PQC, QKD and Crypto-Agility for Quantum Threats

Technology
October 3, 2022

As the world’s companies and governments prepare to upgrade their cybersecurity to protect against quantum computing threats, it is necessary that they become “crypto-agile,” adopting a multifaceted security strategy that incorporates a range of quantum-resistant solutions and is easily upgradable. Post-Quantum Cryptography (PQC) and Quantum Key Distribution (QKD) are two different but complementary approaches to quantum-safe protocols that can be used together to maintain crypto-agility.

The Quantum Threat to Cybersecurity

Currently, the majority of the world’s data in transit is protected by Public Key Cryptography (PKC), most commonly the RSA and ECC cryptosystems. However, Shor’s algorithm shows that a quantum computer will be able to break their keys and allow the data to be decrypted, putting everything from personal data and intellectual property to state secrets and critical infrastructure at risk. 

While fault-tolerant quantum computers are still some years away, the threat they pose is already here in the form of Store Now, Decrypt Later (SNDL) attacks. State-backed adversaries are harvesting encrypted data today, which they can store until a quantum computer can decrypt it. According to the Department of Homeland Security transition roadmap, that day could come as soon as 2030. In many critical use cases, encrypted data needs to stay confidential much longer than that – in some cases, forever. 

As a result, the National Institute of Standards and Technology (NIST), the US government standards body, has advised US institutions to begin upgrading their cybersecurity immediately to protect against such attacks. The next generation of cybersecurity will require a crypto-agile approach consisting of both PQC and QKD. PQC is the more readily deployable of the two, and adding QKD will bring further resilience against future cryptanalytic attacks.

PQC

Post-Quantum Cryptography is a set of quantum-resistant algorithms that run on existing infrastructure and rest on mathematical problems that are computationally hard to solve, even for a quantum computer. After a six-year, multinational development and vetting process, NIST announced four candidate PQC algorithms to be standardized in the next two years. In the meantime, organizations can confidently begin to plan for upgrading their cryptographic architectures with PQC. The migration process will most likely take several years to fully accomplish, so it is important that CISOs and CIOs begin planning and budgeting for the discovery phase immediately.

In keeping with the evolving nature of quantum technology, PQC migration should take a hybrid approach, combining traditional PKC and quantum-resistant algorithms in one system so that if a flaw is later found in one of the newer PQC algorithms, the security level of the established algorithm is still retained. Similarly, crypto-agile systems should be able to react to attacks in real time by switching between algorithms when needed.
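The hybrid and crypto-agile principles above, as an added example (not code from the original post or from SandboxAQ): the two shared secrets are combined through an HKDF so that the session key survives a break of either component, and a suite registry lets a deployment disable a suite without changing the code. The suite names, the sample shared secrets and the transcript string are constructed placeholders.

```python
import hashlib
import hmac
from typing import Dict, List, Optional

def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """HKDF (RFC 5869) with SHA-256: extract a PRK, then expand it to `length` bytes."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]

# Crypto-agility: the suites this deployment allows. The names are illustrative
# placeholders, not identifiers from any real library or standard.
SUITES = {
    "hybrid-ecdh-p256+pqc-kem": ("ECDH-P256", "PQC-KEM"),
    "hybrid-x25519+pqc-kem": ("X25519", "PQC-KEM"),
}

def negotiate(offered: List[str], allowed: List[str]) -> Optional[str]:
    """Pick the first suite the peer offers that is still enabled locally.
    Dropping a suite from `allowed` is the switch-over the text describes."""
    return next((s for s in offered if s in allowed and s in SUITES), None)

def combine_hybrid(classical_ss: bytes, pqc_ss: bytes, transcript: bytes, suite: str) -> bytes:
    """Derive one session key from both shared secrets.
    Both secrets feed the KDF, so an adversary who breaks only one component
    (the classical one with Shor's algorithm, or a flawed PQC scheme) still
    lacks the key. The suite name and a transcript hash are bound in through
    `info`, so the same secrets under a downgraded suite yield a different key."""
    if suite not in SUITES:
        raise ValueError("unknown suite: " + suite)
    info = b"hybrid-kex|" + suite.encode() + b"|" + hashlib.sha256(transcript).digest()
    return hkdf_sha256(classical_ss + pqc_ss, salt=bytes(32), info=info)

# Constructed stand-ins for the outputs of a real ECDH exchange and a real PQC KEM.
CLASSICAL_SS = bytes(range(32))
PQC_SS = bytes(range(32, 64))
TRANSCRIPT = b"client_hello|server_hello|kem_ciphertext"

def demo() -> Dict[str, object]:
    suite = negotiate(["hybrid-x25519+pqc-kem", "hybrid-ecdh-p256+pqc-kem"],
                      allowed=["hybrid-ecdh-p256+pqc-kem"])
    key = combine_hybrid(CLASSICAL_SS, PQC_SS, TRANSCRIPT, suite)
    # Knowing the classical secret but not the PQC one (simulated with zeros)
    # does not reproduce the session key.
    partial = combine_hybrid(CLASSICAL_SS, bytes(32), TRANSCRIPT, suite)
    return {"suite": suite, "key": key.hex(), "recoverable_from_half": key == partial}
```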

QKD

While PQC’s software approach makes it easier to deploy more widely (particularly in the near term), organizations will also want to include Quantum Key Distribution in their risk assessments and planning. 

QKD takes advantage of quantum properties to establish a secure communication channel between two parties. Any attempt to eavesdrop or intercept the exchange of encryption keys is detected, and those secret keys are discarded. Used in combination with PQC, this secure key distribution method will further bolster networks against quantum adversaries. To this end, SandboxAQ has partnered with evolutionQ, a leading QKD solutions provider, to complement its PQC Security Suite. SandboxAQ also participated in evolutionQ's Series A funding, the first investment in the Strategic Investment Program.
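To make the eavesdropping-detection property concrete, here is an added classical simulation of BB84, the standard prepare-and-measure QKD protocol (not code from the post, SandboxAQ or evolutionQ). It assumes an ideal channel, so any error in the sifted key comes from an interceptor who measured the qubits in a guessed basis; the 11% abort threshold is an assumed policy value.

```python
import random
from typing import Dict

def measure(bit: int, prep_basis: int, meas_basis: int, rng: random.Random) -> int:
    """Measure a qubit prepared as `bit` in `prep_basis` (0 = rectilinear, 1 = diagonal).
    Matching bases return the prepared bit; mismatched bases give a random outcome."""
    return bit if prep_basis == meas_basis else rng.getrandbits(1)

def bb84(n: int, seed: int, eavesdrop: bool, qber_threshold: float = 0.11) -> Dict:
    rng = random.Random(seed)
    alice_bits = [rng.getrandbits(1) for _ in range(n)]
    alice_bases = [rng.getrandbits(1) for _ in range(n)]
    bob_bases = [rng.getrandbits(1) for _ in range(n)]
    bob_bits = []
    for bit, a_basis, b_basis in zip(alice_bits, alice_bases, bob_bases):
        if eavesdrop:
            # Intercept-resend: the interceptor measures in a guessed basis and
            # re-sends what was observed, disturbing the state whenever the guess is wrong.
            e_basis = rng.getrandbits(1)
            bit, a_basis = measure(bit, a_basis, e_basis, rng), e_basis
        bob_bits.append(measure(bit, a_basis, b_basis, rng))
    # Sifting: keep only positions where Alice's and Bob's bases agree (bases are
    # compared over an authenticated public channel; the bit values are not revealed).
    sifted = [(a, b) for a, b, ab, bb in zip(alice_bits, bob_bits, alice_bases, bob_bases) if ab == bb]
    # Error estimation: sacrifice half the sifted bits, compare them publicly, compute the QBER.
    half = len(sifted) // 2
    sample, remaining = sifted[:half], sifted[half:]
    errors = sum(a != b for a, b in sample)
    qber = errors / len(sample) if sample else 1.0
    accepted = qber <= qber_threshold
    # A QBER above threshold signals interception: the key material is discarded.
    key = [a for a, _ in remaining] if accepted else None
    return {"sifted": len(sifted), "qber": qber, "accepted": accepted, "key": key}
```

Without an interceptor the QBER is zero and the remaining sifted bits become the key; an intercept-resend interceptor introduces errors in roughly a quarter of the sifted positions, so the run aborts.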

Currently, QKD requires a fiber optic connection and has limited distance. However, evolutionQ’s BasejumpQDN uses trusted nodes to bridge greater distances between quantum links. QKD networks can be extended even further by leveraging satellite technologies. BasejumpQDN also allows organizations to simulate quantum-safe networks to assess their security and performance before committing to purchasing QKD devices. 

As QKD continues to evolve and become easier to deploy at scale, having QKD in your cryptographic toolbox will provide additional resilience and crypto-agility. This is especially important for those with highly sensitive data and systems.

Taking Action

With SNDL attacks already occurring, it’s vital that organizations begin the migration to quantum-safe protocols today. The first step is an audit of current cybersecurity architecture. SandboxAQ and evolutionQ’s integrated ecosystem will provide a full quantum readiness assessment that will pinpoint vulnerabilities and allow CISOs and CIOs to prioritize their most crucial data, networks and communications. They can then begin upgrading their cybersecurity to be crypto-agile in order to meet the most pressing threats and those to come.
