The Risks of Post-Quantum Cryptography in a Quantum Future


In the world of quantum, one of the most talked-about topics is undoubtedly quantum-resistant algorithms. Also known as post-quantum cryptography (PQC), these algorithms are based on mathematically complex problems that assure the confidentiality, integrity, and authentication of transmissions, even against future quantum computers. At least, they do so in theory.

A few years back, the National Institute of Standards and Technology (NIST) initiated a process to standardize one or more PQC algorithms to develop a cryptographic system that is secure against both quantum and classical attacks. And after a long wait, NIST finally announced the first four quantum-resistant cryptographic systems in July 2022.

These efforts notwithstanding, Quantropi believes that PQC algorithms alone won’t be enough to fully protect the world’s networks and data from the fast-approaching quantum threat.

Here’s why.

The Two Security Challenges of Post-Quantum Cryptography

PQC Isn’t Resistant to Advancements in Quantum Algorithms

PKI (Public Key Infrastructure) and PQC don’t claim to be unbreakable; instead, they rely on problems that are computationally intractable. Classical PKI relies on math puzzles that take classical computers a very long time to solve – so long that the encrypted information would be useless by the time it’s broken. We’re talking billions of years. However, quantum computers will be able to solve the math problems currently used by PKI in seconds.

PQC takes the PKI approach and extends intractability to cover quantum computers, using math puzzles that are resistant to the two known quantum algorithms – Shor’s and Grover’s. The problem is that while PQC appears resistant to Shor’s and Grover’s algorithms, new quantum algorithms and processes may eventually appear that break PQC’s math puzzles too, since those puzzles were only designed to resist the two algorithms known today. Furthermore, we cannot pre-emptively design future-proof PQC systems that would be resistant to yet-to-be-developed quantum algorithms.

While the digital economy would not be totally defenseless with today’s PQC, stakeholders would never know when it was broken. And they would always have to be looking. It would become a very expensive game of cat and mouse where we would need to develop new cryptographic systems every time a new hack came out. The result would be a never-ending arms race between cryptography and quantum computers.

One recent paper titled “Two quantum Ising algorithms for the Shortest Vector Problem: one for now and one for later” supports this view. It describes a new adiabatic quantum process and Ising algorithm that can solve the Shortest Vector Problem (SVP) and break the security of the seemingly “quantum-intractable” Post-Quantum Cryptography. SVP is a complex mathematical problem that is the foundation for many PQC algorithms. These algorithms were developed to resist Shor’s and Grover’s algorithms and extend intractability from classic PKI to quantum computers. Lattice crypto is one such at-risk algorithm family that, ironically enough, is a top contender for NIST certification.

PQC Is Just One Piece of the Puzzle

Similar to its predecessor public-key (asymmetric) cryptography, post-quantum cryptography has two main use cases. These use cases are as follows:

  • Secure transmission of symmetric keys, which you can use to encrypt data at rest and in transit.
  • The generation of digital certificates that can authenticate the identity of the communicating parties.

In short, PQC can help you establish a secure, authenticated connection with another party.

This is great, but what about the security of your symmetric keys and the data that you encrypt with them? PQC might protect the keys in transit, but what then? If you use weak symmetric keys, PQC won’t be able to protect them after the fact.

And besides, what about the seed generation process for PQC keys? PQC is believed to be resistant to quantum attacks, but what if the hackers decide to go back to the basics and try to derive the seed that you used to generate quantum-resistant keys? If you use a weak pseudo-random number generator (PRNG), attackers might be able to simply derive your seed with a quantum computer. And if they do, they might be able to generate the exact cryptographic key that you used to protect your communications.
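
To make the seed-space point concrete, here is an added Python example; it is not code from the original post or from Quantropi. It derives a 256-bit symmetric key two ways: from a small integer seed fed to Python’s non-cryptographic `random` module, and from the operating-system CSPRNG via `secrets`. The `recover_seed` function is a defender’s self-check that asks whether a key can be reproduced by walking a seed space of a given size, and `effective_strength_bits` states the resulting security level. The seed range of 4096 and the seed value 1234 are constructed for the demonstration, as are the function names.

```python
import hmac
import math
import random
import secrets
from typing import Optional

KEY_LEN = 32  # bytes, i.e. a 256-bit symmetric key


def key_from_weak_seed(seed: int) -> bytes:
    """Weak key generation (constructed for illustration): a 256-bit key
    derived from an integer seed with Python's Mersenne Twister, which is
    not a CSPRNG. Anyone who can enumerate the seed space can regenerate
    the key, so its real strength is log2(seed space), not 256 bits."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(KEY_LEN))


def key_from_csprng() -> bytes:
    """Strong key generation: the OS CSPRNG, via the secrets module."""
    return secrets.token_bytes(KEY_LEN)


def recover_seed(target_key: bytes, seed_space: int) -> Optional[int]:
    """Defender-side self-check: try every seed in [0, seed_space) and
    report the one that reproduces target_key, or None if none does.
    A constant-time comparison keeps the check itself from leaking
    anything by timing."""
    for candidate in range(seed_space):
        if hmac.compare_digest(key_from_weak_seed(candidate), target_key):
            return candidate
    return None


def effective_strength_bits(seed_space: int, key_len: int = KEY_LEN) -> float:
    """Effective security of a key drawn from `seed_space` seeds: the
    smaller of the nominal key length and log2 of the seed space."""
    return min(8 * key_len, math.log2(seed_space))


def demo(seed_space: int = 4096, weak_seed: int = 1234) -> dict:
    """Runs both generators against the same seed-enumeration budget.
    The weakly seeded key is reproduced; the CSPRNG key is not."""
    weak_key = key_from_weak_seed(weak_seed)
    strong_key = key_from_csprng()
    return {
        "weak_seed_recovered": recover_seed(weak_key, seed_space),
        "strong_seed_recovered": recover_seed(strong_key, seed_space),
        "weak_effective_bits": effective_strength_bits(seed_space),
        "strong_effective_bits": effective_strength_bits(2 ** (8 * KEY_LEN)),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The lesson is the one the paragraph above makes: a 256-bit key is only as strong as the process that produced it. A 12-bit seed space yields a 12-bit key no matter how long the output is, while a key taken from the OS CSPRNG cannot be reproduced by any seed walk, so the same check comes back empty.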

What this means is that PQC is just one component of quantum-secure protection. It doesn’t cover everything, so it alone cannot ensure that your network infrastructure is fully protected.

Post-Quantum Cryptography and the Issues with Crypto Agility

PQC supporters argue that they can address the above challenges by adopting “crypto agile” solutions, i.e., by just switching to another PQC family if one is suddenly broken. This approach might sound reasonable, but it has a few fundamental problems.

One is the lack of forward secrecy. Bad actors are constantly intercepting and storing encrypted communications today with the hopes of decrypting them later. Thus, even if you use lattice-based PQC to protect transmitted messages, if your data gets intercepted and stored by hackers today, it won’t matter whether or not you switch cryptographic systems tomorrow. It will be too late. Once a quantum computer becomes commercially available, the intercepted information can be decrypted despite being protected with PQC.

Another issue is that currently, we have very little insight into quantum algorithms and what’s possible in the future. We’re now closer than we’ve ever been to commercially available quantum computers, and practitioners are constantly looking for new algorithms to make quantum machines more suitable for practical applications.

Future quantum computers will operate in a high-dimensional space. However, our current efforts to defend our systems and data with PQC happen in lower dimensions. This is the core problem. Moreover, lattice-based PQC has already been broken, and as the SVP paper shows, researchers might be able to develop other algorithms that could neutralize the current security claims of PQC.

Crypto agility does have an extremely important role in cybersecurity. However, in cases where information is highly sensitive or needs to remain secret for long periods of time, more weight should be put on forward secrecy.

Crypto agility by itself is not a solution, especially when it’s only applied to PQC. Crypto agility is an all-encompassing process that should cover your entire data protection stack. If you only apply crypto agility to PQC and keep everything else fixed, you aren’t practicing true agility.

The TrUE Answer to the Quantum Threat

Does this all mean that PQC doesn’t have a place in the future of cryptography? Not necessarily – if implemented right, it could be the ultimate tool against the quantum threat.

The answer to the two security challenges from above is TrUE quantum protection – protection that covers all three foundations of quantum-secure encryption. TrUE consists of these three components:

  1. Trust (Tr), which is concerned with the establishment of trusted communication between parties.
  2. Uncertainty (U), which is focused on keeping data uncertain for attackers – that is, protecting data from interception.
  3. Entropy (E), which is focused on the generation and distribution of random numbers and cryptographic keys.

Trust is achieved with asymmetric encryption, which means that PQC is a method of Trust. Uncertainty is achieved with symmetric encryption, whereas Entropy is achieved by using strong random numbers that cannot be predicted by attackers.

With Uncertainty, we can ensure that our data stays protected after we deliver symmetric keys with PQC. And thanks to Entropy, we can ensure that the keys we use in PQC cannot be guessed. This means that with the three TrUE technologies, we can ensure all-around protection from quantum attacks.

Quantropi believes that the future of cryptography is TrUE quantum. TrUE quantum is the only way to provide end-to-end protection to government and corporate infrastructures. Reinforcing just one part of your network infrastructure is not enough because the total protection level of your network will depend on the protection of its weakest link. You might have PQC, but if hackers could just find another weakness in your system, then your efforts would be all for nothing.

Fighting Quantum with Quantum: Protecting Your Enterprise with QiSpace™

Cryptography’s future is TrUE quantum, and Quantropi’s QiSpace™ is the only quantum-ready SaaS platform in the industry that conforms to the three pillars of TrUE security – Trust, Uncertainty, and Entropy.

In QiSpace™, Trust is provided by MASQ™ quantum-secure asymmetric encryption; Uncertainty is provided by QEEP™ quantum-secure symmetric encryption; and Entropy is provided by SEQUR™. Each of these solutions offers cutting-edge performance and protection compared to their alternatives:

  • MASQ™ uses smaller key sizes and generates smaller digital signatures than NIST PQC finalists, which makes it more efficient and less costly to operate. The performance impact of MASQ™ on network systems is much lower than that of NIST PQC candidates and is on par with classical algorithms.
  • QEEP™ provides quantum-secure symmetric encryption and runs up to 18 times faster than AES-256 while consuming up to 95% less power. QEEP™ is thus ideal for resource-limited endpoints, like IoT devices.
  • SEQUR™ offers true random numbers and digital quantum key distribution (D-QKD) at distances between 4,000 and 15,000 kilometers. SEQUR™ can transmit keys at speeds between 130 and 190 megabits per second, beating all competing solutions.

And the best part – QiSpace™ and TrUE technologies don’t require quantum computers to work. They can be deployed to any classical network infrastructure and protect your business from quantum threats – starting right now.

Quantum-secure any application, product, network, or device with the QiSpace™ platform — without having to sacrifice performance or make major investments in new technology or infrastructure. See for yourself how only QiSpace™ offers TrUE quantum security via all three essential cryptographic functions. Leverage asymmetric encryption algorithms (the “Trust” or “Tr” of “TrUE”) via MASQ™, symmetric encryption (“U” for “Uncertainty”) via QEEP™ and strong random numbers (“E” for “Entropy”) via SEQUR™. Make it TrUE with QiSpace™ — and protect your business, brand, and customer promise. Now and forever.

To learn more about our quantum-secure solutions, don’t hesitate to get in touch with our experts!
