Google has set a 2029 timeline to secure the quantum era with post-quantum cryptography (PQC) migration. For more from the tech firm, see their blog.
As the firm says, future quantum computers can break current encryption. Quantum computers will pose a threat to cryptographic standards, and specifically to encryption and digital signatures. The threat to encryption is relevant today because of store-now-decrypt-later attacks, whereby encrypted data is taken now to be decrypted later, once quantum computing makes that possible.
Comments
Failure to take immediate action is the biggest threat, comments Roberta Faux, US head of cryptography at Arqit. She says: “With many organisations maintaining exposure to legacy cryptography, the growing threat of HNDL attacks, and malicious actors utilising AI to automate parts of their attacker toolkit, quantum migration cannot be seen as tomorrow’s problem.
“However, organisations cannot begin PQC migration without an extensive understanding of their cryptographic dependencies, particularly for businesses that rely on third-party infrastructure. If you do not know what you have, you cannot prioritise what to fix, what to replace, what data has a long enough life to be targeted now, or what to protect first. Organisations need visibility and control to plan migration strategies – minimising cost and disruption while maintaining compliance with emerging regulations. And alongside this, they must ensure data is protected against today’s quantum threat.”
And Simon Pamplin, CTO at Certes, described it as a significant wake-up call; but for many, the most dangerous window isn’t when quantum computers arrive, it’s right now, he said: “Adversaries are already running Harvest Now, Decrypt Later campaigns: exfiltrating encrypted data today with the intention of unlocking it once a cryptographically relevant quantum computer exists. If your organisation is still relying on RSA, TLS, or standard PKI to protect sensitive data in transit, that data is already at risk, regardless of whether Q-Day lands in 2029 or 2035. With data flowing across legacy systems, multi-cloud environments, AI and the edge, the potential risk organisations face today is very real, and extremely serious if left unchecked.
“Organisations should focus on when the threat arrives, but what deserves equal attention is the question of what happens to the data being harvested right now. Post-quantum migration is a multi-year project for most organisations, and with Gartner predicting a cryptographically relevant quantum computer could arrive by 2029, the gap between where most businesses are and where they need to be is closing fast.
“Challenges such as with legacy systems that may not be able to be natively upgraded to PQC, multi-cloud environments creating security confusion due to different security models and no consistent data security policy and the end user / edge being the most vulnerable part of any organisation’s data security posture, mean that firms need to look at end-to-end PQC solutions that are able to protect data across any app, any infrastructure, anywhere. Specifically, solutions that enforce sovereign, crypto-agile PQC protection (where only the data owner controls the keys) from server to edge, and ones where protection persists with the data, not infrastructure. Quantum readiness isn’t about predicting a date. It’s about eliminating a long-term exposure before that date becomes irrelevant.”
Background
In the United States, the federal NIST post-quantum cryptography process has defined standards for algorithms that will help manage the threat to cryptography from quantum computing. In the UK, the official NCSC (National Cyber Security Centre) last year set out a three-phase timeline for organisations to transition to quantum-resistant encryption methods by 2035.





