DEV Community

Certera

What is Post-Quantum Cryptography? Why Do We Need Post-Quantum Cryptography?

A quantum computer is an advanced, extremely powerful computer. It can solve certain complex problems and do many things that regular computers cannot. This technological advancement also creates new threats to today's information technologies.

It can break cryptographic algorithms in minutes or seconds, whereas regular computers would take thousands of years. In 2019, Google claimed that its quantum computer Sycamore solved a problem in 200 seconds that would take the best regular computers 10,000 years.

Quantum computers are improving faster than regular computers, outpacing Moore's Law, which says that computer power doubles every two years. By 2030, experts predict quantum computers will be powerful enough to break current encryption systems.

What is Post-Quantum Cryptography (PQC)?

Post-quantum cryptography (PQC) is a set of cryptographic algorithms designed to be secure against attacks from quantum computers, preventing them from cracking sensitive data.

It is also referred to as quantum-proof, quantum-safe, or quantum-resistant cryptography. Post-quantum cryptography is easily adaptable: the goal of PQC is to develop cryptographic systems that are secure against both quantum and classical computers and that can work with existing communication protocols and networks.

How does Current Cryptography Work, and How would a Quantum Computer Crack it?

Current public-key algorithms such as RSA work like this: they select two large random prime numbers, which are divisible only by one and themselves, and multiply them to get an even larger number. This enormous number is used to lock, or encrypt, the information.

Multiplying two prime numbers is easy for today's computers. However, it is hard and slow for a regular computer to reverse the process and find the original prime numbers (the prime factors). For a sufficiently large number, it could take a regular computer billions of years to work this out. But quantum computers can break it in minutes.

Instead of checking one possible answer at a time, a quantum computer can explore many possibilities simultaneously. This capability comes from qubits. In a regular computer, information is stored in bits that are either 0 or 1.

In a quantum computer, information is stored in qubits. A qubit can be 0, 1, or both simultaneously (due to a quantum property called superposition).
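To make the "easy to multiply, hard to reverse" point concrete, here is an added example (not from the original post) of a toy RSA key built from two tiny constructed primes. It shows that whoever can factor the public modulus n can rebuild the private exponent d exactly as key generation did; the trial-division `factor()` stands in for the factoring step that Shor's algorithm would perform on a quantum computer, and only finishes here because the numbers are small.

```python
from math import gcd

def keygen(p: int, q: int, e: int = 65537):
    """Toy RSA: public key (n, e) and private exponent d from primes p, q."""
    n = p * q                        # easy direction: one multiplication
    phi = (p - 1) * (q - 1)          # needs p and q themselves, not just n
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    d = pow(e, -1, phi)              # modular inverse, Python 3.8+
    return (n, e), d

def encrypt(pub, m: int) -> int:
    n, e = pub
    return pow(m, e, n)

def decrypt(d: int, n: int, c: int) -> int:
    return pow(c, d, n)

def factor(n: int):
    """Stand-in for a factoring oracle: classical trial division.
    Its cost grows with sqrt(n), which is why it is hopeless for real
    2048-bit moduli; Shor's algorithm removes that barrier."""
    f = 3
    while f * f <= n:
        if n % f == 0:
            return f, n // f
        f += 2
    raise ValueError("no odd factor found")

def recover_private_key(pub) -> int:
    """From the public key alone: factor n, then rebuild d as keygen did."""
    n, e = pub
    p, q = factor(n)
    return pow(e, -1, (p - 1) * (q - 1))

if __name__ == "__main__":
    pub, d = keygen(61, 53)          # constructed toy primes
    c = encrypt(pub, 65)
    d2 = recover_private_key(pub)    # same d, obtained without the private key
    print(pub, d, d2, decrypt(d2, pub[0], c))
```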

Why Do We Need Post-Quantum Cryptography?

Encryption algorithms are the last line of defense against data breaches and cyber threats. For decades, these algorithms have defended against cyber-attacks.

However, quantum threats are a serious issue that could compromise the confidentiality and integrity of digital data.

Quantum computers can crack RSA, Elliptic-curve cryptography (ECC), the Digital Signature Standard (DSS), and Diffie–Hellman (DH) key exchange in seconds using quantum algorithms such as Shor's algorithm. If quantum computers become widely available, they could pose a grave threat.

NIST Post-Quantum Cryptography Standards: FIPS 203, FIPS 204, and FIPS 205

In August 2024, NIST (the National Institute of Standards and Technology) released FIPS 203, 204, and 205. These post-quantum cryptography standards are designed to protect against emerging quantum threats.

They are designed to protect data once powerful quantum computers, which could easily break traditional encryption, become common or easily accessible.

FIPS 203: Module-Lattice-Based Key-Encapsulation Mechanism Standard (ML-KEM)

This standard specifies ML-KEM, a Key-Encapsulation Mechanism (KEM) designed to be secure even against quantum threats. A KEM is a set of algorithms that allows two parties to establish a shared secret key over a public channel such as the Internet. The shared secret key can then be used for symmetric-key cryptography.

Some of its applications are securing connections to web applications (HTTPS), protecting VPNs, and ensuring safe communication in messaging apps and email systems.

Its security rests on a mathematical problem called the Module Learning with Errors (MLWE) problem, which is believed to be too hard for even quantum computers to solve efficiently. This lets two parties establish a secret key even when an adversary who possesses a quantum computer is watching the channel.

ML-KEM comes with three parameter sets offering different security levels: ML-KEM-512, ML-KEM-768, and ML-KEM-1024. The higher the number, the more secure it is, but it also becomes slower.

FIPS 204: Module-Lattice-Based Digital Signature Standard (ML-DSA)

This standard specifies ML-DSA, a set of algorithms that can be used to generate and verify digital signatures. Digital signatures prove who sent a piece of data and ensure it hasn't been tampered with. Future quantum computers might break traditional digital signatures, but ML-DSA is designed to stay secure against quantum computers.

The ML-DSA signature scheme consists of three core algorithms: ML-DSA.KeyGen, ML-DSA.Sign, and ML-DSA.Verify.

The ML-DSA.KeyGen algorithm generates a pair of keys: a public key and a private key.

The ML-DSA.Sign algorithm uses the private key to produce a signature for a given message.

Finally, the ML-DSA.Verify algorithm utilizes the public key to confirm the authenticity of the signature.

It is used to verify the sender’s identity (who sent it), ensure the integrity of the data (has it been changed), and provide non-repudiation, which means the sender cannot later deny that they created the signature.

It has various applications, such as verifying the sender’s identity in email communication, securing online transactions in banking, and protecting stored data from tampering.

The security of ML-DSA is based on the Module Learning with Errors (MLWE) problem and the Module Short Integer Solution (MSIS) problem.

FIPS 205: Stateless Hash-Based Digital Signature Standard (SLH-DSA)

FIPS 205 is a NIST-published standard that specifies SLH-DSA, the Stateless Hash-Based Digital Signature Algorithm: a method for generating and verifying a digital signature over a message.

The algorithm was designed to provide strong security even against an adversary with access to a quantum computer. It is used to authenticate the signer's identity and to detect any unauthorized alteration of data.

SLH-DSA makes use of secure hash functions to generate digital signatures. A hash function transforms input data into a fixed-size output that is effectively unique to that input.

SLH-DSA is based on SPHINCS+, a highly secure cryptographic scheme selected during NIST's Post-Quantum Cryptography Standardization process. Its security rests on hash functions rather than on the number-theoretic problems that many older digital signature schemes use. It employs SHA-2 and SHA-3, which are assumed to resist both classical and quantum attacks.
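The simplest hash-based signature is a Lamport one-time signature, and the added example below (not from the original post, and far simpler than SPHINCS+/SLH-DSA) implements one over SHA-256. It shows how a signature can rest on nothing but a hash function, and why a one-time key must never sign twice: each signature reveals half of the private values, and a second signature on a different message reveals more. SPHINCS+ is built so that this reuse hazard does not arise, which is what "stateless" refers to.

```python
import hashlib
import secrets

BITS = 256  # one key pair per bit of the SHA-256 message digest

def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def keygen():
    """Private key: 256 pairs of random 32-byte secrets; public key: their hashes."""
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(BITS)]
    pk = [(H(a), H(b)) for a, b in sk]
    return sk, pk

def msg_bits(msg: bytes):
    """Bits of SHA-256(msg), most significant first."""
    d = int.from_bytes(H(msg), "big")
    return [(d >> (BITS - 1 - i)) & 1 for i in range(BITS)]

def sign(sk, msg: bytes):
    """For each digest bit, reveal the secret in that position. One-time only."""
    return [sk[i][b] for i, b in enumerate(msg_bits(msg))]

def verify(pk, msg: bytes, sig) -> bool:
    """Hash each revealed secret and compare with the public key entry for that bit."""
    if len(sig) != BITS:
        return False
    return all(H(s) == pk[i][b] for i, (s, b) in enumerate(zip(sig, msg_bits(msg))))

def revealed_secrets(signed_msgs) -> int:
    """How many of the 512 private values the given signed messages have exposed.
    One signature exposes exactly 256; signing a second, different message
    exposes more, which is the key-reuse hazard stateless schemes avoid."""
    seen = set()
    for msg in signed_msgs:
        seen.update(enumerate(msg_bits(msg)))
    return len(seen)

if __name__ == "__main__":
    sk, pk = keygen()
    msg = b"release v1.0"           # constructed sample message
    sig = sign(sk, msg)
    print(verify(pk, msg, sig), verify(pk, b"release v1.1", sig))
    print(revealed_secrets([msg]), revealed_secrets([msg, b"release v1.1"]))
```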

Best Practices for Resisting Post-Quantum Attacks

Ongoing research in quantum computing suggests that quantum computers could become more widely available within a few years. The cryptography currently used in your organization is vulnerable to quantum threats. Here is a list of best-practice strategies:

Cryptographic Assets Discovery

Identify all encryption, signature, and key exchange algorithms in your systems or organization. Determine where cryptographic components are embedded and record them in an inventory for future use.

Quantum Threat Analysis

Learn how quantum computers can break cryptographic algorithms like RSA, ECC, and Diffie-Hellman through algorithms like Shor's algorithm. You have to do a threat analysis: is there any APT or threat group that uses quantum computers to exploit and attack?

You must develop the organization's defense strategies based on those groups' Tactics, Techniques, and Procedures (TTPs).

Transition to Post-Quantum Cryptography (PQC)

Implement the standards produced by NIST's Post-Quantum Cryptography Standardization process, namely FIPS 203, FIPS 204, and FIPS 205. Combine traditional and quantum-resistant algorithms during the transition to maintain compatibility and to test the new systems.

Protect Data and Systems Based on Criticality

Implement post-quantum cryptography for highly sensitive data and highly critical systems first, because their compromise would cause the greatest loss to the organization.
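The discovery and prioritization steps above can be combined into a small, repeatable report. The added example below (not from the original post) classifies each inventory entry by how quantum computing affects it and ranks the remaining work by criticality; the inventory lines, algorithm name patterns and scoring weights are constructed for illustration, and a real inventory would be fed from code scans, certificate stores and TLS/VPN configuration.

```python
import re

# Constructed sample inventory: system,algorithm,purpose,criticality
INVENTORY = """\
vpn-gateway,ECDH-P256,key-exchange,high
web-frontend,RSA-2048,key-exchange,high
backup-archive,AES-128,encryption,high
code-signing,ECDSA-P256,signature,medium
internal-wiki,RSA-2048,signature,low
db-at-rest,AES-256,encryption,high
new-api,ML-KEM-768,key-exchange,medium
"""

SHOR_BREAKS = re.compile(r"^(RSA|ECDSA|ECDH|DH|DSA|ED25519|X25519)", re.I)
PQC = re.compile(r"^(ML-KEM|ML-DSA|SLH-DSA)", re.I)
SYMMETRIC = re.compile(r"^(AES|SHA[23]?)-?(\d+)", re.I)

CRIT = {"high": 3, "medium": 2, "low": 1}
# Key exchange and encryption outrank signatures: traffic recorded today can be
# decrypted later, whereas an old signature cannot be forged retroactively.
PURPOSE = {"key-exchange": 3, "encryption": 3, "signature": 2, "hashing": 1}

def classify(alg: str) -> str:
    """Bucket an algorithm name by how quantum computing affects it."""
    if PQC.match(alg):
        return "pqc"
    if SHOR_BREAKS.match(alg):
        return "shor-vulnerable"       # public-key math that Shor's algorithm breaks
    m = SYMMETRIC.match(alg)
    if m:                              # Grover's search roughly halves effective bits
        return "ok" if int(m.group(2)) >= 256 else "grover-weakened"
    return "unknown"

def migration_plan(lines):
    """Rank assets that still need work: (score, system, algorithm, class), highest first."""
    plan = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        system, alg, purpose, crit = (f.strip() for f in line.split(","))
        cls = classify(alg)
        if cls in ("pqc", "ok"):
            continue                   # already post-quantum, or a 256-bit symmetric key
        weight = 2 if cls == "shor-vulnerable" else 1
        plan.append((CRIT[crit] * PURPOSE[purpose] * weight, system, alg, cls))
    return sorted(plan, reverse=True)
```

Calling `migration_plan(INVENTORY.splitlines())` puts the two public-key key exchanges on high-criticality systems first, the 128-bit symmetric archive next, and the signature uses last.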

Implement Strong Key Management Practices

Transition to algorithms that employ larger keys, which are more resistant to brute force attacks. Regularly rotate cryptographic keys to minimize the risk of exposure.

Quantum-Resistant Hardware Solutions

Implement quantum-resistant hardware security modules (HSMs) and trusted platform modules (TPMs) that support PQC.

How to Prepare for Post-Quantum Computing Security?

  1. Assess Cryptographic Vulnerabilities
  2. Adopt Cryptographic Agility
  3. Implement Hybrid Cryptography
  4. Adopt Updated NIST Standards and Guidelines
  5. Educate Your Team
  6. Plan for Long-Term Transition
  7. Seek Guidance and Help from PKI Experts

Conclusion

Quantum computers are not yet commonplace. However, they are under development, and some tech giants have achieved partial breakthroughs in that area. When they become routine, they may break present-day encryption, so that sensitive data stored or transmitted today gets leaked.
