This summer marks a major breakthrough in cybersecurity with the publication of the NIST standards for post-quantum cryptography. This publication is the culmination of many years of work, the standardisation process having begun in 2016, while the mathematical research has lasted decades.<\/span>\u00a0<\/span><\/p>\n This news has been eagerly awaited by the cyber community, because the threat is so real: a sufficiently powerful quantum computer would render all current asymmetric cryptography obsolete. This would mean the impossibility of exchanging encryption keys, as well as the possibility of digitally signing documents. In short, it would mean the end of confidentiality and integrity guarantees for communications.<\/span>\u00a0<\/span><\/p>\n It’s difficult to describe the extent of the consequences, with secure communications on the Internet becoming near enough impossible.<\/span>\u00a0<\/span><\/p>\n To counter this, 3 new cryptographic standards have been identified:<\/span>\u00a0<\/span><\/p>\n Note that a \u201cbackup\u201d solution for encryption, FN-DSA (FALCON), will be released in the near future.\u00a0<\/span><\/p>\n The standards are published, but the post-quantum efforts are not over – quite the contrary!<\/span>\u00a0<\/span><\/p>\n Publication of the standards means that the next stage in the post-quantum security process can begin: integration of the algorithms by the major players and developers of technological solutions.\u00a0<\/span>\u00a0<\/span><\/p>\n This work has already begun, of course, and includes the integration of post-quantum algorithms into the development roadmap of Tink<\/span>1<\/span>, Google’s well-known cryptographic library. Also worthy of mention is the partnership between IBM and Thales<\/span>2<\/span> for complete post-quantum security, from VPN to TLS to digital document signing. Finally, Microsoft<\/span>3<\/span> has also indicated that efforts are now underway for a post-quantum transition of their services, from cloud to on-premise. Even Apple<\/span>4<\/span> in the consumer sphere has launched the migration of iMessage to post-quantum algorithms.<\/span>\u00a0<\/span><\/p>\n But beware, post-quantum security is not suddenly a reality. It is and will be a long process which relies, in particular, on the efforts of all IT service providers. It’s encouraging to see that market leaders are taking this subject seriously.<\/span>\u00a0<\/span><\/p>\n Post-quantum security doesn’t just concern GAFAM: all major organisations need to start transitioning to this new paradigm. We recommend that you start thinking about and adopting a post-quantum security strategy now, as US agencies are obliged to do so under the <\/span>Quantum Computing Cybersecurity Preparedness Act<\/span><\/i> (2022).\u00a0<\/span>\u00a0<\/span><\/p>\n There are many major stages in this migration strategy, and it obviously has to cover conventional IT systems. But we mustn’t forget industrial systems and embedded systems (vehicles, trains, connected objects, remote systems, etc.). For each of these areas, the following elements need to be consolidated:<\/span>\u00a0<\/span><\/p>\n Given the scale of the task, a complete ecosystem of suppliers is emerging to support inventorying, risk assessment (via library or source code scanning) and action plan follow-up. This is the case at Thales, IBM and Sandbox AQ.\u00a0<\/span>\u00a0<\/span><\/p>\n But beyond the tools, it will be necessary to embark on a real transformation programme, mobilising IT teams, the business lines concerned, and also purchasing if the supplier stakes are high.\u00a0<\/span>\u00a0<\/span><\/p>\n This migration is also an opportunity to think more deeply about the management of \u201ccrypto agility\u201d, because let’s face it, these algorithms are fairly \u201cnew\u201d, and it’s not impossible that flaws will be discovered that will require upgrades. The transformation programme should not lead to a \u201cone-off\u201d migration, but rather to the mastery of agile cryptography within the organisation.\u00a0<\/span>\u00a0<\/span><\/p>\n History shows that it takes 3 to 4 years to initiate and complete this type of migration. And it won’t be easy to make headway on this issue, so invisible is it to the business world. Let’s hope that regulations, particularly in Europe, will bring the subject into the spotlight!<\/span>\u00a0<\/span><\/p>\n Estimates vary as to when a quantum computer will be able to \u201cbreak\u201d state-of-the-art RSA encryption. Most place it between 2030 and 2040, with a concentration of estimates around 2033-2035. The NSA requires exclusively post-quantum cryptography from its software, firmware and network equipment suppliers as early as 2030, from 2033 for certain others (e.g. O.S.) and 2035 for all its suppliers<\/span>. Post-quantum cryptography should be available as early as 2025 in certain cases.<\/span>\u00a0<\/span><\/p>\n Even if nobody knows exactly when quantum computers will be sufficiently sophisticated, not being ready by 2033 means accepting risks that will have a serious impact on the most sensitive data.<\/span>\u00a0<\/span><\/p>\n However, another threat exists today. We are all now exposed to the risk of \u201cHarvest Now, Decrypt Later\u201d, which consists in the large-scale storage of Internet communications for future decryption with a quantum computer (or when encryption keys are leaked). This risk obviously concerns entities with very specific capabilities, namely state agencies or groups of attackers backed by them. Only those organisations whose data is of strategic interest to these agencies are most at risk. It’s this particularity that has prompted migrations for some specific players.\u00a0<\/span>\u00a0<\/span><\/p>\n But for all of them, given the efforts required and the risk zone by 2030, it’s in the 2025 action plan that the first phases of assessment and construction of the project plan must be planned!<\/span>\u00a0<\/span><\/p>\n","protected":false},"excerpt":{"rendered":" This summer’s post-quantum news: what you need to know\u00a0 This summer marks a major breakthrough in cybersecurity with the publication of the NIST standards for post-quantum cryptography. This publication is the culmination of many years of work, the standardisation process…<\/p>\n","protected":false},"author":15,"featured_media":23955,"comment_status":"open","ping_status":"closed","sticky":true,"template":"page-templates\/tmpl-one.php","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[3270,2777],"tags":[],"coauthors":[837,4477,4502],"class_list":["post-23956","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cyberrisk-management-strategy-en","category-cybersecurity-digital-trust"],"acf":[],"yoast_head":"\n\n
Integrations begin: editors and developers in action\u00a0<\/h1>\n
It’s up to large organisations to act!\u00a0<\/span>\u00a0<\/span><\/h1>\n
\n
\n
Risks and timelines: when to act?\u00a0<\/span>\u00a0<\/span><\/h1>\n