In our previous blog we discussed the emerging technology that is quantum computing, the benefits it brings, but also the risks it can pose to digital identities.
In this next blog we’ll be taking a closer look at Post Quantum Cryptography, and the measures being taken by the industry to secure digital identities in the post quantum era.
Why is this so important?
Quantum computing poses several risks to digital identities due to its ability to break certain cryptographic algorithms that currently underpin secure communication and digital identity systems. Some of the risks include:
- Compromising Digital Certificates: Quantum computers could break commonly used encryption and signature methods like RSA and Elliptic Curve Cryptography. These methods are important for secure communications and digital seals. Digital certificates help verify the identity and integrity of digital identities in applications like secure web browsing. Quantum computers can undermine the security of these certificates and allow attackers to create fake ones, pretend to be legitimate entities, and carry out malicious activities.
- Decrypting Past Interceptions: Quantum computers can potentially decrypt encrypted data that was intercepted in the past. If an attacker stores encrypted communication until a quantum computer is available, they could use quantum algorithms to decrypt the information. This puts previously intercepted data at risk of being exposed.
- Identity Theft and Fraud: Quantum computing can enable attackers to break the encryption protecting personal information like passwords and credit card numbers. This could lead to identity theft, fraud, and unauthorized access to personal accounts or systems.
Several industry standards are currently being developed and evaluated for post-quantum cryptography. Although the field is still evolving, these are some of the major organizations and initiatives that are actively contributing to the development of industry standards for post-quantum cryptography. Their efforts aim to provide new guidelines, new algorithms, and updated protocols that will ensure the security of digital systems and communications in the presence of powerful quantum computers.
NIST Post-Quantum Cryptography Standardization: The US National Institute of Standards and Technology (NIST) is leading the standardization process for post-quantum cryptography. NIST initiated a project in 2016 to evaluate and select quantum-resistant cryptographic algorithms. Multiple rounds of evaluations and public feedback have been conducted. NSIT has selected four algorithms it will standardize as a result of the Post-Quantum Cryptography (PQC) Standardization Process: CRYSTALS–KYBER, along with three digital signature schemes: CRYSTALS–Dilithium, FALCON, and SPHINCS+.
Internet Engineering Task Force (IETF): The IETF is actively working on standards related to post-quantum cryptography. The Quantum-Safe Cryptography Working Group within the IETF focuses on developing specifications for quantum-resistant cryptographic algorithms and protocols, as well as providing guidance on transitioning to post-quantum cryptography.
European Telecommunications Standards Institute (ETSI): ETSI is also involved in the standardization efforts for post-quantum cryptography. Their Quantum-Safe Cryptography Technical Committee is working on developing standards and guidelines to ensure the security of cryptographic systems against quantum attacks.
International Organization for Standardization (ISO): ISO has established a working group, ISO/IEC JTC 1/SC 27/WG 2, dedicated to the standardization of quantum-resistant cryptographic algorithms. The working group is responsible for developing and maintaining international standards in the field of information security, including post-quantum cryptography.
In part three, we’ll be taking a closer look at the industry examples of post quantum cryptography already in action.
For further reading, please check out the following: