5 Steps to Take Today: A Quick-start Guide to Post-quantum Cryptography
Posted by: Shanan Winters
Post-quantum cryptography. It sounds like something out of a science fiction film. And unless you are highly technical and working directly in this advancing field, it’s a term you’ve probably heard, but shuffled to the back of your mind. It’s a problem for later… a future concern, right? The fact is, the need for quantum-safe security is coming at us full-speed, and we all need to be ready.
This blog is a quick-start guide to post-quantum cryptography, along with an explanation of why we need to start paying attention now and five steps you can take today to get ahead.
What is Post-quantum Cryptography?
Cryptography is the practice of hiding information in secret codes so that only the intended recipient can read it. Nearly every organization, application, and platform relies on some form of cryptography to keep sensitive information safe. Your typical public-key methods, including Rivest-Shamir-Adleman (RSA), Elliptic Curve Cryptography (ECC), and Diffie-Hellman (DH), rely on the difficulty of factoring large integers and computing discrete logarithms. When used with recommended key lengths, they would take today’s computers millions, if not trillions, of years to crack.
Quantum computers, however, enable use of new algorithms such as “Shor’s Algorithm” or “Grover’s Algorithm” that make determining encryption keys easier. They use quantum concepts of superposition, entanglement, and interference to factor those same large integers and compute discrete logarithms much faster. We estimate that within a few years, adversaries could break standard encryption in minutes… seconds, even. The speed of these new processors and their underlying algorithms could essentially render our existing digital locks useless.
In quantum-safe security, cryptography takes on a new face. It uses lattice-based or hash-based mathematical problems that are believed to be hard for all processors, classical and quantum alike. Post-quantum cryptography serves to protect organizations from the extreme leap in processing power that we’ll face when these revolutionary systems go mainstream.
Want a deeper dive? Read our EduCenter page: What is Post-quantum Cryptography.
Why Does it Matter Now?
Let’s take a look at a recent technology that went from curiosity to security imperative seemingly overnight: artificial intelligence (AI). Remember when AI was a fun tool we used to generate images of ourselves? We laughed when it got the fingers wrong, and didn’t think much more about it. But before we knew it, we moved from AI-as-novelty to AI-as-professional-necessity. Now, many organizations feel the pressure to wrap security and governance around AI as it barrels out of control.
We don’t want to make the same mistake with quantum computing. While it may still be a few years away, several vendors already have schedulable quantum compute access. Though these systems are heavily protected, the potential threats are already presenting themselves, if you know where to look. Additionally, governing agencies and industry experts are pushing to get ahead of the threat.
Here are a few pointed examples:
- Evidence of Harvest Now, Decrypt Later (HNDL) Movements: Threat actors are in the process of stealing and storing traditionally encrypted data sets. They’re simply waiting for the day that a quantum computer can unlock them. Health records, military secrets, financial data, and the keys to critical infrastructure systems are all at risk of exploitation.
- Compliance Mandates and Best Practices are Already Rolling Out: National authorities like the National Institute of Standards and Technology (NIST) and user groups, including the Cloud Security Alliance (CSA), have finalized initial standards and defined best practices. In fact, NIST has been working toward post-quantum cryptography standards since 2016. Additionally, many industries are already treating post-quantum resilience as a mandatory compliance milestone. The trend is particularly seen in industries with heavily vested interests in protecting sensitive data, including finance, healthcare, and government.
- The Reality of Slow Change vs. Motivated Threat Actors: Given the sheer number of systems running outdated operating systems, and the fact that we still have mainframes out there, it should come as no surprise that the rollout of quantum computers won’t happen overnight. Across any given industry, IT upgrades require budget approvals and careful architecture reviews. Rollouts start with proofs of concept, then expand based on business needs. Threat actors have no such limitations. Once quantum computers become widely available, you can bet they’ll be in the hands of nation-state actors first, then of any other cybercriminal with the money to spare.
Five Steps You Can Take to Get Ahead in the Post-quantum Cryptography Race
- Start Your Cryptography Inventory: Create a comprehensive inventory of where and how your organization uses cryptography. Document all systems, applications, and data that rely on current cryptographic protocols. This inventory will be crucial for prioritizing your quantum-safe migration strategy.
- Assess Your Risk Profile: Evaluate which of your data assets would be most valuable to HNDL attackers. Consider both the immediate and long-term sensitivity of your data. Information that seems mundane today might become critically important in 5-10 years, and vice versa.
- Begin Education and Awareness: Start training your technical teams on post-quantum cryptography concepts. Ensure your security architects and developers understand the implications of quantum computing on current security measures. Make post-quantum readiness a regular topic in security planning meetings.
- Implement Crypto-Agility: Design your systems with the ability to quickly swap out cryptographic algorithms without major system overhauls. This flexibility will be crucial when transitioning to quantum-safe algorithms. Consider implementing hybrid approaches that use both traditional and post-quantum algorithms during the transition period.
- Engage with Standards Boards and User Groups: Stay informed about NIST’s standardization process and begin discussions with your security vendors about their quantum-safe roadmaps. Join industry movements like the CSA Quantum-safe Security working group to learn from peers and contribute to the development of best practices.
Remember, the goal isn’t to completely transform your cryptographic infrastructure overnight. Instead, focus on building awareness, understanding your current state, and creating a flexible foundation that can adapt as quantum-safe standards mature.
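The first two steps applied to TLS endpoints, as an added example that is not part of the original post: it parses TLS 1.2 cipher suite names from a constructed inventory and ranks systems by harvest-now-decrypt-later exposure. The record fields, sample systems, planning figures (`years_to_quantum`, `migration_years`) and the use of Mosca's inequality as the ranking rule are assumptions.

```python
import re

# Public-key primitives the article names as breakable by Shor's algorithm.
SHOR_BROKEN = {"RSA", "DH", "DHE", "ECDH", "ECDHE", "ECDSA"}
ORDER = {"HNDL": 0, "REVIEW": 1, "MIGRATE": 2, "OK": 3}

def parse_suite(suite):
    """Split a TLS 1.2 suite name into (key exchange, auth, symmetric key bits)."""
    m = re.fullmatch(r"TLS_([A-Z]+)(?:_([A-Z]+))?_WITH_(\w+)", suite)
    if not m:
        return None  # e.g. TLS 1.3 names omit the key exchange: inspect the groups instead
    size = re.search(r"(?:^|_)(128|256)(?:_|$)", m.group(3))
    # auth defaults to the key exchange (TLS_RSA_WITH_...); 0 bits = size not in the name
    return m.group(1), m.group(2) or m.group(1), int(size.group(1)) if size else 0

def triage(records, years_to_quantum, migration_years):
    """Classify each record and sort the most urgent first."""
    findings = []
    for rec in records:
        parsed = parse_suite(rec["suite"])
        if parsed is None:
            findings.append({"system": rec["system"], "status": "REVIEW", "margin": 0})
            continue
        kex, auth, bits = parsed
        # Rule of thumb (Mosca's inequality): data is exposed when the years it must
        # stay secret plus the years needed to migrate exceed the quantum horizon.
        margin = rec["secret_years"] + migration_years - years_to_quantum
        if kex in SHOR_BROKEN and margin > 0:
            status = "HNDL"     # traffic recorded today is still sensitive when it becomes readable
        elif kex in SHOR_BROKEN or auth in SHOR_BROKEN:
            status = "MIGRATE"  # not a harvest target, but must change before the horizon
        else:
            status = "OK"
        findings.append({"system": rec["system"], "status": status, "margin": margin,
                         "grover_bits": bits // 2})  # Grover roughly halves symmetric strength
    return sorted(findings, key=lambda f: (ORDER[f["status"]], -f["margin"]))

# Constructed sample inventory; system names and lifetimes are illustrative only.
INVENTORY = [
    {"system": "build-cache", "suite": "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "secret_years": 1},
    {"system": "patient-portal", "suite": "TLS_RSA_WITH_AES_256_CBC_SHA", "secret_years": 25},
    {"system": "partner-api", "suite": "TLS_AES_128_GCM_SHA256", "secret_years": 7},
    {"system": "hsm-link", "suite": "TLS_PSK_WITH_AES_256_GCM_SHA384", "secret_years": 10},
]

if __name__ == "__main__":
    # Assumed planning figures, not values from the article.
    for f in triage(INVENTORY, years_to_quantum=10, migration_years=3):
        print(f)
```

A `REVIEW` result means the suite name alone does not reveal the key exchange, so the negotiated key-exchange group for that endpoint has to be recorded in the inventory separately.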
Get Started Today
Need help inventorying and measuring your post-quantum risks? GuidePoint Security can help. Our experts can help you determine where you are and design for a future with quantum-safe security in mind.
Shanan Winters is a Senior Product Marketing Manager at GuidePoint Security, where she helps make complex cybersecurity topics clear and engaging for customers and teams alike. She’s passionate about building strong messaging, connecting people, and turning technical details into stories that drive action. Based in Arizona, Shanan is also a published fiction author, artist, musician, and avid tabletop and PC gamer.