2024: A quantum leap year for Cybersecurity
New standards will inaugurate a new era for cybersecurity
If you are into cybersecurity and don’t have any “quantum safe” item in your 2024 tasklist, read on.
Time for a quantum leap
The year 2024 will be unusual by having one more day, February 29th, and thus being a leap year.
More importantly though, 2024 will see a pivotal turning point in cryptography, with the anticipated approval of new standards for “quantum-safe” (a.k.a. “post-quantum”) public-key cryptography algorithms by the US National Institute of Standards and Technology (NIST) [see the project webpage here]. This will kick-start a process to replace some obscure algorithms few people know about — but that truly define how data and communications are secured in the digital economy.
The significance of this transition lies not so much in the creation of new standards but, critically, in the (future) revocation of some of the existing algorithms, including the venerable RSA and elliptic curves, which are the most directly impacted by the threat of Shor’s algorithm and quantum computers. This phasing out will become inevitable as the arrival of cryptographically relevant quantum computers (CRQCs) looms closer on the horizon, likely around 2035, White House dixit.
We thus have to envision a transition process where new “quantum safe” standards are progressively required to comply with industry best practices, e.g., in the Payments Card Industry, while simultaneously today’s standards become obsolete. The full timeline is not yet clear — there are important open questions, e.g., about certifications of software implementations of the new algorithms and standardization of hardware — but current position papers suggest that one should envision a “quantum safe”-only world from 2030, cf. Quantum-Readiness Best Practices by Quantum Safe Canada. At any rate, given the long lifetime of many cryptographic artifacts, like certificates, it is imperative for organizations to start to prepare for this migration.
Crypto-agility as a new paradigm
Given the pervasive nature of cryptography in our internet-centric era, businesses and institutions must get up to speed and devise migration strategies to ensure operational continuity. In this context, the concept of crypto-agility emerges as an essential paradigm for future-proof cybersecurity.
In contrast to the rigidity of current solutions, crypto-agility is an organization's ability to quickly and smoothly adapt its cryptographic solutions in response to emerging cryptographic threats, e.g., the discovery of a fundamental vulnerability in an encryption algorithm. Embedding this principle into cybersecurity policies and protocols will be vital to keep an organization’s data and communications safe and secure against emerging threats.
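To make the crypto-agility principle concrete, here is an added example (not code from the original post) of the design pattern it implies: every protected artifact carries an explicit algorithm identifier, a registry maps identifiers to implementations, and a policy per algorithm (allowed, verify-only, revoked) lets an organization stop producing artifacts with a deprecated algorithm while still verifying and migrating the existing ones. The algorithm identifiers, the policy states and the use of HMAC-SHA256/HMAC-SHA512 as stand-ins are assumptions for illustration; the Python standard library has no post-quantum algorithm, so the example demonstrates the agility pattern, not a quantum-safe primitive.

```python
import hashlib
import hmac
from enum import Enum


class Status(Enum):
    """Lifecycle state of an algorithm in the organization's policy (hypothetical names)."""
    ALLOWED = "allowed"          # may create and verify artifacts
    VERIFY_ONLY = "verify-only"  # legacy: verify existing artifacts, never create new ones
    REVOKED = "revoked"          # neither create nor verify


# Registry: algorithm identifier -> (hash function, current policy status).
# The identifiers are constructed for this example; a real registry would hold
# the organization's approved algorithms and their status.
REGISTRY = {
    "hmac-sha256": [hashlib.sha256, Status.VERIFY_ONLY],
    "hmac-sha512": [hashlib.sha512, Status.ALLOWED],
}


def set_status(alg_id, status):
    """Policy change: e.g. move an algorithm from VERIFY_ONLY to REVOKED at end of life."""
    REGISTRY[alg_id][1] = status


def protect(alg_id, key, message):
    """Create an artifact tagged with the algorithm used, refusing deprecated algorithms."""
    digest, status = REGISTRY[alg_id]
    if status is not Status.ALLOWED:
        raise ValueError(f"{alg_id} is {status.value}; refusing to create a new artifact")
    tag = hmac.new(key, message, digest).hexdigest()
    # The identifier travels with the artifact, so a verifier never has to guess the algorithm.
    return f"{alg_id}${tag}"


def verify(key, message, artifact):
    """Verify an artifact if its algorithm is still allowed or verify-only; reject revoked/unknown."""
    alg_id, _, tag = artifact.partition("$")
    if alg_id not in REGISTRY:
        return False
    digest, status = REGISTRY[alg_id]
    if status is Status.REVOKED:
        return False
    expected = hmac.new(key, message, digest).hexdigest()
    return hmac.compare_digest(expected, tag)


def migrate(key, message, artifact, target_alg):
    """Re-protect a legacy artifact under a currently allowed algorithm.

    Only artifacts that still verify are migrated, so a forged or corrupted
    legacy artifact cannot be laundered into a fresh one.
    """
    if not verify(key, message, artifact):
        raise ValueError("refusing to migrate an artifact that does not verify")
    return protect(target_alg, key, message)


def legacy_artifact(key, message):
    """Constructed sample: an artifact created before hmac-sha256 was deprecated."""
    return "hmac-sha256$" + hmac.new(key, message, hashlib.sha256).hexdigest()


if __name__ == "__main__":
    key, msg = b"constructed-demo-key", b"invoice-2024-0001"
    old = legacy_artifact(key, msg)
    print("legacy verifies:", verify(key, msg, old))          # True (verify-only)
    new = migrate(key, msg, old, "hmac-sha512")
    print("migrated artifact:", new[:20] + "...")
    set_status("hmac-sha256", Status.REVOKED)
    print("legacy verifies after revocation:", verify(key, msg, old))  # False
```

The pattern scales to signatures, certificates and key-exchange suites in the same way: the cost of a future algorithm revocation is a policy change in the registry plus a migration pass over the inventory, rather than a rewrite of every system that hard-coded the algorithm.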
Therefore, as 2024 heralds a new era in cryptography, the discontinuation of existing algorithms is not merely a technical measure; it is a call to action to embrace crypto-agility as a key element of defence against the growing quantum threats, as quantum computers keep making big strides.