Why the Rise of Post-Quantum Cryptography Is Important
At this year’s IBM Think event, the potential of quantum computing was a major subject, with predictions of computing power previously unheard of arriving within the next five to 10 years. However, in the world of technology, five to 10 years is a long way off, and planning for the impact of those technologies often proves to be folly when the arrival is so far in the future. Nevertheless, there’s one critical area in which quantum computing may have a definitive impact and should be thought about today: encryption.
The National Institute of Standards and Technology (NIST) predicts that within the next 20 or so years, sufficiently large quantum computers will be built to break essentially all public key schemes currently in use. NIST further illustrates the importance of establishing post-quantum cryptography (PQC) now with the statement: “Historically, it has taken almost two decades to deploy our modern public key cryptography infrastructure. Therefore, regardless of whether we can estimate the exact time of the arrival of the quantum computing era, we must begin now to prepare our information security systems to be able to resist quantum computing.” To that end, NIST has been requesting submissions for PQC standards and working with industry leaders to come up with a methodology to address the future threats posed by quantum-computing-powered attacks.
Numerous vendors are working together to develop new public key infrastructure (PKI) solutions to address the threats posed. Yet, several challenges still remain, such as backward compatibility with existing PKI and certificate solutions, as well as performance and other concerns.
Certificate authority and cybersecurity solutions company DigiCert aims to address those concerns by partnering with cybersecurity vendor Utimaco and Microsoft to develop a next-generation PKI that should prove to be resistant to quantum-computer-based attacks. At the DigiCert Summit 2019, the trifecta of companies held interviews and made announcements around PQC.
“DigiCert, Microsoft Research and Utimaco are collaborating today to solve tomorrow’s problem of defending connected devices and their networks against the new security threats that the implementation of quantum computers will unleash,” said Avesta Hojjati, head of DigiCert Labs, the company’s R&D unit. “Together, we are leading the market with development of hybrid certificates that inject quantum-resistant algorithms alongside RSA and ECC to ensure long-term protection.”
The certificates are issued by DigiCert using the Picnic quantum-safe digital signature algorithm developed by Microsoft Research. To implement this algorithm and issue certificates, DigiCert has used an Utimaco hardware security module. The full solution, in development, would provide quantum-safe digital certificate issuance and secure key management, helping companies future-proof their IoT deployments.
“DigiCert, Utimaco and Microsoft’s successful test implementation provides a fundamental building block for the implementation of quantum-safe solutions,” said Dr. Thorsten Grötker, CTO, Utimaco. “Using these solutions, IoT manufacturers and other large organizations can innovate and develop products that are well prepared against coming quantum threats.”
For managed service providers, the rise of PQC may spell out significant change for an industry trying to keep up with the latest threats.
“Protecting our clients’ data is of the most critical importance. If PQC can improve that protection, then it is a technology we must embrace,” said Raj Mehta, president and CEO of Infosys International, a Plainview, New York-based IT services provider. “The real challenge will be one of deploying PQC, but only after it is ratified by NIST,” added Mehta.