The title of the blog are not my words but those of Canadian mathematician and renowned post-quantum academic Michele Mosca. Before I explain Michele’s words let me first provide a bit of background. Late last year I’d been shooting the breeze with a colleague on post-quantum cryptography (PQC) and how it might affect us all. Out of that conversation we decided to create a podcast series that would explore topics like post-quantum from a thought leadership perspective.
The ground rules were simple: We didn’t want this to be a product sell, but rather focus on asking subject matter experts to give us their view from their informed perspective. We also decided to do it all ourselves instead of sub-contracting out the job. To kick off we recorded six podcasts – expertly hosted by my colleague, Samantha Mabey, in conversation with academic and industry experts from the world of science, cryptography, blockchain, and cloud computing.
In episode #6 Michele suggests that PQ is “like a zero-day attack….but 30 years before it happens.” For those unfamiliar, a zero-day attack is one where a hacker or bad actor figures out how to carry out an exploit or attack before software developers/organizations can find a fix. So in the context of Michele’s PQ-infused sound bite we are talking most probably about state actors and well-resourced hacking groups who have access to powerful quantum computers carrying out attacks on organizations and infrastructure that have not deployed post-quantum-resistant algorithms.
Michele’s point here is that for once we have advance notice. He has been working in the PQ field since 1994, when the quantum threat started to be understood. We know with reasonable certainty that these attacks will be possible; it is just exactly when that is indeterminate. This timing is dependent on the scientific advances in quantum computing and overcoming the hard problems that remain, but the clock on that 30-year guesstimate has been ticking down and most experts say it’s somewhere between 10-15 years from now. While that still sounds like a long time away, it is not something that should be kicked into the long grass. For organizations to discover their current classical cryptographic algorithm real estate and subsequently plan, test, and deploy PQ-safe algorithms, it is a heavy lift that could easily take 5-10 years.
As Michele also comments on the podcast, “Let’s make this about technology lifecycle management, not crisis management.”
Organizations have time to plan and do the right thing – and avoid PQ becoming a crisis situation. And the best part is that there is no downside to starting now. As Michele points out, 10+ years ago when he started evangelizing on post-quantum there was little that interested organizations could do other than stress about it. There were few if any products available to allow organizations to start planning and investigating their migration to PQ-safe algorithms.
Today, the NIST competition to find a set of quantum-resistant algorithms is well underway, with a subset of finalist algorithms recently announced by NIST – as outlined by Samantha Mabey on the Entrust blog.
Entrust has been busy in the PQ space as well. Samantha’s blog post described what we are doing around digital certificates and PKI. We also recently released the nShield Post-Quantum SDK for our hardware security modules (HSM). The software development kit supports NIST’s PQ Cryptography algorithms identified for standardization – including CRYSTALS Dilithium, FALCON, and SPHINCS+ digital signature algorithms – running inside the FIPS 140-2 Level 3 physical boundary of an nShield HSM.
Organizations who are carrying out investigative work on the NIST shortlisted PQ algorithms to discover how they might operate in their ecosystem can use an isolated, secure run time environment inside the nShield HSM called CodeSafe to generate and use quantum-resistant cryptographic keys. This allows the organization to carry out key signing, digital signature, encryption, decryption, and key exchanges in a secure environment, avoiding the “crisis management” alluded to by Michele Mosca. Organizations now have the tools at their disposal to make a positive start!
So if you have a spare 20-30 minutes, why not listen to the Entrust Engage podcasts. They are conveniently available on Apple Podcasts, Google Podcasts, Amazon Music, Spotify, et al. My kids are already complaining when I’m in the kitchen preparing a meal and I shout, “Hey Google, play Entrust Engage.” They have heard it too many times. Despite this, I encourage you to give it a go – you’ll find yourself better informed about PQ and what your organization should be doing to be ready. Enjoy!!