For several years, one scenario has been receiving increased attention in cybersecurity: malicious actors are thought to be collecting encrypted data already, with a view to decrypting it later, once quantum computers have sufficient computing power. This approach, known as harvest now, decrypt later, rests on a simple assumption: what is still unreadable today could become transparent tomorrow.
To address this latent threat, post-quantum cryptography (PQC) has become a priority. It encompasses all cryptographic methods designed to withstand the unparalleled capabilities of quantum computing. These include post-quantum encryption, which specifically focuses on protecting data confidentiality by means of suitable encryption algorithms. According to a study published by French agency ANSSI, 50% of the organizations surveyed are exposed to risks posed by future quantum attacks, notably linked to the use of VPNs or long-term certificates. The French Cybersecurity Agency urges beneficiaries of post-quantum solutions to start preparing their migration as soon as possible.
Principles And Objectives Of Post-quantum Encryption
Post-quantum encryption refers to a set of new cryptographic algorithms designed to withstand the power of future quantum computers. Unlike current technologies, often based on mathematical problems conventional computers would take ages to solve, these new approaches are designed to be robust even when faced with machines capable of using the laws of quantum physics to simultaneously explore a large number of possible solutions to certain mathematical problems. What's essential to note is that post-quantum encryption is compatible with our current hardware, which means it can be rolled out gradually, without waiting for the emergence of quantum computers.
Post-quantum encryption finds its natural place wherever cryptography is already essential, whether in secure communications, financial transactions, cloud storage, critical infrastructures or connected objects. However, some business sectors need to pay more immediate attention to this transition. Banking, for example, relies heavily on the security of payments and the confidentiality of customer data. Likewise, the healthcare sector, where the protection of medical records and discussions between professionals is crucial, cannot afford to lag behind in this transformation. For these sectors, anticipating the quantum threat is not optional but a strategic necessity, precisely because of how long their data must remain confidential.
Progress In Post-quantum Cryptography In The Face Of Industrial And Technical Challenges
The standardization of post-quantum cryptography is an ongoing process, mainly driven by NIST (National Institute of Standards and Technology). This work aims to validate algorithms that are robust, high-performance and secure against the threats posed by future quantum computers. But beyond the selection of secure algorithms, this standardization also involves defining best practices for their implementation, to avoid pitfalls in real-world use.
Technologically, two key concepts stand out: hybridization and crypto-agility. Hybridization consists of combining conventional algorithms with post-quantum algorithms to secure the transition, particularly during the time needed to test the robustness of post-quantum algorithms over the long term. Crypto-agility refers, among other things, to a system's ability to rapidly change its algorithm if a vulnerability is found. As these two concepts are key in supporting the transition to PQC, they will be the subject of standardization or recommendations depending on usage.
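The following sketch is an added example, not code from ANSSI, NIST or any product mentioned here. It shows both concepts at once: a session key derived from a conventional and a post-quantum shared secret, so that an attacker must recover both to compute it, and a suite registry that lets a weakened combination be retired without changing the calling code. The suite names, ids, the `retired` flag and the concatenate-then-HKDF combiner are assumptions chosen for illustration; the two shared secrets are taken as inputs, standing in for the outputs of a real key exchange and a real KEM.

```python
import hashlib
import hmac

# Hypothetical suite registry: names, ids and the "retired" flag are assumptions
# made for this example, not values from any standard.
SUITES = {
    "x25519+mlkem768": {"id": 1, "hash": "sha256", "retired": False},
    "p384+mlkem1024": {"id": 2, "hash": "sha384", "retired": False},
}


def hkdf(hash_name, salt, ikm, info, length):
    """HKDF extract-then-expand (RFC 5869) using only the standard library."""
    digest_size = hashlib.new(hash_name).digest_size
    prk = hmac.new(salt or bytes(digest_size), ikm, hash_name).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hash_name).digest()
        okm += block
        counter += 1
    return okm[:length]


def negotiate(local_prefs, peer_supported):
    """Crypto-agility: first local preference the peer supports and that is not retired."""
    for name in local_prefs:
        if name in peer_supported and not SUITES.get(name, {"retired": True})["retired"]:
            return name
    raise ValueError("no mutually supported, non-retired suite")


def combine(suite_name, classical_secret, pq_secret, transcript, length=32):
    """Hybridization: one session key derived from both shared secrets."""
    suite = SUITES[suite_name]
    if suite["retired"]:
        raise ValueError("suite retired: " + suite_name)
    # Length-prefix each secret so the boundary between them is unambiguous.
    ikm = b"".join(len(s).to_bytes(2, "big") + s
                   for s in (classical_secret, pq_secret))
    # Bind the suite id and handshake transcript so that keys derived for
    # different suites or different sessions never coincide.
    info = (b"hybrid-example" + suite["id"].to_bytes(2, "big")
            + hashlib.sha256(transcript).digest())
    return hkdf(suite["hash"], b"", ikm, info, length)
```

Setting `SUITES[name]["retired"] = True` is the agility step: `negotiate` then falls through to the next mutually supported suite and `combine` refuses the retired one.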
At the same time, the maturity of actors varies. On the suppliers' side, we observe some mobilization, as many are actively following the current recommendations and gradually integrating the new standards into their products. On the end-users' side, the picture is more mixed. Some sectors are still waiting for clear directives, while others, more sensitive to security issues, are already anticipating the changes to come.
The Role French And European Authorities Play In Support And Regulation
In France, ANSSI plays a central role in raising awareness of the threat posed by quantum computing to current cryptographic systems. In addition to the technical recommendations, the Agency and its European counterparts suggest that we anticipate the costs, time frames and complexity linked to migrating to PQC, in order to avoid a hasty and risky transition.
ANSSI also has a role to play in international standardization work. The purpose is to ensure that future global standards incorporate security requirements specific to the French context, and that the solutions chosen are technically and operationally compatible with national requirements.
On the regulatory front, the foundations are already in place for this transition. In Europe, for example, the Cyber Resilience Act (CRA) will require suppliers to comply with strict requirements, including the state of the art in cryptography, with assessments scheduled according to the criticality level of solutions. At a national level, several legal texts already refer to cryptographic obligations. For example, sensitive users who are subject to these obligations, such as some vital administrations or operators, will have to continue to guarantee that their systems incorporate the state of the art. Non-sensitive users, without being directly subject to the same obligations, should nevertheless ensure that their suppliers provide solutions that comply with standards on post-quantum cryptography, depending on their needs.
As quantum technologies develop, implementing post-quantum cryptography is becoming an essential challenge for ensuring the security of information systems. This transition requires a gradual adaptation of infrastructures and coordination between the various actors in the sector. Beyond the technical aspects, it also raises organizational and strategic issues that need to be addressed to ensure effective implementation.