Post-quantum cryptography: What is it?


Unless you’ve been living under a rock the last few years, you’ve probably heard of quantum computing – powerful new computers that use quantum mechanics and things called ‘qubits’ to crunch incredibly complex numbers. In fact, we’ve covered the topic before.

And mostly, quantum computing is being heralded as a good thing, with the potential to develop everything from pharmaceuticals to cloud solutions to green-battery tech. But there’s a shadowy question mark to quantum too: if we develop highly powerful, sophisticated, error-corrected quantum computers, won’t people use them to hack stuff?

Welcome to the world of post-quantum cryptography (PQC for short).

What is post-quantum cryptography?

To fully answer that question, we first need to define quantum computing. Quantum computers are essentially next-gen thinking engines that rely on quantum mechanics and quantum processors, rather than traditional silicon chips. They work by manipulating basic units of information, called qubits, which (unlike classic computing bits) can represent both 1 and 0 simultaneously. Simultaneously being the operative word in that sentence.

It’s brain-warping stuff, and you arguably need a degree in quantum field theory to really understand the concepts, but the important takeaway is that quantum computing has the potential to revolutionize the digital world, being orders of magnitude more powerful than traditional binary computers.

Post-quantum cryptography (also known as quantum-resistant cryptography) is a cyber defense strategy aimed at protecting data and users from attacks mounted with quantum computers. It makes sense: if quantum computers can crack traditional encryption methods – and the early data suggests that this could be the case – then we need cryptographic algorithms that can resist quantum attacks.

The looming threat to encryption

So how real is the threat? Well, that’s tricky to say. Quantum computing is real, but the machines that could threaten encryption are still partly theoretical, despite some high-profile claims of quantum supremacy. Most experts think that fully error-corrected, fault-tolerant quantum computers – that is, computers which mitigate the effects of the errors that naturally occur in quantum systems – will be online by 2030.

That might sound like we’ve got some time, but with the anticipation that quantum computing will render public-key cryptographic schemes like RSA and ECC obsolete, research into post-quantum cryptography is already kicking off.

Managers and organizations need to start asking themselves: when should we start preparing for quantum attacks? The answer will depend on your industry, and how vulnerable your data might be to penetration and compromise.

How does post-quantum cryptography work?

At its most basic level, post-quantum cryptography builds its algorithms on mathematical problems that are believed to be too hard for any computer, quantum computers included, to solve in practice. There are a few families of such problems, including:

Lattice-based cryptography. Lattice problems form the basis of many post-quantum cryptographic schemes. They use a geometric structure, called a lattice, to build keys and to encode and decode information.

Hash-based cryptography. Unlike lattice-based cryptography, hash-based cryptography builds its schemes (chiefly digital signatures) from ‘hash functions’ (basically a cryptographic scrambler) that are believed to be resistant to quantum attacks.

Multivariate polynomial cryptography. Based around the brain-melting difficulty of solving systems of multivariate polynomial equations, this method uses the equations themselves as a public key: a signature is a solution to that system that only the holder of the private key can find, and anyone with the public key can check it.
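To make the hash-based family concrete, here is an added example (not code from the original article) of the simplest hash-based signature scheme, a Lamport one-time signature built on SHA-256. It shows why the security rests only on the hash function, and why such a key must never sign twice: each signature reveals one of the two secret values per message bit.

```python
import hashlib
import secrets

HASH = hashlib.sha256
N = 256  # one pair of secret values per bit of the SHA-256 message digest

def keygen():
    """Private key: 256 pairs of random 32-byte values.
    Public key: the SHA-256 hash of each of those values."""
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(N)]
    pk = [(HASH(a).digest(), HASH(b).digest()) for a, b in sk]
    return sk, pk

def _message_bits(message):
    """Yield the 256 bits of the message digest, most significant first."""
    digest = int.from_bytes(HASH(message).digest(), "big")
    return [(digest >> (N - 1 - i)) & 1 for i in range(N)]

def sign(sk, message):
    """For each digest bit, reveal the secret value of that pair (0 or 1).
    This is why the key is ONE-TIME: every signature leaks half the key."""
    return [sk[i][bit] for i, bit in enumerate(_message_bits(message))]

def verify(pk, message, sig):
    """Hash each revealed value and compare with the published hash for
    the bit that the message selects. Only hash evaluations are needed."""
    if len(sig) != N:
        return False
    for i, bit in enumerate(_message_bits(message)):
        if HASH(sig[i]).digest() != pk[i][bit]:
            return False
    return True

def reuse_exposure(message_a, message_b):
    """Caveat check: number of bit positions where signing both messages
    with the same key would expose BOTH secret values of the pair."""
    bits_a, bits_b = _message_bits(message_a), _message_bits(message_b)
    return sum(1 for x, y in zip(bits_a, bits_b) if x != y)

if __name__ == "__main__":
    sk, pk = keygen()
    msg = b"constructed sample message: rotate to a PQ-safe scheme"
    sig = sign(sk, msg)
    print("valid:", verify(pk, msg, sig))
    print("forged:", verify(pk, b"tampered", sig))
    print("pairs fully exposed if key reused:", reuse_exposure(msg, b"tampered"))
```

Stateful hash-based schemes such as XMSS and stateless ones such as SPHINCS+ exist precisely to remove this one-signature limit while keeping the hash-only security argument.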

Benefits of post-quantum cryptography

The benefit of post-quantum cryptography is obvious: it’s theoretically resistant to both classical and quantum cyber-attacks. This makes PQC potentially one of the most important (and lucrative) fields in cyber security, particularly over the next 10 or 20 years.

Quantum resistance. Traditional cryptographic methods, like RSA and ECC, are potentially vulnerable to quantum attack. Post-quantum cryptography provides a secure alternative.

Long-term security. As quantum computers advance, and the risks and vulnerabilities multiply, we’ll need post-quantum solutions that offer long-term security against quantum interference.

Data protection. Another obvious benefit. Post-quantum cryptography will (hopefully) contribute to the protection of private data and sensitive information. This is obviously crucial for all kinds of companies, from telecommunications to the financial sector.

Secure infrastructure. How can companies run critical infrastructure, like power grids and transportation systems, if they’re not 100% safe from quantum attacks? Post-quantum cryptography will help safeguard these systems.

How you can prepare

In some ways, it’s best to think of quantum computing as any other cyber threat. First, you have to understand the nature of the threat, and the scale of the risk posed to you or your organization. That’s the general first step in any cyber strategy. To do this, you’ll need to measure the value exposed to the risk – what’s at stake? What are you protecting? – and plan your reaction accordingly.

The good news is: we’re not there yet. Error-corrected quantum computers, which are believed to be the real cyber tipping point, are probably still years away. Post-quantum cryptography therefore becomes a question of timing. Risk managers will have to figure out when quantum migration becomes valuable, and therefore necessary. The trick, of course, will be not leaving things too late…