PQC in Focus

Migration recommended, slow Implementation – BSI and EU Partners call for Transition to Post-Quantum Cryptography:

The development of Quantum Computers marks a revolutionary technological achievement, but brings with it considerable risks for IT security. Due to their enormous computing power, Quantum Computers are able to break encryption algorithms that were previously considered secure. In particular, the concept of “harvest now, decrypt later” harbors risks for sensitive data: Attackers could intercept encrypted data today in order to decrypt it later using powerful Quantum Computers. There are already indications that some countries are systematically collecting encrypted data in order to decrypt it in the future using high-performance computers.
Sectors such as industry, critical infrastructure, and public administrations, which often process sensitive or mission-critical data, are particularly at risk. Experts estimate that today’s common public key cryptography, including RSA (Rivest-Shamir-Adleman) and ECC (Elliptic Curve Cryptosystem), could be compromised by Quantum Computers as early as the 2030s. This underlines the urgency of switching to quantum-safe cryptography as soon as possible to minimize future security risks.

In view of this growing threat, the Bundesamt für Sicherheit in der Informationstechnik (BSI), together with partner organizations from 17 EU member states, has developed measures for the transition to Post-Quantum Cryptography (PQC). The partners include, among others, the Secure Information Technology Center Austria, the French National Agency for the Security of Information Systems and the National Cybersecurity Agency Italy. The aim is to switch completely to quantum-safe cryptography by the end of 2030 at the latest. However, despite the growing threat posed by Quantum Computers, German companies are performing poorly in the transition, as a survey conducted by the BSI and management consultants KPMG revealed last April. According to the Deutsche Gesellschaft für Auswärtige Politik (DGAP), only 28 of the 150 questionnaires sent out were answered, and the results are clear: although 97% of the participating companies rated the security risk posed by quantum computing as at least high, only a quarter had the topic on their agenda at all.

A recently published analysis by DGAP shows that the urgently needed transition to quantum-resistant cryptography is still a long way off. It concludes that the private sector in particular is lagging far behind in the development and implementation of quantum-resistant security solutions and is still inadequately prepared for the post-quantum age. Against the backdrop of “harvest now, decrypt later” attacks, this poses a considerable risk – both for the German economy and for national security. However, the Bundeswehr and its IT service provider BWI GmbH are already actively working on possibilities for quantum-resistant communication.

In order to pave the way for quantum-resistant cryptography, concrete recommendations for action are required, such as those already published by the BSI. After all, timely implementation is only realistic if companies know how to proceed. On the other hand, the DGAP believes that standardization can also promote the transition. In view of the growing threat posed by Quantum Computers to the confidentiality and integrity of digital communication, the US National Institute of Standards and Technology (NIST) has been investigating the security of numerous quantum-resistant PQC algorithms in a multi-stage process since 2017. After intensive testing, the first final PQC standards, FIPS 203, FIPS 204 and FIPS 205, which describe algorithms derived from CRYSTALS-Dilithium, CRYSTALS-KYBER and SPHINCS+, were published in mid-August 2024. These standards could promote acceptance and drive the introduction of quantum-resistant encryption strategies. One thing is clear: despite all efforts, time is running out to switch to quantum-resistant solutions as quickly as possible in view of the ongoing developments in the field of Quantum Computing and to ensure security for the communication of the future.

Source reference:
https://www.bsi.bund.de/DE/Service-Navi/Presse/Pressemitteilungen/Presse2024/241127_PQC-Joint-Statement.html
https://background.tagesspiegel.de/it-und-cybersicherheit/briefing/weckruf-fuer-die-deutsche-wirtschaft