<\/td><td>3072 bits or higher<\/td><td>Key establishment and digital signatures<\/td><\/tr><tr><td>SHA-384<\/td><td>384 bits<\/td><td>Integrity protection (hashing)<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">Broken cryptosystems are the ugly companion of all the advancements that quantum computing has to offer. This is why major certificate authorities like DigiCert and Sectigo are working now to help prepare for a PQC world on their ends by creating PQC certificate authorities (CAs) and certificates.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">DigiCert, which plays a key role in multiple PQC projects, offers a <a href=\"https:\/\/docs.digicert.com\/certificate-tools\/post-quantum-cryptography\/pqc-toolkit-setup-guide\/\">PQC Toolkit<\/a> to Secure Site Pro customers. This toolkit offers hybrid RSA\/PQC certificates, which pair PQC algorithms with classical ones. The goal here is for these certificates to work on both legacy systems (to offer backwards compatibility) and quantum systems once quantum computers finally roll out.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/www.digicert.com\/tls-ssl\/post-quantum-cryptography\">DigiCert estimates<\/a> that it would take a traditional computer \u201ca few quadrillion years\u201d to break modern 2048-bit encryption. But considering that we don\u2019t know exactly when quantum devices are going to come charging onto the scene, it\u2019s a good idea to start preparing now for when it does happen. This is why the CA also has created a resource that breaks down the <a href=\"https:\/\/www.digicert.com\/content\/dam\/digicert\/pdfs\/post-quantum-cryptography-maturity-model-whitepaper-en.pdf\">Post Quantum Cryptography Maturity Model<\/a>. You can use this to figure out how well prepared your organization is (or isn\u2019t) for what\u2019s the come.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Sectigo\u2019s Senior Vice President of Product Management Lindsay Kent spoke during one of the company\u2019s Identity-First Summit 2022 presentations on certificate lifecycle management. Kent said that the certificate authority expects to have quantum safe security in place by 2026. The plan includes providing customers with a \u201cQuantum Safe Toolkit\u201d as well that aims to help companies:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Evaluate quantum-safe interoperability with applications<\/li>\n\n\n\n<li>Create a quantum safe certificate authority to issue certificates using quantum-safe certificate chains<\/li>\n\n\n\n<li>Issue certificates that can be installed into applications<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">The goal here for both CAs is to help companies use these certificates to facilitate quantum safe application-based authentication (instead of network-based authentication) and secure communications via TLS sessions. It\u2019s also to ensure that organizations can have certificates in place that support both PQC algorithms and the traditional algorithms that we have in place now.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Wait, doesn\u2019t offering backwards compatibility mean that users on classical devices will still be connecting via protocols relying on insecure algorithms once quantum computers become mainstream? Yes. But if you want to continue providing services to customers using legacy systems, that\u2019s going to continue until they eventually make the change.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-review-and-update-your-security-procedures-and-protocol-resource-documents\">Review and Update Your Security Procedures and Protocol Resource Documents<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">An important part of the planning we talked about earlier is taking the time to review and make changes to your organization\u2019s existing internal security procedures and related documentation. Some of the things you\u2019ll want to consider is what quantum resistant secure access controls and authentication measures you\u2019ll need to implement. As you\u2019ve probably guessed, your existing controls won\u2019t cut it in a PQC world, so everything will need to be updated to be quantum resistant once NIST publishes its standards.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-final-thoughts-on-preparing-your-organization-to-support-quantum-resistant-encryption\">Final Thoughts on Preparing Your Organization to Support Quantum Resistant Encryption<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">As we talked about earlier, the widespread use of quantum computing \u2014 and, therefore, the deployment of quantum resistant cryptography \u2014 is still on the horizon but is likely at least a good decade or so away. But that\u2019s why now is the time to prepare for PQC to help your business stay ahead of the curve. You don\u2019t want to be one of the organizations caught unprepared when quantum computers make their mainstream debut.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Quantum resistant cryptography will be a key part of cybersecurity in the future. Here\u2019s what to know about how to protect your data when hackers are armed with quantum computers\u2026&#8230;<\/p>\n","protected":false},"author":17,"featured_media":15448,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"footnotes":"","tve_updated_post":"","tve_custom_css":"","tve_user_custom_css":"","tve_globals":{},"tcb2_ready":0,"tcb_editor_enabled":0,"tve_landing_page":"","_tve_header":"","_tve_footer":""},"categories":[130,10200],"tags":[241,13166],"class_list":["post-15447","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-everything-encryption","category-monthly-digest","tag-post-quantum-cryptography","tag-quantum-resistant-encryption","post-with-tags"],"views":19166,"jetpack_featured_media_url":"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2022\/04\/quantum-resistant-encryption-feature.jpg","_links":{"self":[{"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/posts\/15447","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/users\/17"}],"replies":[{"embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/comments?post=15447"}],"version-history":[{"count":0,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/posts\/15447\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/media\/15448"}],"wp:attachment":[{"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/media?parent=15447"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/categories?post=15447"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/tags?post=15447"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}