Mobile Telecom Security Landscape Blog: September 25

Welcome to the September blog.  This month we discuss quantum safe cryptography, a topic with some uncertainty on timing but with the potential for a significant security impact.  A cryptographically relevant quantum computer (CRQC) has the potential to break the public key infrastructures which underpin many current security protocols, including some key distribution and digital signature regimes.  It is a complex area with significant uncertainty, so let’s explore further.

Back in June there was an excellent event, the ETSI IQC Quantum Safe Crypto Conference 2025, with 300 people attending in person.  It was a great event for getting the latest updates in quantum safe cryptography (QSC) and quantum key distribution (QKD) and for networking with world experts.

Interesting talking points included:

  • An update on NIST’s post-quantum cryptographic (PQC) algorithm standardisation activity
  • Algorithm standardisation outside of NIST’s work (e.g. in China, and at ISO for Classic McEliece and FrodoKEM)
  • What timescale is sensible for the transition to a QSC state (views ranged from ‘too late’ to a risk-based transition, with many citing 2035, or 2030 for high-risk scenarios)
  • Beginning to see real-world learning experiences of transition to QSC
  • Some cool satellite QKD presentations

Why does it matter?

There was much debate about the timescales for transition to PQC, so this is explored further here.  In large part this depends on the timescale within which a CRQC will become available.  The security of commonly employed cryptographic algorithms, such as RSA- and elliptic curve-based public key encryption and digital signature schemes, relies upon the hardness of certain underlying mathematical problems.  The security of these asymmetric protocols is founded on the assumption that a compute- or time-bounded attacker is unable to efficiently compute the prime factors of large integers or solve the discrete log problem.  The advent of a CRQC fundamentally changes our assumptions regarding the compute power available to bad actors.  Shor’s algorithm, for example, enables the efficient factorisation of large integers and allows attackers to efficiently solve the discrete log problem.  Importantly, Shor’s algorithm achieves an exponential speedup relative to known classical methods, so simply increasing key sizes is not a viable defence.  Consequently, a sufficiently large fault-tolerant quantum computer poses a threat to systems and protocols that utilise public key cryptography and/or digital signatures, and large-scale changes are required to retain present-day security assurances in the face of this quantum threat.

Two notable attacks can be considered for threat identification:

  • an immediate threat from “store now, decrypt later”, where a quantum capable threat actor (QCTA) gains access to sensitive data with a long shelf life and decrypts it later once a CRQC is available; and
  • future threats that originate from QCTAs that have access to a CRQC.

Whilst there is uncertainty on the timing for the availability of a CRQC, the recent NIST announcements of the intention to deprecate some important and widely used algorithms provide a clear priority to effect change.  The proposed transition timelines for quantum-vulnerable algorithms are:

  • 112-bit security strength – deprecated after 2030, disallowed after 2035
  • 128-bit and higher security strength – disallowed after 2035
  • NIST-approved symmetric primitives providing at least 128 bits of classical security continue to be approved

There is a lot of additional information on specific algorithms and key lengths, and an analysis of the impact will be valuable as part of ongoing PQC transition planning.

What’s been happening?

Short answer – loads.  There has been significant activity to prepare for QSC, including at NIST, ETSI and IETF, plus loads of national and regional activity (take a look at some of the conference presentations to get an update).  NIST has released three PQC standards to start the transition to post-quantum cryptography: the Module-Lattice-Based Key-Encapsulation Mechanism [FIPS203], the Module-Lattice-Based Digital Signature Algorithm [FIPS204], and the Stateless Hash-Based Signature Algorithm [FIPS205].  Real-world implementations of these algorithms are beginning to become available.  For telecoms, GSMA’s Post Quantum Telco Networks (PQTN) Task Force has been active for several years in developing guidelines focused on telco preparedness for quantum safe security.  The PQTN reports are:

To conclude, most existing QSC migration advice sensibly points to establishing an inventory of the cryptographic protocols in use.  Other early steps include identifying critical systems and their supporting protocols, risk analysis and prioritisation, and developing and then delivering the transition plan.
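As an added example (not code from the post, GSMA or the PQTN Task Force), the following Python script turns the two ideas above into something a practitioner can run: it takes a cryptographic inventory, classifies each entry against the NIST transition timeline quoted earlier (112-bit strength deprecated after 2030 and disallowed after 2035; 128-bit and above disallowed after 2035; symmetric primitives at 128 bits or more still approved), flags “store now, decrypt later” exposure where a quantum-vulnerable key exchange protects data whose shelf life runs past an assumed CRQC year, and orders the result for prioritisation. The inventory records are constructed; the key-size to strength mapping follows NIST SP 800-57 and the treatment of strengths below 112 bits as already disallowed follows SP 800-131A, both assumptions of this example rather than statements from the post; the CRQC year defaults to the commonly cited 2035 and is a parameter.

```python
"""Classify a cryptographic inventory against the NIST PQC transition timeline
quoted in the post and flag "store now, decrypt later" (SNDL) exposure.
Inventory records below are constructed for illustration."""
from dataclasses import dataclass
from typing import Dict, List

# Public-key families broken by Shor's algorithm (factoring / discrete log).
QUANTUM_VULNERABLE = {"RSA", "DH", "DSA", "ECDH", "ECDSA", "EdDSA"}
# The NIST PQC standards named in the post (FIPS 203 / 204 / 205).
POST_QUANTUM = {"ML-KEM", "ML-DSA", "SLH-DSA"}
# Symmetric ciphers: key_bits is taken directly as classical strength.
SYMMETRIC = {"AES", "ChaCha20"}


@dataclass
class Record:
    system: str
    algorithm: str          # one of the family names above
    key_bits: int           # modulus size, curve size, key size or PQC parameter set
    purpose: str            # "confidentiality" (key exchange/encryption) or "signature"
    shelf_life_years: int   # how long protected data must stay secret (0 for signatures)


def classical_strength(algorithm: str, key_bits: int) -> int:
    """Classical strength in bits; mappings per NIST SP 800-57 (assumption)."""
    if algorithm in ("RSA", "DH", "DSA"):
        for modulus, strength in ((15360, 256), (7680, 192), (3072, 128), (2048, 112), (1024, 80)):
            if key_bits >= modulus:
                return strength
        return 0
    if algorithm in ("ECDH", "ECDSA", "EdDSA"):
        return key_bits // 2                      # e.g. P-256 / Ed25519 -> 128
    if algorithm in SYMMETRIC:
        return key_bits
    raise ValueError(f"no classical strength rule for {algorithm}")


def status(rec: Record, year: int) -> str:
    """'approved', 'deprecated' or 'disallowed' in the given calendar year."""
    if rec.algorithm in POST_QUANTUM:
        return "approved"
    strength = classical_strength(rec.algorithm, rec.key_bits)
    if strength < 112:
        return "disallowed"   # already below NIST's minimum (SP 800-131A; assumption)
    if rec.algorithm in SYMMETRIC:
        return "approved" if strength >= 128 else "disallowed"   # post: >=128 stays approved
    # Quantum-vulnerable public key: the timeline quoted in the post.
    if year > 2035:
        return "disallowed"
    if strength < 128 and year > 2030:
        return "deprecated"
    return "approved"


def sndl_exposed(rec: Record, now: int, crqc_year: int = 2035) -> bool:
    """SNDL: quantum-vulnerable algorithm guarding data that must stay secret past
    the assumed CRQC year.  Signatures are not harvestable this way: a forgery
    needs the CRQC at the time the forged signature is produced."""
    return (rec.algorithm in QUANTUM_VULNERABLE
            and rec.purpose == "confidentiality"
            and now + rec.shelf_life_years > crqc_year)


PRIORITY_ORDER = {"high": 0, "medium": 1, "low": 2, "none": 3}


def assess(inventory: List[Record], now: int = 2025, crqc_year: int = 2035) -> List[Dict]:
    """One row per record, most urgent first."""
    rows = []
    for rec in inventory:
        row = {"system": rec.system, "algorithm": f"{rec.algorithm}-{rec.key_bits}",
               "status_now": status(rec, now), "status_2031": status(rec, 2031),
               "status_2036": status(rec, 2036), "sndl_exposed": sndl_exposed(rec, now, crqc_year)}
        if row["sndl_exposed"] or row["status_now"] == "disallowed":
            row["priority"] = "high"      # exposed today: migrate first
        elif row["status_2031"] != "approved":
            row["priority"] = "medium"    # 112-bit: deprecated after 2030
        elif row["status_2036"] != "approved":
            row["priority"] = "low"       # 128-bit and above: still disallowed after 2035
        else:
            row["priority"] = "none"      # symmetric >= 128 bits or PQC
        rows.append(row)
    return sorted(rows, key=lambda r: PRIORITY_ORDER[r["priority"]])


# Constructed sample inventory for a telco-style estate (not real systems).
SAMPLE_INVENTORY = [
    Record("subscriber-api-tls", "ECDH", 256, "confidentiality", 7),   # ECDHE P-256
    Record("subscriber-api-tls", "RSA", 2048, "signature", 0),          # server certificate
    Record("core-ipsec-tunnel", "DH", 2048, "confidentiality", 15),     # IKE group 14
    Record("legacy-billing-vpn", "RSA", 1024, "confidentiality", 3),
    Record("storage-at-rest", "AES", 256, "confidentiality", 15),
    Record("pqc-pilot-tls", "ML-KEM", 768, "confidentiality", 15),
    Record("ssh-admin", "EdDSA", 256, "signature", 0),                  # Ed25519
]
```

Calling `assess(SAMPLE_INVENTORY)` puts the 2048-bit IPsec tunnel (15-year data shelf life reaching past 2035) and the 1024-bit legacy VPN at the top, the 2048-bit RSA certificate next (deprecated after 2030), the 256-bit curves after that (fine until 2035), and AES-256 and the ML-KEM pilot last. Note the prioritisation also makes the point from the planning advice that follows: a record with a short shelf life on a system due for retirement may rank low even though its algorithm is quantum-vulnerable.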

Practical complementary approaches can look beyond today’s implementations to the planned future state of networks and systems.  This can include understanding planned technology refreshes, vendor product roadmaps and transformation projects.  There may be little point planning a transition for a system that is due to be phased out in the near future.

NIST’s intention to deprecate a range of crypto algorithms marks a significant change in the landscape, and practical responses are urgently required.  More detailed approaches are identified in the PQTN Task Force documentation.  PQTN is actively developing more guidance and welcomes new contributors, so get in touch if you want to link up.