Skip to main content

Quantum-Safe Identities for the PQ Era

Jan

31

2025

Time to read

Read so far

Written by: 

Jenn Markey

Time to read

Written by: 

People walking down a spiral staircase

Quantum computers exploit quantum mechanical properties to solve computational problems that are effectively impossible for today’s conventional computers. For example, Google’s new Willow quantum computing chip is able to complete tasks in 5 minutes that would take today’s fastest conventional computers 10 septillion (10,000,000,000,000,000,000,000,000) years to complete!

With such power, quantum computing promises to revolutionize industries across the spectrum, while also injecting new cybersecurity risks – just like AI. With early quantum computers available and “Harvest Now, Decrypt Later” style attacks that target long-life data and long-life devices, we’re basically already in the post-quantum (PQ) era. When the day comes that commercially viable quantum computers arrive, sometimes referred to as Q-Day, quantum computing will be able to break the conventional encryption methods (RSA and ECC) that safeguard most of our digital universe today.

Quantum Threat to Identity

Imagine bad actors having access to your Social Security number, banking information, medical history, and much more. Then consider cyber criminals being able to tap into the myriad of devices that control and protect our power grid, water treatment plants, transportation networks, and other critical infrastructure that is essential to a country’s economy and daily functioning. This is the quantum threat to identity – human and device.

Decrypted personally identifiable information (PII) easily accessible by cybercriminals would leave individuals very susceptible to identity theft, fraud, extortion, and other threats, while unsecured critical infrastructure would leave an entire nation and its citizens vulnerable to cyberattack.

Post-Quantum Vulnerabilities of Digital Identities

In the PQ world, RSA and ECC encryption are no longer effective, leaving our modern digital identity infrastructure vulnerable, including:

  • Tokens – OIDC, verifiable credentials, and other identity standards depend on tokens, which in turn rely upon encrypted digital signatures. And in the PQ era, signatures that rely on conventional encryption are vulnerable to the quantum threat.
  • Certificates and Transport Layer Security (TLS) – Digital identities often employ digital certificates like TLS and code signing certificates that are also susceptible to compromise in the PQ era.
  • Hardware Security Modules (HSMs) – HSMs secure cryptographic processes by generating, protecting, and managing keys used for encrypting and decrypting data and creating digital signatures and certificates. With conventional encryption, the HSM key-generation algorithm is also vulnerable to the quantum threat.

Payments are a specific digital identity use case, so it’s imperative that financial institutions, central banks, and regulators around the globe address these same vulnerabilities to realize quantum-safe payments.

Post-Quantum Cryptography for Quantum-Safe Identities

Post-quantum cryptography (PQC) refers to new encryption algorithms that can withstand an attack from a quantum computer. Because RSA and ECC encryption are no longer effective, migrating to PQC is essential to keep individuals, infrastructure, organizations, and nations safe.

NIST published the first three PQC standards in August 2024, followed by the approval of 14 new digital signing algorithms for PQC standardization in October 2024. And it would be unwise to wait for Q-Day before starting PQC migration given the prevalence of “Harvest Now, Decrypt Later” style attacks that target long-life PII and critical infrastructure, as well as the amount of time this transition will take.

PQC and Quantum-Safe Identity Preparedness

The U.S. leads in PQ preparedness, however, there is still much work to be done. Results from the 2024 PKI and Post-Quantum Trends Study by Ponemon Institute show that close to half of U.S. organizations (48%) were actively preparing for PQ in 2024, seven percentage points higher than the global average. And among those not preparing for PQ, most in the U.S. said they were at least aware of the potential impact of PQ. Only 12% of U.S. organizations had not even considered the potential PQ threat vs. 27% of organizations globally.

2025 needs to be the year for organizations of all shapes and sizes around the globe to move beyond PQC learning and prototyping and start deploying these PQC algorithms into their public key infrastructure (PKI).

Framework for Quantum-Safe Identities

The catalyst for PQC migration by organizations and governments around the world is the realization of quantum-safe human and device identities that are essential to individual and national security and stability in the PQ era. And while differences to PQC migration can be expected across sectors and geographies, the following best-practices framework for attaining quantum-safe identities has emerged:

  • Get started now – CISA, NSA, and NIST are all urging organizations to prepare now, with other jurisdictions not far behind.
  • Designate a lead – This helps ensure the orchestrated, organization-wide collection of cryptographic information related to digital identities and beyond.
  • Develop a quantum-safe readiness roadmap – Once a lead has been designated, CISA encourages organizations to establish a quantum-readiness project team to plan and scope the transition to PQC, including quantum-safe identities.
  • Perform a cryptographic inventory – With a clear roadmap in place, the first task of the quantum-readiness project team is the proactive discovery of all cryptographic assets and systems, including the identification of those that are quantum vulnerable. Whether ensuring you have the right technology in place to support the requirements of PQC or ensuring visibility into all your cryptographic assets (keys, certificates, etc.), this will likely be one of the more challenging and time-consuming tasks. It will also help determine if your organization is crypto-agile, which will be critical when it comes to implementing PQC.
  • Engage your identity ecosystem partners – Ensure your identity ecosystem partners have a PQ-readiness roadmap of their own, including migration. This should include everything from new products having PQC built in, to legacy products having a timeline for PQC upgrades.

The quantum threat facing digital identity is real and immediate – don’t leave your organization unnecessarily exposed. Assess your organization’s PQ preparedness today with this self-assessment tool and explore our post-quantum cryptography solutions.

jenn-markey-headshot
Jenn Markey
Advisor, Entrust Cybersecurity Institute
Jenn Markey is a content advisor and thought leader with the Entrust Cybersecurity Institute. Her previous roles with Entrust include VP Product Marketing for the Payments and Identity portfolio and Director Product Marketing for the company’s Identity and Access Management (IAM) business. Jenn brings 25+ years of high tech product management, business development, and marketing experience to the Entrust Cybersecurity Institute with significant expertise in content development and curation.
View all of Jenn's Posts
Facebook