We mention Post Quantum (PQ) cryptography in this section because it represents perhaps one of the most challenging cryptographic upgrade scenarios worldwide. Cryptography is based on difficult math problems, whether the discrete logarithm problem, the ability to rapidly factor large numbers in a finite field or over an elliptic curve, and others. Today's cryptography is threated by the rapid progress being made in the field of quantum computers (note: we are not talking about quantum cryptography here, but rather about the application of a quantum computer to break today's cryptography). The implications are severe because many types of organizations, most notably nation states, collect and retain vast troves of encrypted data sent over the internet. While they may not be able to read the data now, a future government or commercial quantum computer will be able to.
In effect, this puts the imperative on governments and all security/privacy-conscious organizations to start planning to upgrade to so-called PQ cryptographic algorithms that are analyzed and considered to be resilient to a quantum attack on its keys. Currently, the US government (NIST) is sponsoring a PQ cryptographic competition to determine, from among dozens of different algorithm submissions, which is a candidate to be standardized for government (and therefore, in a de facto sense, industry) use. The most mature and extensively studied PQ algorithm candidates are lattice-based.
While not standardized for prime time yet, in terms of practical advice, companies and other organizations may want to consider small pilot deployments to test some cryptographic libraries that have PQ algorithms. Pilot deployments could include using PQ crypto to do the following:
- Encrypt a database
- Authenticate and encrypt a TLS tunnel
- Encrypt and sign application data
Such pilot deployments may help organizations develop and refine their deployment roadmaps. At a minimum, IoT organizations should follow the track the issue and start assessing all of the components and systems in their organizations (including cloud assets) that will be affected.