Quantum computers are set to become a reality. In addition to solving problems that are out of reach for today's computers, a large enough quantum computer would break the public key encryption and digital signature schemes that are widely used today.

A survey of more than 30 experts in the field produced the Quantum Threat Timeline Report. The report asks how likely it is that a quantum computer capable of breaking RSA-2048 in under a day will exist within various time horizons, and the experts surveyed put a meaningful chance on that happening within the next few years.

What needs to be done, though? What should leaders be doing now?

Defining public key cryptography and post-quantum cryptography

Before we get to that, let’s first define public key cryptography (PKC) and post-quantum cryptography (PQC).

PKC refers to the asymmetric schemes (RSA, Diffie-Hellman and elliptic-curve cryptography) that underpin most of our secured digital interactions: key exchange, digital signatures and certificates. Shor's algorithm solves the integer factoring and discrete logarithm problems these schemes rely on, so a sufficiently large quantum computer breaks them outright. Symmetric ciphers such as AES are only weakened (Grover's algorithm roughly halves their effective key length) and remain usable at larger key sizes.

Post-quantum cryptography (PQC) refers to cryptographic schemes built on mathematical problems for which no efficient attack is known on either conventional or quantum computers, so they are expected to remain secure after large quantum computers arrive.

Why does my organization need to care?

If your response to the quantum threat is that you aren't troubled by the thought of an "evil state actor with a quantum computer" reading your transaction data and quarterly sales reports from five years ago, that might seem reasonable.

However, just about all of society’s infrastructure — internet communications, e-commerce, healthcare, transport, energy, government and even national security — relies on well-functioning, reliable encryption. Here are three reasons why post-quantum cryptography matters.

Some PKC schemes are being deprecated

The National Institute of Standards and Technology (NIST), the US agency that promotes standards and measurement, has proposed (in the November 2024 draft of NIST IR 8547) deprecating quantum-vulnerable public key schemes at the 112-bit security level, such as RSA-2048, by 2030 and disallowing all quantum-vulnerable public key schemes by 2035. This means that PKC that uses these schemes to secure cloud, email, networks, applications, etc., will be flagged as insecure; it will no longer be trusted.

Whether a powerful enough quantum computer is available by then or not becomes slightly less relevant, given the deprecation of these schemes: auditors, customers and compliance frameworks will expect the migration to be done regardless.

Harvest now, decrypt later attacks

Attackers can record encrypted traffic and stored ciphertext now and keep it until a quantum computer lets them decrypt it. This means that if your organization has data that needs to stay secret for years, it is at risk now, even though the decryption happens later. Examples of such data include medical records, intellectual property and personally identifiable data. Signatures are less exposed to this pattern: a recorded signature only becomes forgeable once the quantum computer exists, whereas recorded ciphertext is readable forever once it does.
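One way to turn the deprecation dates above and the harvest-now-decrypt-later reasoning into a concrete check is a cryptographic inventory script. The following is an added example, not code from the original article. It takes a constructed list of systems (assumed names and parameters), the public key family each uses, and how long the data it protects must stay secret; it then reports which entries are quantum-vulnerable, which NIST IR 8547 (draft) deadline applies, and which are exposed to harvest-now-decrypt-later because their data must still be secret after the algorithm stops being acceptable. The assessment year and the use of the NIST deadline as the "decrypt later" horizon are assumptions, marked in the code.

```python
"""Added example: a small cryptographic inventory check for the quantum
transition. Sample assets below are constructed for illustration."""
from dataclasses import dataclass
from typing import List, Optional

ASSESSMENT_YEAR = 2025   # assumption: the year this inventory is taken
DEPRECATE_YEAR = 2030    # NIST IR 8547 (draft): 112-bit quantum-vulnerable PKC deprecated after 2030
DISALLOW_YEAR = 2035     # NIST IR 8547 (draft): all quantum-vulnerable PKC disallowed after 2035

# Families broken by Shor's algorithm (factoring / discrete logarithm).
QUANTUM_VULNERABLE = {"RSA", "DSA", "DH", "ECDH", "ECDSA", "X25519", "Ed25519"}
# Families standardised or selected by NIST's PQC project (FIPS 203-205, draft FIPS 206, HQC).
QUANTUM_RESISTANT = {"ML-KEM", "ML-DSA", "SLH-DSA", "FN-DSA", "HQC"}
# Uses where ciphertext can be recorded today and decrypted later.
CONFIDENTIALITY_USES = {"key-exchange", "encryption"}

# Classical security strength in bits for common parameter sizes (NIST SP 800-57 Part 1).
CLASSICAL_STRENGTH = {
    ("RSA", 2048): 112, ("DH", 2048): 112, ("DSA", 2048): 112,
    ("RSA", 3072): 128, ("ECDSA", 256): 128, ("ECDH", 256): 128,
    ("X25519", 256): 128, ("Ed25519", 256): 128,
    ("ECDSA", 384): 192, ("ECDH", 384): 192,
}


@dataclass
class Asset:
    name: str
    algorithm: str       # family, e.g. "RSA" or "ML-KEM"
    key_size: int        # key size in bits (parameter set size for PQC)
    use: str             # "key-exchange", "encryption" or "signature"
    secrecy_years: int   # how long the protected data must stay confidential


@dataclass
class Finding:
    asset: str
    quantum_vulnerable: bool
    deadline: Optional[int]   # year by which the algorithm must be gone, None if none
    hndl_exposed: bool        # harvest-now-decrypt-later exposure
    note: str


def classify(asset: Asset) -> Finding:
    """Map one inventory entry to a migration deadline and HNDL exposure."""
    family = asset.algorithm
    if family in QUANTUM_RESISTANT:
        return Finding(asset.name, False, None, False,
                       f"{family}-{asset.key_size}: quantum-resistant, no migration deadline")
    if family not in QUANTUM_VULNERABLE:
        # Unknown family: treat as vulnerable on the earliest deadline (conservative).
        return Finding(asset.name, True, DEPRECATE_YEAR, asset.use in CONFIDENTIALITY_USES,
                       f"{family}: unknown family, treated as quantum-vulnerable")

    # Unknown parameter size: assume the weakest accepted strength (conservative).
    strength = CLASSICAL_STRENGTH.get((family, asset.key_size), 112)
    deadline = DEPRECATE_YEAR if strength <= 112 else DISALLOW_YEAR

    # HNDL: only confidentiality uses are exposed, and only when the data must
    # still be secret after the algorithm's deadline. Assumption: the NIST
    # deadline is used as the horizon for a capable quantum computer.
    secret_until = ASSESSMENT_YEAR + asset.secrecy_years
    hndl = asset.use in CONFIDENTIALITY_USES and secret_until > deadline
    note = (f"{family}-{asset.key_size} ({strength}-bit classical): migrate by {deadline}; "
            f"data secret until {secret_until}")
    return Finding(asset.name, True, deadline, hndl, note)


def prioritise(assets: List[Asset]) -> List[Finding]:
    """HNDL-exposed entries first, then earliest deadline, then by name."""
    findings = [classify(a) for a in assets]
    return sorted(findings, key=lambda f: (not f.hndl_exposed, f.deadline or 9999, f.asset))


# Constructed sample inventory (names and parameters are illustrative).
SAMPLE_INVENTORY = [
    Asset("vpn-gateway", "RSA", 2048, "key-exchange", 10),
    Asset("web-tls", "X25519", 256, "key-exchange", 1),
    Asset("code-signing", "ECDSA", 384, "signature", 20),
    Asset("backup-archive", "ECDH", 256, "encryption", 15),
    Asset("new-tls-hybrid", "ML-KEM", 768, "key-exchange", 10),
]

if __name__ == "__main__":
    for f in prioritise(SAMPLE_INVENTORY):
        flag = "HNDL-EXPOSED" if f.hndl_exposed else ("vulnerable" if f.quantum_vulnerable else "ok")
        print(f"{f.asset:16} {flag:13} {f.note}")
```

The ordering is the point: long-lived confidential data behind a quantum-vulnerable key exchange (the VPN and the backup archive in the sample) comes first, because it is at risk now; quantum-vulnerable signing keys can be scheduled against the 2035 date. Real inventories would be fed from certificate stores, TLS scans and key management systems rather than a hard-coded list.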

Migrating to PQC

NIST has standardized a set of quantum-resistant schemes to replace the quantum-vulnerable PKC in use today (RSA, Diffie-Hellman and elliptic-curve cryptography). The standards are the result of a public competition that began in 2016, in which candidate schemes submitted by researchers were evaluated and attacked over several rounds.

NIST’s new PQC standards

This is the list of NIST-selected schemes. Two are key encapsulation mechanisms (KEMs), used to establish the shared keys that then encrypt data with a symmetric cipher; three are digital signature schemes. None of them is proven secure; they are believed to resist quantum attack because the lattice and hash-based problems they rely on have withstood years of public cryptanalysis.

CRYSTALS-Kyber, a lattice-based KEM, standardized as ML-KEM in FIPS 203

CRYSTALS-Dilithium, a lattice-based signature scheme, standardized as ML-DSA in FIPS 204

SPHINCS+, a hash-based signature scheme, standardized as SLH-DSA in FIPS 205

Falcon, a lattice-based signature scheme, being standardized as FN-DSA in FIPS 206 (draft)

HQC, a code-based KEM selected in 2025 as a backup to ML-KEM; its standard is still being drafted

Three steps to becoming quantum-secure