
Challenges of Upgrading to Post-Quantum Cryptography (PQC)

Introduction

Quantum computing, once a theoretical field, is rapidly becoming a tangible reality. Its potential to revolutionize many scientific and technical fields is accompanied by a dark side: the ability to break many of the cryptographic protocols we rely on today. Asymmetric cryptography algorithms like RSA and ECC, which safeguard much of our online data and communications, will be rendered vulnerable to quantum attacks, primarily due to algorithms like Shor’s Algorithm. This means that to secure the future, we must transition to post-quantum cryptography (PQC)—a massive task that poses significant challenges for organizations worldwide. In my opinion, it is a task more massive than Y2K, for those who remember it.

The Quantum Threat: A Universal Vulnerability

One of the most significant implications of quantum computing is its ability to compromise nearly every device that relies on encryption. Devices today use both asymmetric and symmetric cryptography for everything from secure communications to validating software integrity. While asymmetric algorithms like RSA and ECC will be completely broken by quantum computers, even symmetric cryptography will be weakened. For example, symmetric algorithms like AES, although not entirely broken, will require substantially larger key sizes to remain secure. Moreover, quantum computers can weaken cryptographic hash functions used to verify data integrity, thus making software updates, digital signatures, and device authentications vulnerable.

This means the quantum threat doesn’t just apply to high-security enterprise systems—it touches every connected device. From smartphones and laptops to industrial control systems and IoT devices, quantum computing poses a risk to all of them.

Beyond Enterprise IT: The Vulnerability of Non-IT Systems

Many organizations focus solely on securing their enterprise IT infrastructure in preparation for the quantum age. However, this overlooks a wide range of other connected devices that are just as vulnerable. Data center systems, like connected mechanical and electrical controls, smart building devices, transportation systems, and even personal electronics like smartphones, all depend on encryption to function securely. These systems often operate in the background but are integral to day-to-day operations.

Consider the smart cities of today, which use encrypted data to manage public infrastructure such as traffic systems and streetlights. Similarly, healthcare IoT devices that monitor patient health and logistics platforms managing supply chains also rely on encryption to ensure data integrity and privacy. The quantum threat to these systems, if left unaddressed, could lead to widespread disruption, far beyond typical IT systems.

Performance and Efficiency Concerns: Larger Key Sizes and More Computing Power

One of the more technical challenges of transitioning to PQC is the increased computational resources these algorithms demand. Many quantum-resistant algorithms, such as lattice-based cryptography, require significantly larger key sizes than classical algorithms. For example, PQC solutions like CRYSTALS-Kyber use larger key sizes and more complex computations than RSA and ECC.

  • Larger key sizes: RSA typically uses key sizes between 2048 and 4096 bits, while quantum-resistant alternatives may require tens of thousands of bits. This increase in key size can slow down encryption and decryption processes, especially in environments with constrained resources, such as IoT devices.
  • Computational overhead: The increased complexity of PQC algorithms means that more computational power and energy are required to run encryption tasks. For systems with limited processing capabilities, this can lead to performance bottlenecks, necessitating hardware upgrades.

This is especially problematic for resource-constrained environments, such as industrial IoT devices and embedded systems, which often lack the computational capacity to handle these more demanding algorithms. These devices may need to be redesigned, adding further cost and complexity to the transition.

Security Auditing, Algorithm Maturity, and Side-Channel Attacks

Though NIST will select several quantum-resistant algorithms, the security community continues to scrutinize these methods. PQC algorithms are relatively new compared to RSA and ECC, which have been battle-tested for decades. As with all cryptographic algorithms, newly discovered vulnerabilities are a possibility. For instance, the SIKE algorithm, once considered promising, was found to be vulnerable to a classical attack.

Additionally, while PQC algorithms resist quantum attacks, they are not immune to side-channel attacks, which exploit information leaks like power consumption or timing variations during encryption operations. Ensuring resilience against these attacks requires not just new algorithms but also hardware improvements and careful implementation. Security audits must be conducted at every level to confirm that systems can resist both classical and quantum attacks.

Supply Chain and Vendor Coordination

The adoption of PQC isn’t just an internal organizational challenge; it requires coordination across the entire supply chain. Most organizations depend on third-party vendors for hardware, software, and encryption libraries. The shift to PQC will require each of these vendors to integrate quantum-resistant algorithms into their systems.

  • Third-party dependencies: Vendors of encryption tools and devices must update their products to support PQC. Organizations cannot secure their systems without their vendors first providing the necessary cryptographic libraries, certificates, and protocols.
  • Supply chain synchronization: Many industries, particularly those relying on IoT or cloud services, require tight coordination between multiple suppliers. As organizations move to PQC, any misalignment between supply chain members could leave parts of the system vulnerable.

Cost and Resource Allocation: A Complex and Expensive Transition

Upgrading to PQC is a cost-intensive process. It involves software updates, hardware replacements, extensive testing, and staff training. These costs are especially high for organizations with legacy systems that are not compatible with quantum-resistant algorithms. Moreover, the transition may involve significant downtime as systems are updated, which can impact critical services.

  • Hardware costs: As discussed earlier, many PQC algorithms require more computing power and larger key sizes, which may necessitate hardware upgrades, particularly in environments like IoT devices.
  • Ongoing costs: Organizations must also account for the long-term costs of maintaining quantum-resistant systems. These include regular security audits, patches, and the potential need to switch to different PQC algorithms if vulnerabilities are discovered in current implementations.

Organizational Readiness and Misconceptions: Why Companies Delay Action

Many organizations continue to procrastinate on PQC adoption, either because they believe the quantum threat is still years away or they assume the transition will be straightforward. This is a dangerous misconception. While fully functional quantum computers capable of breaking encryption might still be years off, data encrypted today could be intercepted and stored for future decryption. By the time quantum computers become available, the damage could already be done.

Moreover, upgrading to PQC is far from a simple process. Many organizations falsely believe that transitioning to quantum-resistant algorithms will be as easy as installing a software update. In reality, it requires significant changes to cryptographic systems, encryption protocols, and hardware. The process involves careful planning, testing, and implementation—none of which can be accomplished quickly or with minimal effort.

Conclusion: The Need for Immediate Action

The shift to post-quantum cryptography is not a distant problem but an imminent challenge that requires immediate attention. The quantum threat affects all forms of computing—whether it’s enterprise IT, IoT devices, or personal electronics. Transitioning to quantum-resistant algorithms is a complex, resource-intensive task that demands coordination across the supply chain, extensive security audits, and careful management of performance and cost issues.

Organizations that delay this transition risk exposing themselves to future quantum attacks. The time to start planning is now. Developing a quantum-readiness roadmap, engaging with vendors, and conducting a thorough inventory of cryptographic systems will be key to ensuring long-term security in the quantum era.
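
A starting point for the cryptographic inventory recommended above, as an added example that is not the author's code: it classifies each recorded algorithm using the article's categories (asymmetric schemes to replace, AES needing larger keys) and orders the work by how long the protected data must stay confidential, reflecting the intercept-now, decrypt-later risk. The inventory rows, field names, action labels and the AES-256 target are assumptions constructed for illustration.

```python
import csv
import io
import re

# Asymmetric families broken by Shor's algorithm (RSA, discrete-log and elliptic-curve schemes).
SHOR_BROKEN = {"RSA", "DSA", "DH", "ECDSA", "ECDH", "ED25519", "X25519"}
# Quantum-resistant names; ML-KEM is the NIST-standardized form of CRYSTALS-Kyber.
PQC = ("ML-KEM", "ML-DSA", "SLH-DSA", "KYBER")
RANK = {"replace": 0, "enlarge-key": 1, "review": 2, "ok": 3}

# Constructed sample inventory (assumed format), covering IT and non-IT assets.
INVENTORY = """\
asset,owner,algorithm,data_lifetime_years
vpn-gateway,vendor,RSA-2048,10
building-hvac-controller,vendor,ECDSA-P256,15
backup-archive,internal,AES-128-GCM,25
patient-monitor-telemetry,vendor,AES-256-GCM,7
code-signing,internal,RSA-4096,5
pilot-tls-endpoint,internal,ML-KEM-768,1
firmware-manifest,internal,SHA-256,5
"""

def classify(algorithm: str) -> str:
    """Map a label such as 'RSA-2048' or 'AES-128-GCM' to a migration action."""
    name = algorithm.strip().upper()
    if any(p in name for p in PQC):
        return "ok"
    aes = re.match(r"AES-?(\d+)", name)
    if aes:  # assumption: AES-256 is the target key size
        return "ok" if int(aes.group(1)) >= 256 else "enlarge-key"
    family = re.split(r"[-_ ]", name)[0]
    # Anything unrecognized (hashes, proprietary schemes) goes to manual review.
    return "replace" if family in SHOR_BROKEN else "review"

def triage(text: str) -> list[dict]:
    """Parse the inventory and return rows ordered by urgency."""
    rows = []
    for rec in csv.DictReader(io.StringIO(text)):
        action = classify(rec["algorithm"])
        rows.append({"asset": rec["asset"], "action": action,
                     "lifetime": int(rec["data_lifetime_years"]),
                     # Vendor-owned assets cannot be fixed without a vendor release.
                     "needs_vendor": rec["owner"] == "vendor" and action != "ok"})
    # Most urgent action first; within an action, longest-lived data first.
    rows.sort(key=lambda r: (RANK[r["action"]], -r["lifetime"]))
    return rows

if __name__ == "__main__":
    for r in triage(INVENTORY):
        print(f'{r["action"]:<12}{r["lifetime"]:>3}y  vendor={r["needs_vendor"]!s:<6}{r["asset"]}')
```
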

Marin Ivezic

I am the Founder of Applied Quantum (AppliedQuantum.com), a research-driven professional services firm dedicated to helping organizations unlock the transformative power of quantum technologies. Alongside leading its specialized service, Secure Quantum (SecureQuantum.com)—focused on quantum resilience and post-quantum cryptography—I also invest in cutting-edge quantum ventures through Quantum.Partners. Currently, I’m completing a PhD in Quantum Computing and authoring an upcoming book “Practical Quantum Resistance” (QuantumResistance.com) while regularly sharing news and insights on quantum computing and quantum security at PostQuantum.com. I’m primarily a cybersecurity and tech risk expert with more than three decades of experience, particularly in critical infrastructure cyber protection. That focus drew me into quantum computing in the early 2000s, and I’ve been captivated by its opportunities and risks ever since. So my experience in quantum tech stretches back decades, having previously founded Boston Photonics and PQ Defense where I engaged in quantum-related R&D well before the field’s mainstream emergence. Today, with quantum computing finally on the horizon, I’ve returned to a 100% focus on quantum technology and its associated risks—drawing on my quantum and AI background, decades of cybersecurity expertise, and experience overseeing major technology transformations—all to help organizations and nations safeguard themselves against quantum threats and capitalize on quantum-driven opportunities.