The astonishing processing power and speed of quantum computing pose a significant threat to traditional cryptographic algorithms, particularly those based on asymmetric encryption. Nirupam Samanta, CISSP, CCSP, shares his views on post-quantum cryptography (PQC), focusing on developing cryptographic algorithms resistant to quantum attacks.
Disclaimer: The views and opinions expressed in this article belong solely to the author and do not necessarily reflect those of ISC2.
The National Institute of Standards and Technology (NIST) has published its recommendations for post-quantum encryption algorithms, including solutions designed to resist attacks from quantum computers while being efficient and compatible with current systems. However, transitioning to post-quantum cryptographic systems is a complex, phased process. I have explored the three most pressing challenges, offering my perspective on the practical realities of implementation.
Regulatory Uncertainty and Rapid Quantum Advancements
Governments and critical industries such as financial services, cloud providers and healthcare lead the adoption of PQC standards. However, the lack of unified regulatory frameworks and the unpredictable pace of quantum advancements complicate planning and implementation.
My view is that a coordinated, global effort is essential. Governments, academia, and industry leaders must collaborate to establish clear regulatory guidelines and share insights into quantum computing advancements. This will help organizations align their strategies with emerging threats. Establishing high-level frameworks for collaboration is relatively straightforward, as many stakeholders already recognize the urgency of the quantum threat. Initiatives like NIST’s PQC standardization process provide a solid foundation.
I think that achieving global consensus on regulations and ensuring compliance across diverse jurisdictions will be challenging. The rapid pace of quantum advancements may also mean that regulations quickly become outdated, requiring continuous updates and flexibility.
Technical and Operational Hurdles
Updating hardware, software, and protocols (e.g., TLS, VPNs) to support PQC requires significant investment and effort. Organizations must conduct cryptographic inventories, assess vulnerabilities and implement quantum-resistant solutions incrementally.
For me, the solution is for organizations to adopt a crypto-agile strategy, enabling them to quickly adapt to new cryptographic standards. Investing in modular systems that facilitate seamless upgrades will reduce disruptions during the transition.
Conducting cryptographic inventories and identifying vulnerable systems is a manageable first step. In my experience, many organizations already have tools and processes in place for asset management and vulnerability assessment. Retrofitting legacy systems to support PQC will be a significant challenge: many older systems were not designed with crypto-agility in mind and upgrading them could require substantial time and resources. Additionally, I predict that ensuring interoperability between classical and quantum-resistant systems will be complex, particularly in large, heterogeneous environments.
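As an added illustration (not the author's or ISC2's code), the sketch below triages a cryptographic inventory by quantum exposure. The CSV columns, the sample rows and the `years_to_crqc` planning horizon are assumptions made for this example; the ranking uses Mosca's inequality (data shelf life plus migration time compared with the assumed time until a cryptographically relevant quantum computer exists).

```python
import csv
import io

# Constructed sample inventory (illustrative rows, not real systems).
INVENTORY_CSV = """asset,use,algorithm,shelf_life_years,migration_years
vpn-gateway,kex,ECDH-P256,10,3
patient-archive,kex,RSA-2048,25,4
code-signing,sig,ECDSA-P256,2,2
web-frontend,kex,X25519+ML-KEM-768,1,1
backup-store,sym,AES-256,30,2
legacy-db-link,sym,AES-128,15,5
"""

SHOR_BROKEN = ("RSA", "ECDH", "ECDSA", "DH", "DSA", "X25519", "ED25519")
PQC = ("ML-KEM", "ML-DSA", "SLH-DSA")  # NIST FIPS 203, 204, 205

def classify(algorithm):
    """Map an algorithm label to its quantum exposure class."""
    parts = algorithm.upper().split("+")
    has_pqc = any(p.startswith(PQC) for p in parts)
    has_classical = any(p.startswith(SHOR_BROKEN) for p in parts)
    if has_pqc and has_classical:
        return "hybrid"
    if has_pqc:
        return "pqc"
    if has_classical:
        return "shor-vulnerable"
    return "grover-reduced" if parts == ["AES-128"] else "ok"

def triage(csv_text, years_to_crqc):
    """Rank assets; years_to_crqc is a planning assumption, not a forecast."""
    rank = {"urgent": 0, "planned": 1, "none": 2}
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        status = classify(row["algorithm"])
        shelf, mig = int(row["shelf_life_years"]), int(row["migration_years"])
        exposure = shelf + mig - years_to_crqc  # Mosca: at risk if X + Y > Z
        if status == "shor-vulnerable" and row["use"] == "kex":
            # Recorded ciphertext stays decryptable for the data's shelf life.
            priority = "urgent" if exposure > 0 else "planned"
        elif status == "shor-vulnerable":
            # Signatures cannot be harvested; only migration lead time counts.
            priority = "urgent" if mig > years_to_crqc else "planned"
        elif status == "grover-reduced":
            priority = "planned"
        else:
            priority = "none"
        findings.append((row["asset"], status, priority, exposure))
    return sorted(findings, key=lambda f: (rank[f[2]], -f[3]))
```

Calling `triage(INVENTORY_CSV, 12)` puts the long-lived key-exchange assets first, while the signing key and the AES-128 link land in the planned tier.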
“Harvest Now, Decrypt Later” Threats
Attackers are already collecting encrypted data with the intent of decrypting it in the future, once quantum computers become powerful enough and available, making the need for quantum-resistant systems urgent.
My priority, then, will be to secure the most sensitive data and to deploy hybrid cryptographic solutions that combine classical and quantum-safe algorithms, an approach that provides a robust defense during the transition period.
Implementing hybrid cryptographic solutions is relatively straightforward, as it allows organizations to maintain compatibility with existing systems while adding an additional layer of quantum resistance. But identifying and prioritizing the most sensitive data for immediate protection can be more challenging, especially for organizations with vast amounts of stored information. Additionally, the long-term storage of encrypted data requires careful planning, as I believe even hybrid solutions may eventually become vulnerable to future quantum advancements.
The Future Outlook
Quantum computing’s potential to revolutionize technology is immense, but its impact on cryptography necessitates urgent action. Organizations must act now to assess their cryptographic inventories, develop phased migration strategies, and implement quantum-resistant solutions.
Based on my experience in cybersecurity, I believe that the key to success lies in proactive planning and continuous adaptation, against a backdrop of robust post-quantum cryptographic algorithms and global collaboration. Together, these elements are critical for mitigating the risks posed by quantum computing. There is no doubt the quantum era is coming soon, so the time to prepare is now.
Nirupam Samanta, CISSP, CCSP, has 18+ years of experience in identity and access management, secure architecture, risk and compliance, and vulnerability management. He has held technical and strategic roles, with responsibility for secure system design, governance, and compliance. Nirupam’s cybersecurity work spans IAM tool and process implementations, security audits and cloud security architecture.