Post-Quantum Cryptography
Breakthroughs in quantum computing are arriving at a rapid pace and promise to transform technology, but they also pose a deep threat to the cryptography that underpins our digital world. The public-key techniques that today protect everything from internet banking to state secrets could be broken once a sufficiently powerful quantum computer exists.
This new reality has pushed the worldwide cybersecurity community to investigate post-quantum cryptography (PQC), a new generation of cryptographic algorithms designed to withstand attack by quantum computers. How prepared are we for this shift? What challenges lie ahead, and what are governments and organizations doing to prepare for PQC?
Drawing on the most recent advice from leading bodies such as the UK's National Cyber Security Centre (NCSC), this article surveys PQC and what it is likely to mean for companies, governments, and everyday users.
The Quantum Threat: Why Current Cryptography is at Risk
Public key cryptography (PKC) algorithms such as RSA, the Elliptic Curve Digital Signature Algorithm (ECDSA), and Diffie-Hellman key exchange form the basis of today's digital security. They rely on mathematical problems (integer factorization and discrete logarithms) that are computationally infeasible for classical computers, and they underpin secure communication, digital signatures, and authentication.
Quantum computers process information using quantum-mechanical effects and can perform some tasks that classical computers cannot. In particular, Shor's algorithm lets a sufficiently powerful quantum computer solve the integer factorization and discrete logarithm problems (including the elliptic-curve variant) in polynomial time, which breaks RSA, Diffie-Hellman and elliptic-curve schemes alike.
As the UK's NCSC emphasizes in its August 2024 guidance, a cryptographically relevant quantum computer (CRQC), a machine able to break these schemes, does not yet exist and remains a hard engineering problem; the NCSC nonetheless treats its eventual arrival as a prospect that must be planned for if quantum research continues at its current pace.
This creates two significant risks:
• Harvest now, decrypt later: Sensitive data that is encrypted today and recorded by an adversary can be decrypted later, once a CRQC exists. This is especially dangerous for organizations protecting high-value, long-lived secrets, and it is why PQC adoption cannot wait until a CRQC actually appears.
• Digital signature forgery: Once a CRQC exists, it can recover signing keys from public keys and forge digital signatures, letting attackers impersonate parties, tamper with data integrity, and undermine trust systems such as PKI and code signing. Unlike the confidentiality threat, this is not retroactive: signatures verified today remain sound, but signature schemes must be replaced before a CRQC arrives, which makes post-quantum signature solutions imperative as well.
What is Post-Quantum Cryptography (PQC)?
To meet this threat, PQC aims to provide algorithms that resist both classical and quantum attack. Unlike conventional PKC, PQC is built on mathematical problems that are conjectured to be hard even for quantum computers, for example structured lattices (ML-KEM, ML-DSA) and hash functions (SLH-DSA). PQC algorithms run on ordinary classical hardware; no quantum computer is needed to use them.
The NCSC stresses that PQC algorithms are not drop-in replacements. Their keys, ciphertexts and signatures are larger and their failure modes differ, so integration demands deliberate system redesign, testing, and gradual migration, and organizations need to prepare well in advance for a post-quantum future.
Key Insights and Recommendations from the NCSC
The UK's National Cyber Security Centre, a leading authority on cyber defence, has issued in-depth guidance on PQC migration. The following are some key highlights:
1. Begin Planning Early
Every system owner, whether governmental, critical infrastructure, or commercial, should promptly inventory its cryptographic assets (which algorithms, key sizes, protocols, certificates and products are in use, and for how long the protected data must stay secret) and plan a migration strategy toward PQC solutions. Upgrades can be scheduled into regular IT refresh cycles to reduce the disruption caused by system changes.
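As an added illustration of the inventory step (example code written for this article, not an NCSC tool), the following Go program parses a PEM certificate bundle and classifies each certificate's public key as quantum-vulnerable, recording the key algorithm and size and how the certificate was signed. The certificate subjects, the in-memory sample bundle, and the Finding, InventoryPEM and SampleBundle names are this example's own assumptions; a real inventory would feed it bundles read from disk, TLS endpoints, HSMs and code-signing stores.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/ed25519"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// Finding is one row of the cryptographic inventory.
type Finding struct {
	Subject string
	KeyAlgo string // e.g. "RSA-2048", "ECDSA-P-256"
	SigAlgo string // how the certificate itself was signed
	Status  string // "quantum-vulnerable" or "unknown: review manually"
}

// classifyKey names a public key and says whether Shor's algorithm breaks it.
// Every key type Go's x509 parser understands today is classical, so anything
// it recognises is vulnerable; anything else needs a human to look at it.
func classifyKey(pub any) (string, string) {
	switch k := pub.(type) {
	case *rsa.PublicKey:
		return fmt.Sprintf("RSA-%d", k.N.BitLen()), "quantum-vulnerable"
	case *ecdsa.PublicKey:
		return "ECDSA-" + k.Curve.Params().Name, "quantum-vulnerable"
	case ed25519.PublicKey:
		return "Ed25519", "quantum-vulnerable"
	default:
		return fmt.Sprintf("%T", pub), "unknown: review manually"
	}
}

// InventoryPEM walks every CERTIFICATE block in a PEM bundle and classifies it.
// Non-certificate blocks (keys, CSRs) are skipped; a malformed certificate is an error.
func InventoryPEM(bundle []byte) ([]Finding, error) {
	var out []Finding
	for rest := bundle; ; {
		var block *pem.Block
		block, rest = pem.Decode(rest)
		if block == nil {
			return out, nil
		}
		if block.Type != "CERTIFICATE" {
			continue
		}
		cert, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return nil, fmt.Errorf("parsing certificate: %w", err)
		}
		algo, status := classifyKey(cert.PublicKey)
		out = append(out, Finding{
			Subject: cert.Subject.CommonName,
			KeyAlgo: algo,
			SigAlgo: cert.SignatureAlgorithm.String(),
			Status:  status,
		})
	}
}

// selfSignedPEM mints a throwaway self-signed certificate for the demo bundle.
func selfSignedPEM(cn string, priv, pub any) []byte {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now(),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		panic(err)
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

// SampleBundle is constructed input: an RSA-2048 and an ECDSA P-256 certificate
// generated in memory, standing in for a bundle read from disk or a TLS endpoint.
func SampleBundle() []byte {
	rsaKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	ecKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	bundle := selfSignedPEM("rsa.example.test", rsaKey, &rsaKey.PublicKey)
	return append(bundle, selfSignedPEM("ec.example.test", ecKey, &ecKey.PublicKey)...)
}

func main() {
	findings, err := InventoryPEM(SampleBundle())
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%-18s key=%-12s sig=%-14s %s\n", f.Subject, f.KeyAlgo, f.SigAlgo, f.Status)
	}
}
```

The point of the classifier is that every public-key algorithm a current certificate parser recognises is one Shor's algorithm breaks; the useful output of an inventory is therefore not the vulnerable flag itself but the list of where each algorithm sits, so that migration order can follow data lifetime and exposure.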
2. Adopt NIST-Standardized Algorithms
In August 2024, NIST published its first finalized post-quantum cryptography standards (FIPS 203, 204 and 205), giving organizations concrete algorithms on which to build future-proof systems:
• Key establishment (key encapsulation): ML-KEM (FIPS 203, derived from CRYSTALS-Kyber)
• Digital signatures: ML-DSA (FIPS 204, derived from CRYSTALS-Dilithium)
• Hash-based signatures for specialized uses such as firmware signing: SLH-DSA (FIPS 205, derived from SPHINCS+)
The NCSC recommends the ML-KEM-768 and ML-DSA-65 parameter sets as the balance of security and operational efficiency suitable for most applications of post-quantum cryptography.
3. Use Hybrid PQ/T Schemes as an Interim Measure
As a transition step, a post-quantum/traditional (PQ/T) hybrid combines a classical algorithm (for example X25519 or ECDH) with a post-quantum one (for example ML-KEM) so that the connection stays secure as long as either component holds. Hybrids preserve interoperability with existing deployments and hedge against an undiscovered flaw in a new PQC algorithm, but they add complexity and cost, and the NCSC regards them as a transitional measure rather than the end state.
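To make both the ML-KEM standard from section 2 and the hybrid construction from section 3 concrete, here is an added example in Go (written for this article, not NCSC or NIST code) of a PQ/T hybrid key exchange that combines X25519 with ML-KEM-768 from the Go 1.24 standard-library crypto/mlkem package. The ClientHello/ServerHello names, the combiner's info label, and the helper names are this example's own assumptions, and the messages are plain structs rather than a real TLS encoding.

```go
package main

import (
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/mlkem"
	"crypto/rand"
	"crypto/sha256"
)

// ClientHello and ServerHello are this example's own message names; they mirror
// the shape of a TLS 1.3 hybrid key share, not the real TLS encoding.
type ClientHello struct {
	X25519Pub     []byte // 32 bytes
	MLKEMEncapKey []byte // 1184 bytes: ML-KEM-768 encapsulation key
}
type ServerHello struct {
	X25519Pub       []byte // 32 bytes
	MLKEMCiphertext []byte // 1088 bytes: ML-KEM-768 ciphertext
}
type clientState struct {
	ecdhPriv *ecdh.PrivateKey
	kemPriv  *mlkem.DecapsulationKey768
	hello    ClientHello // kept so the client can bind the transcript
}

// must panics on key-generation failure, which only happens if the CSPRNG is broken.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// hkdf32 is HKDF-Extract followed by one block of HKDF-Expand (RFC 5869) over SHA-256.
func hkdf32(ikm, salt []byte, info string) []byte {
	extract := hmac.New(sha256.New, salt)
	extract.Write(ikm)
	expand := hmac.New(sha256.New, extract.Sum(nil))
	expand.Write([]byte(info))
	expand.Write([]byte{0x01})
	return expand.Sum(nil)
}

// combine is the PQ/T combiner: both raw secrets plus a hash of every public value
// go through one KDF, so the session key stays secret while EITHER X25519 or
// ML-KEM-768 holds. ML-KEM secret first, then X25519, as in TLS's X25519MLKEM768.
func combine(kemSecret, ecdhSecret []byte, ch ClientHello, sh ServerHello) []byte {
	tr := sha256.New()
	for _, v := range [][]byte{ch.X25519Pub, ch.MLKEMEncapKey, sh.X25519Pub, sh.MLKEMCiphertext} {
		tr.Write(v)
	}
	ikm := append(append([]byte{}, kemSecret...), ecdhSecret...)
	return hkdf32(ikm, tr.Sum(nil), "example hybrid X25519+ML-KEM-768 v1")
}

// clientStart generates both key pairs and the ClientHello the client will send.
func clientStart() *clientState {
	ecdhPriv := must(ecdh.X25519().GenerateKey(rand.Reader))
	kemPriv := must(mlkem.GenerateKey768())
	hello := ClientHello{X25519Pub: ecdhPriv.PublicKey().Bytes(), MLKEMEncapKey: kemPriv.EncapsulationKey().Bytes()}
	return &clientState{ecdhPriv: ecdhPriv, kemPriv: kemPriv, hello: hello}
}

// serverRespond validates the client's shares, then returns the server's session key
// and the ServerHello carrying its own X25519 share and the ML-KEM ciphertext.
func serverRespond(ch ClientHello) ([]byte, ServerHello, error) {
	clientPub, err := ecdh.X25519().NewPublicKey(ch.X25519Pub)
	if err != nil {
		return nil, ServerHello{}, err
	}
	encapKey, err := mlkem.NewEncapsulationKey768(ch.MLKEMEncapKey)
	if err != nil {
		return nil, ServerHello{}, err
	}
	ecdhPriv := must(ecdh.X25519().GenerateKey(rand.Reader))
	ecdhSecret, err := ecdhPriv.ECDH(clientPub)
	if err != nil {
		return nil, ServerHello{}, err
	}
	kemSecret, ct := encapKey.Encapsulate()
	sh := ServerHello{X25519Pub: ecdhPriv.PublicKey().Bytes(), MLKEMCiphertext: ct}
	return combine(kemSecret, ecdhSecret, ch, sh), sh, nil
}

// clientFinish derives the client's session key. ML-KEM uses implicit rejection: a
// tampered ciphertext of the right length yields a different pseudorandom secret, not
// an error, so the mismatch only surfaces when the first AEAD record fails to open.
func clientFinish(st *clientState, sh ServerHello) ([]byte, error) {
	serverPub, err := ecdh.X25519().NewPublicKey(sh.X25519Pub)
	if err != nil {
		return nil, err
	}
	ecdhSecret, err := st.ecdhPriv.ECDH(serverPub)
	if err != nil {
		return nil, err
	}
	kemSecret, err := st.kemPriv.Decapsulate(sh.MLKEMCiphertext) // errors only on bad length
	if err != nil {
		return nil, err
	}
	return combine(kemSecret, ecdhSecret, st.hello, sh), nil
}
```

Two things worth noticing when running it. First, the size cost of the post-quantum component is visible directly in the messages: the client share grows from 32 bytes (X25519 alone) to 1216 bytes and the server share to 1120 bytes. Second, a flipped bit in the ML-KEM ciphertext does not produce a decapsulation error; it produces a different key, which is the behaviour FIPS 203 specifies and the reason a protocol built on ML-KEM still needs explicit key confirmation (in TLS, the Finished message) before trusting the channel.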
4. Communicate with Suppliers and Vendors
Organizations should ask their cryptographic and IT product suppliers about their roadmap for post-quantum cryptography support, including which products, protocols and versions will carry it and when. Custom or legacy systems need more tailored planning before PQC can be deployed successfully.
5. Keep Software and Devices Updated
For general users, post-quantum cryptography will mostly arrive transparently through software updates to browsers, operating systems and messaging apps. The NCSC recommends keeping devices and software up to date so that PQC capabilities are picked up as soon as vendors ship them.
Challenges Ahead: Complexity and Standards
PQC is not without its complexities. The NCSC outlines several challenges:
Resource Demands Are Higher: PQC algorithms have larger keys, ciphertexts and signatures. An ML-KEM-768 encapsulation key is 1184 bytes and its ciphertext 1088 bytes, against 32 bytes for an X25519 key share, and an ML-DSA-65 signature is 3309 bytes against 64 bytes for Ed25519, so handshakes, certificate chains and constrained devices all feel the extra bandwidth and processing cost.
Protocol Updates Underway: Bodies such as the Internet Engineering Task Force (IETF) are revising TLS, IPsec, and other protocols to carry PQC and hybrid key exchanges, and those revisions are still settling.
Key Handling Requires Precision: Stateful hash-based signature schemes (LMS and XMSS, used for cases such as firmware signing) must never reuse a one-time signing state; reusing it, for example after restoring a signer from a backup, allows forgery. SLH-DSA avoids that state entirely at the cost of much larger signatures.
Implementations Still Evolving: Despite the published standards, fully interoperable, production-ready PQC implementations are still maturing. The NCSC recommends deploying only implementations of the finalized standards in operational security systems.
Global Coordination and the Road Ahead
The NCSC's guidance is aligned with NIST, ETSI and other standards bodies, reflecting a coordinated international effort to secure digital infrastructure with post-quantum cryptography.
For businesses it is a race against time: quantum computing is advancing rapidly, while post-quantum migration demands complex, multi-year planning and execution.
Conclusion: Are We Ready?
The short answer is: we must get ready, and soon.
Although a full CRQC is still years away, data encrypted today can be harvested now and decrypted later, which makes post-quantum cryptography an urgent priority. The UK's National Cyber Security Centre and the global standards bodies have published the guidance and the algorithms needed for an orderly transition.
Organizations should act now: audit their systems and inventory their cryptography, coordinate with vendors, plan phased migrations, and use hybrid cryptography only as a bridge.
Post-quantum cryptography is the long-term answer for securing digital systems against the day quantum computers break today's public-key protections.
References
National Institute of Standards and Technology (NIST). "Post-Quantum Cryptography Standardization Process."
National Cyber Security Centre (NCSC). "Next steps in preparing for post-quantum cryptography."