#Google implemented non-standardised #post-#quantum #cryptography for its internal encryption in transit protocol. Is quantum #threat so real to rush?

Google is at the forefront of quantum #technology, and it is not surprising to see them being the first to adopt post-quantum #encryption schemes. There is something to learn in this case for each organisation whose business is heavily IT-dependent. What is the risk? How to prioritise? What to do now?

In the article Google published (see below), they summarised all the right points about the currency of the threat and remediation practice.

An adversary with the quantum computer is motivated to run a store-now-decrypt-later attack. In other words, this is an attack when "an attacker might store encrypted data today and decrypt it when they gain access to a #quantum #computer". As for the currency of the threat, "Product lifetime might overlap with the arrival of quantum computers, and it will be difficult to update systems". These threats apply to data-in-transit, which uses quantum vulnerable asymmetric key agreements, and hardware devices (data-at-rest) with a long lifespan.

Google's step in the adoption of non-standard cryptography should not deceive an audience as a marketing campaign. This rather indicates strength and readiness to be cryptographically agile. Google acknowledged that further changes to cryptography algorithms might occur and make the transition with future modifications in mind. Probably, cryptography agility might be a big question for the next decade for each organisation. Switching cryptography protocols is challenging and becomes mission-impossible when an organisation does not control the whole delivery stack.

The selection of the post-quantum encryption algorithm is a challenging question too. Most of them are more computationally demanding and could not naturally fit instead of the classical counterparts. What is more important, new algorithms did not pass the "field test" and could introduce weaknesses. "Several of the candidates in the NIST process suffered devastating attacks that did not even require a quantum computer. We avoided a scenario where our attempt to secure our infrastructure against a theoretical computing architecture renders it defenceless against a laptop recovering private keys over a weekend by adding the post-quantum algorithm as an additional layer."

Existing facts about the quantum computing threat do not leave room to be dormant. Each organisation should be looking to build an internal capability, have a strategic approach and start remediation from the most affected areas.

You can read the full Google article here.