the NISQ (noisy intermediate-scale quantum computers) stage, as they are large enough to conduct fundamental computation and error correction operations, but still far from sophisticated enough to pose a real threat to actual cryptography. In practical terms, quantum computers currently work with several dozen to hundreds of quantum bits, or qubits, but they would need around 2000 logical qubits to break RSA 1024 or ECDSA/ECIES 256. And given their inherently error-prone nature, this would translate into more than a million physical qubits to get to the necessary 2000 error-corrected qubits.
The quantum computers of today are also still unwieldy in more than the logical sense: they require massive investments and extremely sophisticated technology, e.g. for cooling the superconducting qubits down to near absolute zero. At the time of writing, any attempt to crack current encryption algorithms would be prohibitively costly and very far from worth the effort, if even technically possible.
Still, Pandora's box has officially been opened, and quantum computers are constantly evolving and getting better, cheaper, and more easily available. With this prospect, the National Institute of Standards and Technology (NIST) and Germany's Federal Office for Information Security (BSI) are officially recommending that the cryptographic world start thinking about alternative options. The magic term is: post-quantum cryptography.
Entering the PQC Arms Race
NIST officially began the new game of cat and mouse in 2016 by launching the standardization of quantum-secure algorithms. The sense of urgency in the industry meant that the complex and usually slow standardization process was accelerated beyond expectations. Candidates were screened in several rounds, a shortlist was prepared, and the algorithms selected for standardization were announced in 2022.
The thinking was to prepare a set of algorithms that use different mathematical means under the hood. Should any one of them be broken by quantum computers, this would leave other options open and keep the arms race active by the simple and brute principle that underlies much of cryptography: making it harder, costlier, and simply not worthwhile for attackers. A quantum computer might, at considerable cost in terms of money, manpower, and time, break one algorithm, but that victory would be short-lived, as others are already being put in place by the defenders.
The NIST approach offers some reassurance for the cryptographic community, although one candidate, SIKE, has indeed already been broken, without even requiring a quantum computer. This should remind everybody that the threat is serious, acute, and not to be ignored, and that nothing can be taken for granted.
The Hare and the Hedgehog: Speed Beats Agility?
In the fairy tale of the hare and the hedgehog, the apparent loser, the hedgehog, challenges the obvious winner, the hare, to a race that seems a foregone conclusion. But on race day, the hare darts off, leaves the hedgehog trailing in the dust, nears the finish line – and finds himself face to face with the hedgehog waiting for him. Little did he know that it was the hedgehog's wife, who had been waiting there all along. Frustrated and hurt in his honor, the hare races back to the starting line and back again, back and forth until he dies of exhaustion.
The hedgehog can be a model for what is needed now in cryptography: not speed – where the quantum-computer-empowered attacker has the natural advantage – but cleverness and crypto-agility.
If single cryptographic algorithms are likely to fall in the future, the crypto-agile answer is to have other algorithms in place to take over. Software architectures need to be designed to allow cryptographic algorithms to be replaced immediately in the case of a breach. When one quantum-safe system is revealed to be not as safe as we had hoped, migrating to another system should be an obvious and immediate option.
Crypto-agility calls for more than flexibility. It needs a new way of developing software: new performance tradeoffs have to be made, and new algorithms or entire protection systems have to be introduced that require more work in protecting against side-channel attacks and all the other factors that one could consider the soft underbelly of cryptography. And as the threat still seems so far-off and unreal, developers might be wary of switching outright to quantum-safe algorithms. Ideally, they should allow for a combination of conventional and quantum-safe cryptography to cover all possibilities.
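As an added example (not from the article), the two demands above, retiring a component the moment it is broken and running conventional and quantum-safe key exchange side by side, can be met in one hybrid key combiner; the algorithm identifiers and the shared-secret byte strings used here are constructed stand-ins, not real ECDH or KEM outputs.

```python
# Added example (not from the article): a crypto-agile hybrid key-exchange
# combiner. Real ECDH/KEM outputs are replaced by constructed byte strings.
import hashlib
import hmac

# Policy registry of permitted components. The identifiers are illustrative
# labels for this example, not a real registry. Flipping "enabled" is the
# lever the text asks for: a weakened component is refused at negotiation
# time without changing any caller.
ALGORITHMS = {
    "x25519":     {"kind": "classical", "enabled": True},
    "ml-kem-768": {"kind": "pq",        "enabled": True},
    "sike-p434":  {"kind": "pq",        "enabled": False},  # broken in 2022
}

def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """HKDF (RFC 5869) over HMAC-SHA256: extract a PRK, then expand to `length`."""
    prk = hmac.new(salt or b"\x00" * 32, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]

def _lp(data: bytes) -> bytes:
    """Length-prefix a field so concatenated inputs cannot be re-split ambiguously."""
    return len(data).to_bytes(2, "big") + data

def hybrid_session_key(classical_id: str, pq_id: str, ss_classical: bytes,
                       ss_pq: bytes, transcript: bytes) -> bytes:
    """Derive one session key from a classical and a post-quantum shared secret.
    Both secrets feed the KDF, so an attacker who breaks only one component
    (by a future quantum computer, or classically as happened to SIKE) still
    lacks a complete input. The negotiated algorithm ids and the handshake
    transcript are bound into `info`, so a key derived under one algorithm
    pair can never be confused with one derived under another."""
    for alg, kind in ((classical_id, "classical"), (pq_id, "pq")):
        entry = ALGORITHMS.get(alg)
        if entry is None or not entry["enabled"]:
            raise ValueError(f"algorithm {alg!r} is not permitted by policy")
        if entry["kind"] != kind:
            raise ValueError(f"algorithm {alg!r} is not a {kind} component")
    ikm = _lp(ss_classical) + _lp(ss_pq)
    info = b"hybrid-kex-v1" + _lp(classical_id.encode()) + _lp(pq_id.encode()) + _lp(transcript)
    return hkdf_sha256(ikm, salt=b"", info=info)
```

Disabling a component in the registry is enough to make every handshake that names it fail closed, while the callers and the combiner itself stay untouched.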
I’m Already There
“I’m already there”, the hedgehog’s wife taunted the hare. Post-quantum cryptography needs to be able to say the same: when the quantum tipping point is reached, it has to already have its house in order. Now is the right time to start preparing your organizations, your cryptographic choices, and your software architectures for the post-quantum moment.
Timeline
300 BC: Introduction of the prime factorization theorem in Euclid's work "Elements"
1976: First PKI scheme based on the discrete logarithm problem
1977: Publication of the RSA cryptosystem
1978: Invention of the McEliece cryptosystem
1988: First cryptosystem based on multivariate polynomials
1994: Invention of Shor's algorithm to factorize numbers on a quantum computer
1996: Invention of Grover's algorithm for searching in unsorted databases on a quantum computer
1996: First lattice-based cryptosystem using the Short Integer Solution problem
1998: Invention of the NTRU cryptosystem
2001: Factorization of 15 = 3x5 on a quantum computer
2005: Introduction of the Learning with Errors problem
2006: Launch of the PQCrypto conference series
2011: Invention of the XMSS cryptosystem
2012: Factorization of 21 = 3x7 on a quantum computer
2015: Invention of the SPHINCS+ cryptosystem
2016: Call for proposals for NIST PQC standardization
2017: Invention of the NewHope post-quantum secure algorithm
2018: First NIST PQC standardization conference
2019: Two 53-qubit quantum computers available
2019-2022: PQC4MED project
2021: First quantum computer in Germany (IBM Ehningen, 27-qubit system)
07.2022: NIST publishes the post-quantum algorithms for standardization
08.2022: NIST PQC algorithm "SIKE" is broken
2022-2024: Draft for NIST standardization
2035: Most likely, a quantum computer strong enough to break current cryptosystems
Picture credits (CC license): wikipedia.org