Abstract
Quantum computers are expected to break modern public key cryptography owing to Shor’s algorithm. As a result, these cryptosystems need to be replaced by quantum-resistant algorithms, also known as post-quantum cryptography (PQC) algorithms. The PQC research field has flourished over the past two decades, leading to the creation of a large variety of algorithms that are expected to be resistant to quantum attacks. These PQC algorithms are being selected and standardized by several standardization bodies. However, even with the guidance from these important efforts, the danger is not gone: there are billions of old and new devices that need to transition to the PQC suite of algorithms, leading to a multidecade transition process that has to account for aspects such as security, algorithm performance, ease of secure implementation, compliance and more. Here we present an organizational perspective of the PQC transition. We discuss transition timelines, leading strategies to protect systems against quantum attacks, and approaches for combining pre-quantum cryptography with PQC to minimize transition risks. We suggest standards to start experimenting with now and provide a series of other recommendations to allow organizations to achieve a smooth and timely PQC transition.
This is a preview of subscription content, access via your institution
Access options
Access Nature and 54 other Nature Portfolio journals
Get Nature+, our best-value online-access subscription
$29.99 / 30 days
cancel any time
Subscribe to this journal
Receive 51 print issues and online access
$199.00 per year
only $3.90 per issue
Buy this article
- Purchase on SpringerLink
- Instant access to full article PDF
Prices may be subject to local taxes which are calculated during checkout
Similar content being viewed by others
Data availability
The datasets analysed in the report are available from SUPERCOP at https://bench.cr.yp.to/supercop.html. Source data are provided with this paper.
References
Shor, P. W. Polynomial-time algorithms for prime factorization and discrete logarithms on a quantum computer. In Proc. 35th Annual Symposium on Foundations of Computer Science 124–134 (Soc. Industr. Appl. Math., 1994). Shor’s quantum algorithm demonstrated how to factorize large integers in polynomial time, which is an exponential speed-up over the best classical algorithms.
Bernstein, D. J. & Lange, T. Post-quantum cryptography. Nature 549, 188–194 (2017).
Arute, F. et al. Quantum supremacy using a programmable superconducting processor. Nature 574, 505–510 (2019).
Gidney, C. & Ekerå, M. How to factor 2048 bit RSA integers in 8 hours using 20 million noisy qubits. Quantum 5, 433 (2021). Gidney and Ekerå describe the resources required to implement Shor’s algorithm to break today’s standard cryptography, assuming noisy qubits.
Bennett, C. H. & Brassard, G. Quantum cryptography: public key distribution and coin tossing. Proceedings of the IEEE International Conference on Computers, Systems, and Signal Processing 175–179 (1984).
Alagic, G. et al. Computational security of quantum encryption. In International Conference on Information Theoretic Security 47–71 (Springer, 2016).
Barnum, H., Crepeau, C., Gottesman, D., Smith, A. & Tapp, A. Authentication of quantum messages. In Proc. 43rd Annual IEEE Symposium on Foundations of Computer Science 449–458 (IEEE, 2002).
Paquin, C., Stebila, D. & Tamvada, G. Benchmarking post-quantum cryptography in TLS. In International Conference on Post-Quantum Cryptography 72–91 (Springer, 2020).
Rose, S., Borchert, O., Mitchell, S. & Connelly, S. Zero Trust Architecture (NIST, 2020); https://csrc.nist.gov/publications/detail/sp/800-207/final
Kearney, J. J. & Perez-Delgado, C. A. Vulnerability of blockchain technologies to quantum attacks. Array 10, 100065 (2021).
Lemke, K., Paar, C. & Wolf, M. Embedded Security in Cars (Springer, 2006).
Anderson, R. & Fuloria, S. Security economics and critical national infrastructure. In Economics of Information Security and Privacy 55–66 (Springer, 2010).
Gura, N., Patel, A., Wander, A., Eberle, H. & Shantz, S. C. Comparing elliptic curve cryptography and RSA on 8-bit CPUs. In International Workshop on Cryptographic Hardware and Embedded Systems 119–132 (Springer, 2004).
Rivest, R. L., Shamir, A. & Adleman, L. A method for obtaining digital signatures and public-key cryptosystems. Commun. ACM 21, 120–126 (1978).
Miller, V. S. Use of elliptic curves in cryptography. In Conference on the Theory and Application of Cryptographic Techniques 417–426 (Springer, 1985).
Koblitz, N. Elliptic curve cryptosystems. Math. Comput. 48, 203–209 (1987).
Chang, S. et al. Third-Round Report of the SHA-3 Cryptographic Hash Algorithm Competition NISTIR 7896 (NIST, 2012).
Hülsing, A., Butin, D., Gazdag, S.-L., Rijneveld, J. & Mohaisen, A. XMSS: eXtended Merkle signature scheme. RFC 8391 (2018); https://datatracker.ietf.org/doc/html/rfc8391
McGrew, D., Curcio, M. & Fluhrer, S. Leighton-Micali hash-based signatures. RFC 8554 (2019); https://datatracker.ietf.org/doc/html/rfc8554
Cooper, D. A. et al. Recommendation for Stateful Hash-based Signature Schemes NIST Special Publication 800-208 (NIST, 2020); https://csrc.nist.gov/publications/detail/sp/800-208/final
Alagic, G. et al. Status Report on the Second Round of the NIST Post-quantum Cryptography Standardization Process (US Department of Commerce, NIST, 2020); https://csrc.nist.gov/publications/detail/nistir/8309/finalThis report describes NIST’s findings after evaluation of the second round, and explains the motivation for selecting the seven finalist schemes as well as the eight alternative track schemes for evaluation in the third round.
Gheorghiu, V. & Mosca, M. Benchmarking the quantum cryptanalysis of symmetric, public-key and hash-based cryptographic schemes. Preprint at https://arxiv.org/abs/1902.02332 (2019).
Bernstein, D. J. et al. SPHINCS: practical stateless hash-based signatures. In Proc. EUROCRYPT Vol. 9056 368–397 (Springer, 2015).
Nechvatal, J. et al. Report on the development of the advanced encryption standard (AES). J. Res. Natl Inst. Stand. Technol. 106, 511–577 (2001).
Chen, L. et al. Report on Post-quantum Cryptography (NIST, 2016); https://csrc.nist.gov/publications/detail/nistir/8105/final
McEliece, R. J. A public-key cryptosystem based on algebraic coding theory. Jet Propulsion Laboratory, Pasadena. DSN Progress Reports 4244, 114–116 (1978).
Dierks, T. & Allen, C. The TLS protocol version 1.0. RFC 2246 (1999); https://www.ietf.org/rfc/rfc2246.txt
Rescorla, E. & Dierks, T. The transport layer security (TLS) protocol version 1.3. RFC 8446 (2018); https://datatracker.ietf.org/doc/html/rfc8446
Rescorla, E. & Schiffman, A. The secure hypertext transfer protocol. RFC 2660 (1999); https://datatracker.ietf.org/doc/html/rfc2660
Holz, R., Amann, J., Mehani, O., Wachs, M. & Kaafar, M. A. TLS in the wild: an Internet-wide analysis of TLS-based protocols for electronic communication. Proceedings of the Network and Distributed System Security Symposium (NDSS) (2016).
Steblia, D., Fluhrer, S. & Gueron, S. Hybrid Key Exchange in TLS 1.3 (IETF, 2020); https://tools.ietf.org/id/draft-stebila-tls-hybrid-design-03.html
Tjhai, C. et al. Multiple Key Exchanges in IKEv2 (IETF, 2021); https://www.ietf.org/archive/id/draft-ietf-ipsecme-ikev2-multiple-ke-03.txt
CYBER; Quantum-Safe Hybrid Key Exchanges ETSI TS 103 744, (ETSI, 2020); https://www.etsi.org/deliver/etsi_ts/103700_103799/103744/01.01.01_60/ts_103744v010101p.pdf
Quantum Safe Cryptography and Security; An Introduction, Benefits, Enablers and Challenges White Paper No. 8 (ETSI, 2015); https://www.etsi.org/technologies/quantum-safe-cryptography
Barker, W., Souppaya, M. & Newhouse, W. Migration to Post-Quantum Cryptography (NIST & CSRC, 2021); https://csrc.nist.gov/publications/detail/white-paper/2021/08/04/migration-to-post-quantum-cryptography/final
Lu, X. et al. LAC: practical ring-LWE based public-key encryption with byte-level modulus. IACR Cryptol. ePrint Arch. 2018, 1009 (2018).
Announcement of nation-wide cryptographic algorithm design competition result. Chinese Association for Cryptology Research https://www.cacrnet.org.cn/site/content/854.html (2021).
Alagic, G. et al. Status Report on the First Round of the NIST Post-Quantum Cryptography Standardization Process (NIST, 2019); https://www.nist.gov/publications/status-report-first-round-nist-post-quantum-cryptography-standardization-process
Ott, D. et al. Identifying research challenges in post quantum cryptography migration and cryptographic agility. Preprint at https://arxiv.org/abs/1909.07353 (2019).
Bindel, N., Brendel, J., Fischlin, M., Goncalves, B. & Stebila, D. Hybrid key encapsulation mechanisms and authenticated key exchange. In International Conference on Post-Quantum Cryptography 206–226 (Springer, 2019).
Crockett, E., Paquin, C. & Stebila, D. Prototyping post-quantum and hybrid key exchange and authentication in TLS and SSH. IACR Cryptol. ePrint Arch. 2019, 858 (2019). Implementations of NIST round two PQC algorithms in TLS, providing insightful data on which algorithms are likely to be performant enough for widespread use and which will suffer severe performance issues.
Ounsworth, M. & Pala, M. Composite Signatures For Use In Internet PKI (IETF, 2021); https://www.ietf.org/archive/id/draft-ounsworth-pq-composite-sigs-05.txt
Barker, E., Chen, L. & Davis, R. Recommendation for Key-Derivation Methods in Key-Establishment Schemes (NIST, 2020); https://www.nist.gov/publications/recommendation-key-derivation-methods-key-establishment-schemes
Peikert, C. A decade of lattice cryptography. Found. Trends Theor. Comput. Sci. 10, 283–424 (2016).
Bernstein, D. J., Buchmann, J. & Dahmen, E. Post-Quantum Cryptography (Springer, 2009).
Stebila, D. & Mosca, M. Post-quantum key exchange for the internet and the open quantum safe project. In International Conference on Selected Areas in Cryptography 14–37 (Springer, 2016).
Langley, A. BoringSSL. GitHub https://github.com/google/boringssl (2020).
Duong, T. Tink. GitHub https://github.com/google/tink (2020).
Bernstein, D. J. & Lange, T. SUPERCOP: system for unified performance evaluation related to cryptographic operations and primitives (VAMPIRE Lab, 2018); https://bench.cr.yp.to/supercop.html
Mosca, M. & Piani, M. Quantum Threat Timeline (Global Risk Institute, 2021); https://globalriskinstitute.org/publications/2021-quantum-threat-timeline-report/
Memorandum on Improving the Cybersecurity of National Security, Department of Defense, and Intelligence Community Systems. The White House https://www.whitehouse.gov/briefing-room/presidential-actions/2022/01/19/memorandum-on-improving-the-cybersecurity-of-national-security-department-of-defense-and-intelligence-community-systems/ (2022).
Author information
Authors and Affiliations
Contributions
D.J., R.M. and M.M. drafted the paper and provided technical expertise. J.T., F.D.P., O.L., P.V. and S.L. participated in extensive discussions, providing business and organizational perspectives and edits, and J.H. and R.H. drove the project from an executive level, helping to gather resources, provide direction and edit the manuscript. A substantial part of this paper was written while all the authors were a part of Alphabet.
Corresponding author
Ethics declarations
Competing interests
The authors declare no competing interests.
Peer review
Peer review information
Nature thanks Tanja Lange and the other, anonymous, reviewer(s) for their contribution to the peer review of this work.
Additional information
Publisher’s note Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.
Supplementary information
Rights and permissions
About this article
Cite this article
Joseph, D., Misoczki, R., Manzano, M. et al. Transitioning organizations to post-quantum cryptography. Nature 605, 237–243 (2022). https://doi.org/10.1038/s41586-022-04623-2
Received:
Accepted:
Published:
Issue Date:
DOI: https://doi.org/10.1038/s41586-022-04623-2
This article is cited by
-
Quantum variations of cyclotomic cosets for cyclic stabiliser codes construction
Quantum Information Processing (2024)
-
Exploring the solution space: CB-WCA for efficient finite field multiplication in post-quantum cryptography
Quantum Information Processing (2024)
-
Efficient lattice-based revocable attribute-based encryption against decryption key exposure for cloud file sharing
Journal of Cloud Computing (2023)
-
Implementing Post-quantum Cryptography for Developers
SN Computer Science (2023)