Author : Prateek Tripathi

Expert Speak Digital Frontiers
Published on Dec 04, 2023

With the number of data breaches multiplying rapidly over the years, India must ensure the timely migration to PQC algorithms across all sectors, particularly critical infrastructure.

Post-Quantum Cryptography: The lynchpin of future cybersecurity

With quantum computers poised to become a reality by the end of the decade, cyberspace is faced with the stark reality of dealing with the possibility of existing cryptographic protocols becoming redundant in the near future. The precise point of time when this occurs, what has now come to be called “Q-Day,” is fast approaching. The answer to this daunting challenge came in the form of Quantum Resistant Cryptographic (QRC) algorithms or Post-Quantum Cryptography (PQC), which is set to become a reality soon, owing to the widespread global initiative.

Importance of PQC

Most classical encryption schemes, including the widely used Rivest-Shamir-Adleman (RSA) algorithm, rely on the fact that prime factorisation is an inherently cumbersome task, especially for large numbers, and it takes classical computers a long time to do so. Quantum algorithms on the other hand, like the one conceived by Peter Shor in as early as 1994, proved that this would be a basic task for quantum computers. For example, it would take a classical computer about 300 trillion years to break a 2048-bit RSA encryption key by brute force, while a perfect quantum computer would be able to do so within 10 seconds. Shor’s algorithm is being further improved upon and has become more efficient in subsequent years, Regev’s algorithm being a case in point.

With quantum computers poised to become a reality by the end of the decade, cyberspace is faced with the stark reality of dealing with the possibility of existing cryptographic protocols becoming redundant in the near future.

Since we are still at least a decade away from an ideal quantum computer, this may not seem like an imminent threat. However, this is not the case, since Annealing quantum computers are already a reality. While these are not capable of utilising Shor’s algorithm, they can solve the factoring problem by formulating it as an optimization problem and have already made much progress. Furthermore, there is also the problem of “harvest now, decrypt later,” which essentially means that an attacker can steal data now, wait until quantum computers become a practical reality, and subsequently decrypt it at a later time. This implies that quantum computers already pose a very real threat, without even coming into existence. There is a distinct possibility that large amounts of data have already been compromised and the rectification of this problem is an immediate concern, which is why the incorporation of PQC into current encryption protocols is absolutely imperative. For instance, according to IBM’s “Cost of a data breach Report 2023,” more than 95 percent of the organisations studied globally have experienced more than one data breach. Besides, it will take a long time to fully integrate the new algorithms across all computer systems, making it prudent to start as soon as possible.

The pivotal role of the National Institute of Standards and Technology (NIST)

Although there are several ongoing initiatives working towards developing PQC around the world, it is the NIST of the United States (US) which has made the most significant progress. In 2016, the NIST initiated its “Post-Quantum Cryptography Standardization Project,” wherein it invited the submission of candidate PQC algorithms. Of the 69 eligible submissions, eventually, four were selected for standardisation i.e., CRYSTALS-Kyber, CRYSTALS-Dilithium, SPHINCS+ and FALCON. The Kyber algorithm is designed for general encryption purposes while the rest are digital signature schemes. In August 2023, the NIST released draft standards for the first three of these in a bid to get public feedback. It expects to release them by 2024, along with draft standards for the FALCON algorithm.

Three of the algorithms employ what is known as “Lattice-Based Cryptography,” which relies on the problem of finding the point on a lattice[i] closest to a random point on it. As an analogy, this would be akin to the task of finding the tree closest to a random location in a forest. This turns out to be a particularly difficult problem for lattices possessing high dimensions, one which even quantum computers cannot seemingly solve.

SPHINCS+, on the other hand, uses so-called “Hash Functions,” a cryptography scheme which is already a critical part of blockchain technology. The NIST is also working on a second set of algorithms based on different math problems which are meant to serve as a backup in case any weaknesses should emerge in lattice-based cryptography in the future.         

Alongside this, the US Cybersecurity and Infrastructure Security Agency, National Security Agency (NSA), and NIST also published a sheet titled “Quantum Readiness: Migration to Post-Quantum Cryptography,” in which it urged all organisations, especially those supporting critical infrastructure, to lay out a “quantum-readiness roadmap” to facilitate migration to PQC standards.         

Following this development, the PQC Coalition was launched in September 2023, with an aim to promote a better understanding of PQC and the public adoption of NIST’s algorithms. Its members include tech giants like IBM and Microsoft, along with MITRE, PQShield, SandboxAQ, and the University of Waterloo.

India’s foray into PQC

The Indian Army, along with the National Security Council Secretariat, established the Quantum Lab at the Military College of Telecommunication Engineering, Mhow, Madya Pradesh, in 2021. It aims to spearhead research and training in the field of quantum computing and communication, with PQC as one of the primary thrust areas.         

The Centre for Development of Telematics (C-DOT), an autonomous R&D centre under the Department of Telecommunications, has been working quite actively towards developing PQC. It has indigenously developed quantum-secure products supporting PQC algorithms such as a quantum-safe encryptor called the “Compact Encryption Module,” and a quantum-safe, AI-enabled video IP phone called “Quantum Secure Smart Video IP Phone.”

An interesting development has been the increasing role being played by startups in the field. Bengaluru-based QNu Labs has emerged as only the fourth company in the world to develop a quantum-safe security product. It has created a PQC algorithm called “Hodos” which is based on one of the NIST’s lattice-based algorithms and has made it commercially available for organisations to deploy. It has also signed a MoU with the defence public sector unit Bharat Electronics Limited in case quantum-safe security systems are required to be built through a public sector entity in the future. Other startups like Scytale Alpha and Qulabs are also taking an active interest in PQC.

Future prospects

The aforementioned initiatives, although commendable, are not sufficient to counter the looming threat of quantum supremacy. With the number of data breaches multiplying rapidly over the years and the constant threat posed by China and non-state groups, India must ensure the timely migration to PQC algorithms across all sectors, particularly critical infrastructure. It must establish a thriving ecosystem for academic research, while also nurturing and incentivising the private sector, which has already shown a lot of promise in the field. The National Quantum Mission (NQM), serving as India’s flag-bearing initiative in quantum technology, has a key role to play in this regard. If the NQM hopes to establish India as a global leader in quantum technology, PQC and its adoption must serve as one of its integral components.  

While there is no guarantee that the NIST algorithms are airtight, they have succeeded in laying out the groundwork for a quantum-safe future.

Security protocols only work till the time someone finds a way to break them. The same is true for cryptography. So, while there is no guarantee that the NIST algorithms are airtight, they have succeeded in laying out the groundwork for a quantum-safe future. With their release slated for next year, it remains to be seen whether India will take advantage of the situation, it certainly has the opportunity to do so.


Prateek Tripathi is a Research Assistant Centre For Security Strategy and Technology at Observer Research Foundation


[i] In two dimensions, a lattice refers to a grid of points such as in case of a graph paper, except that in this case, the number of points is infinite. The complexity of the structure naturally increases with the number of dimensions.
The views expressed above belong to the author(s). ORF research and analyses now available on Telegram! Click here to access our curated content — blogs, longforms and interviews.

Author

Prateek Tripathi

Prateek Tripathi

Prateek Tripathi is a Junior Fellow at the Centre for Security, Strategy and Technology. His work focuses on emerging technologies and deep tech including quantum technology ...

Read More +