Interest in post-quantum cryptography is growing among business leaders and technology vendors. In May 2024, Zoom became the first UCaaS company to introduce “post-quantum” end-to-end encryption to Zoom Workplace. Soon after, Meta announced it had also deployed post-quantum cryptography strategies across most of its internal service communication systems.
Even before this, companies like Google had already been experimenting with post-quantum cryptography models. This year, Apple announced that its iMessage platform would become the first “major messaging platform” to introduce an advanced version of post-quantum encryption.
All of this sounds exciting, but what does it mean? What is post-quantum cryptography, and will it help make our communication strategies more secure in the years ahead?
Understanding Cryptography and Encryption
Before we can define post-quantum cryptography, we need to talk about “basic” encryption and cryptography. Cryptography uses a variety of tools to secure digital data and communications. One of those tools is “encryption”, which encodes information so that only specific people can read it.
Encryption scrambles data into an unreadable mess, ensuring that only the person with the correct code, password, or key can access it. For instance, when you use an app like WhatsApp to send a message, it is scrambled via encryption before it arrives at its intended destination.
There are two common forms of encryption used in cryptography. Symmetric encryption requires communicating parties to agree in advance on a shared key. This key can be used to encrypt and decrypt communications. Asymmetric encryption relies on pairs of unique but related keys. One is used to encrypt the message, while another is used to decrypt the data.
Most apps that use end-to-end encryption leverage a combination of symmetric and asymmetric cryptography for extra security. Usually, standard encryption ensures that if someone doesn’t have a key to “decrypt” the data, they won’t be able to access or read it.
However, decrypting data without a key may not be impossible. Theoretically, breaking encryption is just a matter of solving a complex equation. If someone had a computer powerful and fast enough to solve that equation, they could still access your data.
Quantum Computers vs Classic Computers
Virtually every communication tool you use leverages some form of encryption powered by the “key infrastructure” mentioned above. That’s because this method of key encryption works to protect data against attacks launched by “most” computers available today.
Every computer you’ve likely used up to this point is a “classic” computer. These classic computers work on the principles of classic physics and don’t have the power or capacity to solve the equations that would allow them to break through standard encryption protocols. Even the most advanced computers would likely take billions of years to “crack” the code.
But a new breed of computer is emerging: the quantum computer. The rise of the quantum computer is driving the need for post-quantum cryptography. Quantum computers operate on the mechanics and principles of “quantum physics,” hence the name.
This gives them two major advantages over “classic” computers. They’re faster and more powerful. Where a classic computer uses “bits”, defined as 1s and 0s, quantum computers use “qubits”, which can be both 1s and 0s at the same time. The science might be a little confusing to get your head around, but you need to know that this makes quantum computers a lot more powerful than any classic computer.
The power of quantum computers could transform the world on a massive scale. Experts believe they’ll help fuel progress in developing sustainable energy management and life-saving medical research. Unfortunately, there’s also a downside. Next-level quantum computers could potentially overpower the encryption protocols we use for virtually every form of security.
The Post-Quantum Computing Threat
Ultimately, you won’t be able to order a quantum computer from Amazon soon. There’s still a lot of progress to be made here. However, experts believe the first fully error-corrected quantum computers might start rolling out in 2030. That’s great news for innovators and researchers who need access to high-powered computers to transform our world.
However, it also presents new challenges to overcome regarding security and compliance. As far back as the 1980s, scientists were already speculating about the risks of quantum computers. These computers can potentially complete, in minutes, calculations that would take classical computers years.
Since breaking current encryption methodologies is just a matter of solving a complex equation, you can probably see where the problem lies. In the 1990s, Peter Shor confirmed the concerns of analysts by demonstrating that a theoretical quantum computer could break the algorithm used for public key encryption (or PKE). Since then, the quest for improved encryption has evolved.
In 2016, the National Institute of Standards and Technology (NIST) began requesting submissions for algorithms that might replace “public key encryption,” digital signatures, and old-fashioned forms of encryption. Programmers and mathematicians began experimenting, marking the initial stages of a transition to post-quantum cryptography.
So, What is Post-Quantum Cryptography?
So, what exactly is post-quantum cryptography? Post-quantum cryptography, or quantum encryption, is the development of specialist cryptographic systems. These systems can be used on classical computers to mitigate attacks launched by quantum computers.
It’s still a work in progress, but post-quantum cryptography uses complicated mathematics and algorithms to make it harder for supercomputers to access our data. The hope is that applying these methodologies to the secure systems we use today will help to protect us when quantum computers become available to the public (and criminals).
Various organizations have taken their own approach to post-quantum cryptography. Google’s experiments combine an “elliptic curve” algorithm with a new post-quantum algorithm to provide users with an extra layer of security.
The Signal Foundation, responsible for one of the first messaging apps to leverage any type of post-quantum encryption, introduced a solution called “PQXDH”. Apple built on this with their advanced “PQ3” solution. Zoom, now the first collaboration app offering post-quantum cryptography in its Meetings technology, uses its own form of encryption.
Zoom’s post-quantum E2E encryption uses the “Kyber 768” algorithm, which is currently being standardized by NIST as the module-lattice-based key encapsulation mechanism. Lattice schemes are one of the more common solutions being leveraged for post-quantum encryption because they make it much harder for supercomputers to “break” the equation.
Is Post-Quantum Cryptography Necessary?
Although “theoretical” research shows that it may be possible for quantum computers to break through traditional encryption methods, there isn’t much to worry about right now. Ultimately, today’s quantum computers still can’t overcome classic encryption strategies.
The technology being used to create quantum computers is extremely expensive. Really, it’s just scientific and government research bodies that have access to this tech right now, and they’re unlikely to be launching any large-scale cyber attacks any time soon.
However, that doesn’t mean post-quantum cryptography isn’t essential. The bad news is that malicious actors can already start to prepare for a day when they can use quantum computers to access our data. Many have already invested in “harvest now, decrypt later” (HNDL) attack methods.
In an HNDL attack, bad actors gather as much encrypted data as possible from messaging apps, collaboration tools, and other systems. They can’t read or use that data but can store it somewhere in the cloud until they can access a quantum computer.
Essentially, this means that whenever quantum computers become available, we could see a massive increase in data breaches, revealing information that criminals collected today.
When Will We Need Post-Quantum Cryptography?
Experts aren’t entirely sure when quantum computers will be powerful enough to unscramble encrypted data for criminals, or when they’ll become available. Some conservative estimates suggest we’ve got at least 30 years to wait before quantum attacks become a problem.
Others say that quantum supremacy could be accessible in the next 5 to 10 years. Either way, you might wonder whether you should worry about post-quantum cryptography right now. The chances are you won’t be too concerned about someone accessing a WhatsApp conversation you had with a friend today five years from now.
However, certain data, such as passwords, social security numbers, payment details, and sensitive data shared through customer service apps, will still be valuable to criminals 10 years from now.
That’s why many experts are recommending an early investment in post-quantum cryptography. The right strategy will be particularly crucial for any company creating products that rely heavily on encryption today, such as contact centers and communication platforms.
The chances are we’ll continue to use these apps several years from now, and by then, the amount of data shared (and potentially captured) by bad actors could be phenomenal.
Is it Time to Invest in Post-Quantum Cryptography?
Ultimately, we may not be fighting attacks from quantum computers today, but the threat is already emerging. Security experts are paying attention and constantly introducing new guidance. NIST even provided draft standards for new quantum-resistant algorithms in 2023. That’s likely why so many leading technology vendors, such as Apple, Meta, and Zoom, are updating their policies.
Of course, there’s a long way to go before we can ensure we’re fully protected from quantum attacks. Post-quantum cryptography technology is still relatively new, and it’s difficult to know how effective future quantum computers will be at solving equations.
Even when leaders like NIST finalize their “PQC standard specifications,” we may need to commit to constantly experimenting with new cryptography methods. Still, it does make sense to take advantage of post-quantum cryptography solutions when they emerge in your business apps.
Mitigating the threats caused by quantum computers might not seem like a big deal right now. However, as little as ten years from now, your decision to leverage post-quantum cryptography could protect you from a severe data leak.