“The first thing organizations need to do is understand where they are using cryptography, how and why,” says El Kafarani. “Start assessing which parts of your system need to be switched and build the transition to post-quantum cryptography from the most vulnerable parts.”
There is still a great degree of uncertainty surrounding quantum computers. No one knows what they will be capable of or if it will even be possible to build them on a large scale. Quantum computers being built by the likes of Google and IBM are beginning to outperform classical devices in specially designed tasks, but scaling them up is a difficult technological challenge and it will be many years before there is a quantum computer that can run Shor’s algorithm in any meaningful way. “The biggest problem is that we have to make good assumptions about the future capabilities of both classical and quantum computers,” Yang says. “There is no guarantee of safety here.”
The complexity of these new algorithms makes it difficult to estimate how well they will actually work in practice. “Evaluating security is usually a game of cat and mouse,” says Artur Ekert, professor of quantum physics at the University of Oxford and one of the pioneers of quantum computing. “Lattice-based cryptography is very elegant from a mathematical perspective, but evaluating its security is really difficult.”
The researchers who developed these NIST-backed algorithms say they can effectively simulate how long it will take a quantum computer to solve a problem. “You don’t need a quantum computer to write a quantum program and know how long it will run,” claims Vadim Lyubashevsky, an IBM researcher who contributed to the CRYSTALS-Dilithium algorithm. But no one knows what new quantum algorithms researchers might cook up in the future.
Indeed, one of NIST’s shortlisted finalists—a structured lattice algorithm called Rainbow—was knocked out of the running when IBM researcher Ward Beullens published a paper titled “Breaking Rainbow Takes a Weekend on a Laptop.” NIST’s announcements will focus the attention of codebreakers on structured lattices, which could undermine the entire project, Young argued.
Also, Ekert says, there’s a careful balance between security and efficiency: Basically, if you make your encryption key longer, it’ll be harder to crack, but it’ll also require more computing power. If post-quantum cryptography becomes widespread like RSA, it could mean a significant impact on the environment.
Young accuses NIST of somewhat “naïve” thinking, while Ekert believes “more detailed security analysis is needed.” There are only a handful of people in the world with the combined quantum and cryptographic expertise required to perform that analysis.
Over the next two years, NIST will publish draft standards, invite comments, and finalize new forms of quantum-resistant encryption, which it hopes will be adopted worldwide. After that, based on previous implementations, Moody thinks it could be 10 to 15 years before companies widely implement them, but their data may be vulnerable now. “We have to start now,” says El Kafarani. “It’s the only option we have if we want to protect our medical records, our intellectual property or our personal information.”