Migration recommended, slow Implementation – BSI and EU Partners call for Transition to Post-Quantum Cryptography:
The development of Quantum Computers marks a revolutionary technological achievement, but brings with it considerable risks for IT security. Due to their enormous computing power, Quantum Computers are able to break encryption algorithms that were previously considered secure. In particular, the concept of “harvest now, decrypt later” harbors risks for sensitive data: Attackers could intercept encrypted data today in order to decrypt it later using powerful Quantum Computers. There are already indications that some countries are systematically collecting encrypted data in order to decrypt it in the future using high-performance computers.
Sectors such as industry, critical infrastructure, and public administrations, which often process sensitive or mission-critical data, are particularly at risk. Experts estimate that today’s common public key cryptography, including RSA (Rivest-Shamir-Adleman) and ECC (Elliptic Curve Cryptosystem), could be compromised by Quantum Computers as early as the 2030s. This underlines the urgency of switching to quantum-safe cryptography as soon as possible to minimize future security risks.
In view of this growing threat, the Bundesamt für Sicherheit in der Informationstechnik (BSI), together with partner organizations from 17 EU member states, has developed measures for the transition to Post-Quantum Cryptography (PQC). The partners include i.e. the Secure Information Technology Center Austria, the French National Agency for the Security of Information Systems and the National Cybersecurity Agency Italy. The aim is to switch completely to quantum-safe cryptography by the end of 2030 at the latest. However, despite the growing threat posed by Quantum Computers, German companies are performing poorly in the transition, as a survey conducted by the BSI and management consultants KPMG revealed last April. According to the Deutschen Gesellschaft für Auswärtige Politik (DGAP), only 28 of the 150 questionnaires sent out were answered, and the results are clear: although 97% of the participating companies rated the security risk posed by quantum computing as at least high, only a quarter had the topic on their agenda at all.
A recently published analysis by DGAP shows that the urgently needed transition to quantum-resistant cryptography is still a long way off. It concludes that the private sector in particular is lagging far behind in the development and implementation of quantum-resistant security solutions and is still inadequately prepared for the post-quantum age. Against the backdrop of “harvest now, decrypt later” attacks, this poses a considerable risk – both for the German economy and for national security. However, the Bundeswehr and its IT service provider BWI GmbH are already actively working on possibilities for quantum-resistant communication.
In order to pave the way for quantum-resistant cryptography, concrete recommendations for action are required, such as those already published by the BSI. After all, timely implementation is only realistic if companies know how to proceed. On the other hand, the DGAP believes that standardization can also promote the transition. In view of the growing threat posed by Quantum Computers to the confidentiality and integrity of digital communication, the US National Institute of Standards and Technology (NIST) has been investigating the security of numerous quantum-resistant PQC algorithms in a multi-stage process since 2017. After intensive testing, the first final PQC standards, FIPS 203, FIPS 204 and FIPS 205, which describe algorithms derived from CRYSTALS-Dilithium, CRYSTALS-KYBER and SPHINCS+, were published in mid-August 2024. These standards could promote acceptance and drive the introduction of quantum-resistant encryption strategies. One thing is clear: despite all efforts, time is running out to switch to quantum-resistant solutions as quickly as possible in view of the ongoing developments in the field of Quantum Computing and to ensure security for the communication of the future.
Source reference: https://www.bsi.bund.de/DE/Service-Navi/Presse/Pressemitteilungen/Presse2024/241127_PQC-Joint-Statement.html; https://background.tagesspiegel.de/it-und-cybersicherheit/briefing/weckruf-fuer-die-deutsche-wirtschaft