The US National Institute of Standards and Technology (NIST) has announced three standards for post-quantum cryptography (PQC). But for PQC to protect anything, every device and protocol that relies on today's public-key cryptography will need the new algorithms deployed. This is a massive project because some devices are difficult to access, and some may not be powerful enough to run the new algorithms. There are also questions over whether the techniques used for PQC are strong enough: two of the three standards (ML-KEM for key establishment and ML-DSA for signatures) rest on module-lattice problems that some cryptographers believe may eventually be broken.
In a research note looking at the broad economic impact of the PQC standards, ratings agency Moody's noted that challenges in error correction, scalability, talent shortages and limited computing power currently mitigate the risk of quantum computing cracking strong encryption. However, many experts recommend the swift adoption of quantum-resistant algorithms, since adversaries could harvest encrypted data now and decrypt it once powerful, reliable quantum computers arrive (so-called "harvest now, decrypt later" attacks).
Karl Holmqvist, founder and CEO of Lastwall, a company specialising in quantum resilience, said: “Thirty years ago, in 1994, Peter Shor demonstrated that we would need approximately 4,100 qubits to factor 2048-bit RSA, which is the most broadly deployed asymmetric encryption algorithm. At that time, we had no quantum computers available, and people questioned if we would ever develop a functional quantum computer.”
The Moody's report stated that by using Shor's algorithm, a quantum algorithm specifically designed for finding the prime factors of an integer, quantum computers would be able to factor large integers exponentially faster than the best known classical methods, essentially breaking asymmetric schemes whose security rests on the difficulty of factoring, such as the widely used RSA-2048 cryptosystem.
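To make concrete what "specifically designed for finding the prime factors" means, here is an added illustration in Python (not from the article or the Moody's report) of the classical scaffolding of Shor's algorithm. Only the order-finding step needs a quantum computer; everything else is ordinary number theory. The brute-force `find_order` function below is a classical stand-in for that quantum subroutine and takes time exponential in the size of the modulus, which is exactly why it only works on the toy modulus 3233 = 61 × 53 used here (a textbook example chosen for this demo, not a real key). The function names and the `max_tries` parameter are this example's own.

```python
"""
Classical skeleton of Shor's algorithm: everything except order finding,
which is the only part that needs a quantum computer.

Added illustration, not code from the article or Moody's report. find_order
is a brute-force classical stand-in for the quantum period-finding circuit,
so it only works for toy moduli; a quantum computer does that step in
polynomial time, which is why RSA-2048 is at risk.
"""
from math import gcd
from typing import Optional, Tuple
import random


def find_order(a: int, n: int) -> int:
    """Smallest r > 0 with a^r == 1 (mod n). Shor's quantum circuit finds r via
    the quantum Fourier transform; here it is brute force, exponential in the
    bit length of n and therefore hopeless for a 2048-bit modulus."""
    r, x = 1, a % n
    while x != 1:
        x = (x * a) % n
        r += 1
    return r


def shor_factor(n: int, rng: Optional[random.Random] = None,
                max_tries: int = 50) -> Optional[Tuple[int, int]]:
    """Return a non-trivial factorisation (p, q) of n using the classical
    post-processing of Shor's algorithm, or None if every base was unlucky.
    For n = p*q with distinct odd primes, each random base succeeds with
    probability at least 1/2, so max_tries=50 essentially never fails."""
    rng = rng or random.Random(0)  # fixed seed so the demo is reproducible
    if n % 2 == 0:
        return (2, n // 2)
    for _ in range(max_tries):
        a = rng.randrange(2, n - 1)
        g = gcd(a, n)
        if g > 1:
            # Lucky guess: a already shares a factor with n, no period needed.
            return (g, n // g)
        r = find_order(a, n)          # <-- the quantum step in real Shor
        if r % 2:
            continue                  # odd period: try another base
        y = pow(a, r // 2, n)
        if y == n - 1:
            continue                  # a^(r/2) == -1 gives only trivial factors
        # y^2 == 1 (mod n) with y != +-1, so (y-1)(y+1) == 0 (mod n) and
        # gcd(y-1, n) is a proper factor.
        p = gcd(y - 1, n)
        if 1 < p < n:
            return (p, n // p)
    return None


def rsa_private_exponent(e: int, p: int, q: int) -> int:
    """Once p and q are known, the RSA private exponent d = e^-1 mod phi(n)
    follows immediately; this is what 'breaking RSA' means in practice."""
    return pow(e, -1, (p - 1) * (q - 1))


if __name__ == "__main__":
    # Toy RSA modulus 3233 = 61 * 53 with e = 17 (constructed textbook example)
    N, E = 3233, 17
    factors = shor_factor(N)
    assert factors is not None
    p, q = factors
    d = rsa_private_exponent(E, p, q)
    m = 65
    c = pow(m, E, N)
    print(f"{N} = {p} * {q}; recovered d = {d}; decrypt ok: {pow(c, d, N) == m}")
```

The point of the example is the division of labour: the random base choice, the parity check on the period and the final gcd are cheap classical work, and the entire quantum advantage sits in `find_order`. Replacing the brute-force loop with a polynomial-time quantum period finder is all that separates this toy from an attack on a real modulus.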
Experts think quantum computers will be able to break asymmetric encryption in five to 30 years. The Moody’s report quoted a 2022 poll of 37 experts for the Global Risk Institute’s Quantum threat timeline report 2022, which reported that over half (54%) were optimistic that within 15 years quantum computers would be able to crack RSA-2048 encryption in 24 hours.
Holmqvist said that five years ago, KTH and Google researchers demonstrated that a 20-million-qubit system would crack 2048-bit RSA in less than eight hours. However, he pointed out that over 3,500 qubits are needed to make each stable logical qubit, since qubits are extremely error-prone. Nevertheless, quantum technology is advancing. “Time is not on our side to change to quantum-resistant ciphers. We need to address this now – it’s time to get to work and eliminate outdated cryptography,” said Holmqvist.
As big as Y2K
According to Moody’s, the ability to break asymmetric encryption could have profound repercussions on e-commerce. Pointing to the US International Trade Administration projections, Moody’s reported that global e-commerce is set to grow to $41.7tn a year by 2027.
“If there is a loss of trust in online transactions, these flows would be at risk. Air traffic systems and GPS signals could also be manipulated, risking lives. The ability to break this encryption could also imperil companies’ intellectual property as well as governments’ classified documents,” the Moody’s report warned.
Moody’s also noted that the transition to PQC is likely to take a long time and will also be extremely expensive. It estimated that implementing new cryptographic standards across devices could take 10 to 15 years due to operational challenges. While the cost of the transition is hard to estimate, it said that parallels can be drawn with the expensive, large-scale efforts required to address the Y2K bug.
For instance, as Moody's pointed out, some devices are in hard-to-reach places, such as satellites in orbit, and some types of hardware, such as in cars and cash machines, are difficult to update. Its report attributed the 10- to 15-year estimate for deploying a new cryptographic standard across devices to data from US officials.
Beyond the challenges of a wide-scale roll-out of PQC, implementing the new standards securely may prove very difficult, as Roberta Faux, field chief technology officer at Arqit and former NSA cryptographer, explained.
“We are still in the early stages of a fast-moving industry, and unfortunately even the secure implementation of these standards will be a difficult process,” she said. “These aren’t ‘drop-in’ solutions. As we migrate systems, we will find all kinds of interoperability issues, alongside the plethora of vulnerabilities and downtime that come from making systems more complex. It’s a long-term project with a lot of uncertainty.”
However, Moody’s noted that the rapid deployment of PQC by some key technology and internet infrastructure companies would speed up protections for swathes of users.
Global adoption
Questions are also being raised over whether the UK and Europe should adopt the NIST standards. Faux said the German and French governmental cyber security agencies are shying away from endorsing the NIST post-quantum key exchange.
Ekaterina Almasque, general partner at early-stage tech venture capital firm OpenOcean, said: “Europe must take the lead in post-quantum cryptography standards, not just ride on the US’s coattails. That requires strategic thinking.”
Almasque said the US government has already communicated to companies working on sensitive projects that they may soon be required to use quantum encryption algorithms. “If Europe and the UK want to direct their own quantum funding efficiently and build public confidence in PQC, they need a clear and well-communicated strategy that reaches startups, the public sector and other key stakeholders,” she added.
“While Europe and the EU’s diversity is a strength, it could easily become a vulnerability if we don’t introduce a cohesive quantum strategy that ensures all member states are aligned in their quantum defences.”
There appears to be wide industry consensus around the new NIST PQC standards. However, as Arqit’s Faux points out, some quantum cryptography experts like Michele Mosca have raised concerns that the lattice algorithms on which NIST has based its PQC encryption standards may be broken within a decade.