Post-Quantum Cryptography: Why Your Organization Needs to Prepare Now
In the rapidly evolving landscape of cybersecurity, a new threat looms on the horizon: quantum computing. While quantum computers promise revolutionary advances in many fields, they also pose an existential risk to our current cryptographic systems. This is particularly concerning for Public Key Infrastructure (PKI) certificates, which form the backbone of secure digital communications.
The Quantum Threat Is More Serious Than We Thought
Recent Gartner analysis shows a two-phase threat to our cryptographic systems:
- By 2029, quantum computing will advance to the point where current asymmetric cryptography systems will be considered unsafe to use
- By 2034, quantum computing capabilities could break ALL current cryptography
This timeline is more aggressive than previously estimated, making the need for action even more urgent.
Why Act Now? The "Harvest Now, Decrypt Later" Threat
You might wonder why this requires immediate attention if quantum computers aren't yet capable of breaking our current encryption. The answer lies in a sophisticated attack strategy known as "harvest now, decrypt later" (HNDL). Here’s how it works:
- Attackers collect and store encrypted data today.
- They wait until quantum computers become powerful enough.
- Once quantum computing matures, they decrypt the previously secure communications.
This threat is particularly critical for data that needs to remain confidential beyond 2029. Consider:
- Trade Secrets: Product designs and research data
- Strategic Information: Long-term business plans and M&A details
- Regulated Data: Healthcare records and financial information
- Government Information: Classified data and sensitive communications
If your organization handles any of these types of data, you need to start planning your transition now. Waiting to act could leave your sensitive data vulnerable to future decryption.
Even more concerning, there are reports of state-run HNDL programs already in operation, potentially collecting sensitive data for future decryption.
Government Recognition of the Threat
The urgency of this situation is recognized at the highest levels of government:
- The U.S. has enacted the National Quantum Initiative and established the NIST Post-Quantum Cryptography project
- The White House has warned that quantum computing could "jeopardize civilian and military communications, undermine supervisory and control systems for critical infrastructure, and defeat security protocols for most internet-based financial transactions"
- The World Economic Forum has established a Quantum Security Initiative
NIST’s Post-Quantum Standards
The National Institute of Standards and Technology (NIST) has published standards for post-quantum cryptographic algorithms designed to withstand quantum attacks. These include:
- ML-KEM (formerly CRYSTALS-Kyber) for general encryption
- ML-DSA (formerly CRYSTALS-Dilithium) for digital signatures
- SLH-DSA (formerly SPHINCS+) as an alternative digital signature algorithm
Additional algorithms are under review for standardization in 2025, including BIKE, Classic McEliece, and HQC.
Important Considerations for Implementation
- No Drop-in Replacements: Unlike previous cryptographic updates, PQC algorithms are not simple replacements for existing systems. They have different characteristics:
  - Larger key and ciphertext sizes
  - Different encryption and decryption times
  - Potential performance impacts
- Comprehensive Testing Required: Applications will need to be retested and potentially rewritten to accommodate these new characteristics.
Steps Your Organization Should Take Now
- Inventory Assessment: Conduct a comprehensive audit of your digital certificates and cryptographic assets. Understanding what you need to protect is the first step toward effective migration.
- Risk Evaluation: Identify your most critical assets, especially those requiring long-term security. Consider which data would be most valuable to attackers in the future.
- Vendor Engagement: Start discussions with your PKI and security vendors about their quantum-safe roadmaps. Don’t assume vendors are prepared — many may not recognize the need until customers push them.
- Policy Development: Create clear policies for cryptographic usage and data retention, considering the expected lifespan of your sensitive information.
- Plan for Hybrid Approaches: Consider implementing hybrid solutions that use both traditional and post-quantum algorithms during the transition period.
Timeline Considerations
When planning your transition to post-quantum cryptography, consider these timeframes:
- Data expiring before 2026: Current cryptographic protection may be sufficient
- Data needed until 2028: Consider larger classical keys as an interim measure
- Data needed beyond 2029: Plan for full PQC migration to protect against HNDL attacks
- Data needed beyond 2034: Requires urgent attention and comprehensive PQC strategy
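The inventory assessment and timeline buckets above can be turned into a small script. The following is an added example, not code from the article or from HID: a standard-library-only Python helper that reads a certificate's SubjectPublicKeyInfo (SPKI) in DER form, classifies the key algorithm as quantum-vulnerable (RSA, EC, Ed25519) or quantum-safe (ML-DSA), and maps the date until which the protected data must stay confidential to the article's four horizons. The sample keys it builds are constructed placeholders (valid DER shape, not real keys), and the ML-DSA OIDs are taken from NIST's CSOR assignments (an assumption to verify against your own toolchain). Real SPKI blobs can be obtained from any certificate with `openssl x509 -pubkey` followed by a PEM-to-DER conversion.

```python
# Added example (not from the original article or HID): stdlib-only SPKI
# inventory helper that maps each key to the article's migration horizons.
from datetime import date

# Standard PKIX OIDs for classical algorithms.
OID_RSA = "1.2.840.113549.1.1.1"
OID_EC = "1.2.840.10045.2.1"
OID_ED25519 = "1.3.101.112"
OID_P256 = "1.2.840.10045.3.1.7"
QUANTUM_VULNERABLE = {OID_RSA: "RSA", OID_EC: "EC", OID_ED25519: "Ed25519"}
# ML-DSA OIDs per NIST CSOR (assumption: verify against your toolchain).
QUANTUM_SAFE = {"2.16.840.1.101.3.4.3.17": "ML-DSA-44",
                "2.16.840.1.101.3.4.3.18": "ML-DSA-65",
                "2.16.840.1.101.3.4.3.19": "ML-DSA-87"}
CURVES = {OID_P256: "P-256", "1.3.132.0.34": "P-384"}


def _read_tlv(buf, pos=0):
    """Return (tag, body, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(body):
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def parse_spki(der):
    """Extract the algorithm OID plus RSA modulus bits or EC curve from SPKI DER."""
    _, spki, _ = _read_tlv(der)                  # SubjectPublicKeyInfo SEQUENCE
    _, alg, pos = _read_tlv(spki)                # AlgorithmIdentifier SEQUENCE
    _, key_bits, _ = _read_tlv(spki, pos)        # subjectPublicKey BIT STRING
    _, oid_body, params_pos = _read_tlv(alg)
    info = {"oid": _decode_oid(oid_body)}
    if info["oid"] == OID_RSA:
        # BIT STRING body: one unused-bits byte, then RSAPublicKey SEQUENCE {n, e}
        _, rsa_pub, _ = _read_tlv(key_bits, 1)
        _, modulus, _ = _read_tlv(rsa_pub)
        info["bits"] = int.from_bytes(modulus, "big").bit_length()
    elif info["oid"] == OID_EC and params_pos < len(alg):
        _, curve_body, _ = _read_tlv(alg, params_pos)
        info["curve"] = CURVES.get(_decode_oid(curve_body), "unknown")
    return info


def migration_action(info, needed_until):
    """Apply the article's horizon buckets to one key.

    needed_until: a date or a four-digit year. Returns (algorithm, action)."""
    oid = info["oid"]
    if oid in QUANTUM_SAFE:
        return QUANTUM_SAFE[oid], "quantum-safe: no migration needed"
    if oid not in QUANTUM_VULNERABLE:
        return oid, "unknown algorithm: review manually"
    name = QUANTUM_VULNERABLE[oid]
    if "bits" in info:
        name += f"-{info['bits']}"
    elif "curve" in info:
        name += f" {info['curve']}"
    year = needed_until if isinstance(needed_until, int) else needed_until.year
    if year < 2026:
        action = "current protection may be sufficient"
    elif year <= 2028:
        action = "interim: larger classical keys"
    elif year <= 2034:
        action = "plan full PQC migration (HNDL exposure)"
    else:
        action = "urgent: comprehensive PQC strategy"
    return name, action


def inventory_report(entries):
    """entries: iterable of (label, spki_der, needed_until) -> list of row dicts."""
    rows = []
    for label, der, needed_until in entries:
        name, action = migration_action(parse_spki(der), needed_until)
        rows.append({"asset": label, "algorithm": name, "action": action})
    return rows


# --- constructed sample SPKIs (DER shape only, not real keys) ---------------
def _tlv(tag, body):
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def _oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [arcs[0] * 40 + arcs[1]]
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        while a >> 7:
            a >>= 7
            chunk.append(0x80 | (a & 0x7F))
        out += reversed(chunk)
    return _tlv(0x06, bytes(out))


def sample_rsa_spki(bits):
    """Constructed RSA SPKI whose modulus has exactly `bits` bits."""
    n = ((1 << (bits - 1)) | 1).to_bytes(bits // 8, "big")
    if n[0] & 0x80:
        n = b"\x00" + n                      # DER INTEGER sign padding
    rsa_pub = _tlv(0x30, _tlv(0x02, n) + _tlv(0x02, b"\x01\x00\x01"))
    alg = _tlv(0x30, _oid(OID_RSA) + b"\x05\x00")
    return _tlv(0x30, alg + _tlv(0x03, b"\x00" + rsa_pub))


def sample_spki(alg_oid, param_oid=None, key_len=64):
    """Constructed EC or ML-DSA SPKI with placeholder key bytes."""
    alg = _tlv(0x30, _oid(alg_oid) + (_oid(param_oid) if param_oid else b""))
    return _tlv(0x30, alg + _tlv(0x03, b"\x00" + b"\x11" * key_len))


if __name__ == "__main__":
    demo = [("vpn-gateway", sample_rsa_spki(2048), date(2027, 6, 30)),
            ("archive-signing", sample_spki(OID_EC, OID_P256), date(2040, 1, 1)),
            ("pilot-pqc-ca", sample_spki("2.16.840.1.101.3.4.3.18", key_len=1952), 2040)]
    for row in inventory_report(demo):
        print(row)
```

The `needed_until` horizon is deliberately a property of the data, not of the certificate: a certificate that expires next year may still protect a TLS session whose recorded contents must stay confidential for decades, which is exactly the HNDL exposure the article describes. Feed the report into a tracker and re-run it as the inventory changes.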
Conclusion
The transition to post-quantum cryptography isn’t just another security update — it's a fundamental shift in how we protect digital communications. The effort required may exceed that of Y2K preparation, and the consequences of failure could be severe. While fully capable quantum computers may still be years away, the threat of "harvest now, decrypt later" attacks makes this a present-day concern.
Organizations that start preparing now will be better positioned to protect their long-term assets and maintain their security posture in the quantum era. Don’t wait until it's too late — the time to begin your post-quantum journey is now — grab a copy of HID’s whitepaper Preparing for the Post-Quantum Cryptography Era.