{"id":28041,"date":"2025-08-28T05:13:19","date_gmt":"2025-08-28T05:13:19","guid":{"rendered":"https:\/\/www.europesays.com\/ie\/28041\/"},"modified":"2025-08-28T05:13:19","modified_gmt":"2025-08-28T05:13:19","slug":"the-urgency-of-post-quantum-cryptography-adoption","status":"publish","type":"post","link":"https:\/\/www.europesays.com\/ie\/28041\/","title":{"rendered":"The Urgency of Post Quantum Cryptography Adoption"},"content":{"rendered":"<p>A year ago today, the National Institute of Standards and Technology (<a href=\"https:\/\/spectrum.ieee.org\/tag\/nist\" rel=\"nofollow noopener\" target=\"_blank\">NIST<\/a>) <a href=\"https:\/\/spectrum.ieee.org\/post-quantum-cryptography-2668949802\" target=\"_self\" rel=\"nofollow noopener\">published<\/a> the first-ever official standard for <a href=\"https:\/\/spectrum.ieee.org\/tag\/post-quantum-cryptography\" rel=\"nofollow noopener\" target=\"_blank\">post-quantum cryptography<\/a> (PQC) <a href=\"https:\/\/spectrum.ieee.org\/tag\/algorithms\" rel=\"nofollow noopener\" target=\"_blank\">algorithms<\/a>. The standard was a result of a <a href=\"https:\/\/bidenwhitehouse.archives.gov\/briefing-room\/statements-releases\/2022\/05\/04\/national-security-memorandum-on-promoting-united-states-leadership-in-quantum-computing-while-mitigating-risks-to-vulnerable-cryptographic-systems\/\" target=\"_blank\" rel=\"nofollow noopener\">2022 memorandum<\/a> from the Biden administration that requires federal agencies to transition to PQC-based security by 2035.<\/p>\n<p><a href=\"https:\/\/spectrum.ieee.org\/tag\/cryptography\" rel=\"nofollow noopener\" target=\"_blank\">Cryptography<\/a> relies on math problems that are nearly impossible to solve, but easy to check if a solution is correct. Armed with such math problems, only the holder of a secret key can check their solution and get access to the secret data. 
Today, most online cryptography relies on one of two such algorithms: either <a data-linked-post=\"2650255094\" href=\"https:\/\/spectrum.ieee.org\/rsa-token-replacement-a-slow-process\" target=\"_blank\" rel=\"nofollow noopener\">RSA<\/a> or <a href=\"https:\/\/en.wikipedia.org\/wiki\/Elliptic-curve_cryptography\" target=\"_blank\" rel=\"nofollow noopener\">elliptic-curve cryptography<\/a>.<\/p>\n<p>The cause for concern is that <a href=\"https:\/\/spectrum.ieee.org\/tag\/quantum-computers\" rel=\"nofollow noopener\" target=\"_blank\">quantum computers<\/a>, if a large enough one is ever built, would make easy work of the \u201chard\u201d problems underlying current cryptographic methods. Luckily, there are other math problems that appear to be equally hard for quantum computers and their existing classical counterparts. That\u2019s the basis of <a data-linked-post=\"2667758178\" href=\"https:\/\/spectrum.ieee.org\/post-quantum-cryptography-2667758178\" target=\"_blank\" rel=\"nofollow noopener\">post-quantum cryptography<\/a>: cryptography that\u2019s secure against hypothetical quantum computers.<\/p>\n<p>With the <a href=\"https:\/\/spectrum.ieee.org\/tag\/mathematics\" rel=\"nofollow noopener\" target=\"_blank\">mathematics<\/a> behind PQC ironed out, and standards in hand, the work of adoption is now underway. This is no easy feat: every computer, laptop, smartphone, self-driving car, or <a href=\"https:\/\/spectrum.ieee.org\/tag\/iot\" rel=\"nofollow noopener\" target=\"_blank\">IoT<\/a> device will have to fundamentally change the way they run cryptography.<\/p>\n<p><a href=\"https:\/\/www.maths.ox.ac.uk\/people\/ali.elkaafarani\" rel=\"noopener noreferrer nofollow\" target=\"_blank\">Ali El Kaafarani<\/a> is a research fellow at the Oxford Mathematical Institute who contributed to the development of NIST\u2019s PQC standards. 
He also founded a company, <a href=\"https:\/\/pqshield.com\/\" target=\"_blank\" rel=\"nofollow noopener\">PQShield<\/a>, to help bring post-quantum cryptography into the real world by assisting original equipment manufacturers in implementing the new protocols. He spoke with IEEE Spectrum about how adoption is going and whether the new standards will be implemented in time to beat the looming threat of quantum computers.<\/p>\n<p><strong>What has changed in the industry since the NIST PQC standards came out?<\/strong><\/p>\n<p class=\"shortcode-media shortcode-media-rebelmouse-image rm-float-left rm-resized-container rm-resized-container-25\" data-rm-resized-container=\"25%\" style=\"float: left;\"> <img loading=\"lazy\" decoding=\"async\" alt=\"Portrait photograph of Ali El Kaafarani, dark haired man with a beard, a mustache and glasses\" class=\"rm-shortcode rm-lazyloadable-image\" data-rm-shortcode-id=\"c4ad6cddc690f8a84127f35f71f3f81e\" data-rm-shortcode-name=\"rebelmouse-image\" data-runner-src=\"https:\/\/spectrum.ieee.org\/media-library\/portrait-photograph-of-ali-el-kaafarani-dark-haired-man-with-a-beard-a-mustache-and-glasses.jpg?id=61455658&amp;width=980\" height=\"1240\" id=\"65f9b\" lazy-loadable=\"true\" src=\"data:image\/svg+xml,%3Csvg%20xmlns='http:\/\/www.w3.org\/2000\/svg'%20viewBox='0%200%201240%201240'%3E%3C\/svg%3E\" width=\"1240\"\/> Ali El Kaafarani PQShield<\/p>\n<p><strong>Ali El Kaafarani:<\/strong> Before the standards came out, a lot of people were not talking about it at all, in the spirit of \u201cIf it\u2019s working, don\u2019t touch it.\u201d Once the standards were published, the whole story changed, because now it\u2019s not hypothetical quantum hype, it\u2019s a compliance issue. There are standards published by the U.S. government. There are deadlines for the adoption.
And the 2035 [deadline] came together with the publication from [the <a href=\"https:\/\/spectrum.ieee.org\/tag\/national-security\" rel=\"nofollow noopener\" target=\"_blank\">National Security<\/a> Agency] and was adopted in formal <a href=\"https:\/\/spectrum.ieee.org\/tag\/legislation\" rel=\"nofollow noopener\" target=\"_blank\">legislation<\/a> that passed Congress, and therefore there is no way around it. Now it\u2019s a compliance issue.<\/p>\n<p>Before, people used to ask us, \u201cWhen do you think we\u2019re going to have a quantum computer?\u201d I don\u2019t know when we\u2019re going to have a quantum computer. But that\u2019s the issue, because we\u2019re talking about a risk that can materialize any time. Some other, more intelligent people who have access to a wider range of information decided in 2015 to categorize <a href=\"https:\/\/spectrum.ieee.org\/tag\/quantum-computing\" rel=\"nofollow noopener\" target=\"_blank\">quantum computing<\/a> as a real threat. So this year was a transformational year, because the question went from \u201cWhy do we need it?\u201d to \u201cHow are we going to use it?\u201d And the whole <a href=\"https:\/\/spectrum.ieee.org\/tag\/supply-chain\" rel=\"nofollow noopener\" target=\"_blank\">supply chain<\/a> started looking into who\u2019s going to do what, from <a href=\"https:\/\/spectrum.ieee.org\/tag\/chip-design\" rel=\"nofollow noopener\" target=\"_blank\">chip design<\/a> to the <a href=\"https:\/\/spectrum.ieee.org\/tag\/network-security\" rel=\"nofollow noopener\" target=\"_blank\">network security<\/a> layer, to the critical national infrastructure, to build up a post-quantum-enabled network security kit.<\/p>\n<p>Challenges in PQC Implementation<\/p>\n<p><strong>What are some of the difficulties of implementing the NIST standards?<\/strong><\/p>\n<p><strong>El Kaafarani:<\/strong> You have the beautiful math, you have the algorithms from NIST, but you also have the wild west of <a 
href=\"https:\/\/spectrum.ieee.org\/tag\/cybersecurity\" rel=\"nofollow noopener\" target=\"_blank\">cybersecurity<\/a>. That infrastructure goes from the smallest sensors and car keys, etc., to the largest server sitting there and trying to crunch hundreds of thousands of transactions per second, each with different security requirements, each with different energy consumption requirements. Now that is a different problem. That\u2019s not a mathematical problem, that\u2019s an implementation problem. This is where you need a company like PQShield, where we gather hardware engineers, and <a href=\"https:\/\/spectrum.ieee.org\/tag\/firmware\" rel=\"nofollow noopener\" target=\"_blank\">firmware<\/a> engineers, and <a href=\"https:\/\/spectrum.ieee.org\/tag\/software-engineers\" rel=\"nofollow noopener\" target=\"_blank\">software engineers<\/a>, and mathematicians, and everyone else around them to actually say, \u201cWhat can we do with this particular use case?\u201d<\/p>\n<p>Cryptography is the backbone of cybersecurity infrastructure, and worse than that, it\u2019s the invisible piece that nobody cares about until it breaks. If it\u2019s working, nobody touches it. They only talk about it when there\u2019s a breach, and then they try to fix things. In the end, they usually put Band-Aids on it. That\u2019s normal, because enterprises can\u2019t sell the security feature to the customers. They were just using it when governments force them, like when there\u2019s a compliance issue. And now it\u2019s a much bigger problem, as someone is telling them, \u201cYou know what, all the cryptography that you\u2019ve been using for the past 15 years, 20 years, you need to change it, actually.\u201d<\/p>\n<p><strong>Are there security concerns for the PQC algorithm implementations?<\/strong><\/p>\n<p><strong>El Kaafarani:<\/strong> Well, we haven\u2019t done it before. It hasn\u2019t been battle-tested. 
And now what we\u2019re saying is, \u201cHey, <a href=\"https:\/\/spectrum.ieee.org\/tag\/amd\" rel=\"nofollow noopener\" target=\"_blank\">AMD<\/a> and the rest of the hardware or semiconductor world, go and put all those new algorithms in hardware, and trust us, they\u2019re going to work fine, and then nobody\u2019s going to be able to hack them and extract the key.\u201d That\u2019s not easy, right? Nobody has the guts to say this.<\/p>\n<p>That\u2019s why, at PQShield, we have vulnerability teams that are trying to break our own designs, separately from those teams who are designing things. You have to do this. You need to be one step ahead of attackers. That\u2019s all you need to do, and that\u2019s all you can do, because you can\u2019t say, \u201cOkay, I\u2019ve got something that is secure. Nobody can break it.\u201d If you say that, you\u2019re going to eat a humble pie in 10 years\u2019 time, because maybe someone will come up with a way to break it. You need to just do this continuous innovation and continuous security testing for your products.<\/p>\n<p>Because PQC is new, we still haven\u2019t seen all the creativity of attackers trying to bypass the beautiful mathematics and come up with those creative and nasty <a href=\"https:\/\/en.wikipedia.org\/wiki\/Side-channel_attack\" target=\"_blank\" rel=\"nofollow noopener\">side-channel attacks<\/a> that just laugh at the mathematics. For example, some attacks look at the energy consumption the algorithm is taking on your laptop, and they extract the key from the differences in energy consumption. Or there are timing attacks that look at how long it takes for you to encrypt the same message 100 times and how that\u2019s changing, and they can actually extract the key. So there are different ways to attack algorithms there, and that\u2019s not new. 
We just don\u2019t have billions of these devices in our hands now that have post-quantum cryptography that people have tested.<\/p>\n<p>Progress in PQC Adoption<\/p>\n<p><strong>How would you say adoption has been going so far?<\/strong><\/p>\n<p><strong>El Kaafarani:<\/strong> The fact that a lot of companies only started when the standards were published, it puts us in a position where there are some that are well advanced in their thoughts and their processes and their adoption, and there are others that are totally new to it because they were not paying attention, and they were just kicking the can down the road. The majority of those who were kicking the can down the road are the ones that don\u2019t sit high up in the supply chain, because they felt like it\u2019s someone else\u2019s responsibility. But they didn\u2019t understand that they had to influence their suppliers when it comes to their requirements and timelines and integration and so many things that they have to prepare. This is what\u2019s going on now: A lot of them are doing a lot of work.<\/p>\n<p>Now, those who sit high up in the supply chain, quite a few of them have made great progress and started embedding post-quantum cryptography designs into new products and are trying to work out a way to upgrade products that are already on the ground.<\/p>\n<p>I don\u2019t think that we\u2019re in a great place, where everyone is doing what they\u2019re supposed to be doing. That\u2019s not the case. But I think that from last year, when many people were asking \u201cWhen do you think we\u2019re going to have a quantum computer?\u201d and are now asking \u201cHow can I be compliant? Where do you think I should start? And how can I evaluate where the infrastructure to understand where the most valuable assets are, and how can I protect them? What influence can I exercise on my suppliers?\u201d I think huge progress has been made.<\/p>\n<p>Is it enough? It\u2019s never enough in security. 
Security is damn difficult. It\u2019s a multidisciplinary topic. There are two types of people: those who love to build security products, and those who would love to break them. We\u2019re trying to get most of those who love to break them onto the right side of history so that they can make products stronger rather than actually making existing ones vulnerable for exploitation.<\/p>\n<p><strong>Do you think we\u2019re going to make it by 2035?<\/strong><\/p>\n<p><strong>El Kaafarani:<\/strong> I think that the majority of our infrastructure should be post-quantum secure by 2035, and that\u2019s a good thing. That\u2019s a good thought to have. Now, what happens if quantum computers happen to become reality before that? That\u2019s a good topic for a TV series or for a movie. What happens when most secrets are readable? People are not thinking hard enough about it. I don\u2019t think that anyone has an answer for that.<\/p>\n","protected":false},"excerpt":{"rendered":"A year ago today, the National Institute of Standards and Technology (NIST) published the first-ever official standard 
for&hellip;\n","protected":false},"author":2,"featured_media":28042,"comment_status":"","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[262],"tags":[314,22654,18,19,17,22655,8084,5022,751,82],"class_list":{"0":"post-28041","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-computing","8":"tag-computing","9":"tag-cryptography","10":"tag-eire","11":"tag-ie","12":"tag-ireland","13":"tag-nist","14":"tag-post-quantum-cryptography","15":"tag-quantum-computers","16":"tag-quantum-computing","17":"tag-technology"},"share_on_mastodon":{"url":"","error":""},"_links":{"self":[{"href":"https:\/\/www.europesays.com\/ie\/wp-json\/wp\/v2\/posts\/28041","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.europesays.com\/ie\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.europesays.com\/ie\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.europesays.com\/ie\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.europesays.com\/ie\/wp-json\/wp\/v2\/comments?post=28041"}],"version-history":[{"count":0,"href":"https:\/\/www.europesays.com\/ie\/wp-json\/wp\/v2\/posts\/28041\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.europesays.com\/ie\/wp-json\/wp\/v2\/media\/28042"}],"wp:attachment":[{"href":"https:\/\/www.europesays.com\/ie\/wp-json\/wp\/v2\/media?parent=28041"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.europesays.com\/ie\/wp-json\/wp\/v2\/categories?post=28041"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.europesays.com\/ie\/wp-json\/wp\/v2\/tags?post=28041"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}