Post-Quantum Security: What companies need to know now

By Dominik König
May 22, 2025

It's been known for a long time that quantum computers can break the cryptographic algorithms we currently use, such as RSA – time to adapt your security strategy.

The concept of quantum computers and their applications has been known since the 1980s. For a long time, this concept remained theoretical. Over the past decade, however, computer and technology companies have been supported by governments and research organizations around the world, leading to enormous progress in the development of quantum computers. Although quantum computers do not solve everyday tasks better than classical computers, they can solve specific problems much more efficiently. Quantum computers will achieve significantly better results than classical computers, particularly in the areas of optimization, simulation, and machine learning.

Quantum computing poses a particular threat because it can efficiently solve some mathematical problems that are currently believed to be nearly impossible to solve with classical computers. For example, quantum computers can efficiently factor large numbers. This ability threatens the security of many currently used cryptographic methods, especially those based on mathematical problems like factorization and discrete logarithms. Encryption methods such as RSA and ECC, which are widely used today to secure our data, could be broken in a very short time by powerful quantum computers. Likewise, digital signatures such as DSA, key exchange methods like DH or ECDH(E), and hash function codes are at risk.

Due to this fundamental threat to modern cryptographic methods, the cybersecurity industry has been transforming for years, and methods that are secure against both classical and quantum computers are being developed. Such quantum-resistant algorithms are called post-quantum secure algorithms and belong to the domain of post-quantum cryptography (PQC).

Classical Cryptography, PQC, and Quantum Cryptography

To understand how companies can protect themselves against the threat of quantum computers, it is important to categorize cryptographic methods into three distinct fields of cryptography:

  • Classical Cryptography (C): This includes currently used encryption methods such as RSA, ECC, and AES. The security of asymmetric methods is based on mathematical problems that are difficult to solve with classical computers. Their security properties can be broken or severely compromised by quantum computers.
  • Post-Quantum Cryptography (PQC): PQC refers to cryptographic algorithms that are resistant to attacks by both classical and quantum computers but can be executed on classical computers. These algorithms are secure because they are based on different mathematical problems that are hard for quantum computers to solve, such as lattice problems or code-based problems.
  • Quantum Cryptography (QC): A completely different concept, quantum cryptography uses the principles of quantum mechanics to create secure algorithms and protocols. Well-known examples include Quantum Key Distribution (QKD) and the generation of random numbers (RNG). Here, security is not based on mathematical problems but on the physical properties of quantum theory. In contrast to PQC algorithms, which can run on existing hardware, quantum cryptographic methods are currently impractical because they require quantum computers to execute.

[Figure: Development of Cryptographic Methods]

Why PQC Is Relevant Now

Even though quantum computers capable of breaking modern cryptography do not yet exist, companies must begin preparing for the transition to PQC now. No one knows exactly when powerful quantum computers will become available, and it is conceivable that some organizations (e.g., intelligence agencies) could keep their capabilities secret for a long time.

As part of the standardization process for PQC algorithms by the National Institute of Standards and Technology (NIST), the first standards have already been published. Additional post-quantum methods that will be included in the standard have already been selected. However, the full implementation and migration to new cryptographic algorithms could still take many more years or even decades. Past experiences, such as the TLS migration, have proven this. Therefore, companies should not wait any longer and should begin now to assess their security infrastructure and plan strategies for gradually transitioning from classical to PQC algorithms.

Store-Now, Decrypt-Later Attack

Another urgent risk is the so-called “store-now, decrypt-later” attack. In this scenario, attackers intercept encrypted data to decrypt it later using a quantum computer. This poses a significant risk, especially for sensitive data with a long lifespan.

How Companies Can Prepare for PQC

To adequately counter the threat, companies must act today to secure their data and communication channels for the future. For companies looking to prepare for the threat of quantum computers, the following steps are particularly important:

  • Risk Assessment: Identify which data and systems are most vulnerable to attacks by quantum computers.
  • Migration Planning: It is advisable to develop a plan to gradually integrate PQC into existing security systems, e.g., by defining corresponding requirements and incorporating them into specifications. This also includes working with vendors to ensure that future software updates support PQC.
  • Monitoring Standards: Companies should closely follow developments and standards in the PQC space, especially the NIST standards.
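
A first pass at the risk assessment step, as an added example that is not from the original article: it parses TLS cipher suite names from a constructed inventory, flags key exchanges built on the algorithms the article lists as quantum-vulnerable, and ranks them by how long the data must stay confidential, which is what store-now, decrypt-later exposure depends on. The system names, lifetimes and status labels are assumptions made for illustration.

```python
import re

# Algorithms the article lists as breakable by quantum computers, as they
# appear in IANA TLS 1.2 suite names (DSS is the suite-name spelling of DSA).
QUANTUM_VULNERABLE = {"RSA", "DSA", "DSS", "DH", "DHE", "ECDH", "ECDHE", "ECDSA"}

# Constructed sample inventory: (system, negotiated suite, years data must stay secret)
INVENTORY = [
    ("web-shop", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", 2),
    ("api-gateway", "TLS_AES_256_GCM_SHA384", 10),
    ("hr-archive", "TLS_RSA_WITH_AES_256_CBC_SHA", 30),
    ("legacy-vpn", "TLS_DHE_DSS_WITH_AES_128_CBC_SHA", 15),
    ("sensor-bus", "TLS_PSK_WITH_AES_256_GCM_SHA384", 5),
]

# Hypothetical status labels and their review order.
RANK = {"harvest-risk": 0, "check-key-exchange-group": 1, "no-listed-algorithm": 2}

def parse_suite(name):
    """Return (key_exchange, authentication) from a TLS suite name."""
    m = re.fullmatch(r"TLS_(.+)_WITH_.+", name)
    if m is None:
        # TLS 1.3 names carry only cipher and hash; the key exchange group
        # is negotiated separately and must come from another data source.
        return None, None
    parts = m.group(1).split("_")
    return parts[0], parts[-1]  # "RSA" alone means RSA for both roles

def triage(inventory):
    findings = []
    for system, suite, lifetime in inventory:
        kx, auth = parse_suite(suite)
        if kx is None:
            status = "check-key-exchange-group"
        elif kx in QUANTUM_VULNERABLE:
            # Recorded traffic can be decrypted once the key exchange breaks.
            status = "harvest-risk"
        else:
            status = "no-listed-algorithm"
        findings.append({"system": system, "kx": kx, "auth": auth,
                         "status": status, "lifetime": lifetime})
    # Vulnerable key exchanges first, longest-lived data at the top.
    return sorted(findings, key=lambda f: (RANK[f["status"]], -f["lifetime"]))

if __name__ == "__main__":
    for f in triage(INVENTORY):
        print(f"{f['system']:<12} {f['status']:<26} {f['lifetime']:>3}y")
```

TLS 1.3 entries land in the middle bucket because the suite name alone does not say whether a classical or a post-quantum key exchange group was negotiated.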

Preparing for PQC is a long-term process that requires careful planning and ongoing adaptation. Companies that begin preparation today will be better protected against future threats and can ensure that their data remains secure even in a world with quantum computers.

If you have questions about post-quantum cryptography or need support in transitioning your company, the experts at FortIT AG are here to help. With workshops and consulting, we accompany you on the path to post-quantum secure digital business processes.