Post-quantum cryptography standards highlight the need for governments to prepare for emerging quantum computing risks
Previously considered a distant concern, quantum computers may soon compromise the government’s most sensitive data. Here’s how to get ready.
In less than a decade, quantum computers have undergone one of the most impressive transformations in technological history. What began as a lone, small quantum device on the cloud running rudimentary experiments has evolved into a breakthrough tool used across industries and organizations to explore the frontiers of challenges in healthcare and life sciences, high energy physics, materials development, optimization, and sustainability. Today’s utility-scale progress has the industry on the verge of a computing revolution.
Quantum computers
Quantum computers are not just faster, better versions of classical computers that may be able to solve certain niche problems. They offer access to an entirely new branch of computation, built on fundamentally different rules, that can produce completely new types of results that have never previously been known. However, one of the problems quantum computers are getting closer to solving is factoring large numbers – which would make them a “cryptographically relevant” risk to many of today’s security standards.
While it’s exciting to watch countries around the world explore how quantum systems can accelerate discovery in their respective fields, the public sector remains unprepared for the security risks posed by bad actors gaining access to and taking advantage of a future cryptographically relevant quantum computer’s ability to decrypt critical data and systems.
Transition to quantum-safe cryptography
To avoid this cybersecurity nightmare, organizations must jumpstart their transition to quantum-safe cryptography – and adopt the post-quantum cryptographic standards published by the U.S. Department of Commerce’s National Institute of Standards and Technology (NIST): ML-KEM (Module Lattice Key Encapsulation Method, also referred to as FIPS 203, and originally submitted as CRYSTALS-Kyber); ML-DSA (Module Lattice Digital Signature Algorithm, also referred to as FIPS 204, and originally submitted as CRYSTALS-Dilithium); and SLH-DSA (Stateless Hash Digital Signature Algorithm, also referred to as FIPS 205, and originally submitted as SPHINCS+).
Two of these standards – ML-KEM and ML-DSA – were developed by IBM researchers in collaboration with several industry and academic partners. We expect NIST to publish an additional algorithm, FN-DSA (FFT over NTRU lattice Digital Signature Algorithm, also referred to as FIPS 206, and originally submitted as FALCON), as a standard later this year.
Quantum-safe technologies
The good news? Quantum-safe technologies exist now. NIST’s published PQC standards validate the journey that organizations, industries, and entire countries should already be on or should start as soon as possible. Leaders across government agencies have started making sure our sensitive data is protected against the possibility of future attacks by bad actors with access to cryptographically relevant quantum computers. For example, in 2022, the United States government released a National Security Memorandum laying out its plan for securing critical systems against potential quantum risks and harnessing the benefits of this technology for all.
Looming quantum computing risks
The bad news? We may only have about a decade to apply the solutions that can respond to these impending risks – and to do so before 2030, when the U.S. National Security Agency’s guidance requires full PQC compliance for National Security Systems.
These three new standard algorithms, with more on the way, are big steps forward towards securing public and private data in a post-quantum world. However, organizations will still take years – maybe decades – to make the full transition. In the short term, countries should work quickly to increase investments in cryptography research and development and accelerate the rapid deployment of post-quantum standards across government entities.
Furthermore, the public sector and organizations alike should begin identifying their most vulnerable systems and upgrading their digital infrastructure to quantum-safe cryptography as soon as possible – even ahead of their agency suggestions. Because of IBM’s expertise in cryptography and quantum computing, our leadership in developing technologies that accelerate and automate the adoption of post-quantum cryptography, and our key role in developing NIST’s standards, we’ve already started working with government agencies and industry consortia across telecommunications, finance, and more to aid this transition.
Start your quantum-safe journey now
An exciting new era of computing is upon us, but there’s no time to waste – it’s time to start your quantum-safe journey now.
For more information about the IBM Quantum Safe technology and services, visit https://www.ibm.com/quantum/quantum-safe
This piece was provided by Cristina Caballe-Fuguet and Casey Werth