Post quantum cryptography
Navigating the policy challenges
Hey there!
Welcome to The Year of Quantum. Did you know that the most immediate impact of quantum computing is not utility but threat? One of the first possibilities is breaking the encryption that secures nearly all of our digital world today. The reason is straightforward: quantum computers can do certain calculations in minutes that might take classical supercomputers millennia. There are multiple responses to mitigate this threat, and one possible solution is Post Quantum Cryptography (PQC). In this issue of The Quantum Vibe, I will talk about what leads to the threat, how serious it is, a possible solution (PQC), and the policy-related challenges.
The encryption threat
The encryption framework can be broadly classified into symmetric encryption (SE) and asymmetric encryption (AE):
Symmetric Encryption (SE): Think of a strong lock with a single key shared by the sender and receiver. It's efficient and commonly used for secure messaging, like WhatsApp’s end-to-end encryption.
Asymmetric Encryption (AE): Imagine two keys—one public for locking and one private for unlocking. It’s more complex but essential for tasks like secure key exchanges, HTTPS protocols, and digital signatures.
In quantum computing, Shor’s algorithm directly targets AE systems, making them highly vulnerable. While Grover’s algorithm theoretically threatens SE, its impact is less immediate and could take decades to manifest (as referenced in ETSI GR QSC 006 V1.1.1).
The current encryption system works by making it computationally impractical to factorize large numbers or solve complex equations. Quantum computers are predicted to solve these problems efficiently, and their advancing capabilities could soon render these protections obsolete. A natural question follows: why does the threat arrive before the utility? The path to utility requires dealing with realistic situations and with structured and unstructured data, which quantum computers can handle only to a limited extent as of now. The abstract mathematical problems that encryption rests on, however, are squarely in their sights, given the quantum supremacy against such problems.
How serious is the threat?
The quantum threat isn't a distant possibility—it’s a present concern. A major reason? Harvest now, decrypt later. Malicious actors could collect encrypted data today and decrypt it in the future when quantum computers are powerful enough, exposing sensitive information regardless of how advanced encryption becomes. This scenario has already prompted preemptive action, e.g., Executive Order 14028 by the White House.
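The triage these two sections imply (Shor breaks asymmetric schemes, Grover only weakens symmetric ones, and traffic recorded today can be decrypted later), as an added example that is not part of the original newsletter. The 15-year horizon, the 128-bit threshold, the `Asset` fields and the sample inventory are assumptions constructed for illustration.

```python
from dataclasses import dataclass

# Assumptions for illustration (none of these values come from the article):
YEARS_TO_QUANTUM = 15      # planning horizon until Shor's algorithm is practical
MIN_BITS = 128             # security level still considered acceptable

SHOR_BROKEN = {"RSA", "DH", "ECDH", "ECDSA"}   # asymmetric: factoring / discrete log
GROVER_WEAKENED = {"AES", "CHACHA20"}          # symmetric: brute-force key search
URGENCY = ["migrate now", "migrate before horizon", "double key size", "ok"]

@dataclass
class Asset:
    name: str
    algorithm: str
    key_bits: int
    purpose: str           # "key-exchange", "encryption" or "signature"
    secrecy_years: int     # how long the protected data must stay confidential

def quantum_bits(asset: Asset) -> int:
    """Approximate security level against an attacker with a quantum computer."""
    if asset.algorithm in SHOR_BROKEN:
        return 0                       # polynomial-time break; longer keys do not help
    if asset.algorithm in GROVER_WEAKENED:
        return asset.key_bits // 2     # quadratic speed-up halves the exponent
    raise ValueError(f"unknown algorithm: {asset.algorithm}")

def triage(asset: Asset, horizon: int = YEARS_TO_QUANTUM) -> str:
    if quantum_bits(asset) >= MIN_BITS:
        return "ok"
    if asset.algorithm in GROVER_WEAKENED:
        return "double key size"
    # Harvest now, decrypt later: confidentiality that must outlive the horizon
    # is exposed already. Signatures only need replacing before the horizon.
    if asset.purpose != "signature" and asset.secrecy_years > horizon:
        return "migrate now"
    return "migrate before horizon"

def prioritise(inventory: list[Asset]) -> list[tuple[str, str]]:
    """Return (asset name, action) pairs, most urgent first."""
    ranked = sorted(inventory, key=lambda a: (URGENCY.index(triage(a)), -a.secrecy_years))
    return [(a.name, triage(a)) for a in ranked]

# Constructed sample inventory.
INVENTORY = [
    Asset("web session", "RSA", 2048, "key-exchange", 1),
    Asset("database at rest", "AES", 256, "encryption", 30),
    Asset("vpn tunnel", "ECDH", 256, "key-exchange", 25),
    Asset("backup archive", "AES", 128, "encryption", 30),
    Asset("code signing", "ECDSA", 256, "signature", 0),
]
```

Calling `prioritise(INVENTORY)` puts the long-lived VPN traffic first and the AES-256 database last.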
A possible solution - Post Quantum Cryptography
PQC refers to cryptographic algorithms designed to be secure against both classical and quantum computers. It does not rely on the principles of quantum mechanics but instead builds on problems that are hard for quantum computers, e.g., mapping problems on a lattice. Its disadvantage is that it is not a permanent solution against the quantum machinery; its advantage is that it enables a transition to higher security with high execution success. For example, Delinea recently showed that they could use PQC alternatives for SE with negligible impact on response time and secret data storage. The National Institute of Standards and Technology (NIST) has been spearheading a global effort to standardize PQC. In 2022, it announced several candidate algorithms for standardization, including CRYSTALS-Kyber (for encryption) and CRYSTALS-Dilithium (for digital signatures).
Examples in Practice:
Financial Institutions: Banks are testing PQC to secure transactions and protect sensitive customer data against future threats.
Government Agencies: Agencies like the National Security Agency (NSA) are preparing for a quantum-resistant world by evaluating PQC standards.
Tech Companies: Organizations like Google and IBM are experimenting with hybrid encryption, combining classical and post-quantum systems to ensure robust security during the transition.
Policy Challenges in the Quantum Era
As promising as PQC is, transitioning to a quantum-secure future is not without challenges. Policymakers must address several critical issues:
Standardization and Interoperability
Ensuring global consensus on PQC standards is crucial to avoid fragmentation in cybersecurity practices across borders. Organizations like NIST and the International Telecommunication Union (ITU) are working to build frameworks that ensure compatibility and widespread adoption. However, geopolitical tensions and differing priorities among nations can complicate these efforts. In the European Union, for instance, regulatory frameworks like the General Data Protection Regulation (GDPR) could interact with PQC policies, requiring additional considerations for compliance and data protection.
Implementation Strategies
Transitioning to PQC will require significant investment in upgrading software, hardware, and infrastructure. For example, financial institutions and healthcare systems, which handle sensitive data, will need to overhaul their encryption protocols. Governments can play a critical role by offering tax incentives, grants, or subsidies to encourage early adoption, particularly among small businesses and resource-constrained sectors.
Data Longevity Risks
Sensitive information being encrypted today might still be valuable decades later. Policies must encourage proactive encryption updates to protect long-term data. For instance, classified government documents, intellectual property, and patient medical records are examples of data that could face serious risks if not protected preemptively.
International Collaboration
Sharing best practices, funding joint research, and developing universal guidelines can help ensure equitable access to quantum-safe technologies. Additionally, regulatory considerations, such as GDPR in the EU, may necessitate careful negotiation to harmonize global standards with regional laws.
Ethics and Privacy
While implementing PQC does not mean someone can access our data, its deployment might still face challenges from privacy laws and ethical considerations. Given the direct control over data, will it be easier for the Chinese government? Could things be delayed in Europe due to GDPR?
Preparing for the Quantum Leap
Post-Quantum Cryptography isn't just a technological upgrade; it’s a societal safeguard for the digital age. Governments, industries, and individuals must collaborate to address technical and policy challenges in unison. By understanding the urgency of the quantum threat and preparing policies that guide the transition to PQC, we can ensure a secure digital future that withstands both classical and quantum challenges. The quantum era is upon us—let's navigate it wisely.
That’s it for this issue. Until next time, stay curious!



