Domen Zavrl is a cryptography expert with experience in several fields, including commodities trading, securities lending, structured financing and real estate development. This article looks at cryptography and the activities forward-looking organisations are undertaking to migrate safely to post-quantum cryptography.
Mitigating the threat posed by future quantum computers demands a global migration to post-quantum cryptography (PQC). Experts anticipate that this mass technological change could take several years to realise. In the United Kingdom, the National Cyber Security Centre (NCSC), a government taskforce, offers guidance on early-stage migration activities, setting timelines for the government, regulators and UK industry to follow, including key target dates for migration activities.
The NCSC guidelines are primarily aimed at risk owners and technical decision makers of large organisations, companies with bespoke IT and operators of critical national infrastructure. While its core timelines are relevant to all organisations, the NCSC acknowledges that different sectors have different states of cryptographic maturity, meaning that the weight of activities might vary. Nevertheless, the NCSC suggests that organisations should focus on its stipulated key headline dates, highlighting their importance for both investment decisions and broader security planning.
The NCSC’s key milestones are:
- By 2028: Defining migration goals, carrying out full discovery exercises and building an initial plan for migration.
- By 2031: Carrying out early, high-priority PQC migration activities and refining strategies to provide a thorough roadmap for completing the migration process.
- By 2035: Completing migration of all systems, services and products.
Future large-scale, fault-tolerant quantum computers pose a significant threat to cryptography. Experts warn that quantum computers will eventually be able to solve the challenging mathematical problems relied on by asymmetric public key cryptography (PKC) to keep data and networks secure. In order to mitigate this risk, organisations will need to migrate to PQC, a form of cryptography that is based on mathematical problems that even quantum computers cannot easily solve.
The NCSC published a white paper in November 2023, providing guidance for the next steps in preparing for PQC. The paper's core message was that businesses should start preparing for migration to PQC immediately, helping to ensure a smooth transition and continuity of cybersecurity protection as systems are replaced.
The NCSC points out that, in many ways, migration to PQC will follow a similar path to the adoption of any other significant technology programme. The primary goal is for organisations to integrate PQC into their systems without increasing other cybersecurity risks. To that end, early and thorough planning is essential.
Stating that migration to PQC is an ecosystem-wide activity, the NCSC guidance urges businesses to start planning early to avoid last-minute security gaps. Ali El Kaafarani, CEO and co-founder of PQShield, explains that the NCSC timelines for the transition to PQC give clear instructions to institutions and businesses to protect the UK’s digital future. As Mr El Kaafarani points out, the NCSC timeline is aligned with the US hard stop of ensuring all services and products in the cybersecurity supply chain are protected by PQC by 2035. To meet the US government’s strict requirements, higher layers of the supply chain, such as OEMs and semiconductors, have already started planning their own transition roadmaps and have been working on these for some time.
Operating in a fundamentally different way from classical computers, quantum computers have the potential to solve mathematical problems that classical machines find difficult to solve. According to the NCSC, the threat to cryptography from quantum computers is now well understood, with the US National Institute of Standards and Technology having published its primary set of PQC standards in 2024. Today, major organisations all over the world are scrambling to integrate these PQC standards into their respective security roadmaps, recognising the need to act early to mitigate the risk to cryptography posed by future quantum computers.