In today’s hyper-connected world, the security of our digital interactions hinges on cryptography. From online banking and secure communications to protecting critical infrastructure and sensitive government data, encryption algorithms like RSA, AES, and ECC form the bedrock of digital trust. However, a significant technological advancement is on the horizon: the development of powerful quantum computers. While holding great promise for scientific discovery, this new form of compute processing also presents a potential challenge to our current public-key cryptographic standards, necessitating a forward-thinking evolution in how we protect information.
The need to prepare: Addressing the quantum challenge to cryptography
For decades, people have relied on public-key cryptography based on mathematical problems considered intractable for classical computers. Factoring large numbers (the basis of RSA encryption) or computing discrete logarithms (used in ECC and Diffie-Hellman) would take traditional computers millennia to solve for the key sizes used today. This computational difficulty ensures the confidentiality and integrity of encrypted data.
Quantum computing changes everything. Unlike classical computers that use bits representing 0s or 1s, quantum computers use qubits that can exist in multiple states simultaneously (superposition) and can be linked together (entanglement). These properties allow them to perform certain calculations exponentially faster than classical computers. Crucially, Peter Shor’s algorithm, developed in 1994, demonstrated that a sufficiently powerful quantum computer could efficiently solve the very mathematical problems underpinning RSA and ECC, rendering them insecure.
While fault-tolerant quantum computers capable of executing Shor’s algorithm on relevant key sizes do not yet exist, the potential impact requires proactive consideration and planning.
Enter post-quantum cryptography (PQC)
PQC, sometimes referred to as quantum-resistant or Shor-resistant cryptography, refers to the development and deployment of cryptographic algorithms believed to be secure against attacks by both classical and quantum computers.
Instead of relying on the number-theoretic problems that Shor’s algorithm solves efficiently, PQC algorithms are built on different mathematical problems for which no efficient quantum or classical attack is currently known. These include problems related to:
- Lattice-based cryptography: Based on the difficulty of finding specific points in high-dimensional geometric structures called lattices
- Code-based cryptography: Relies on the difficulty of decoding random linear codes
- Hash-based cryptography: Uses cryptographic hash functions to build signature schemes
- Multivariate cryptography: Based on the difficulty of solving systems of multivariate polynomial equations
Recognizing this technological shift, organizations like the U.S. National Institute of Standards and Technology (NIST) have undertaken a multiyear initiative to solicit, evaluate, and standardize PQC algorithms for public-key encryption, key establishment, and digital signatures. In August 2024, NIST published the following PQC standards: FIPS-203 ML-KEM, FIPS-204 ML-DSA, and FIPS-205 SLH-DSA.
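As an added illustration of the hash-based family listed above (this is example code, not from the article or from any NIST standard), here is a Lamport one-time signature in Python built from nothing but SHA-256. It shows the core idea that SLH-DSA elaborates on and, through `signature_size`, why hash-based signatures are comparatively large; it assumes only the standard library.

```python
import hashlib
import secrets

# Constructed example: a Lamport one-time signature over SHA-256.
# Security rests only on the hash function's preimage resistance, which is
# what places it in the hash-based family; SLH-DSA (FIPS 205) builds a far
# larger stateless scheme on the same principle.
# A Lamport key pair must sign exactly ONE message: every signature reveals
# half of the secret values, so a second signature would let a forger mix them.

N = 256  # one secret pair per bit of the SHA-256 digest


def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def keygen():
    # secret key: N pairs of random 32-byte preimages
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(N)]
    # public key: the hash of every secret value (2 * N * 32 bytes = 16 KiB)
    pk = [(H(a), H(b)) for a, b in sk]
    return sk, pk


def message_bits(msg: bytes):
    # the message is hashed first so that every message maps to exactly N bits
    d = H(msg)
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(N)]


def sign(sk, msg: bytes):
    # for each digest bit, reveal the preimage selected by that bit
    return [sk[i][bit] for i, bit in enumerate(message_bits(msg))]


def verify(pk, msg: bytes, sig) -> bool:
    # each revealed preimage must hash to the public value the bit selects
    if len(sig) != N:
        return False
    return all(H(sig[i]) == pk[i][bit] for i, bit in enumerate(message_bits(msg)))


def signature_size(sig) -> int:
    # N revealed 32-byte values: 8192 bytes for a single signature
    return sum(len(s) for s in sig)
```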
Why preparing now is prudent
While the full realization of quantum computing’s potential impact on cryptography may seem distant, addressing the transition to PQC proactively offers significant advantages and mitigates potential risks:
- Managing complex transition timelines: Updating cryptographic infrastructure across an organization is a significant undertaking. It involves identifying all instances of vulnerable cryptography, assessing dependencies, testing new algorithms, and deploying updates across diverse hardware, software, and protocols. This process can take many years, especially for large or complex systems. Starting early enables a more structured and manageable migration, avoiding rushed efforts later. Similar large-scale transitions (like Y2K or IPv6 adoption) highlight the need for ample preparation time.
- Ensuring long-term security for durable assets: Many systems and data assets have operational lifespans spanning decades. Critical infrastructure, long-lived IoT devices, archival data, and foundational digital identities require cryptographic protection that will remain robust well into the future. Incorporating PQC into the design and planning phases for these long-term assets is essential for ensuring their continued security.
- Aligning with evolving standards: As NIST finalizes its PQC standards and potential mandates emerge (particularly in government and regulated sectors), organizations will need to adopt these new algorithms. Early engagement and planning facilitate alignment with upcoming requirements and reduce the potential for compliance challenges down the line.
- Maintaining confidence in digital interactions: The security provided by cryptography is fundamental to the trust we place in digital systems for commerce, communication, and essential services. Proactively transitioning to PQC demonstrates a commitment to security and helps maintain confidence in our digital infrastructure as technology evolves.
Navigating the transition: preparing for a quantum-resistant future
Transitioning to PQC is a strategic process that requires careful planning and execution. Organizations should consider starting their preparations now by taking steps such as:
- Inventorying cryptographic usage: Identify where public-key cryptography is used within systems and applications. Understand the types of data being protected and their required security longevity.
- Assessing risk and prioritization: Evaluate the potential impact of a cryptographic compromise on different data types and systems. Prioritize assets that require long-term confidentiality.
- Monitoring standards and guidance: Stay informed about NIST PQC standards and guidance from relevant industry bodies and regulators.
- Planning for crypto-agility: Design systems and protocols to be “crypto-agile,” allowing for flexible support and easy switching between different cryptographic algorithms. This adaptability is key for both the current transition and future cryptographic updates.
- Engaging with partners and vendors: Discuss PQC roadmaps and support plans with technology vendors, hardware providers, and cloud service providers.
- Piloting and testing: Begin experimenting with PQC algorithms in non-production environments to understand their performance characteristics and integration requirements.
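The inventory, risk-assessment and prioritization steps above, worked through as an added Python example (not the article's own tooling): it classifies constructed asset records by whether their algorithm family is affected by Shor's algorithm and orders them for migration. The family sets, the ten-year planning horizon and the sample assets are assumptions to replace with your own estate's data.

```python
from dataclasses import dataclass

# Assumed algorithm-family groupings; extend to match what your inventory finds.
SHOR_VULNERABLE = {"RSA", "DSA", "DH", "ECDH", "ECDSA", "X25519", "Ed25519"}
PQC_STANDARDS = {"ML-KEM", "ML-DSA", "SLH-DSA"}  # FIPS 203, 204 and 205
SYMMETRIC = {"AES", "ChaCha20", "HMAC", "SHA-256"}


@dataclass(frozen=True)
class Asset:
    name: str
    algorithm: str            # family name as inventoried, e.g. "RSA"
    purpose: str              # "confidentiality" or "authentication"
    data_lifetime_years: int  # how long the protected data must stay secure


def classify(algorithm: str) -> str:
    if algorithm in PQC_STANDARDS:
        return "pqc"
    if algorithm in SHOR_VULNERABLE:
        return "shor-vulnerable"
    if algorithm in SYMMETRIC:
        return "symmetric"
    return "unknown"  # an inventory gap: cannot be assessed until identified


def priority(asset: Asset, horizon_years: int = 10) -> int:
    """Lower number means migrate sooner (1 = urgent, 4 = already done)."""
    kind = classify(asset.algorithm)
    if kind == "pqc":
        return 4                  # already on a published PQC standard
    if kind == "symmetric":
        return 3                  # not broken by Shor's algorithm
    if kind == "unknown":
        return 2                  # identify first, then reassess
    # Shor-vulnerable: confidentiality that must outlast the assumed horizon
    # comes first, since ciphertext recorded today could be decrypted later.
    if asset.purpose == "confidentiality" and asset.data_lifetime_years > horizon_years:
        return 1
    return 2


def prioritised_inventory(assets, horizon_years: int = 10):
    return sorted(assets, key=lambda a: (priority(a, horizon_years), a.name))


# Constructed sample inventory (not real systems).
SAMPLE = [
    Asset("vpn-gateway", "ECDH", "confidentiality", 1),
    Asset("archive-backup", "RSA", "confidentiality", 25),
    Asset("code-signing", "ECDSA", "authentication", 5),
    Asset("disk-encryption", "AES", "confidentiality", 25),
    Asset("pilot-kem", "ML-KEM", "confidentiality", 25),
    Asset("legacy-mq", "?", "confidentiality", 3),
]
```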
Conclusion: Proactive preparation is key
The advancement of quantum computing presents a significant, albeit manageable, challenge to our current digital security foundations. Post-quantum cryptography provides the necessary tools to adapt to this evolving landscape. Undertaking the PQC transition requires foresight, careful planning, and investment starting today. Addressing potential long-term data security risks and preparing for the complexities of migration means that PQC is not solely a future concern, but a relevant consideration for organizations committed to protecting their data and ensuring the continued trustworthiness of their digital operations. Beginning the journey toward a quantum-resistant future is a prudent step for long-term resilience. For a deeper dive into how we’re addressing PQC as well as building agile and secure networks for the next era, explore our approach today.