Migration Toward Post-Quantum Cryptography: A Call to Action
As advancements in quantum computing progress, the urgency for organizations to shift to post-quantum cryptographic standards is becoming increasingly apparent. Recent estimates indicate that the computational power required to break current public key encryption algorithms is dropping significantly. This has prompted a collective effort from various technology companies and organizations to encourage users to commence their migration to more secure cryptographic methods.
The Post-Quantum Cryptography Coalition’s Roadmap
To facilitate this transition, the Post-Quantum Cryptography Coalition (PQCC) has published a comprehensive migration roadmap. This document is designed to assist organizations as they navigate the stages of adopting post-quantum cryptographic standards. Wen Masters, Vice President of Cyber Technologies at MITRE, underscored the critical nature of preparing for these changes, emphasizing that organizations cannot afford to delay in their efforts to safeguard their data against potential quantum threats.
MITRE is proud to be among the coalition’s founding members, which also includes noted entities like SandboxAQ, PQShield, IBM Quantum, and Microsoft.
Recent Developments in Quantum Computing
The urgency of the roadmap’s release was compounded by the results of a recent paper authored by Craig Gidney from Google Quantum AI. This research has dramatically lowered the estimated quantum computing power needed to crack RSA-2048 encryption. Initially, a 2019 paper suggested that a quantum computer with 20 million noisy qubits could break 2048-bit RSA keys in a matter of hours. The new findings indicate that it could be achieved in under a week with less than a million qubits.
In a blog post, Gidney emphasized that the available quantum computers today have around 100 to 1,000 qubits. The National Institute of Standards and Technology (NIST) is actively working on the development of post-quantum algorithms, which are anticipated to withstand the onslaught of powerful quantum computing. Given this progress, Gidney insists that organizations should begin their migration in alignment with NIST’s advised timelines.
Urgency of Transition
In a report from November 2024, NIST highlighted the significance of beginning the transition to post-quantum cryptography today, even if full-scale quantum computers are still years away. The advisory suggests that organizations risk exposing their encrypted data if they wait too long to make this shift. NIST aims for widespread post-quantum cryptography adoption by 2035, though certain applications may require even earlier implementation.
Currently, only three standards—SSH, TLS 1.3, and IKE/IPSec—have seen some level of adoption. The PQCC has issued a standards adoption heatmap to illustrate the progress in this area.
Detailing the Migration Process
The PQCC roadmap comprises four distinct phases, designed to aid Chief Information Officers (CIOs) and Chief Information Security Officers (CISOs) in taking decisive action to protect sensitive information effectively.
1. Preparation
This initial phase focuses on defining the migration objectives, appointing a migration lead, identifying key stakeholders, and ensuring that everyone is aligned through clear strategic messaging.
2. Baseline Understanding
Organizations should inventory their data and prioritize which assets need updating. This phase requires understanding available resources and budgeting for the migration process.
3. Planning and Execution
Here, organizations need to collaborate with system vendors and internal teams to either procure or develop post-quantum solutions. Effective implementation is critical to the success of this phase.
4. Monitoring and Evaluation
The final phase calls for establishing metrics to track the migration’s progress and devising a mechanism for assessing cryptographic security as quantum capabilities advance.
The roadmap concludes by stressing the importance of strategic planning, stakeholder engagement, and ongoing monitoring. As technology evolves, organizations need to remain flexible and aware of updated guidance to ensure a successful transition to post-quantum cryptography.
Transitioning to post-quantum cryptographic standards is not just a technical upgrade; it is a vital step toward securing sensitive data in an era where quantum computing capabilities are rapidly advancing. The implications for organizations that delay this shift can be severe, making proactive steps essential in securing digital assets for the future.
