The Future of Post-Quantum Cryptography: Standards and Applications

Inside Quantum Technology, to be held June 20-22, 2023, features ISARA’s CEO Atsushi Yamada on the panel "The Future of PQC: Standards and Applications." Atsushi joins moderator Francis Bellido, Quantum eMotion and fellow panelists Michael Redding, Quantropi Inc. and Sarah McCarthy, evolutionQ. We sat down with Atsushi to ask him to share some of his insights around post-quantum cryptography (PQC):

1. What do you see as the future of post-quantum cryptography?
Atsushi Yamada:
The future of PQC is the future of public-key cryptography. Today, the distinction between classical and post-quantum cryptography is that classical algorithms are still in use and PQC algorithms are still being standardized, they are not widely deployed, and a cryptography-breaking quantum computer is not yet available. Eventually, post-quantum cryptography will just be called public-key cryptography and classical cryptography will be called obsolete. 

The future of post-quantum cryptography will involve a coordinated effort among researchers, standards organizations, industry stakeholders, and policymakers. As quantum computers advance, the need for robust post-quantum cryptographic solutions will become increasingly crucial to safeguard our digital infrastructure and protect sensitive information. The future of PQC will entail several important developments and advancements:

  • Adoption and standardization. One of the primary goals of post-quantum cryptography is the adoption of algorithms to replace current quantum-vulnerable standards. The initial selected cryptographic algorithms are currently going through a standardization process to establish a set of widely accepted and recommended algorithms based on various cryptographic primitives.
  • Integration into existing systems. The transition to post-quantum cryptography requires the integration of new cryptographic algorithms into existing systems and protocols. This will involve updates to software libraries, protocol standards, network infrastructure, and other components to support the use of quantum-resistant algorithms.
  • Hybrid approaches. In the transition period to post-quantum cryptography, hybrid approaches will be employed — such as ISARA’s Catalyst™ Crypto Agile PKI — combining classical algorithms with post-quantum algorithms. This allows for backward compatibility with existing infrastructure while providing an additional layer of security against quantum attacks.

2. What's the latest on the PQC standards front?
Atsushi Yamada: We are expecting NIST to release draft standards of the selected PQC algorithms later this calendar year. There will be a period of public review and commenting before the final standards are eventually released, probably next year some time. NIST also recently closed its call for proposals for new signature algorithms as well (they are looking to diversify their current selection), and we are looking forward to seeing those proposals.

There is a possibility that there will be material differences between the initial drafts and the final standards, and organizations would be wise to keep that in mind. However, NIST has been doing a very good job of conducting an open and engaging standardization process. There has been a tremendous amount of publicly available analysis from the community, and NIST’s thought processes have been well documented in its end-of-round reports. 

3. What can you tell me about the effects of the Quantum Computing Cybersecurity Preparedness Act on U.S. (and Canadian) government agencies? Enterprises?
Atsushi Yamada:
The signing of the act shows leadership and creates momentum for a wide-scale migration. Executive government agencies are showing that they are taking the quantum threat seriously, which signals to other elements of government and industry that quantum preparedness is to be prioritized as soon as possible. What we can expect is something of a cascading effect, where more and more agencies and enterprises follow the examples set out by the migration frontrunners.

4. What are a few of the big cryptographic risks if organizations don't take action?
Atsushi Yamada: It is more about when organizations take action. There are a lot of factors that influence when an organization begins its migration, but perhaps the most significant factor is its risk appetite. How valuable is the asset being cryptographically protected? What are the consequences of a successful attack against that asset? What are the costs of making current protections quantum-safe? These are some of the questions they need to answer. 

There are plenty of other risks as well. Being quantum-safe might be required by regulations, it could be required for certain kinds of cyber insurance or contractual agreements, etc. Not becoming quantum-safe will limit an organization’s future ability to do business. 

I want to caution against performing a rushed migration. Be methodical. Plan it out. We have time, so take time. A rushed migration will inevitably have errors, be incomplete, and will probably cause unintended and costly business disruption.

5. How do you see the quantum-safe migration evolving?
Atsushi Yamada: I see it as being a phased migration. The highest value or highest risk assets will be migrated first, with lower risk assets following suite over some period. Many in the industry are expecting that multiple migrations will be required over time, and so it makes good sense to build in crypto agile mechanisms now to ease those future migrations.

We often talk about how currently deployed cryptography is buried in the software stack and that digging it up and changing it is something of an archaeological journey. If we must migrate again in the future, why double our costs? Why not set it up now so that it is easier and cheaper to do again later?

I mentioned before that quantum-safe migrations should not be rushed. I think a distinct advantage to a phased migration approach is that it allows organizations to amortize their costs. Instead of one massive up-front expenditure, spread the cost over some number of years, limit the errors or disruptions, and reduce your overall cost.

Another thing to note about the evolution of quantum-safe migrations is that eventually the migration plans will have to be reconciled with the other roadmaps of the organization. How does the migration relate to other planned technological or architectural changes? For example, if you are migrating to a Zero Trust Architecture, how can you take advantage of your quantum-safe migration plan to optimize both migrations?