Op-Ed: Post-quantum cryptography algorithms are here – now what?

According to the Australian Department of Industry, Science and Resources, Australia’s quantum opportunity is immense. The nation has been recognised as a global leader, home to some of the best minds in quantum research and applied technology.

With great progress comes an even greater threat

While we haven’t fully entered the quantum era yet, technology is progressing rapidly, and it won’t be long before a quantum cyber attack becomes a real possibility. This is why leaders and researchers around the world are working on uncovering the next innovation in quantum security – and great progress is being made.

In August 2024, the National Institute of Standards and Technology (NIST) announced it had finalised the principal set of encryption algorithms. Based on post-quantum cryptography (PQC) technology, the algorithms are designed to withstand cyber attacks from a quantum computer.

This breakthrough is a big deal across the globe, including here in Australia. The algorithms will become the benchmark for the Australian Signals Directorate (ASD) to set our regional standards against a fast-emerging threat landscape.

Quantum cyber attacks outsmart today’s security

The potential threats set to come from quantum computing will be like nothing we have experienced before. Armed with quantum power to break traditional encryption algorithms, cyber criminals will be able to analyse massive amounts of data, crippling large networks in a matter of minutes. Everything we rely on today to secure our connections and transactions – keys, certificates, and data – will be at risk.

Thales’ 2024 Data Threat Report shows that almost a quarter of Australian organisations consider PQC as the greatest concern to their security program. Harvest-now-decrypt-later (HNDL) attacks are driving the most immediate worries around quantum computing as they enable criminals to collect encrypted data today with the intention of decrypting it in the future, when the capabilities become available.

VIEW ALL

Australian IT and security professionals are also heavily concerned with future encryption compromise (65 per cent), key distribution (63 per cent) and risk of network decryption (52 per cent).

Which industries are at risk?

All organisations that are data-dependent or rely heavily on digital networks are at risk, but certain industries are particularly vulnerable to quantum attacks. This is in part due to the lifespan of the data or keys, as well as the HNDPL strategy being employed by cyber criminals.

Any software requiring authentication for smart devices in IoT, confidential communications using VPN, digital identities used by governments and enterprises to validate users, as well as any keys or data with a long lifespan, such as medical devices, are particularly of concern.

A new approach to digital security

Post-quantum cryptography, also known as quantum-resistant cryptography (QRC), focuses on developing cryptographic algorithms and protocols able to stand up to quantum computing power.

These cryptographic algorithms derive their security from mathematical problems considered difficult for both classical and quantum computers. They offer a low-cost, practical path to maintaining the properties of secure communications.

PQC will soon make the encryption foundations we have relied upon for decades obsolete; this means organisations will need to completely rethink how they approach digital security.

Many Australian organisations have already started investigating PQC. Over half plan to improve cryptographic agility in the next 12 to 18 months, enabling new ciphers to be added more easily, while just under half intend to prototype or evaluate PQC algorithms.

But a lot more needs to be done.

Prepare for the post-quantum world, now

Generally, organisations take a couple of years to implement change throughout their infrastructure. Preparing for a PQC world means taking the steps now to protect data, intellectual property, and more against hackers using quantum computers.

There are three key things organisations should focus on right now:

1. Evaluate risk exposure, assess crypto inventories, and overall PQC readiness. All too often, organisations don’t know where their keys are, where encryption is being used, or which data is being protected and how.
   
   
2. Create a hybrid risk-mitigation plan that depends on both classical and quantum-safe algorithms. Businesses that wait until quantum computers become available to get their house in order face a recipe for years of theft, compromise, and a risk of non-compliance with quantum regulations.
   
   
3. Prepare for quantum-safe architecture, including support for new encryption algorithms such as those released by the NIST. This can be done by looking at all the applications that manage sensitive information: how would those applications still work if an algorithm was changed? Or what would be required to make them work?

There’s no doubt becoming quantum-ready will be a massive undertaking for organisations on a global scale; Thales has been preparing for this moment for well over a decade. While learning to harness the power of quantum computers, we must also prepare to guard against many new risks and dangers that come with it, particularly when it comes to data and identities – the core of our global digital society.