Post Quantum Cryptography

https://access.redhat.com/blogs/766093/posts/3031361?sc_cid=7016000000127ECAAY

The SSL/TLS protocols use RSA, Diffie-Hellman (DH) or Elliptic Curve Diffie-Hellman (ECDH) for key exchange.

RSA rests on the fact that, given the product of two large primes (the public modulus), recovering the factors is computationally infeasible on classical hardware; a large enough quantum computer could factor it efficiently with Shor's algorithm. DH and ECDH rely on the discrete logarithm problem, which Shor's algorithm also solves, so all three key exchanges fall to a sufficiently large quantum computer.

For symmetric ciphers the picture is different. Grover's algorithm gives only a quadratic speed-up over brute-force key search, so the effective key length is halved: AES-256 under a Grover attack offers roughly the security AES-128 offers against classical brute force. Hash functions are affected in the same way, since preimage search is also a brute-force search.

So we need new algorithms that resist quantum computation. The linked article introduces five proposals that are under study.

237 Comments

  1. Tomi Engdahl says:

    https://blog.cloudflare.com/kemtls-post-quantum-tls-without-signatures

    The Transport Layer Security protocol (TLS), which secures most Internet connections, has mainly been a protocol consisting of a key exchange authenticated by digital signatures used to encrypt data at transport[1]. Even though it has undergone major changes since 1994, when SSL 1.0 was introduced by Netscape, its main mechanism has remained the same. The key exchange was first based on RSA, and later on traditional Diffie-Hellman (DH) and Elliptic-curve Diffie-Hellman (ECDH). The signatures used for authentication have almost always been RSA-based, though in recent years other kinds of signatures have been adopted, mainly ECDSA and Ed25519. This recent change to elliptic curve cryptography at both the key exchange and the signature level has resulted in considerable speed and bandwidth benefits in comparison to traditional Diffie-Hellman and RSA.

    TLS is the main protocol that protects the connections we use everyday. It’s everywhere: we use it when we buy products online, when we register for a newsletter — when we access any kind of website, IoT device, API for mobile apps and more, really. But with the imminent threat of the arrival of quantum computers (a threat that seems to be getting closer and closer), we need to reconsider the future of TLS once again. A wide-scale post-quantum experiment was carried out by Cloudflare and Google: two post-quantum key exchanges were integrated into our TLS stack and deployed at our edge servers as well as in Chrome Canary clients. The goal of that experiment was to evaluate the performance and feasibility of deployment of two post-quantum key exchanges in TLS.

    The candidate algorithms in the NIST post-quantum standardization process use mathematical objects that are larger than the ones used for elliptic curves, traditional Diffie-Hellman, or RSA. As a result, the overall size of public keys, signatures and key exchange material is much bigger than those from elliptic curves, Diffie-Hellman, or RSA.

    How can we solve this problem? How can we use post-quantum algorithms as part of the TLS handshake without making the material too big to be transmitted? In this blogpost, we will introduce a new mechanism for making this happen.

    TLS 1.3 was introduced in August 2018, and it brought many security and performance improvements (notably, having only one round-trip to complete the handshake). But TLS 1.3 is designed for a world with classical computers, and some of its functionality will be broken by quantum computers when they do arrive.

    We can estimate the impact of such a replacement on network traffic by simply looking at the sum of the cryptographic objects that are transmitted during the handshake. A typical TLS 1.3 handshake using elliptic curve X25519 and RSA-2048 would transmit 1,376 bytes, which would correspond to the public keys for key exchange, the certificate, the signature of the handshake, and the certificate chain. If we were to replace X25519 by the post-quantum KEM Kyber512 and RSA by the post-quantum signature Dilithium II, two of the more efficient proposals, the size of the transmitted data would increase to 10,036 bytes[4]. The increase is mostly due to the size of the post-quantum signature algorithm.

    KEMTLS, therefore, achieves the same goals as TLS 1.3 (authentication, confidentiality and integrity) in the face of quantum computers. But there’s one small difference compared to the TLS 1.3 handshake. KEMTLS allows the client to send encrypted application data in the second client-to-server TLS message flow when client authentication is not required, and in the third client-to-server TLS message flow when mutual authentication is required. Note that with TLS 1.3, the server is able to send encrypted and authenticated application data in its first response message (although, in most uses of TLS 1.3, this feature is not actually used). With KEMTLS, when client authentication is not required, the client is able to send its first encrypted application data after the same number of handshake round trips as in TLS 1.3.

    Cloudflare and KEMTLS: the implementation

    As part of our effort to show that TLS can be completely post-quantum safe, we implemented the full KEMTLS handshake in Golang’s TLS 1.3 suite.

    Reply
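An added worked example of the KEMTLS flow the Cloudflare post describes (this is editorial example code, not Cloudflare's implementation or anything from the comment above). It plays both sides of a server-authenticated handshake in one process: the client sends an ephemeral KEM public key, the server replies with a KEM ciphertext plus its certified static KEM key, and the client's next flight carries a ciphertext to that static key, so no signature is sent at all and the server is authenticated by being the only party able to decapsulate. Assumptions: X25519 used as a KEM stands in for the Kyber/ML-KEM keys of the real deployment, an HMAC-based `prf` stands in for the TLS 1.3 HKDF key schedule, and every function name here is the example's own.

```go
package main

import (
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// X25519 used as a KEM (assumption: a classical stand-in for the ML-KEM/Kyber
// keys in the post; the KEMTLS flow below is the same for any KEM). Ciphertext
// = ephemeral public key; secret = DH output hashed with ciphertext and pk.
func kemSecret(priv *ecdh.PrivateKey, peer *ecdh.PublicKey, ct, pk []byte) ([]byte, error) {
	raw, err := priv.ECDH(peer)
	if err != nil {
		return nil, err
	}
	h := sha256.Sum256(append(append(raw, ct...), pk...))
	return h[:], nil
}

func kemEncaps(pk *ecdh.PublicKey) (ct, ss []byte, err error) {
	eph, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	ct = eph.PublicKey().Bytes()
	ss, err = kemSecret(eph, pk, ct, pk.Bytes())
	return ct, ss, err
}

func kemDecaps(sk *ecdh.PrivateKey, ct []byte) ([]byte, error) {
	ctPub, err := ecdh.X25519().NewPublicKey(ct)
	if err != nil {
		return nil, err
	}
	return kemSecret(sk, ctPub, ct, sk.PublicKey().Bytes())
}

// prf stands in for the TLS 1.3 key schedule: labelled keys and Finished MACs
// over the handshake transcript.
func prf(secret []byte, label string, transcript []byte) []byte {
	m := hmac.New(sha256.New, secret)
	m.Write([]byte(label))
	m.Write(transcript)
	return m.Sum(nil)
}

// runKEMTLS plays both sides of a server-authenticated KEMTLS handshake in
// process; serverStatic's public half is what the server's certificate carries.
// It returns each side's application-traffic key and whether both Finished
// MACs verified.
func runKEMTLS(serverStatic *ecdh.PrivateKey) (clientKey, serverKey []byte, ok bool, err error) {
	// Flight 1, client -> server: ephemeral KEM public key.
	clientEph, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, false, err
	}
	transcript := append([]byte{}, clientEph.PublicKey().Bytes()...)
	// Flight 2, server -> client: ciphertext for the ephemeral key plus the
	// certificate with the static KEM key. No signature is sent.
	ctE, ssEServer, err := kemEncaps(clientEph.PublicKey())
	if err != nil {
		return nil, nil, false, err
	}
	certPk := serverStatic.PublicKey() // what the client reads from the cert
	transcript = append(append(transcript, ctE...), certPk.Bytes()...)
	// Flight 3, client -> server: ciphertext for the static key and client
	// Finished. Holding both secrets, the client can already send data here.
	ssEClient, err := kemDecaps(clientEph, ctE)
	if err != nil {
		return nil, nil, false, err
	}
	ctS, ssSClient, err := kemEncaps(certPk)
	if err != nil {
		return nil, nil, false, err
	}
	transcript = append(transcript, ctS...)
	masterC := append(append([]byte{}, ssEClient...), ssSClient...)
	clientFin := prf(masterC, "client finished", transcript)
	// Server: only the holder of the static secret recovers ss_S, which is the
	// implicit authentication; its Finished (flight 4) makes it explicit.
	ssSServer, err := kemDecaps(serverStatic, ctS)
	if err != nil {
		return nil, nil, false, err
	}
	masterS := append(append([]byte{}, ssEServer...), ssSServer...)
	serverFin := prf(masterS, "server finished", transcript)
	ok = hmac.Equal(clientFin, prf(masterS, "client finished", transcript)) &&
		hmac.Equal(serverFin, prf(masterC, "server finished", transcript))
	return prf(masterC, "app", transcript), prf(masterS, "app", transcript), ok, nil
}

func main() {
	static, _ := ecdh.X25519().GenerateKey(rand.Reader)
	_, _, ok, err := runKEMTLS(static)
	fmt.Println("KEMTLS handshake completed:", ok && err == nil)
}
```

The point to notice is where the authentication comes from: an impostor who does not hold the static secret key can still answer flight 1, but cannot decapsulate ct_S, so its Finished MAC will not verify and it never obtains the application key. Swapping X25519 for an ML-KEM implementation changes only the three `kem*` functions; the transcript, key derivation and flight structure stay as they are.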
  2. Tomi Engdahl says:

    Quantum-safe encryption already calls for first steps
    https://www.uusiteknologia.fi/2024/06/06/kvanttisalaus-vaatii-jo-ensimmaisia-toimia/

    Only a fraction of the operators of Finnish critical network and other infrastructure have prepared for the future ability of quantum computers to break the encryption of data communications. This emerges from a study that the research centre VTT carried out for the National Emergency Supply Agency (Huoltovarmuuskeskus); alongside it, an information package and a roadmap of the changes needed in encryption algorithms and critical data transfer were also produced for companies in the field.

    Quantum computers are estimated to reach the ability to break the encryption of data communications in 5 to 15 years. Although there would seem to be time, according to VTT's study there is no reason to postpone the transition to a new kind of encryption. The world situation has also changed. Hostile states and cybercriminals can already record the data traffic of organisations that interest them, to wait for the time when the encryption can be broken. The development of quantum machines may also proceed faster than anticipated.

    Alongside the study, VTT and the National Emergency Supply Agency have drawn up a preparedness roadmap that guides the transition to quantum-safe algorithms and shows how and in what order to proceed for those operating in critical infrastructure sectors. The transition to quantum-safe encryption must be planned, and resources must be reserved for carrying it out. The early part of the roadmap also includes training key personnel to understand why and how to move to quantum-safe algorithms.

    According to VTT's study, the United States and Britain recommend switching over in one go. In Europe, France and Germany want to use hybrid methods, which however slow down operations. They are also more complex, so the risk of errors is greater. Finland's readiness is clearly behind its neighbours. Europe as a whole, in turn, lags behind the United States and the other English-speaking countries.

    A further challenge for critical infrastructure is that the new quantum-safe algorithms require more memory and processing power than current encryption.

    Reply
  3. Tomi Engdahl says:

    Quantinuum inches closer to fault-tolerant quantum with a 56 qubit machine
    This one only produces errors 65 percent of the time. Woo-hoo!
    https://www.theregister.com/2024/06/07/quantinuum_new_computer/

    Reply
  4. Tomi Engdahl says:

    SSH's quantum-safe NQX encryption solution receives a national top-level security classification
    Anna Helakallio, 16.7.2024 07:41. Tags: encryption, security, information security, future technologies
    The new security classification is valid for three years
    https://www.tivi.fi/uutiset/sshn-kvanttiturvalliselle-nqx-salausratkaisulle-kansallinen-huipputason-turvaluokitus/f00fcbd3-49b8-403b-b4c1-135d2911e7e7

    Reply
  5. Tomi Engdahl says:

    NIST Announces Post-Quantum Cryptography Standards Three security standards are ready for use, with a fourth on the way
    https://spectrum.ieee.org/post-quantum-cryptography-2668949802

    Today, almost all data on the Internet, including bank transactions, medical records, and secure chats, is protected with an encryption scheme called RSA (named after its creators Rivest, Shamir, and Adleman). This scheme is based on a simple fact—it is virtually impossible to calculate the prime factors of a large number in a reasonable amount of time, even on the world’s most powerful supercomputer. Unfortunately, large quantum computers, if and when they are built, would find this task a breeze, thus undermining the security of the entire Internet.

    Luckily, quantum computers are only better than classical ones at a select class of problems, and there are plenty of encryption schemes where quantum computers don’t offer any advantage. Today, the U.S. National Institute of Standards and Technology (NIST) announced the standardization of three post-quantum cryptography encryption schemes. With these standards in hand, NIST is encouraging computer system administrators to begin transitioning to post-quantum security as soon as possible.

    “Today, public key cryptography is used everywhere in every device,” Chen says. “Now our task is to replace the protocol in every device, which is not an easy task.”

    Why we need post-quantum cryptography now
    Most experts believe large-scale quantum computers won’t be built for at least another decade. So why is NIST worried about this now? There are two main reasons.

    First, many devices that use RSA security, like cars and some IoT devices, are expected to remain in use for at least a decade. So they need to be equipped with quantum-safe cryptography before they are released into the field.

    Second, a nefarious individual could potentially download and store encrypted data today, and decrypt it once a large enough quantum computer comes online. This concept is called “harvest now, decrypt later“ and by its nature, it poses a threat to sensitive data now, even if that data can only be cracked in the future.

    Security experts in various industries are starting to take the threat of quantum computers seriously, says Joost Renes, principal security architect and cryptographer at NXP Semiconductors. “Back in 2017, 2018, people would ask ‘What’s a quantum computer?’” Renes says. “Now, they’re asking ‘When will the PQC standards come out and which one should we implement?’”

    NIST announced a public competition for the best PQC algorithm back in 2016. They received a whopping 82 submissions from teams in 25 different countries. Since then, NIST has gone through 4 elimination rounds, finally whittling the pool down to four algorithms in 2022.

    These four winning algorithms had intense-sounding names: CRYSTALS-Kyber, CRYSTALS-Dilithium, Sphincs+, and FALCON. Sadly, the names did not survive standardization: The algorithms are now known as Federal Information Processing Standard (FIPS) 203 through 206. FIPS 203, 204, and 205 are the focus of today’s announcement from NIST. FIPS 206, the algorithm previously known as FALCON, is expected to be standardized in late 2024.

    Two out of the three schemes already standardized by NIST, FIPS 203 and FIPS 204 (as well as the upcoming FIPS 206), are based on another hard problem, called lattice cryptography. Lattice cryptography rests on the tricky problem of finding the lowest common multiple among a set of numbers. Usually, this is implemented in many dimensions, or on a lattice, where the least common multiple is a vector.

    The third standardized scheme, FIPS 205, is based on hash functions.

    central problem at the heart of all cryptography schemes: There is no proof that any of the math problems the schemes are based on are actually “hard.” The only proof, even for the standard RSA algorithms, is that people have been trying to break the encryption for a long time, and have all failed.

    NIST’s announcement is exciting, but the work of transitioning all devices to the new standards has only just begun. It is going to take time, and money, to fully protect the world from the threat of future quantum computers.

    “We’ve spent 18 months on the transition and spent about half a million dollars on it,” says Marty of LGT Financial Services. “We have a few instances of [PQC], but for a full transition, I couldn’t give you a number, but there’s a lot to do.”

    Reply
  6. Tomi Engdahl says:

    Announcing Approval of Three Federal Information Processing Standards (FIPS) for Post-Quantum Cryptography
    August 13, 2024
    https://csrc.nist.gov/News/2024/postquantum-cryptography-fips-approved

    The Secretary of Commerce has approved three Federal Information Processing Standards (FIPS) for post-quantum cryptography:

    FIPS 203, Module-Lattice-Based Key-Encapsulation Mechanism Standard
    FIPS 204, Module-Lattice-Based Digital Signature Standard
    FIPS 205, Stateless Hash-Based Digital Signature Standard
    These standards specify key establishment and digital signature schemes that are designed to resist future attacks by quantum computers, which threaten the security of current standards. The three algorithms specified in these standards are each derived from different submissions to the NIST Post-Quantum Cryptography Standardization Project.

    FIPS 203 specifies a cryptographic scheme called the Module-Lattice-Based Key-Encapsulation Mechanism Standard, which is derived from the CRYSTALS-KYBER submission.

    FIPS 204 and 205 each specify digital signature schemes, which are used to detect unauthorized modifications to data and to authenticate the identity of the signatory. FIPS 204 specifies the Module-Lattice-Based Digital Signature Standard, which is derived from CRYSTALS-Dilithium submission. FIPS 205 specifies the Stateless Hash-Based Digital Signature Standard, which is derived from the SPHINCS+ submission.

    Reply
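An added example to make "hash-based digital signature" concrete (editorial example code, not NIST's FIPS 205 specification and not code from the comments above). It implements a Lamport one-time signature, the simplest member of the family SLH-DSA/SPHINCS+ belongs to: security rests only on the preimage resistance of SHA-256, which Grover's algorithm weakens but Shor's does not touch. The message is a constructed firmware image, since secure boot is exactly where these signatures are being deployed. The block also shows the property that makes a plain Lamport key strictly one-time: signing two messages with the same key reveals both preimages at every position where the two digests differ, which is why SPHINCS+ layers many one-time and few-time keys under hash trees to get a stateless many-time scheme. All identifiers are the example's own.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
)

// One key pair per bit of the SHA-256 digest being signed.
const digestBits = 256

type lamportPriv [digestBits][2][32]byte // secret preimages
type lamportPub [digestBits][2][32]byte  // their SHA-256 hashes
type lamportSig [digestBits][32]byte     // one revealed preimage per digest bit

// lamportKeyGen draws 2*256 random preimages and publishes their hashes.
func lamportKeyGen() (*lamportPriv, *lamportPub, error) {
	sk, pk := new(lamportPriv), new(lamportPub)
	for i := range sk {
		for b := 0; b < 2; b++ {
			if _, err := rand.Read(sk[i][b][:]); err != nil {
				return nil, nil, err
			}
			pk[i][b] = sha256.Sum256(sk[i][b][:])
		}
	}
	return sk, pk, nil
}

// bitAt returns bit i of the digest, most significant bit first.
func bitAt(d [32]byte, i int) int {
	return int(d[i/8]>>(7-uint(i%8))) & 1
}

// lamportSign reveals, for each digest bit, the preimage that bit selects.
func lamportSign(sk *lamportPriv, msg []byte) *lamportSig {
	d := sha256.Sum256(msg)
	sig := new(lamportSig)
	for i := range sig {
		sig[i] = sk[i][bitAt(d, i)]
	}
	return sig
}

// lamportVerify re-hashes every revealed preimage and checks it against the
// public hash selected by the same digest bit; all 256 positions must match.
func lamportVerify(pk *lamportPub, msg []byte, sig *lamportSig) bool {
	d := sha256.Sum256(msg)
	ok := 1
	for i := range sig {
		h := sha256.Sum256(sig[i][:])
		ok &= subtle.ConstantTimeCompare(h[:], pk[i][bitAt(d, i)][:])
	}
	return ok == 1
}

// exposedByReuse counts the positions at which both preimages become public
// once one key has signed both messages: every position where the digests
// differ. An attacker holding both signatures can then forge any message
// whose digest agrees with one of the two at every position.
func exposedByReuse(msg1, msg2 []byte) int {
	d1, d2 := sha256.Sum256(msg1), sha256.Sum256(msg2)
	n := 0
	for i := 0; i < digestBits; i++ {
		if bitAt(d1, i) != bitAt(d2, i) {
			n++
		}
	}
	return n
}

func main() {
	sk, pk, err := lamportKeyGen()
	if err != nil {
		panic(err)
	}
	// Constructed sample inputs standing in for two firmware images.
	v1 := []byte("constructed firmware image v1.0")
	v2 := []byte("constructed firmware image v1.1")
	sig := lamportSign(sk, v1)
	fmt.Println("v1 verifies:", lamportVerify(pk, v1, sig))
	fmt.Println("v2 with v1's signature verifies:", lamportVerify(pk, v2, sig))
	fmt.Println("positions fully exposed if the key also signed v2:", exposedByReuse(v1, v2))
}
```

Sizes are the practical lesson: this public key is 16 KiB and each signature 8 KiB, far beyond the FIPS 205 figures, because Lamport spends 32 bytes per digest bit with no compression; SPHINCS+ gets its smaller keys from Winternitz chains and Merkle trees, at the cost of much larger signatures than the lattice schemes.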
  7. Tomi Engdahl says:

    Frederic Lardinois / TechCrunch:
    The US NIST publishes its first three post-quantum cryptography standards; IBM’s director of research thinks quantum will hit an inflection point around 2030 — It’ll still be a while before quantum computers become powerful enough to do anything useful, but it’s increasingly likely …

    The first post-quantum cryptography standards are here
    https://techcrunch.com/2024/08/13/the-first-post-quantum-cryptography-standards-are-here/?guccounter=1&guce_referrer=aHR0cHM6Ly93d3cudGVjaG1lbWUuY29tLw&guce_referrer_sig=AQAAAJMZevVzp3QppLycVFq9mC8mKfDsE6GEexiHjfz1qpzSoosAyNScqQo4kwG2bTBQLDtqSbwsVloEnNt8XJzMPJ4l1cKFKNvfm-fM-QiEy7ze3m4wE8xysv1KWMznO3_y2Oqauulp13ARgChyYx3dmqGG4FLZp9WOBJznI31uGyS6

    It’ll still be a while before quantum computers become powerful enough to do anything useful, but it’s increasingly likely that we will see full-scale, error-corrected quantum computers become operational within the next five to 10 years. That’ll be great for scientists trying to solve hard computational problems in chemistry and material science, but also for those trying to break the most common encryption schemes used today. That’s because the mathematics of the RSA algorithm that, for example, keep the internet connection to your bank safe, are almost impossible to break with even the most powerful traditional computer. It would take decades to find the right key. But these same encryption algorithms are almost trivially easy for a quantum computer to break.

    “Then the question is, from that point on, how many years until you have systems capable of [breaking RSA]? That’s open for debate, but suffice to say, we’re now in the window where you’re starting to say: all right, so somewhere between the end of the decade and 2035 the latest — in that window — that is going to be possible. You’re not violating laws of physics and so on,” he explained.

    One excuse for this, he said, is that there weren’t any standards yet, which is why the new standards announced Tuesday are so important (and the process for getting to a standard, it’s worth noting, started in 2016).

    Even though many CISOs are aware of the problem, Gil said, the urgency to do something about it is low. That’s also because for the longest time, quantum computing became one of those technologies that, like fusion reactors, was always five years out from becoming a reality. After a decade or two of that, it became somewhat of a running joke. “That’s one uncertainty that people put on the table,” Gil said. “The second one is: OK, in addition to that, what is it that we should do? Is there clarity in the community that these are the right implementations? Those two things are factors, and everybody’s busy. Everybody has limited budgets, so they say: ‘Let’s move that to the right. Let’s punt it.’ The task of institutions and society to migrate from current protocols to the new protocol is going to take, conservatively, decades. It’s a massive undertaking.”

    It’s now up to the industry to start implementing these new algorithms. “The math was difficult to create, the substitution ought not to be difficult,” Gil said about the challenge ahead, but he also acknowledged that that’s easier said than done.

    Indeed, a lot of businesses may not even have a full inventory of where they are using cryptography today. Gil suggested that what’s needed here is something akin to a “cryptographic bill of materials,” similar to the software bill of materials (SBOM) that most development teams now generate to ensure that they know which packages and libraries they use in building their software.

    Like with so many things quantum, it feels like now is a good time to prepare for its arrival — be that learning how to program these machines or how to safeguard your data from them. And, as always, you have about five years to get ready.

    Reply
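An added example of the "cryptographic bill of materials" idea raised above (editorial example code; neither IBM's nor TechCrunch's, and not a product). It takes a PEM bundle of certificates, records the public-key algorithm and size of each, flags every quantum-vulnerable algorithm, and, because the article's first reason for acting now is hardware that stays in service for a decade, also flags certificates whose validity outlives a migration deadline. Assumptions: the deadline `qDayHorizon` of 2030 is a planning choice, not a forecast; the two certificates are constructed self-signed test data; all names are the example's own.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

type cbomEntry struct {
	Subject      string
	Algorithm    string
	KeyBits      int
	QuantumVuln  bool // public-key algorithm broken by Shor's algorithm
	OutlivesQDay bool // still valid after the assumed migration deadline
}

// qDayHorizon is an assumed planning deadline, not a prediction.
var qDayHorizon = time.Date(2030, 1, 1, 0, 0, 0, 0, time.UTC)

func classifyCert(cert *x509.Certificate) cbomEntry {
	e := cbomEntry{Subject: cert.Subject.CommonName, Algorithm: cert.PublicKeyAlgorithm.String()}
	e.OutlivesQDay = cert.NotAfter.After(qDayHorizon)
	// Every public-key algorithm Go's x509 recognises (RSA, DSA, ECDSA, Ed25519)
	// falls to Shor's algorithm; only an unparseable key escapes the flag.
	e.QuantumVuln = cert.PublicKeyAlgorithm != x509.UnknownPublicKeyAlgorithm
	switch pk := cert.PublicKey.(type) {
	case *rsa.PublicKey:
		e.KeyBits = pk.N.BitLen()
	case *ecdsa.PublicKey:
		e.Algorithm, e.KeyBits = "ECDSA "+pk.Curve.Params().Name, pk.Curve.Params().BitSize
	}
	return e
}

// inventoryPEM classifies every CERTIFICATE block in a PEM bundle.
func inventoryPEM(bundle []byte) ([]cbomEntry, error) {
	var out []cbomEntry
	for block, rest := pem.Decode(bundle); block != nil; block, rest = pem.Decode(rest) {
		if block.Type != "CERTIFICATE" {
			continue // private keys and other blocks are out of scope here
		}
		cert, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return nil, err
		}
		out = append(out, classifyCert(cert))
	}
	return out, nil
}

// sampleBundle constructs two self-signed certificates (not real data): an RSA
// one expiring before the horizon and an ECDSA one that outlives it.
func sampleBundle() ([]byte, error) {
	rsaKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	ecKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	certs := []struct {
		cn   string
		key  crypto.Signer
		year int
	}{{"web-frontend", rsaKey, 2027}, {"vehicle-ecu", ecKey, 2038}}
	var bundle []byte
	for i, c := range certs {
		tmpl := &x509.Certificate{
			SerialNumber: big.NewInt(int64(i + 1)),
			Subject:      pkix.Name{CommonName: c.cn},
			NotBefore:    time.Now().Add(-time.Hour),
			NotAfter:     time.Date(c.year, 1, 1, 0, 0, 0, 0, time.UTC),
		}
		der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, c.key.Public(), c.key)
		if err != nil {
			return nil, err
		}
		bundle = append(bundle, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})...)
	}
	return bundle, nil
}

func main() {
	bundle, err := sampleBundle()
	if err != nil {
		panic(err)
	}
	entries, err := inventoryPEM(bundle)
	fmt.Printf("%+v %v\n", entries, err)
}
```

In a real inventory the bundle would come from the trust stores, TLS endpoints, code-signing keys and firmware images an organisation actually ships; the entries with both flags set (vulnerable algorithm, validity past the horizon) are the ones to migrate to ML-DSA (FIPS 204) or SLH-DSA (FIPS 205) first, since they cannot be rotated away once in the field.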
  8. Tomi Engdahl says:

    Race to develop quantum-resistant encryption intensifies: https://ie.social/Njw2d

    Breakthrough quantum algorithm can break advanced data encryption
    https://interestingengineering.com/science/quantum-algorithm-mit-crack-advanced-encryption?utm_source=facebook&utm_medium=article_image

    The widely-used RSA encryption system relies on the difficulty of factoring extremely large numbers, a task that classical computers cannot accomplish in a reasonable timeframe.

    Reply
  9. Tomi Engdahl says:

    https://etn.fi/index.php/13-news/16543-suomalaistekniikka-tuo-laitteisiin-kvanttiturvallisen-kaeynnistyksen

    The Finnish company Xiphera, which develops cryptography solutions, has introduced its latest product, which brings quantum-safe authentication to boot images and firmware updates. The product is called nQrux Secure Boot, and it becomes part of the company's nQrux Hardware Trust Engines family.

    Reply
  10. Tomi Engdahl says:

    Meta warns of looming ‘quantum apocalypse’ for modern encryption, cryptography standards
    Meta said that protecting asymmetric cryptography used by blockchains is the company’s top priority related to quantum computing.
    https://cryptoslate.com/meta-warns-of-looming-quantum-apocalypse-for-modern-encryption-cryptography-standards/

    Reply
  11. Tomi Engdahl says:

    ‘Unbreakable’ quantum communication closer to reality thanks to new, exceptionally bright photons
    https://www.livescience.com/technology/communications/unbreakable-quantum-communication-closer-to-reality-thanks-to-new-exceptionally-bright-photons

    Scientists build a new light source for quantum communications by combining existing technologies together to create a stronger and more robust quantum signal.

    Reply
  12. Tomi Engdahl says:

    The Register: Crypto-apocalypse soon? Chinese researchers find a potential quantum attack on classical encryption > https://go.theregister.com/feed/www.theregister.com/2024/10/14/china_quantum_attack/, 2024-10-14 06:30:09 +0000

    Reply
  13. Tomi Engdahl says:

    Chinese Scientists Report Using Quantum Computer to Hack Military-grade Encryption
    https://thequantuminsider.com/2024/10/11/chinese-scientists-report-using-quantum-computer-to-hack-military-grade-encryption/

    Chinese researchers, using a D-Wave quantum computer, claim to have executed what they are calling the first successful quantum attack on widely used encryption algorithms, posing a “real and substantial threat” to sectors like banking and the military, as reported by SCMP.
    The D-Wave Advantage, initially designed for non-cryptographic applications, was used to breach SPN-structured algorithms but has not yet cracked specific passcodes, highlighting the early-stage nature of this threat.
    Despite the advance, the researchers acknowledge limitations such as environmental interference, underdeveloped hardware and the inability to develop a single attack method for multiple encryption systems still hinder quantum computing’s full cryptographic potential.

    According to SCMP, the research team employed the D-Wave Advantage quantum computer to target the Present, Gift-64, and Rectangle algorithms, called key representatives of the Substitution-Permutation Network (SPN) structure. This structure is foundational for advanced encryption standards (AES), a system widely deployed in military and financial encryption protocols, according to the newspaper. While AES-256 is often labeled as military-grade and considered the most secure encryption standard available, the study suggests that quantum computers may soon threaten such security.

    “This is the first time that a real quantum computer has posed a real and substantial threat to multiple full-scale SPN structured algorithms in use today,”

    Reply
  14. Tomi Engdahl says:

    Chinese Hackers Use Quantum Computer to Break Military Grade Encryption
    https://futurism.com/the-byte/hackers-quantum-computer-military-encryption

    It’s “the first time that a real quantum computer has posed a real and substantial threat.”

    As The Register notes, details of the hackers’ techniques remain pretty murky. The quantum-aided attacks were also implemented against a much shorter encryption key than is usually used in the real world, meaning that the alleged findings are, at best, a promising though still theoretical start to cracking these algorithms out in the wild.

    All in all, though the paper comes with a heavy grain of salt, its findings may warrant a pulse check on the efficacy of modern encryption standards — not to mention fuel efforts to devise the cryptography standards of the future.

    Reply
  15. Tomi Engdahl says:

    Bittium's Mobile VPN gets quantum protection
    https://www.uusiteknologia.fi/2024/10/22/bittiumin-mobile-vpn-sai-kvanttiturvan/

    The Oulu-based technology company Bittium has implemented an ML-KEM algorithm extension in its SafeMove Mobile VPN software, which is used to encrypt data communication connections; with it, Bittium can offer quantum-safe connections and protect them against future threats from quantum computing.

    By moving to quantum-safe algorithms it is possible to avoid a situation in which data encrypted with classical algorithms can be collected for later analysis on a quantum computer. Classical algorithms are vulnerable to powerful quantum computation, so quantum-safe algorithms are needed to replace them.

    Implementing quantum-safe algorithms has become more topical as the development of quantum computers advances. In Finland too, the national crypto working group has decided that the quantum-safe algorithms standardised by NIST, such as ML-KEM, will be added to the national crypto criteria used in the evaluation of encryption products.

    In Bittium's SafeMove Mobile VPN software, which uses the IPsec protocol, encryption is implemented as a so-called hybrid method, that is, a combination of two algorithms: a classical public-key algorithm and a quantum-safe algorithm. The advantage of the hybrid method is that the security of the data is not compromised even if a vulnerability were found in the quantum-safe algorithm as algorithm research and the development of quantum computers continue to advance.

    SafeMove Mobile VPN is used, for example, in the Bittium Tough Mobile 2 C military phone, which is approved for protecting information at the NATO Restricted and TL III levels, and it can be deployed on other Android and Microsoft Windows devices.

    https://www.bittium.com/defense-security/bittium-safemove-mobile-vpn/

    Reply
  16. Tomi Engdahl says:

    Microchip's newest RISC-V microprocessors support quantum-grade encryption
    https://etn.fi/index.php/13-news/16754-microchipin-uusimmat-risc-v-mikroprosessorit-tukevat-kvanttiluokan-salausta

    The expected arrival of quantum computers poses a significant threat, as they render current security methods ineffective. Microchip's RISC-V-based PIC64HX is one of the first microprocessors on the market to support the recently standardised quantum-grade encryption algorithms.

    These are the FIPS 203 and FIPS 204 algorithms standardised by NIST. FIPS 203 (ML-KEM) is a cryptographic algorithm intended for key exchange that provides protection against the computing power of quantum computers. FIPS 204 (ML-DSA), in turn, is a digital signature algorithm that ensures data integrity and authentication in a quantum-safe way.

    The PIC64HX is a high-performance multi-core 64-bit RISC-V microprocessor capable of advanced artificial intelligence (AI) and machine learning (ML) processing. It is equipped with TSN Ethernet connectivity supporting time-critical networking, as well as defence-grade security.

    The Ethernet switch integrated on the processor includes TSN features

    Reply
  17. Tomi Engdahl says:

    Quantum Technology Is a Threat to Data Security. It’s Also Part of the Solution
    https://sponsored.bloomberg.com/quicksight/nokia/quantum-technology-is-a-threat-to-data-security-it-s-also-part-of-the-solution?utm_medium=social&utm_id=customcontent-PowerofN&utm_source=Facebook&utm_campaign=Business-Paid&utm_content=USEU-Ad3&fbclid=IwZXh0bgNhZW0BMABhZGlkAAAGAHqcVEgBHS1X1_kN91ffAXPn5oKh4nImD7UuKhLlW2-3c9bjIoeHgg2V-P9lPryghQ_aem_rkYl85JtEJeM4PJ-F8HJxg

    As digital technology becomes more sophisticated, so do the associated risks. The average cost of a data breach is now almost $4.5 million, and ensuring data security and privacy are rapidly escalating business priorities. Companies are being forced to rethink their digital security strategies to minimize risks to their operations, employees and customers.

    Fast-evolving quantum computers may further increase these risks

    The Impact
    It will take between five and 10 years for the necessary developments in hardware, software and error correction to bring quantum computing into the mainstream. While not yet mature, the technology is making faster progress than initially expected.

    The Global Risk Institute estimates that by 2030, there will be an 11% to 31% probability that quantum computers will be able to break our most prevalent cryptographic methods, which are based on the factorization of large prime numbers. And this probability will only increase.

    This poses a tremendous threat to every enterprise or organization that relies upon trusted data as its lifeblood

    For mission-critical industries such as defense, transportation, energy and utilities, security breaches can prove catastrophic. They can involve state actors, nation-to-nation conflicts and the disruption of critical systems. But the effects can be equally serious for financial institutions, research facilities and health care operations.

    “That is where we are seeing a lot of momentum right now, because those industries have the kind of sensitive information that has been—and needs to remain—private for a very long time,” Charbonneau says.

    According to Mohapatra, “The key to overcoming this challenge lies in leveraging quantum computing to develop more robust cryptographic systems.”

    Adopting a defense-in-depth strategy, which incorporates multiple layers of complementary and additive quantum-safe cryptography across both applications and networks, will make it harder for threat actors to compromise our data. And this is what quantum-safe networks—an outcome-based solution—aim to achieve.

    Quantum-safe networks provide essential protection for quantum computing. By integrating quantum-safe technologies, such networks are fortified against future cyber threats, hindering malicious actors.

    Investing in quantum-safe networks will reduce the risks faced by organizations due to quantum computers’ encryption-busting abilities.

    Reply
  18. Tomi Engdahl says:

    Here’s the paper no one read before declaring the demise of modern cryptography
    The advance was incremental at best. So why did so many think it was a breakthrough?
    https://arstechnica.com/information-technology/2024/10/the-sad-bizarre-tale-of-hype-fueling-fears-that-modern-cryptography-is-dead/#gsc.tab=0

    Reply
  19. Tomi Engdahl says:

    A significant step: quantum encryption in a commercial operator's network
    https://www.uusiteknologia.fi/2024/11/14/merkittava-edistysaskel-kvanttisalaus-vietiin-kaupallisen-operaattorin-verkkoon/

    The telecommunications company Telia is the first commercial operator to have tested a new kind of quantum encryption technology in its own network. The trial carried out in Helsinki this week is a significant step forward in the national project building a quantum-safe encryption network.

    The new quantum key distribution (QKD) is a new method based on quantum mechanics for ensuring secure data communications. The project is part of the EU's EuroQCI initiative, which is creating a quantum encryption network covering the Union's territory by the end of this decade, especially to protect critical infrastructure.

    In Finland, the research institute VTT leads the national quantum-safe network project NaQCI.fi together with CSC, the IT Center for Science, which focuses on supercomputers, and the mainly state-owned Cinia Oy and Suomen Erillisverkot Oy.  In connection with this, Telia's test belongs to the phase in which a public test network is being built in the Helsinki metropolitan area. Similar national test networks are coming to every EU country.

    "Telia's demo is a significant step towards building Finland's quantum-safe network and its wider use in companies and organisations. Now we got to see how the new and demanding technology works in a commercial operator's network," says VTT senior scientist Kari Seppänen.

    We enable future security -
    we enable the security of the future.
    Petrus coordinates the deployment of EuroQCI, a secure quantum communication infrastructure spanning the whole EU, including its overseas territories.
    https://petrus-euroqci.eu/

    Reply
  20. Tomi Engdahl says:

    Telia tested quantum key exchange
    https://etn.fi/index.php/13-news/16852-telia-testasi-kvanttiavaintenvaihtoa

    Telia is the first commercial operator to have tested extremely secure quantum encryption technology in its own network in Helsinki. The test carried out last week is a significant step forward in the national project whose goal is to build a quantum-safe encryption network for Finland.

    Quantum key distribution (QKD) is a method based on quantum mechanics that guarantees extremely secure data communications. The test is related to Finland's national project, which is part of the EU EuroQCI initiative. The initiative's goal is to build a Europe-wide quantum encryption network by 2030, especially to protect critical infrastructure.

    In Finland, the national quantum-safe network is being developed by the NaQCI.fi project, led by VTT in cooperation with CSC, Cinia and Suomen Erillisverkot Oy. Telia's test is part of the project's first phase, in which a public test network is being built in the Helsinki metropolitan area. Similar networks are under development in all EU countries.

    Reply
  21. Tomi Engdahl says:

    Check Point renewed its firewall: AI revolutionizes cybersecurity
    https://etn.fi/index.php/13-news/16895-check-point-uudisti-palomuurinsa-tekoaely-mullistaa-kyberturvan

    Check Point Software Technologies has announced its new Quantum Firewall Software R82, which brings unprecedented AI-based cybersecurity solutions to the market. The software is intended to answer the global growth in cyber threats faced by organizations, which has reached as much as 75 percent. R82 uses advanced AI technology and offers effective solutions for countering zero-day attacks, phishing, malware and DNS vulnerabilities.

    Check Point's product chief Nataly Kremer stresses that as threats become more complex, organizations need intelligent and agile solutions to stay a step ahead. The new software not only offers world-class security innovations but also makes deploying them easy and scalable, which is vital in today's business environment.

    The Quantum Firewall R82 software uses four new AI engines, with which it can block up to 99.8 percent of all zero-day attacks. This means blocking over 500,000 additional attacks per month. In addition, the software is designed to support the agility of data centers and application development. Deploying virtual systems is now up to three times faster, which lets application development proceed quickly and multi-tenant environments be managed effortlessly.

    Another significant improvement is the software's use of NIST-approved Kyber encryption, which provides security resistant to quantum computers. This ensures that organizations' encrypted data stays secure in the future too, when quantum computers may threaten current encryption standards.

    Check Point has also added several AI-based innovations to its software, such as the Infinity AI Copilot assistant, which speeds up threat resolution and security management, and the GenAI Protect solution, which enables the secure use of generative AI in enterprises. In addition, the company offers the Infinity External Risk Management service, which monitors and blocks threats in real time.

    Reply
  22. Tomi Engdahl says:

    Google unveils new quantum computing chip: Clock ticking for crypto encryption?
    One expert says while Willow is a significant development, it’s still far short of being a threat to crypto encryption, at least for now.
    https://cointelegraph.com/news/google-unveils-new-quantum-computing-chip-clock-ticking-crypto-encryption

    Google’s Quantum AI team says its new quantum computing chip is capable of solving a computational problem in less than five minutes — the same problem that would take one of the best supercomputers about 10 septillion years to solve.

    The chip, known as Willow, can exponentially correct errors and process certain computations at a mind-boggling pace, Hartmut Neven, Google’s Quantum AI lead, said in a Dec. 9 blog.

    “This mind-boggling number exceeds known timescales in physics and vastly exceeds the age of the universe,” he said.

    Is Willow a threat to crypto encryption?
    Advances in quantum computing have long been feared as an inflection point for the crypto industry. Computers capable of breaking encryption could expose user funds to thieves in large volumes and at rapid rates.

    Tech entrepreneur and former senior product manager for Google, Kevin Rose, said in a Dec. 9 statement on X that Willow was still far short of being a threat to crypto.

    According to Rose, estimates for compromising Bitcoin’s encryption would require a quantum computer with approximately 13 million qubits to achieve decryption within 24 hours.

    “In contrast, Google’s Willow chip, while a significant advancement, comprises 105 qubits,” he said.

    Reply
  23. Tomi Engdahl says:

    Google’s Willow Chip Signals the Urgency of Post-Quantum Cryptography Migration

    Google’s Willow quantum chip marks a transformative moment in quantum computing development.

    https://www.securityweek.com/googles-willow-chip-signals-the-urgency-of-post-quantum-cryptography-migration/

    Forget the 10 septillion years needed for a classical computer to solve this problem, and focus instead on the falling number of necessary error correction qubits.

    Google announced its latest quantum computing advance, the Willow chip, on December 9, 2024. The announcement focuses on two aspects: current power and future potential.

    The power is demonstrated by large numbers: Willow can solve a problem in less than five minutes that would take a classical supercomputer 10 septillion years to solve. Now, even though the supercomputer and the length of time it would take are not factual but obviously simulations, and even though the problem may have been developed specifically to be solved by Willow, this is mighty impressive.

    Karl Holmqvist, founder and CEO of Lastwall, explains the process. “What Google achieved with Willow involves something called random circuit sampling (RCS), which generates random quantum circuits specifically designed as a benchmark for quantum computers,” he told SecurityWeek.

    “RCS is about creating complex pseudo-random quantum circuits, making it extremely difficult for classical computers to process. In that sense, it’s a contrived problem because it’s built specifically to test quantum systems. However, it is also an accepted benchmark for evaluating whether a system can harness quantum effects.”

    It is and is meant to be impressive. Note that in 2019 Google bragged about achieving ‘quantum supremacy’ with a quantum computer that could solve a different problem that would take a supercomputer 10,000 years to solve in around 200 seconds. Willow shows a remarkable improvement in just five years.

    But it is perhaps not as impressive as we are meant to assume. There is no apparent dramatic decrease in the time to a cryptographically relevant quantum computer (CRQC) – that point at which a quantum computer will be able to decrypt current PKE encryption. To put it bluntly, it is specifically CRQC rather than quantum computing in general that is of current concern to cybersecurity professionals.

    It is the other part of the Willow announcement that is of greater importance — Google appears to have made a breakthrough in quantum error correction. Qubits are so inherently fragile (prone to errors from environmental noise, decoherence, and operational imperfections) that each ‘functioning’ qubit requires many more qubits to correct the errors. Without that error correction, a quantum computer effectively decays into a classical computer.

    Willow has 105 qubits. IBM’s Osprey says it has 433 qubits. “What’s the use of a high qubit count if error rates are so high the results cannot be trusted?” asks Skip Sanzeri, co-founder and COO, QuSecure. “I think it’s safe to say that IBM and others have not yet achieved these error correction milestones or most likely we would have heard about them. We can bet that all eyes will be on Google as other companies and nation-states will attempt to mimic Willow’s error correction.”

    Google has demonstrated with Willow that it can increase the number of qubits while simultaneously reducing the reliance on error correcting qubits.

    “This is a major watershed moment for quantum computation design, marked by the demonstration of below-threshold scaling capabilities,”

    It is impossible to say that Willow and Google’s below threshold error correction brings the day of CRQC any closer, but it does have that potential. The real lesson for security folk is that we no longer dare delay our cryptographic migration to NIST’s post quantum and agile encryption algorithms. To do so goes beyond folly.

    https://www.securityweek.com/post-quantum-cryptography-standards-officially-announced-by-nist-a-history-and-explanation/

    Reply
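The SecurityWeek post above defines a CRQC as a quantum computer able to decrypt current public-key encryption, and later in this thread Shor's algorithm is named as the tool. The added example below is mine, not code from the article, from Google or from SecurityWeek. It runs the classical part of Shor's algorithm against a toy RSA key built from the constructed primes 61 and 53: the only step a quantum computer contributes is order-finding (`find_order`), brute-forced here, and once the order is known the private exponent follows from ordinary arithmetic. All function names are my own.

```python
"""Classical reduction behind Shor's algorithm, applied to a toy RSA key.

Added example, not from the article. The one step a quantum computer
contributes is find_order(); here it is brute-forced, which is exactly the
exponential-time part that keeps RSA-2048 safe against classical machines.
"""
from math import gcd
import random


def find_order(a, n):
    """Return the multiplicative order r of a mod n: the smallest r >= 1 with
    pow(a, r, n) == 1. Requires gcd(a, n) == 1.

    This is the subroutine Shor replaces with a quantum Fourier transform.
    Classically it costs up to n steps, exponential in the bit length of n;
    the toy modulus used here is small enough to brute-force.
    """
    r, x = 1, a % n
    while x != 1:
        x = (x * a) % n
        r += 1
    return r


def _ordered(p, n):
    """Return the factor pair (p, n/p) in ascending order."""
    q = n // p
    return (min(p, q), max(p, q))


def shor_factor(n, seed=1, max_tries=100):
    """Factor an odd composite n that is not a prime power via Shor's
    order-finding reduction. Returns (p, q) with p < q.

    For a random a coprime to n with even order r, y = a**(r/2) mod n is a
    square root of 1; whenever y != n-1 it is a nontrivial root, and
    gcd(y - 1, n) is then a proper factor. Each try succeeds with probability
    at least 1/2, so max_tries bounds the loop for non-prime input.
    """
    if n % 2 == 0:
        return _ordered(2, n)
    rng = random.Random(seed)          # seeded so the run is reproducible
    for _ in range(max_tries):
        a = rng.randrange(2, n)
        g = gcd(a, n)
        if g > 1:                      # lucky guess already shares a factor
            return _ordered(g, n)
        r = find_order(a, n)
        if r % 2:                      # odd order: retry with another a
            continue
        y = pow(a, r // 2, n)          # y*y == 1 (mod n) and y != 1
        if y == n - 1:                 # trivial square root of 1: retry
            continue
        return _ordered(gcd(y - 1, n), n)
    raise RuntimeError(f"no factor of {n} found in {max_tries} tries (prime input?)")


def rsa_toy_keypair(p, q, e=17):
    """Textbook RSA key generation from two given (constructed) primes.
    Returns ((n, e), d)."""
    n, phi = p * q, (p - 1) * (q - 1)
    d = pow(e, -1, phi)                # modular inverse, Python >= 3.8
    return (n, e), d


def recover_private_exponent(public_key):
    """Recover d from (n, e) alone: factor n with shor_factor, then invert e
    mod phi(n) exactly as the legitimate key holder did."""
    n, e = public_key
    p, q = shor_factor(n)
    return pow(e, -1, (p - 1) * (q - 1))


if __name__ == "__main__":
    public, d = rsa_toy_keypair(61, 53)          # constructed toy primes, n = 3233
    m = 65                                        # plaintext as an integer < n
    c = pow(m, public[1], public[0])              # what a "harvest now" attacker stores
    d_recovered = recover_private_exponent(public)
    print(f"n={public[0]} e={public[1]} real d={d} recovered d={d_recovered}")
    print("decrypted:", pow(c, d_recovered, public[0]))
```

Everything outside `find_order` is cheap, which is the point: the millions of qubits quoted elsewhere in this thread are what it would take to run that one loop as a quantum circuit on a 2048-bit modulus, and nothing in the rest of the attack depends on quantum hardware.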
  24. Tomi Engdahl says:

    Nokia was the first to demo a quantum-secure mobile network
    https://etn.fi/index.php/13-news/16981-nokia-demosi-ensimmaeisenae-kvanttiturvallista-mobiiliverkkoa

    Nokia and Turkcell have together achieved the world's first implementation of quantum-secure IPsec network encryption for use in mobile networks. This significant achievement represents a critical step in protecting mobile networks against the threats posed by future quantum computers. Nokia and Turkcell use the latest cryptographic standards to ensure that mobile communications remain secure in current and future threat situations.

    As quantum computers develop, traditional cryptographic methods such as RSA and ECC may become vulnerable to powerful quantum attacks that can break traditional encryption. This brings significant challenges to information security, especially in critical infrastructures such as mobile networks. Nokia's and Turkcell's joint demonstration of deploying quantum-secure IPsec encryption in a mobile network sets a new standard for network protection.

    The demonstration used AES-256 encryption (Advanced Encryption Standard, 256-bit), which is a symmetric encryption algorithm. Symmetric algorithms such as AES-256 are quantum-secure because they withstand the known attack methods of quantum computers, such as Grover's algorithm, which only halves the algorithm's effective key length (256 bits -> 128 bits). AES-256 still offers a sufficient level of security even in the era of quantum computers.

    Data transfer between the routers is based on the MACsec standard (Media Access Control Security). MACsec is a Layer 2 encryption standard for Ethernet that protects the network by ensuring data confidentiality and integrity. Combined with AES-256 encryption, MACsec guarantees secure transfer of data and keys in the network.

    Nokia's FP5 processor serves as the technical backbone of the demonstration. FP5 supports both AES-256 encryption and the MACsec standard

    Reply
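The Nokia post above says Grover's algorithm "only halves" the effective key length of AES-256. The added example below is mine, not Nokia's or the article's: it simulates Grover's search over a toy 8-bit key space classically (the full amplitude vector is kept in a Python list, which is exactly what a quantum computer avoids) and counts the oracle queries, so the square-root speedup behind the halving is visible. `grover_search`, `grover_queries` and the marked key 0xA5 are names and values chosen here.

```python
"""State-vector simulation of Grover's search over a toy key space.

Added example, not from the article. Shows why a quantum brute-force search
needs about sqrt(N) oracle queries instead of N/2, which is the origin of the
rule "Grover halves the effective key length".
"""
import math


def grover_search(n_bits, marked):
    """Search N = 2**n_bits candidates for the single index the oracle marks.

    Real amplitudes suffice for Grover's iteration, so the state is a plain
    list of N floats. Returns (most likely index, oracle queries made,
    probability of measuring that index).
    """
    n = 1 << n_bits
    amp = [1.0 / math.sqrt(n)] * n                # uniform superposition over all keys
    queries = int(math.pi / 4 * math.sqrt(n))     # near-optimal iteration count ~ sqrt(N)
    for _ in range(queries):
        amp[marked] = -amp[marked]                # oracle: phase-flip the key that "decrypts correctly"
        mean = sum(amp) / n
        amp = [2.0 * mean - a for a in amp]       # diffusion: reflect every amplitude about the mean
    probs = [a * a for a in amp]
    best = max(range(n), key=probs.__getitem__)
    return best, queries, probs[best]


def grover_queries(key_bits):
    """Oracle queries for a key_bits-bit key: (Grover's ~ (pi/4)*2**(k/2),
    classical average 2**k / 2). log2 of the first is about key_bits/2."""
    n = 2 ** key_bits
    return int(math.pi / 4 * math.sqrt(n)), n // 2


if __name__ == "__main__":
    found, queries, prob = grover_search(8, 0xA5)    # constructed toy 8-bit key
    print(f"found key 0x{found:02x} after {queries} oracle queries, p={prob:.5f}")
    for bits in (8, 128, 256):
        q_quantum, q_classical = grover_queries(bits)
        print(f"{bits}-bit key: Grover ~2^{math.log2(q_quantum):.1f} queries, "
              f"classical ~2^{math.log2(q_classical):.0f}")
```

For the 8-bit toy space the marked key comes out with probability above 0.999 after 12 queries where a classical search needs 128 on average; scaled up, a 256-bit key costs roughly 2^128 Grover queries, which is why AES-256 is rated at about 128-bit strength against a quantum adversary and AES-128 at about 64.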
  25. Tomi Engdahl says:

    Bitcoin’s Endgame: Quantum Computing Comes For BTC
    https://www.forbes.com/sites/davidbirnbaum/2024/12/28/bitcoins-endgame-quantum-computing-comes-for-btc/?fbclid=IwY2xjawHeqG1leHRuA2FlbQIxMQABHRD-P1FeCBYrN-hGdReYPoPE9SHAeqcTWZ5LJ539ggEg9KdVC4B6KP9r0w_aem_XRSoeDmB0WKRrXPBtYZGqQ

    In recent days there has been a mini media firestorm surrounding Google’s announcement about Willow, its new quantum computer, and a perceived threat to bitcoin. Most of the analysis reveals a remarkably surface-level understanding of how quantum computing will change cryptography, as well as how bitcoin remains resilient to these kinds of technological advancements. We’re going to take a deeper look at quantum computing and the threat it poses to bitcoin. It will get a tiny bit technical, but this is necessary to scratch the surface and understand what these latest developments really mean.

    In short, quantum computing will certainly necessitate a change to bitcoin’s protocol within the next few years, similar to the computer upgrades triggered by Y2K. It will likely be a complicated and time-consuming exercise, but not an existential threat to bitcoin itself. And it won’t only be bitcoin that’s affected, since what we are really dealing with is the ability of quantum computers to crack every kind of cryptography we use today across finance, commerce, banking, and more.

    It’s hard not to wonder whether some of this alarmism about the end of bitcoin stems from a kind of “sour grapes” dynamic. Critics who have long eschewed bitcoin – whether because they don’t believe it could ever work, resent its challenge to government control, or simply regret not investing when it was cheaper – are seizing on Google’s quantum computing news to predict bitcoin’s downfall. These reactions often say more about the biases of the skeptics than the vulnerabilities of the bitcoin itself.

    Google’s Willow quantum computer can make calculations with 105 qubits, and its output is believed (as of now) to be relatively accurate. Although 105 qubits represents a large step forward, breaking bitcoin’s encryption would require 200 to 400 million qubits. To reach this capability within 10 years, quantum bit depth would have to rise over 324% annually, which is far outside expectations.

    Nonetheless, quantum computing is a threat to bitcoin that must be taken seriously, and bitcoin's protocol will need to be updated sooner rather than later. Conversations in the bitcoin developer community about when and how to do this have already begun.

    Focusing on how quantum computing will affect cryptocurrency misses the much more important point: The end of encryption is not just a bitcoin problem, it’s an everything problem. The transition to a post-quantum world will be a fundamental challenge to civilization’s backbone.

    Encryption is everywhere
    Encryption is the bedrock of modern life, underpinning virtually every aspect of tech-enabled society. Financial systems rely on RSA encryption to secure online banking transactions, ensuring that sensitive details like credit card numbers and account credentials are safe from theft. Without encryption, there is no banking system.

    E-commerce platforms use the same principles to protect payment data as it moves between buyers and sellers. Without encryption, there is no e-commerce.

    Hospitals and medical providers rely on encryption to move electronic health records around and process payments. Without encryption, there is no modern medical system.

    Government agencies use encryption to secure classified communications, shielding national secrets from potential adversaries. Without encryption, there is no national security.

    Encrypted commands secure Internet of Things (IoT) devices, from connected cars to smart home systems, preventing malicious actors from taking control of everyday technology. Without encryption, there are no smart devices.

    Harvest Now, Decrypt Later
    Although we could still be years or even decades away from the end of conventional encryption methods, preparation for quantum supremacy has already begun in light of the “harvest now, decrypt later” threat.

    One of the key features of encryption is that it allows you to send secure messages over insecure channels. For instance, when you log into your bank account on your home computer, your password is encrypted before being sent over the internet to your bank. Along the way, it may pass through numerous servers that could theoretically save and store it. However, since the password is encrypted, it would look like nothing more than a string of gibberish. If you were a bad actor, you could not decipher it, so saving it would be pointless.

    However, in some domains, encrypted data could be useful years or even decades after it is saved – data having to do with state secrets, or master lists of passwords that are reused across platforms.

    If quantum computing is expected to crack encryption in a few years or decades, attackers in sensitive domains like defense and intelligence would (and surely do) collect and save all the encrypted data they can get their hands on, even if it is currently indecipherable and useless. That’s why groundwork is already being laid for the transition to post-quantum cryptography.

    Post-Quantum Cryptography
    While quantum computers will eventually crack today’s methods of encryption, they could also be used to develop even more advanced cryptographic algorithms. Said a different way, quantum computing doesn’t signal the end of cryptography itself, but rather a shift from today’s cryptographic algorithms to newer, quantum-native ones.

    Post-quantum cryptography (PQC) is an active field of research, producing promising advancements that aim to secure systems against future quantum threats while preserving the fundamental principles of cryptographic security. Bitcoin, and everything else, will need to make use of advancements in PQC to maintain its integrity.

    Reply
  26. Tomi Engdahl says:

    This Cryptographer Helps Quantum-Proof the Internet
    Joppe Bos designs encryption that even quantum computers can't crack
    https://spectrum.ieee.org/post-quantum-cryptography-2670649921

    Reply
  27. Tomi Engdahl says:

    The Quantum Cybersecurity Revolution: Arguably The Biggest Startup Opportunity In 2025
    https://www.forbes.com/sites/abdoriani/2024/12/30/the-quantum-cybersecurity-revolution-arguably-the-biggest-startup-opportunity-in-2025/

    Quantum computing is rapidly transitioning from theoretical research to practical applications. Among the most affected fields is cybersecurity, because the threat of quantum decryption makes many of the current cybersecurity systems obsolete.

    Needless to say, this huge threat to the world’s digital information provides great opportunities for innovative companies to create effective data protection for a quantum computing world.

    This article examines how these technologies are evolving and their implications for tech startups in the upcoming year.

    Reply
  28. Tomi Engdahl says:

    A decentralized network may be the answer to the threat of quantum computers
    https://etn.fi/index.php/13-news/17080-hajautettu-verkko-voi-olla-ratkaisu-kvanttitietokoneiden-uhkaan

    According to a recent study, the ability of quantum computers to break current encryption technologies may cause significant security risks to digital systems and data. The study was carried out by Naoris Protocol, which focuses on PQC security; according to it, as quantum computing develops, companies and organizations must move to decentralized solutions to protect themselves from future cyber threats.

    Quantum computers can solve the complex computational problems on which the encryption of current systems is based. This means that sensitive data, such as financial systems and health records, may be at risk without new security mechanisms. In Naoris Protocol's study, 95% of developers expressed concern about the impact of quantum computers on cybersecurity, and 36% of them were significantly concerned.

    The study highlights decentralized physical infrastructure networks, DePIN (Decentralized Physical Infrastructure Network), as a possible solution. DePIN works by distributing infrastructure, such as data centers and network nodes, across many decentralized units. This reduces the risks associated with centralized systems and increases resilience against attacks.

    According to Naoris Protocol's CEO David Carvalho, centralized systems are especially vulnerable in the era of quantum computers. "Decentralization reduces the significance of individual nodes and makes systems more secure and more resistant."

    Reply
  29. Tomi Engdahl says:

    Infineon and the BSI pave the way for a quantum-resilient future: World’s first Common Criteria Certification for post-quantum cryptography algorithm on a security controller
    https://www.infineon.com/cms/en/about-infineon/press/press-releases/2025/INFCSS202501-043.html

    Infineon receives world’s first Common Criteria EAL6 certification for implementing a post-quantum cryptography (PQC) algorithm in a security controller
    Internationally accepted certification is a crucial step towards a quantum-resilient world
    Post-quantum cryptography supports the protection of digital infrastructure from the future threats of quantum computers

    Munich, Germany – 23 January 2025 – Infineon Technologies AG (FSE: IFX / OTCQX: IFNNY) has achieved a milestone on the way to a quantum-resilient world in collaboration with the German Federal Office for Information Security (BSI) [1]. Infineon is the first company ever to receive the Common Criteria EAL6, an industry-leading certification level, for the implementation of a post-quantum cryptography algorithm in a security controller. Such cryptography enhances security for eSIM, 5G SIM and smart card applications, including personal IDs, payment cards and eHealth cards, against threats resulting from highly capable quantum computers. The world’s first certification is a milestone on the way to a quantum-safe future in our daily lives.

    Within the next ten to twenty years, quantum computers are expected to become powerful enough to break current cryptographic algorithms, compromising the security of our digital lives. Documents like eIDs that are currently being issued and are valid for many years need to be resistant against future attacks by quantum computers. The same is true of encrypted messages and emails that are sent now, because when stored these can be attacked by quantum computers later. Post-quantum cryptography algorithms such as Module-Lattice-Based Key Encapsulation Mechanisms (ML-KEM) [2] are designed to resist these attacks, fortifying the integrity of our digital infrastructure. A secured implementation of these algorithms is crucial to withstanding classical security attacks.

    Reply
  30. Tomi Engdahl says:

    Cyber Insights 2025: Quantum and the Threat to Encryption

    2025 is an important year – it is probably our last chance to start our migration to post quantum cryptography before we are all undone by cryptographically relevant quantum computers.

    https://www.securityweek.com/cyber-insights-2025-quantum-and-the-threat-to-encryption/

    SecurityWeek’s Cyber Insights 2025 examines expert opinions on the expected evolution of more than a dozen areas of cybersecurity interest over the next 12 months. We spoke to hundreds of individual experts to gain their expert opinions. Here we discuss what to expect with Quantum computing and the threat to encryption.

    We (probably) will not get a cryptographically relevant quantum computer (CRQC) in 2025. Public key encryption (PKE) will (probably) remain safe through 2025. But… Well, there are issues. It is those issues we wish to explore here.

    Quantum decryption is getting perilously close. This article is a call to arms. We need to arm ourselves with quantum safe encryption – and crypto-agility – in 2025.

    Quantum’s relevance to cybersecurity

    It is a given that a sufficiently powerful quantum computer will be able to decrypt current PKE (such as RSA 2048) in or within 24 hours using Shor’s quantum algorithm or a derivative or improvement. That will upend cybersecurity as we know it today. All encrypted data that has been stolen and stored (harvest now, decrypt later) will be accessible to the group that stole it. Ongoing trust in and on the internet – its communications, its digital signatures, its transactions – would all be destroyed.

    This will happen if / when PKE is broken, regardless of how it is broken. The only generally accepted certainty is that it will be broken by a sufficiently powerful quantum computer. This is why NIST has been instrumental in developing new, stronger encryption algorithms based on mathematical problems that are thought to be resistant to quantum computers. This is NIST’s post quantum cryptography (PQC).

    Cybersecurity must migrate from using PKE to using PQC. But the urgency is still not fully understood by everyone, because the quantum threat is not fully understood by almost anyone. We’re going to shine some light on this and its progress through 2025.

    (Quick warning: quantum computers and encryption involve more acronyms than the three-letter agencies.)

    The timeline toward CRQC

    For CRQC, Martin Charbonneau, head of quantum safe networks at Nokia, suggests, “A good estimation of this timeline was constructed in the Global Risk Institute’s Quantum threat timeline report. In 2024, it estimated that by 2034, there was between a 17% and 34% chance that a cryptographically relevant quantum computer (CRQC) would exist capable of breaking RSA 2048 in 24 hours. The probability increases to 79% by 2044.”

    An alternative approach to timeline estimation could come from federal agency requirements. “The National Security Memorandum 10 (NSM-10) sets a clear deadline for the full migration to PQC by 2035. By this date, all cryptographic systems used by federal agencies must be quantum-resistant to ensure the security of sensitive information,” comments Carlos Aguilar Melchor, chief scientist, cybersecurity at SandboxAQ.

    He adds that specific agencies have tighter deadlines. “The Department of Homeland Security describes on its website a shorter transition that ends by 2030. Finally, the Commercial National Security Algorithm Suite 2.0 (CNSA 2.0), required for National Security Systems, has set PQC as preferred as soon as 2025 and as mandatory by 2030 to 2033 (depending on the application).”

    These dates range from now until 2035. The implication is that government is expecting CRQC any time after ten years from now.

    Meanwhile, on December 9, 2024, Hartmut Neven, founder and lead at Google Quantum AI, announced the Google Willow chip with two claims. First, it is super-fast: “Willow performed a standard benchmark computation in under five minutes that would take one of today’s fastest supercomputers 10 septillion years – a number that vastly exceeds the age of the Universe.”

    Second: “Willow can reduce errors exponentially as we scale up using more qubits. This cracks a key challenge in quantum error correction that the field has pursued for almost 30 years.”

    Does this affect already vague timelines, or have the already vague timelines already anticipated such events already? Frankly, we don’t know. Melchor comments, “This year theoretical advances have divided the number of required qubits by three and reduced the theoretical stability needed by a factor 10. Quantum computers steadily progress and sudden reductions on the target brought by theoretical advances can suddenly change the estimations, and strongly increase the urgency.”

    For cybersecurity defenders the standard adage remains true – you may hope for the best, but you should expect and prepare for the worst. CRQCs are getting closer at an unknown rate.

    The problem with qubits

    The reason it is difficult to predict a date for CRQC’s arrival is the nature of the quantum computer’s fundamental unit of calculation: the qubit. A qubit uses the unique quantum properties of superposition and entanglement to allow a greater number of possible states than the classical bit’s two-states. And the more qubits you have doing this, the greater the processing potential of the computer. That potential is almost unimaginable to anyone brought up on the limited two-state binary digit driven capability of classical computing.

    But qubits are not stable.

    This will surprise no-one who has looked at quantum mechanics – but it is this instability that causes the biggest problem in creating a usable quantum computer. Put simply, the stability of qubits is negatively affected by everything around them, from physical jolts to atmospheric noise. This leads to the phenomenon known as decoherence (basically, the loss of the quantum state) which introduces errors into computations involving qubits. These errors must be ‘corrected’ before the computational output can be trusted. And that is very, very difficult.

    One approach is to use error correcting software – but this is incredibly complex and requires a huge number of additional qubits to correct the errors in just one qubit. In loose terms, a large number of additional physical qubits are necessary for every logical (useful) qubit. A second approach is more mechanical – to develop and use qubits that are naturally more stable and resistant to decoherence.

    We can expect further progress, like Willow, on both fronts during 2025 – progress but probably no timeline-altering breakthrough. The engineering problem of having enough logical qubits operating together and able to practically unleash the full theoretical potential of quantum will be measured in years – we just don’t know how many or how few.

    As Jason Soroko, senior fellow at Sectigo, explains: "Not all qubits are created equal… consider the following attributes of those qubits: Coherence Time (the duration a qubit can maintain its quantum state); Gate Fidelity (the accuracy in quantum gate operations); Error Rates (the frequency of errors during qubit operations); and Scalability (the ability to maintain qubit quality as the system scales up)."

    Gate fidelity is important. “Shor’s algorithm requires gated qubits to complete its task, using a Quantum Fourier Transform which is part of what does the factorization work necessary to break RSA-2048,” says Soroko.

    “2024 saw significant quantum advances, including Quantinuum’s achievement of 99.9% 2-qubit gate fidelity in a production environment – an industry first,” says Duncan Jones, head of cyber at Quantinuum. “In 2025, we expect to build on these successes and make additional improvements in hardware, software, quantum tokens, cybersecurity, and other areas.”

    Adding AI to the development mix

    While declining to make any predictions (“There is no single roadmap that we have seen which will absolutely determine when a CRQC will emerge”), Skip Sanzeri – co-founder and COO at QuSecure, adds, “With AI developing so quickly we are seeing ways in which AI will speed time to a CRQC. For example, AI can help design more efficient algorithms and machine learning can simulate large numbers of quantum states enabling faster and more optimal quantum circuits.”

    AI, he adds, “will also play a role in hardware development (noise reduction and more stable qubits), optimization (quantum experiments, qubit manipulation), and quantum simulation of complex systems.” AI’s benefit to quantum technology could begin to be realized in 2025.

    It is worth noting this synergy between contemporary technology’s biggest innovations – quantum and AI. Quantum computers benefitting AI may well precede CRQC, but probably not this year. Neven, who named the Google lab he founded ‘Quantum AI’, has explained, “Both will prove to be the most transformational technologies of our time, but advanced AI will significantly benefit from access to quantum computing.”

    Sanzeri adds, “In our opinion, consensus of when a CRQC will be available will most likely be overestimated since we cannot determine the effect technologies like AI will have on the timeline. As such we believe a CRQC will be here in less than 5 years.”

    Karl Holmqvist, founder and CEO at Lastwall, is also wary of the combination of quantum and AI. “The combination of quantum and AI will produce cryptographically relevant results faster than either alone,” he suggests. It is entirely possible – although for cybersecurity we still hope unlikely – that CRQC will be achieved within just a few years.

    Cryptography’s own uncertainty principle

    NIST’s quantum proof encryption competition has focused on developing new algorithms to replace the current PKE that will fall to quantum computers. The focus is on algorithms that can serve the same purpose but be based on mathematical problems that are thought to be resistant to quantum computers. This is conceptually similar to current PKE, which is based on the mathematical difficulty of factoring very large numbers with just a classical computer.

    But there are two assumptions here: that PKE has not already quietly been broken by an adversary using classical computers and AI; and that the same or another adversary has not already secretly achieved CRQC. We believe that neither has happened – but we still need to ask the question.

    Sanzeri does not believe breaking PKE without quantum power is possible. “Breaking PKE will require an exponentially powerful computer, and our existing CMOS structures, even with AI optimized, cannot become exponentially powerful. The subatomic properties of superposition and entanglement enable quantum computers to reach exponential power.”

    But he also adds, “Cryptography has a long history of unexpected breakthroughs – algorithms once thought secure for decades have fallen to novel attacks. While other approaches like advanced classical algorithms haven’t demonstrated feasibility for breaking PKE yet, we can never be completely certain.”

    It is this lack of absolute certainty over any encryption algorithm that is the concern.

    He believes that any secret adversarial ability to break PKE will more likely come from a quantum computer than from a classical computer. But therein lies our second unprovable assumption – that despite the billions of dollars being spent on quantum development, no adversarial nation has yet, secretly, developed CRQC. We don’t believe it, but we cannot prove it. “As with all things security: assume the breach has already happened, and act accordingly,” says Roer.

    Holmqvist agrees that there is some uncertainty over adversarial capabilities. “The prize for breaking encryption is very high, and we know nation-state level entities are engaged in research on quantum computational systems. This means that if there were any significant breakthroughs in 2025 that might enable a system to be developed – it is possible – we might not know about them.”

    Thomas Matheus, CTO at Cystel Limited, believes the bigger threat comes not from the algorithms but from their implementation. “It is more likely to happen that organizations implement post-quantum cryptographic solutions or other quantum products (such as quantum key distribution or quantum VPN) and do not configure these solutions or products correctly.”

    But that assumes that the PQC algorithms are sufficiently strong, and that is yet one more uncertainty. Are NIST’s PQC algorithms themselves secure? After all, the SIKE candidate was broken with a classical computer and AI.

    Agility is key

    While cryptography’s uncertainty principle means that we cannot know for certain, however fervently we believe it, that PKE has not already been broken by a well-resourced adversary, we are similarly uncertain that NIST’s PQC algorithms are genuinely safe. Put simply, we may believe that NIST’s PQC algorithms are quantum safe (probably safe against quantum decryption), but we cannot prove they are quantum secure (provably secure against quantum decryption). In short, PQC algorithms up the ante in ongoing encryption, but do not provably solve the problem.

    In compensation, a second approach to the use of encryption systems has been quietly bubbling in the background: crypto-agility. This is not a new idea, dating from around the turn of this century. Cryptographic systems fall to attackers – that’s a fact proven by history. So, it makes sense to have an alternative encryption system ready, waiting, and easily usable. That is the concept known as crypto-agility.

    What is different today is that we know our current PKE encryption is going to fall with quantum computers. We are getting ready for this event by migrating wholesale to new algorithms. But although tested and scrutinized in laboratories, these algorithms are not yet proven in the battlefield. So, if anything, the need for crypto-agility is greater than ever – something NIST recognized from the beginning.

    Chen defines crypto-agility as, “the ability for machines to select their security algorithms in real time and based on their combined security functions; the ability to add new cryptographic features or algorithms to existing hardware or software, resulting in new, stronger security features; and the ability to gracefully retire cryptographic systems that have become either vulnerable or obsolete.” In short, it is “the flexibility to implement, update, and replace cryptographic components within IT-systems, without affecting its functionality.”

    Jones puts this into context. “NIST’s PQC algorithms have undergone rigorous evaluation against both quantum and classical attacks. However, no algorithm is entirely immune to unforeseen vulnerabilities.” (The breaking of SIKE during the competition proves this.)

    “This reinforces why crypto-agility is critical,” he adds. “Organizations must be able to adapt their infrastructure as algorithms evolve. Focus should be on building agile systems that can integrate new standards and algorithms when needed.”

    Summary – the encryption threat in 2025

    It is ironic that the arrival of CRQC loosely suffers from quantum uncertainty. If we focus on powerful quantum computers, we do not know when we will get them. If we focus on a point in time, we do not know what we will have at that point. All we do know is that at some time within the next fifteen years, and possibly the next five years, classical PKE will fall to quantum decryption – and if we are not prepared, that could be disastrous.

    Progress toward CRQC in 2025 will not be loud, but will be punctuated by occasional claims – like a new type of qubit that is more stable (such as neutral atoms), or new error correction capabilities (like Willow), or more qubits per processor (IBM is expected to introduce its ‘Kookaburra’ processor with more than 4,000 qubits).

    There is now a possibility that CRQC could arrive in as little as five years. There is an equal possibility that a full migration to PQC will take some companies longer than five years. In 2025, as Kevin Bocek, chief innovation officer at Venafi points out, for those who haven’t yet started their PQC migration, “Given this uncertainty, the journey to becoming quantum-proof must start now.”

    We have delved into the problems and potential solutions involved in quantum computer manufacture not because we expect any dramatic CRQC announcement during 2025, but to show how that date is getting closer. 2025 is an important year – it is probably our last chance to start our migration to PQC before we are all undone by CRQC.

    Postscript: It won’t stop there. Shor’s quantum algorithm will break our current asymmetric encryption (PKE). Grover’s algorithm can attack symmetric keys (such as AES 256). But Grover ‘merely’ increases the speed of decryption – effectively halving the key length and reducing AES 256 to AES 128.

    That’s a key still considered long enough – for now – and explains why NIST has concentrated on asymmetric algorithms. But that key length won’t be long enough to withstand quantum computers powerful enough to run Shor’s algorithm and with additional help from artificial intelligence, searching for methods to attack AES.

    We may have some wiggle room if we can increase the AES key length beyond 256 bits. Technically this should be possible since AES’ underlying cipher is Rijndael, and Rijndael will support a wider range of key and block sizes.

    Nevertheless, this whole process may need to be repeated at some point in the future, courtesy of the power of quantum computers.

    Reply
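The crypto-agility section of the quoted article (Chen's three abilities: select an algorithm at run time, add a new one to an existing system, and gracefully retire a broken one) is easier to see in code than in prose. The following is an added example, not from the SecurityWeek article or from any of the vendors it quotes. It is a minimal agile envelope format: the algorithm is identified by a code point in a header, negotiation picks the best mutually supported algorithm that has not been retired, and a retired algorithm can still be read for migration but never used to produce new output. The algorithm ids (1, 2, 3), the envelope layout, and the demo key are all hypothetical; HMAC constructions from the standard library stand in for the KEMs or signature schemes a real deployment would register, and the same pattern applies to those.

```python
"""Crypto-agility skeleton (added example, not the article's or any vendor's code).

Registry + negotiation + versioned envelope + graceful retirement. Algorithm
ids and envelope layout are hypothetical; HMAC stands in for KEM/signature.
"""
import hmac
import struct
from dataclasses import dataclass
from typing import Callable, Dict, List

ENVELOPE_VERSION = 1
HEADER = struct.Struct("!BHH")  # version, algorithm id, tag length (big-endian)


@dataclass
class Algorithm:
    alg_id: int                           # wire code point (hypothetical values)
    name: str
    mac: Callable[[bytes, bytes], bytes]  # (key, msg) -> tag; stand-in primitive
    status: str = "active"                # "active" or "retired"


def _hmac_factory(digest: str) -> Callable[[bytes, bytes], bytes]:
    return lambda key, msg: hmac.new(key, msg, digest).digest()


def default_registry() -> Dict[int, Algorithm]:
    """Three algorithms; id 1 is already retired to model a broken primitive."""
    return {
        1: Algorithm(1, "hmac-sha1", _hmac_factory("sha1"), status="retired"),
        2: Algorithm(2, "hmac-sha256", _hmac_factory("sha256")),
        3: Algorithm(3, "hmac-sha3-256", _hmac_factory("sha3_256")),
    }


def add_algorithm(registry: Dict[int, Algorithm], alg: Algorithm) -> None:
    """Adding a new algorithm touches only the registry, never the envelope code."""
    if alg.alg_id in registry:
        raise ValueError(f"algorithm id {alg.alg_id} already registered")
    registry[alg.alg_id] = alg


def retire(registry: Dict[int, Algorithm], alg_id: int) -> None:
    """Retirement is a status flip: existing data stays readable, new output stops."""
    registry[alg_id].status = "retired"


def negotiate(server_prefs: List[int], client_offer: List[int],
              registry: Dict[int, Algorithm]) -> int:
    """First server-preferred id that the client offers and that is still active."""
    offered = set(client_offer)
    for alg_id in server_prefs:
        alg = registry.get(alg_id)
        if alg is not None and alg.status == "active" and alg_id in offered:
            return alg_id
    raise ValueError("no mutually supported active algorithm")


def protect(registry: Dict[int, Algorithm], alg_id: int, key: bytes, msg: bytes) -> bytes:
    """Tag msg under alg_id; refuse retired algorithms outright."""
    alg = registry[alg_id]
    if alg.status != "active":
        raise ValueError(f"{alg.name} is retired; refusing to produce new output")
    tag = alg.mac(key, msg)
    return HEADER.pack(ENVELOPE_VERSION, alg_id, len(tag)) + tag + msg


def unprotect(registry: Dict[int, Algorithm], key: bytes, envelope: bytes,
              allow_retired: bool = False) -> bytes:
    """Dispatch on the header's algorithm id; reject unknown or (by default) retired ids."""
    if len(envelope) < HEADER.size:
        raise ValueError("truncated envelope")
    version, alg_id, tag_len = HEADER.unpack_from(envelope)
    if version != ENVELOPE_VERSION:
        raise ValueError(f"unsupported envelope version {version}")
    alg = registry.get(alg_id)
    if alg is None:
        raise ValueError(f"unknown algorithm id {alg_id}")
    if alg.status != "active" and not allow_retired:
        raise ValueError(f"{alg.name} is retired; legacy data not accepted")
    tag = envelope[HEADER.size:HEADER.size + tag_len]
    msg = envelope[HEADER.size + tag_len:]
    if len(tag) != tag_len or not hmac.compare_digest(tag, alg.mac(key, msg)):
        raise ValueError("authentication failed")
    return msg


def demo() -> Dict[str, object]:
    """Walk through negotiate -> protect -> retire -> read-legacy-only."""
    registry = default_registry()
    key = b"constructed-demo-key-do-not-reuse"  # constructed sample key
    chosen = negotiate([3, 2, 1], [1, 2, 3], registry)
    legacy = protect(registry, 2, key, b"stored before retirement")
    retire(registry, 2)
    return {
        "negotiated": registry[chosen].name,
        "legacy_readable": unprotect(registry, key, legacy, allow_retired=True),
        "new_output_blocked": registry[2].status == "retired",
    }


if __name__ == "__main__":
    print(demo())
```

The point of the header is that the format carries an algorithm identifier rather than assuming one; that is the property TLS cipher suites and named groups provide, and it is what lets a KEM be swapped for ECDH without a new wire format. Two caveats a deployment needs on top of this sketch: the negotiation itself must be authenticated (TLS binds it into the handshake transcript) or an attacker can strip the stronger offers and force the weakest active algorithm, and `allow_retired` should be a time-boxed, logged migration switch, not a permanent default.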
