Cybersecurity

Why the new NIST standards mean quantum cryptography may just have come of age

The new NIST standards render cyberattacks from quantum computers more difficult.

The new NIST standards render cyberattacks from quantum computers more difficult. Image: Getty Images/iStockphoto

Colin Soutar
Managing Director, Cyber Risk, Deloitte
Itan Barmes
Global Quantum Cyber Readiness Capability Lead, Deloitte
Filipe Beato
Lead, Centre for Cybersecurity, World Economic Forum
This article is part of: Centre for Cybersecurity
  • Quantum computing brings significant opportunity – and cybersecurity risks.
  • The new NIST post-quantum cryptography (PQC) standards are an important stepping stone on the transition to a quantum-secure economy.
  • Organizations working on their quantum cybersecurity must be guided by a coherent long-term strategy.

Quantum computing creates enormous economic and scientific opportunities, given its ability to significantly boost computing power. However, quantum computing – which employs quantum mechanics to solve some complex computing problems – can also render some of the current encryption algorithms obsolete, posing serious cybersecurity risks.

The current state of quantum technology overall is still nascent, but short- and long-term predictions suggest great potential for a technology that could open new opportunities in the cybersecurity area. While quantum computers are still in the development stage, experts expect that quantum computers will have encryption-breaking capabilities within the next decade, threatening the “security and privacy of individuals, organizations and entire nations”.

Discovery and use of quantum phenomena have paved the way for many technological innovations over the years such as semiconductors, lasers, and medical imaging systems. Today, quantum tends to be synonymous with three main pillars: quantum computing use cases; quantum-enabled security technologies such as quantum key distribution (QKD) and quantum random number generation (QRNG); as well as post-quantum cryptography (PQC).

Have you read?

Recently, the National Institute of Standards and Cryptography (NIST) released three highly anticipated post-quantum cryptography algorithm standards that were built to withstand cyberattacks from quantum computers. These standards can be used to “secure a wide range of electronic information, from confidential email messages to e-commerce transactions that propel the modern economy”, the US Department of Commerce’s National Institute of Standards and Technology (NIST) said in a statement.

How does PQC mitigate this quantum-computing threat?

This release of the NIST standards represents a pivotal milestone and in particular an essential step to help organizations deploy a quantum-secure transition journey as quantum computing continues to develop rapidly.

PQC uses new mathematics-based public-key cryptography algorithms that are designed to be impervious to attacks by Shor’s algorithm. These standards are ideal to help update the current cryptographic algorithms to be secure against (currently known) quantum attacks and can be implemented in software-based solutions within existing infrastructure. This allows an almost direct deployment across existing infrastructure with clear, global, reviewed and recognized standards. While ideal to migrate cryptographic algorithms to a quantum-secure version, they may also pose certain present performance drawbacks and may be challenged by potential developments in classical and quantum attacks (cryptoanalysis) that might impact the security of these schemes in the future.

What role can other technologies, like QKD and QRNG, play in mitigating the quantum threat?

Multiple efforts are being developed to help mitigate the quantum threat. These technologies do not represent a silver bullet, but they can be used individually or in combination for certain applications and use cases. In addition to PQC, there are other technologies that have also been garnering some attention, and that may help mitigate the risk posed by quantum to public-key cryptography: QKD and QRNG.

QKD develops physics-based quantum techniques to generate secure communication channels that can be used to distribute encryption keys. The protocol is believed to be immune to brute-force attacks, even with infinite computing power, and uses the principle of “superposition” to ensure that an eavesdropper cannot listen in to the communication unnoticed. This protocol is designed to exchange secret keys that are afterward used to encrypt the communication using quantum-secure algorithms. Thus, QKD may help to mitigate quantum risk, and can complement PQC and other cryptographic algorithms by providing a secure key distribution method. While the security benefits may be significant, the use of QKD requires significant financial investment in specialized hardware, have distance limitations and requires a separate authentication channel.

Loading...

QRNG leverages fundamental quantum properties to generate random numbers with high entropy. Randomness is a key part of cryptography. QRNG can potentially produce better validated entropic sources than conventional processes, which may enhance security under certain conditions. The generation of random numbers plays a crucial role in cryptography, for both the generation of cryptographic keys as well as within some algorithms. While classical random number generators (RNGs) are derived from some source of entropy (e.g. thermal noise), QRNGs are inherently random. Thus, QRNGs may improve the security of cryptographic systems in general, though they don’t specifically mitigate the quantum threat. In addition, some applications require repeatability, which is not possible for QRNGs.

How can hybrid solutions establish a pathway for the future?

With the multitude of solutions, depending on their use cases, organizations adopting quantum-resistant security may leverage hybrid solutions that integrate both classical and quantum-ready approaches. The hybrid solutions (systems with both classical cryptographic and quantum-based encryption components) also require organizations enhance their crypto-agility to build ongoing capabilities to evolve cryptographic standards and solutions. This crypto-agile approach requires taking a fresh look at cryptographic governance and exploring novel ways to deploy crypto-agile software frameworks and architectures. Of utmost importance is that organizations begin their quantum cyber readiness journey today by building out a strategy and roadmap today.

A quantum-secure transition requires a coherent long-term strategy.
A quantum-secure transition requires a coherent long-term strategy. Image: World Economic Forum

Five quantum-readiness principles

While the quantum-secure solutions and the hybrid approach helps organizations embrace the quantum-secure journey, its success requires that the cyber foundations and basics are in place. The five guiding principles above provide practical guidance to help organizations understand how to start their quantum-secure transition. It can help organizations understand where they are, identify gaps in their preparations to become quantum secure, and improve their initial steps to quantum security.

Discover

How is the Forum tackling global cybersecurity challenges?

Loading...
Don't miss any update on this topic

Create a free account and access your personalized content collection with our latest publications and analyses.

Sign up for free

License and Republishing

World Economic Forum articles may be republished in accordance with the Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International Public License, and in accordance with our Terms of Use.

The views expressed in this article are those of the author alone and not the World Economic Forum.

Stay up to date:

Cybersecurity

Share:
The Big Picture
Explore and monitor how Cybersecurity is affecting economies, industries and global issues
World Economic Forum logo

Forum Stories newsletter

Bringing you weekly curated insights and analysis on the global issues that matter.

Subscribe today

4 ways to advance equity in cyberspace

Kate Whiting

December 12, 2024

The top cybersecurity stories from 2024

About us

Engage with us

  • Sign in
  • Partner with us
  • Become a member
  • Sign up for our press releases
  • Subscribe to our newsletters
  • Contact us

Quick links

Language editions

Privacy Policy & Terms of Service

Sitemap

© 2024 World Economic Forum