Quantum computing threat: NIST publishes new quantum encryption standards

Ratings agency Moody’s has recently warned that companies are “woefully unprepared” for the impact of quantum computing; in particular, its impact on security. The US government has a program to help combat this risk and last month the National Institute of Standards and Technology (NIST), a US government agency, released three draft standards for algorithms designed to withstand an attack by quantum computer. This gives us a timely reminder that now is the time for organisations to take steps to prepare for the quantum computing threat.

What is the quantum computing threat?

The release of these draft standards is part of NIST’s drive to ensure a quantum-proof future and to guard against the risk posed to common encryption methods by quantum computing. Most modern security systems depend on public-key cryptography (PKC) which hides data behind complex mathematical problems that would take classical computers thousands of years to solve. Quantum computers, on the other hand, can solve these complex mathematical problems in a fraction of the time – rendering PKC useless. Additional background to this quantum computing risk is set out in our blog “Will you be ready when quantum beaks encryption” and in our podcast series available here.

What are NIST and other government organisations doing to prepare?

To protect against this, NIST has been working on a set of standards for quantum-proof encryption. This set of standards is made up of encryption algorithms, four of which were announced last July. This summer’s release of draft standards for three of the four algorithms is the latest development in NIST’s work.

Isn’t quantum a problem for tomorrow?

Much like Schrödinger’s cat, quantum computing simultaneously does and does not pose a risk to organisations now. That is to say, commercial-scale quantum computing is not yet a reality whilst simultaneously being an inevitability. Current predictions suggest commercial-scale quantum computing could be here anywhere from 2027 onwards; however, security experts are warning that it will take time for organisations to convert data and systems to new quantum proof products and services.

The increasing focus of government and regulator attention on quantum computing should also signal to organisations the importance of taking steps now to prepare.

What should you do to prepare?

There are a number of steps organisations can take now to prepare. These include:

• Ensuring that you understand what information is currently vulnerable to ‘harvest now, decrypt later’ attacks (where encrypted data is intercepted/copied now, and will be held until it can be decrypted using quantum technologies).
• Auditing encryption use on key data assets and develop a cryptography inventory (as not all encryption is impacted).
• Identifying high priority data, systems and hardware for transition to quantum-safe systems / products / services.
• Planning for a hybrid approach during transition (where both conventional and quantum-safe cryptography may be in operation).
• Considering the supply chain and export control risks associated with this change.

Note: In addition to the resources mentioned above, see the Digital Regulation Cooperation Forum’s ‘Quantum Technologies Insights Paper’ published earlier this summer for more background on the risks and opportunities presented by quantum technologies (including quantum computing).