With retrospective decryption and the theft of sensitive data on the horizon, modern businesses and organisations need to update their algorithms, infrastructure, and business applications as quickly as possible. Cybersecurity experts believe that this is an urgent, time-consuming, and costly exercise.

On November 30th, 2022, the French diplomatic service sent its first quantum-secure telegram using a post-quantum cryptography solution developed by CryptoNext Security, a spin-off from INRIA, CNRS and Sorbonne University. The message sent to Paris by the French embassy in the United States contained a memorandum backing cooperation projects between France and its American partner in the field of quantum computing.

A strategic challenge

“In the near future, a sufficiently powerful quantum computer will be able to break all encryption algorithms and decrypt our messages. To counter this threat, developing post-quantum encryption technologies is a strategic challenge. And we’re already there!”, Emmanuel Macron tweeted.

Hackers are already preparing for this. According to the European Union Agency for Cybersecurity (ENISA), “attackers will be able to decrypt any encrypted communication they intercept today as soon as they have access to a large quantum computer, whether this happens in five, 10 or 20 years’ time.” To protect themselves against this threat, ENISA is recommending that organisations start preparing now and migrate to post-quantum cryptography with zero downtime, by upgrading their hardware, software, and services.

The French National Cyber Security Agency (ANSSI) defines post-quantum cryptography as “a family of cryptographic algorithms including key establishment and digital signatures that provides conjectured security (for which no effective quantum attack exists today) against the quantum threat, in addition to their traditional security”.

These post-quantum algorithms can, nevertheless, be readily deployed in advance on existing infrastructure and communications channels without any major hardware changes. And they can be run on conventional devices and computers.

To successfully migrate existing cryptographic assets and algorithms to post-quantum cryptography that is resistant to quantum computer attacks, modern businesses and organisations need to start integrating post-quantum cryptography into their communications systems and technologies today.

The migration solution

To achieve this, ANSSI recommends a three-phase transition before the switch to autonomous post-quantum cryptography around 2030, with the United States National Security Agency (NSA) expecting this in 2035. Florent Grosmaître, CEO of CryptoNext Security, sees the threat as systemic and says all organisations will have to migrate their IT infrastructure, applications, and embedded systems to quantum-resistant solutions: “Waiting until sufficiently powerful quantum computers emerge before worrying about this threat is not the answer.”

To avert the threat, this transition to post-quantum technology must also, in his view, consider three time-related factors. Firstly, the lifespan of the data: “According to the principle of ‘steal/harvest now, decrypt later’, our communications can be captured today, stored and then decrypted in the future when a sufficiently powerful quantum computer becomes available.”

Secondly, the time needed to migrate. According to Grosmaître, cryptography underpins a wide range of infrastructure and applications. And for large organisations such as banks, the migration process will take several years, anywhere between five and 10 years, or more: “This is because they will have to carry out an inventory of their public key cryptography and map out how critical their data is. They will then need to set priorities and migrate to these post-quantum solutions, while paying careful attention to issues like consistency and interoperability between systems, so they work together seamlessly, end to end.”

Lastly, the product life cycle. In some situations, this can be a very important concept to consider when planning a migration. “In certain use cases, connected objects like those used in industrial IoT can be deployed in the field for periods of 20 to 30 years, sometimes more, with no way of updating the underlying cryptography,” explains Grosmaître.

“It’s the most expensive migration in history,” says Vasco Gomes, CTO of cybersecurity products at Eviden (Atos’s cybersecurity arm). “The project will be cumbersome, complex, and time-consuming. And I’m not sure whether the market and all its customers are aware of this at the moment. They must avoid making the mistake of thinking that they still have 10 or 15 years to prepare for it,” he adds.

Threat not so serious

Jean-Jacques Quisquater, a cryptography expert and professor at the Louvain School of Engineering, believes that “the threat is not as serious as all that”. “It will probably be 30 years before a quantum computer capable of such a feat exists. And given the cost, not everyone will be able to afford one,” he says. But he does agree that businesses should start migrating now: “Wake up, educate yourself, because it’s high time you got started!”, he urges.

A survey conducted by Deloitte in the United States found that 50.2% of professionals in US organisations that see benefits in quantum computing say their organisations are at risk from “harvest now, decrypt later” cybersecurity attacks. Almost half of respondents (45%) say their organisations expect to complete their quantum risk assessments within the next 12 months, if not sooner. Another 16.2% expect to complete this work within the next two to five years.

Other organisations seem to be taking a wait-and-see approach, and some respondents (27.7%) believe that their organisations will most likely step up efforts to manage the risks of quantum computing as a result of regulatory pressure. In Europe, however, Quisquater believes that management will go through a denial phase: “They will cite the complexity of the technology, along with the many changes and major investment that the transition requires.”

On top of this, the new algorithms are proving to be far more complicated than the old ones: “We’re talking about very high-level IT implementation here, and not at all about line-by-line code development. Very few computer scientists – apart from those with PhDs in maths or theoretical computer science – will be able to understand the post-quantum crypto solutions that they will have to implement and test,” says Quisquater.
