Post-Quantum Cryptography Standards Set to Impact Global Industry

The U.S. National Institute of Standards and Technology (NIST) is due to announce and finalize the three post-quantum cryptography algorithms it has selected to secure encrypted data against future quantum computers in July.

Joppe Bos, technical director and cryptographer at NXP Semiconductors, co-authored one of the algorithms, CRYSTALS-Khyber. In this Q&A Bos discusses the importance and global impact of the upcoming standardization and how it would impact embedded solutions sooner rather than later.

Enter Quantum: With cryptographically relevant quantum computers still years away, how can you communicate to organizations the importance of adopting the new standards?

Joppe Bos: The name post-quantum crypto, or as IBM calls it, quantum-safe crypto is misleading because it has the word quantum in it. People immediately think we're talking about quantum computers, which in a sense, we are but of course, we're not.

These algorithms run on our classical devices, IoT devices, automotive and laptops. When we talked to many of our customers in the beginning, they were in this old mindset of just doing a risk assessment. Quantum computers may be out there in 30 or 40 years, what is the risk if our products get broken? So should we migrate now? Probably not.

Related:Post-Quantum Cryptography Gets Performance Testing Capability

We explain this is the wrong way. It's not when we think that a quantum computer is out there, because that is very vague. The best way to think about it is that in July, the standards will come out and people will need to comply with the standards and the government recommendations from the U.S., France and Germany will kick in and then suddenly you need to comply with this.

If you do business with any type of U.S. government-related products, you need to comply with CNSA 2.0, which means that if you have a new product coming out in 2025, it needs to have post-quantum crypto in there.

Suddenly then your risk assessment is not that important anymore, because you simply need to comply with the rules set out by your government. Otherwise, you cannot do business. And that is more or less how we communicated this to our customers.

How will post-quantum cryptography standards affect the international community?

Europe is following the U.S. NIST security standards but is also looking to extend the list of algorithms. The German and Swedish governments are pushing for an International Standards Organization (ISO) recognized international standard.

In reality, this is not great for industry because more standards to support means an increase in code, increase in hardware to support more code and a higher risk of bugs in software.

Related:JPMorgan Chase Implements Quantum-Secured Network

When we talk about the U.S. and Europe we’re neglecting a very large player in Asia. China has been relatively quiet, but I'm 100% sure that China will come with its own post-quantum standard. And we know for a fact that Korea is running its own standardization track which ends by the end of this year. So South Korea will get its own post-quantum crypto standard. Companies who want to do business in South Korea or China will need to extend their software and hardware offerings yet again.

What will the standards mean for IoT and embedded systems?

The lead time for when a solution needs to be embedded in hardware is much longer. One of the reasons we’re focusing on digital signature algorithms to migrate first is because if you can break digital signatures, you can push updates to embedded devices in the field or replace the secure boot in your car, which has safety implications, or in many other IoT devices.

That's why semiconductor companies and other companies who sell embedded devices are focusing much more on migrating digital signatures because if we have a secure boot and an update mechanism that are post-quantum secure, we can deploy these devices later in the field. We can just send software updates we've got because then we're good to go.

The three main areas where our customers are moving and migrating are automotive, IoT and industrial IoT, or Industry 4.0. Some companies are migrating quickly, others a bit more slowly but if they want to do business in the U.S. or Europe in the upcoming years, they need to start migrating now.