02.04.2025

|

Markus Günther

|

Article

Post-quantum Cryptography: a New "year 2000" Hype?

Teaser Image

Google, IBM and Microsoft are independently driving hardware and software development for quantum computers. In response1, NIST has published a draft roadmap for the transition to post-quantum cryptography (PQC)2. This guideline, which is currently the subject of much discussion, focuses on the period after 2030. As the topic of cryptography is complex and developments are progressing rapidly, we want to provide an up-to-date, comprehensible assessment together with recommendations for action. It should be noted that these publications are only binding for the US administration and only for unclassified data - however, some national regulators are following the guidelines and using them as food for thought for their own requirements.

The following is proposed in the preliminary NIST roadmap:

AlgorithmKey lengthBits of security strength3Roadmap
RSA2048 Bit112Not recommended (from 2030)
RSAAll variantsAll variantsNo longer to be used (from 2035)
ECDSA224-255112Not recommended (from 2030)
ECDSAAll variantsAll variantsNo longer to be used (from 2035)

In summary, this means that algorithms used on a large scale should no longer be used from 2035 at the latest.

The challenge here:

  • Even today, so-called Harvest Now, Decrypt Later (HNDL) can occur - the storage of information that could theoretically be decrypted later using quantum computers.
  • Although new, future-proof algorithms have been standardized since 2024, hardware and software manufacturers have yet to integrate them into their products.
  • Cryptography is omnipresent in IT, and depending on the size of the organization, it is used in very different ways on thousands of IT systems.

Our advice: approach it from both sides!

Tackle the technical basis…

  • Utilize existing options: Industry giants such as Google are already using hybrid protocols to gain experience and accelerate the spread of PQC algorithms. These options should be investigated and monitored by companies, as both performance problems and security risks can arise. Where possible, features such as Perfect Forward Secrecy should also be enabled.
  • Establish crypto agility: Regardless of the development around quantum computers, IT must be able to renew key material during operation and algorithms as part of the change process without serious effort.4 This must also be tested at critical points.

and introduce a top-down risk assessment in order to prioritize

  • Risk-based recording of cryptography in order to focus on a small number of critical systems and processes: What data today will need to remain confidential after 2030? Where does cryptography fulfill critical functions such as authentication outside the corporate network?
  • Preserving integrity: Documents that are to remain valid for decades must be protected with cryptographic processes that will endure even after the introduction of powerful quantum computers. This requires new PKI approaches with PQC-capable signature algorithms, both internally and externally. As long as traditional methods are still secure, hybrid signatures or notary services with additional protective measures can be used to ensure authenticity and proof of origin in the long term.

Conclusion: Act now

Companies that do not start their analysis until 2029 may already be in trouble today. Transparency and agility are crucial factors when it comes to cybersecurity. Risk-based analyses help to provide sufficient security in the right places - now and in the future. In addition, today’s technologies already offer ways to protect against PQC risks if they are properly classified. Don’t wait until you are forced to act - take action now and prepare in good time!

  1. https://news.microsoft.com/source/features/innovation/microsofts-majorana-1-chip-carves-new-path-for-quantum-computing/ ↩︎

  2. https://doi.org/10.6028/NIST.IR.8547.ipd ↩︎

  3. https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57pt1r5.pdf ↩︎

  4. https://bughunters.google.com/blog/6182336647790592/cryptographic-agility-and-key-rotation ↩︎

About the author

Markus Günther
Markus Günther
Senior Security Consultant
MSc IT GRC Management
CISA, GCFA, CISSP, SSAP

Promoting security culture and awareness and conducting strategy and compliance assessments are my passion. Thanks to my many years of experience in the practical implementation of these topics, I know the challenges at first hand. I use this knowledge to provide my clients with practical advice and develop tailor-made solutions.

Linkedin

Teaser Image
02.04.2025| Markus Günther | Article

Post-quantum Cryptography: a New "year 2000" Hype?

Read article
Teaser Image
22.10.2024| Bruno Blumenthal | Presentation

AI Compliance Essentials: Standards and Emerging Regulations

Read article
Teaser Image
11.09.2024| Markus Günther | Article

Post Quantum Cryptography - Do the Locks Used Hold Up?

Read article
To all contributions

Contact us

TEMET AG
Basteiplatz 5
CH-8001 Zürich
info@temet.ch
+41 44 302 24 42

Page overview

© 2025 TEMET AG, All rights reserved.
Imprint
Privacy Policy