The ETSI/IQC Quantum Safe Workshop returned last week after a one-year hiatus, held in-person at ETSI’s headquarters in the beautiful South of France. Regarded by many as the world’s premier event in quantum-safe security, the Workshop yet again brought together a diverse blend of talent, experience, and perspectives on the growing quantum threat to information security.
The first day of the three-day event was dedicated to the business leaders and decision makers who will drive quantum readiness within their industries. With representatives from finance, telecommunications, the semiconductor industry, system and software providers, governments, academia, and more, Workshop participants got to see exactly how far the quantum-safe message has spread across economic sectors and geographical boundaries. For some, it was surely an eye-opening experience.
In past Workshops, much of the first day (the Executive Track) was spent on articulating the quantum threat: explaining the basics of quantum computing, the state of the art, and the impact on security systems. Undoubtedly there are a great number of people who still need to hear that message, but it is evident that it has been heard, and is being taken seriously, by many. Even during the 2019 Workshop — the last time the Workshop was held in-person — there was a noticeable change in the audience’s attitude toward quantum computing, a shift from "if a large-scale, fault-tolerant, quantum computer arrives" to "when a large-scale, fault-tolerant, quantum computer arrives" (now more commonly called a Cryptographically Relevant Quantum Computer, or a CRQC). This year’s Workshop showcased a further evolution. Today’s attitude is one of action, a desire and willingness to take concrete steps towards quantum-safety.
A personal highlight from Day 1 of the Workshop was the Deployment of Quantum-Safe Solutions panel. The four panelists and moderator had an awesome discussion about the real-world difficulties of doing a quantum-safe migration, including the hidden complexities and the importance of incorporating a range of perspectives. For example, Bruno Couillard, CEO and CTO of Crypto4A, emphasized the need to consider requirements for a broader spectrum of use-cases. What might be great for an IT application can be a disaster for an OT application. This isn’t exactly a new idea for many of us, but there was something particularly impactful about him discussing the energy restrictions of pacemakers, critical, life-preserving pieces of technology, and how we need to be seriously considering how to secure things beyond an enterprise IT ecosystem.
The remaining two days (the Technical Track) were spent looking at the ongoing work around the world in quantum-safe cloud, PKI, secure communications, certification and validation, standards development, migration challenges and recommendations, cryptanalysis, and more. Again, when you take a step back and look at how broadly the issues of quantum-safe security are being taken, you can’t help but be at least a little awed. On the standards side, the presentation by NIST on the status of their PQC Standardization Process and the presentation by Matthew Campagna, Chair of ETSI’s Quantum-Safe Cryptography working group, were especially engaging.
It isn’t just due to steady progress in quantum computing development or the publication of startling cryptanalytic results. The desire for next-generation security is also spurred by the recent Quantum Computing Cybersecurity Preparedness Act, NIST’s announcement of which PQC algorithms they intend to standardize, and the NSA’s CNSA 2.0 announcement.
I’ll also add that we’re seeing more cross-industry and cross-domain collaboration. For example, a good portion of this year’s Workshop was dedicated to the intersection of PQC and QKD. In many ways these two disciplines have felt siloed from each other, and so the building of bridges between the two is welcomed. At the Workshop, the tremendous progress of QKD in places like Japan, Singapore, Europe, China, the UK, and Canada was showcased. The magnitude of work being done in both PQC and QKD right now is honestly impressive. And as further research is done into how the two approaches can be used together, it is possible we can eventually see another shift in the quantum-safe winds.
With so many different academic, government, and industry players coming together in one room, we’re bound to walk away with a broader understanding of the scale of this whole thing, and can’t help but feel a little nervous, and excited, about the amount of work that still needs to be done well before Y2Q.