In recent years, post-quantum cryptography has transitioned from a niche topic discussed at security conferences to a significant focus for major organizations worldwide. The urgency to adapt has been underscored by recent developments, including Western Digital’s incorporation of post-quantum cryptography into its products, a CNN feature highlighting the quantum threat, and the U.S. government’s substantial investment in quantum computing projects.
Significant Developments in Post-Quantum Cryptography
This week marked a turning point with multiple significant events underscoring the increasing importance of post-quantum cryptography (PQC). Notably, the U.S. government has allocated approximately two billion dollars towards quantum computing. Additionally, Apple has endorsed NIST-approved post-quantum algorithms for iMessage security.
These developments signify a collective move towards PQC by companies and governments. The focus is now on building, deploying, and integrating these technologies into existing systems.
Understanding Current Threats Without Quantum Computers
A common misconception in PQC strategy is the belief that threats will only emerge once quantum computers become operational. However, two threats—’Harvest Now, Decrypt Later’ (HNDL) and ‘Trust Now, Forge Later’ (TNFL)—are already active. HNDL involves adversaries storing encrypted data now, intending to decrypt it in the future with quantum computers.
TNFL threatens the integrity of digital signatures, which could be forged once quantum computing capabilities are realized. The urgency in adopting PQC is driven by the need to mitigate these immediate threats before quantum computing becomes mainstream.
Challenges in Implementing Post-Quantum Solutions
Implementing PQC is not without challenges. Often, organizations encounter visibility issues when starting their PQC programs. Cryptography exists across various layers of enterprise infrastructure, including application, infrastructure, cloud, and more, making it difficult to inventory and manage.
Developing a Cryptography Bill of Materials (CBOM) is essential for a comprehensive inventory of cryptographic assets, enabling organizations to effectively transition to PQC through enhanced crypto-agility and prioritization strategies.
NIST’s finalization of PQC standards in August 2024, including ML-KEM and ML-DSA, has shifted PQC from theoretical research to practical application. Major tech companies have already begun deploying these standards, setting a precedent for others to follow.
The Path Forward for Organizations
As post-quantum cryptography becomes increasingly integrated into security protocols, organizations face pivotal decisions. They can start foundational work now, establishing a CBOM and engaging in vendor discussions, or delay and risk increased pressure as deadlines approach.
The technology and standards are ready, and early adoption will facilitate smoother transitions. Organizations must assess their current paths and take immediate steps to ensure they are not left behind in this crucial technological shift.
For more information on how to implement a CBOM and develop a robust cryptographic posture, visit Encryption Consulting’s website or reach out directly.
