Quside Blog

Post Quantum Cryptography algorithms explained


24/07/2024

Post-quantum cryptography algorithms are emerging as a critical tool in modern cybersecurity as cryptography experts and policymakers worldwide look to combat the threat of malicious cyberattacks. As the danger rises, organisations increasingly seek to better defend themselves against the risk of future cyberattacks by leveraging new tools such as post-quantum cryptography and using quantum-sourced and monitorable random number generation to strengthen existing encryption algorithms.

Importance of post-quantum cryptography

Although still in its infancy, quantum computing represents a new and potentially transformative field of computation expected to have applications across several key industries. From drug discovery and materials science to finance, defence, space industries, and governmental services, quantum computers offer the prospect of accelerated speeds and a novel approach to computation that relies on the dynamics of quantum physics to solve problems and analyse data.

However, such significant innovations typically come with a hidden threat. The other side of the quantum coin is its danger to current cryptography, as new devices and algorithms emerge with the power to break some of today’s most widely used encryption schemes, potentially rendering organisations vulnerable.

Are Quantum Computing Threats Putting Your Security at Risk?

The threat posed by quantum computing stems from how we currently protect sensitive information in digital form, from emails and personal data to telecommunications and financial transactions. Public key encryption techniques rely on maths problems that are easy to compute in one direction (for example, encrypting with a public key) but computationally hard to reverse without the corresponding private key.

This is what gives algorithms like RSA and ECC their security: the computing power needed to solve the underlying problem, and so recover the private key or the plaintext, is so large that doing so is practically impossible.

But while this may be true for classical computers—including even the most powerful supercomputers—experts fear this won’t be true for quantum computers. When developed to sufficient reliability, size, and computational strength, quantum computers are expected to have the power to crack most of today’s commonly used encryption mechanisms.

However, outlooks differ on how far we are from quantum computers capable of breaking today’s cryptographic codes. Estimates of when this day (colloquially known as “Q-Day”) will arrive vary widely, from as little as two years to twenty years or more.

But even without a clear timeline, companies and governments are already taking preliminary action by researching alternative cryptographic algorithms, which, by construction, would be hard to crack for both classical and quantum computers.

One such effort, spearheaded by the National Institute of Standards and Technology (NIST), a US agency, resulted in the so-called post-quantum cryptography algorithms. These algorithms are believed to be both computationally hard to break and quantum-resistant, and they are intended to replace the current cryptographic standards to safeguard us against quantum cyber threats.

Exploring Post-Quantum Cryptography Algorithms

Post-quantum cryptographic algorithms still run on classical computers. However, these schemes and protocols are purposefully designed to withstand the prospective advances of quantum computers. Although such computers are not yet available, their emergence is predicted, and adversaries are thought to be already stockpiling encrypted information in wait for Q-Day: a tactic known as ‘harvest now, decrypt later’.

The concept of “harvest now, decrypt later” occurs when attackers use existing technology to capture encrypted data while it is in transit, store it, and then decrypt it at a later point in time when they can access computing resources that are powerful enough to break the encryption algorithm. In this way, attackers can access data with a long shelf life that was protected by an encryption mechanism considered secure at the time of harvesting but not years later, when the decryption takes place.

The potential magnitude of information disclosure would be immense, posing a significant threat to everyone, especially defence and military communication systems. The “harvest now, decrypt later” technique is heavily utilised by unlawful organisations, some state-backed, to capture the encrypted traffic of rival countries and companies and decrypt it once a quantum computer is built.

Given this threat, all institutions must be prepared to adopt new, quantum-safe cryptography solutions to withstand these attacks, especially when operating in critical sectors such as finance, healthcare, telecommunications, defence, space industries, and governmental services.

Approaches to Post-Quantum Cryptography Algorithms

Several mathematical approaches are currently being researched for use in post-quantum encryption.

  • Hash-based cryptography builds on cryptographic hash functions, which take an input or message and produce a fixed-size output, often called the hash value or hash digest. These functions are designed to be fast and deterministic yet infeasible to invert, and they address security goals such as data integrity, digital signatures, and password storage.
  • Lattice-based cryptography relies on the difficulty of solving specific problems related to lattice structures in mathematics, such as the ‘Shortest Vector Problem’ and ‘Learning with Errors’.
  • Code-based cryptography focuses on the hardness of decoding certain types of linear error-correcting codes. The underlying hard problem is recovering the error-free message from a received codeword that has been corrupted by noise or deliberate interference.
  • Multivariate polynomial cryptography is based on the hardness of solving systems of equations involving algebraic expressions with multiple variables. Experts believe these problems are suitable candidates for post-quantum cryptographic algorithms.
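To make the ‘Learning with Errors’ problem concrete, here is an added toy example (not Quside’s code and not any standardised scheme) of Regev-style LWE encryption of a single bit in Python. The parameters N, M and Q are chosen for readability, not security; the public key is a set of noisy linear equations in the secret, and decryption works because the accumulated noise stays below Q/4.

```python
import secrets

# Toy parameters (illustration only; far too small to be secure):
N, M, Q = 8, 16, 97      # secret dimension, number of LWE samples, modulus

def keygen():
    """Private key s; public key (A, b = A*s + e mod Q), where e is small noise.
    Recovering s from (A, b) is the LWE problem; without e it would be plain
    Gaussian elimination, so the noise is what makes the key hard to find."""
    s = [secrets.randbelow(Q) for _ in range(N)]
    A = [[secrets.randbelow(Q) for _ in range(N)] for _ in range(M)]
    e = [secrets.randbelow(3) - 1 for _ in range(M)]          # each e_i in {-1, 0, 1}
    b = [(sum(a * x for a, x in zip(row, s)) + ei) % Q for row, ei in zip(A, e)]
    return s, (A, b)

def encrypt(pk, bit):
    """Sum a random subset of the public samples and hide the bit at Q/2."""
    A, b = pk
    subset = [i for i in range(M) if secrets.randbits(1)]
    u = [sum(A[i][j] for i in subset) % Q for j in range(N)]
    v = (sum(b[i] for i in subset) + bit * (Q // 2)) % Q
    return u, v

def decrypt(s, ct):
    """v - <u, s> = (sum of subset errors) + bit*Q/2; |errors| <= M < Q/4 here,
    so the result lands near 0 for bit 0 and near Q/2 for bit 1."""
    u, v = ct
    d = (v - sum(x * y for x, y in zip(u, s))) % Q
    return 1 if Q // 4 < d < 3 * Q // 4 else 0

def roundtrip(trials=32):
    """Encrypt and decrypt both bit values repeatedly; True when every trial matches."""
    s, pk = keygen()
    return all(decrypt(s, encrypt(pk, bit)) == bit for _ in range(trials) for bit in (0, 1))
```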

All these algorithms require random numbers to work, making random number generation a pivotal element in post-quantum cryptography. When two parties want to communicate securely, they need to establish a shared secret key, one that can be used to encrypt and decrypt messages.

However, the system’s security could be compromised if the random numbers employed in those keys are predictable or biased. Thus, having access to quality random number generation is also crucial for companies looking to strengthen their encryption protocols using post-quantum algorithms.

Since its inception, cryptography has been searching for a truly random source for key generation. Quside’s quantum random number generators provide this by tapping into the randomness of quantum phenomena whose states are not deterministically predictable. Quside’s QRNGs provide the foundation businesses need to protect their information, delivering high-quality, fast, measurable randomness.

Moreover, assessing the quality of the randomness used in key generation is a pivotal monitoring task, ensuring that security is not undermined by predictability or bias in the numbers obtained from the entropy source. Quside is a pioneer in this crucial aspect, and all Quside’s QRNGs include Entropy Monitoring by default.
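The two paragraphs above describe the risk of predictable or biased random numbers and the need to monitor the entropy source; this added Python example (not Quside’s monitoring code) shows the structure of the two continuous health tests from NIST SP 800-90B, a Repetition Count Test for a stuck source and an Adaptive Proportion Test for a biased one, run over constructed sample streams. The assumed min-entropy per sample (H_ASSUMED) is a hypothetical source claim.

```python
import math
import secrets

ALPHA = 2.0 ** -20    # per-test false-alarm probability, as used in NIST SP 800-90B
H_ASSUMED = 7.0       # assumed min-entropy per 8-bit sample (a hypothetical source claim)
WINDOW = 512          # Adaptive Proportion Test window for non-binary sources

def rct_cutoff(h=H_ASSUMED, alpha=ALPHA):
    """Repetition Count Test cutoff: 1 + ceil(-log2(alpha) / H)."""
    return 1 + math.ceil(-math.log2(alpha) / h)

def apt_cutoff(window=WINDOW, h=H_ASSUMED, alpha=ALPHA):
    """Smallest c with P[Binomial(window, 2^-H) >= c] <= alpha."""
    p = 2.0 ** -h
    tail = 1.0                                  # P[X >= 0]
    for c in range(window + 1):
        tail -= math.comb(window, c) * p ** c * (1 - p) ** (window - c)
        if tail <= alpha:                       # tail is now P[X >= c + 1]
            return c + 1
    return window + 1

def repetition_count_test(samples, cutoff=None):
    """Fail when one value repeats 'cutoff' times in a row (a stuck source)."""
    cutoff = cutoff or rct_cutoff()
    run, last = 0, None
    for x in samples:
        run = run + 1 if x == last else 1
        last = x
        if run >= cutoff:
            return False
    return True

def adaptive_proportion_test(samples, window=WINDOW, cutoff=None):
    """Fail when a window's first value recurs 'cutoff' or more times in it (bias)."""
    cutoff = cutoff or apt_cutoff(window)
    for start in range(0, len(samples) - window + 1, window):
        win = samples[start:start + window]
        if win.count(win[0]) >= cutoff:
            return False
    return True

def health_check(samples):
    """Gate: only samples passing both continuous tests should feed key generation."""
    return repetition_count_test(samples) and adaptive_proportion_test(samples)

# Constructed sample streams (not real QRNG output):
GOOD = secrets.token_bytes(2048)                                      # OS randomness stand-in
STUCK = bytes([0x41]) * 2048                                          # source latched at one value
BIASED = bytes(0x41 if i % 2 == 0 else 0x7E for i in range(2048))    # no runs, one value dominates
```

The biased stream passes the repetition test but fails the proportion test, which is why both are run continuously rather than either alone.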

NIST Post-Quantum Cryptography Standardisation project

A key feature of post-quantum cryptography will be developing a set of standardised, quantum-resistant algorithms that can be widely adopted across different industries and applications. To that end, institutions are currently searching for and testing various candidate algorithms to address the problem before it occurs and orchestrating a coordinated transition into the coming post-quantum reality.

One of the main actors in this process worldwide is the US Department of Commerce’s National Institute of Standards and Technology (NIST), which in 2016 launched a “Post-Quantum Cryptography (PQC) Standardization” program and competition, calling on cryptographers to submit candidate algorithms for testing. The program has completed four successive rounds of collecting and sending out prospective algorithms for analysis and testing in the wider cryptographic community.

In July 2022, NIST chose four candidate quantum-resistant algorithms, expecting more to follow in the coming years. The project hit a rough patch when, only a month later, researchers announced they had broken one of the four encryption protocols, taking only an hour on a single-core classical computer.

More recently, in August 2023, NIST released draft standards for three of the four algorithms it selected in 2022 and said that the fourth draft would be released in the following year. NIST has since been collecting public comment and feedback on the three and says they will be ready for use in 2024.

In parallel with the increasing computational complexity of these algorithms, the demand for quality random number generation is only increasing, as security systems continue to suffer from insufficient entropy and increasingly predictable encryption keys.

That’s where Quside’s novel approach to using quantum mechanics to bolster existing cybersecurity systems comes in. Working for over a decade to advance the science of quantum entropy sources, Quside now has high-quality, scalable, and fast QRNG solutions that deliver superior quantum entropy sources to strengthen cryptography algorithms and meet the challenges of today’s and tomorrow’s encryption.

Learn more about NIST’s post-quantum cryptography in Quside’s free report and find out about Quside’s proprietary QRNG technology.

Applications for Post-Quantum Cryptographic Algorithms

The challenges in developing and implementing quantum-safe encryption are mounting. Beyond the testing and analysis of candidate algorithms, the thousands of internet-enabled devices within an organisation’s wider infosec system act as potential gateways for a malicious cyberattack and for the disruption of Operational Technology (OT). Thus, transitioning and migrating to wholly new PQC algorithms is a tough sell for organisations.

A critical application for PQC algorithms is securing communications channels through quantum-resistant encryption. Financial institutions, for example, will need to leverage PQC to protect sensitive transactions and data and ensure the confidentiality and integrity of information. The same applies to healthcare organisations regarding patient and medical data and government agencies regarding everything from citizen records to defence and national security.

Cloud computing services, intellectual property, and proprietary data also need to be protected. The proliferation of connected devices is another big area of concern, as the reliability of IoT found in systems such as smart grids and connected vehicles will need to be safeguarded through PQC.

The worldwide transition to a functional and practical set of PQC algorithms won’t be easy, nor will it happen overnight. But QRNG technology can meet this challenge with a disruption of its own: increased security through quantum mechanics. Companies can future-proof their cybersecurity with scalable QRNG that monitors entropy generation, enables more frequent key updates, and delivers a more crypto-agile infosec system for your business.

Challenges in the field of Post-Quantum Cryptography

The sheer number of systems to be converted to post-quantum cryptography is a significant challenge, as is the backward compatibility of the new PQC algorithms and their integration into existing systems and protocols.

The complexity of post-quantum cryptographic algorithms presents a further issue. Quantum-resistant algorithms are typically more computationally intensive, with larger key sizes, for instance, and more complex mathematical structures. Thus, PQC sharpens the trade-off between security and computational efficiency.

Another aspect to take into account is the implementation’s compliance. States, standards bodies, and policymakers require compliance with specific regulations and requirements. Because PQC algorithms are still maturing, stakeholders are requesting hybrid schemes that combine classical and PQC algorithms, so that a weakness in either one does not compromise the whole. This extra effort raises the complexity of implementations and deployments and puts pressure on the required resources.
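As an added illustration of the hybrid approach (example code, not Quside’s or any standard’s), the Python below combines a classical and a PQC shared secret with an HKDF-based concatenation combiner, so the session key remains secret as long as at least one of the two inputs does. The shared secrets and transcript are constructed stand-ins for what an ECDH exchange and a PQC KEM would produce; the length prefixes and the `hybrid-kex-v1` label are this example’s own conventions.

```python
import hashlib
import hmac

def hkdf(salt, ikm, info, length=32):
    """HKDF (RFC 5869) with SHA-256: extract a PRK, then expand it to 'length' bytes."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]

def hybrid_key(classical_ss, pqc_ss, transcript):
    """Concatenation combiner: if either shared secret is unknown to an attacker,
    the HKDF output is unpredictable. Each secret is length-prefixed so the split
    is unambiguous, and the handshake transcript binds the key to this exchange."""
    ikm = (len(classical_ss).to_bytes(2, "big") + classical_ss
           + len(pqc_ss).to_bytes(2, "big") + pqc_ss)
    return hkdf(salt=b"", ikm=ikm, info=b"hybrid-kex-v1|" + transcript)

# Constructed stand-ins for what ECDH and a PQC KEM would output (not real protocol runs):
CLASSICAL_SS = hashlib.sha256(b"constructed ECDH shared secret").digest()
PQC_SS = hashlib.sha256(b"constructed PQC KEM shared secret").digest()
TRANSCRIPT = b"client_hello|server_hello"
```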

The randomness the algorithms depend on is also poised to be a primary concern. Current cryptographic systems rely heavily on random number generators (RNGs) to generate the cryptographic keys that are vital to PQC systems.

Random number generators remain paramount even in the face of the prospective cyber threat from quantum computers. And sourcing random numbers (entropy) from quantum mechanics will inherently produce true random numbers.

Are you interested in discovering how quantum random number generation (QRNG) can secure your organisation? Quside’s dynamic monitorable QRNG can improve your cybersecurity today while preparing for a prospective quantum tomorrow.

Conclusion

Maintaining strong cryptographic security has always been a prime concern for businesses and governments. Still, post-quantum cryptography represents a fundamental and dramatic change in securing information and communication as we advance. Companies will need to prepare for the transition to a post-quantum world, and that will entail equipping themselves with the necessary cryptographic solutions, which could mean implementing QRNG into your infosec system today.

Find out how Quside can help you build a strong and secure foundation and future-proof your business against ever-evolving cyber threats. Contact Quside here.