Published: 4 September 2024
Contributors: Stephanie Susnjara, Ian Smalley
Quantum-safe cryptography secures sensitive data, access and communications for the era of quantum computing.
Almost everything you do on a computer uses cryptography. That's why, most of the time, intruders can't read your emails, access your medical records, post from your social media account, remotely shut off your car or mess with your city's electrical grid.
Modern cryptography is so good that when a secure data or systems breach occurs, it is seldom because someone broke the encryption itself. Most breaches are due to human error—someone accidentally gives out a password or leaves a back door into a secure system. You can think of modern encryption methods, such as 2048-bit public keys, as the sturdiest vaults: close to impossible to breach unless someone leaves a key lying around outside.
But the era of quantum computing might change things. In the future, a bad actor with a quantum computer of sufficient power might unlock any 2048-bit vault and access the data that it protects.
We don't know exactly when quantum systems might be powerful enough to crack 2048-bit cryptography, but some experts have sketched out timelines based on what we know so far.
The National Institute of Standards and Technology (NIST)'s Report on Post-Quantum Cryptography found that the first breaches might come as soon as 2030.1
"I have estimated a one in seven chances that some of the fundamental public-key cryptography tools upon which we rely today will be broken by 2026," wrote Dr. Michele Mosca, an expert from the University of Waterloo, "and a 50% chance by 2031."2
Quantum-safe cryptography rebuilds the cryptographic vault, making it safe against quantum and classical attacks.
It's worth noting that some people also refer to quantum-safe cryptography as post-quantum computing (PQC) or quantum-resistant computing. According to NIST, this type of IT security "aims to "develop cryptographic systems that are secure against both quantum and classical computers, and can interoperate with existing communications protocols and networks."3
Not to be confused with quantum cryptography, which relies on the natural laws of physics to produce secure crypto-systems, quantum-safe cryptographic algorithms use different types of cryptography to create quantum-proof security.
Check out our video “3 Steps to Become Quantum Safe with Crypto-agility,” and learn a simple, three-step framework for transitioning your organization to quantum-safe cryptography while also building crypto-agility.
Learn about threats posed by quantum computers and start to take action to prepare for quantum-safe cryptography.
In computing, there are two major use cases for cryptography: encryption and authentication. Encryption protects data from prying eyes, and authentication prevents bad actors from pretending to be other people.
Most of the encryption architectures computers use today are asymmetric or public keys. These systems use a public key for encryption and a private key for decryption.
The public key is only useful for encrypting data or checking someone's authentication. You can't use the public key to decode a message or pretend to be someone else. Only the second private key can do that.
When you type in your password on most websites, you use a private key to authenticate yourself. The website does some math to check that the private and public keys match before letting you in, without actually making a copy of the private key itself. When you enter your passcode on your phone, you're doing something similar: entering the private key that unlocks your phone's data, which has been encrypted using the public key.
These codes, keys, encryption schemes and authentication schemes are just math problems specifically designed to be difficult for classical computers to solve. Public-key algorithms work well because all those mathematical problems are hard to solve using classical computers—but their solutions are easy to check.
Take the widely-used RSA encryption: the public key is a 2048-bit integer, a huge number. The private key is the prime factor of that number. It's trivial for even a pocket calculator to check the private key against the public key: multiply the factors together. But every star that has ever or will ever burn in this universe will run out of fuel and die before the most powerful classical supercomputers might crack the 2048-bit integer into its component factors and read the encoded message.
Standard methods used in secure key exchange—including RSA and Diffie-Hellman (DH)—have worked well for decades because humanity just hasn't had the tools to break these forms of encryption. That goes as well for elliptic curve cryptography (ECC), the public key encryption technique based on elliptic curve theory, which creates faster, smaller and more efficient key sizes than RSA and DH.
But classical computers are limited. Only specific algorithms we know run well on their binary processors. Over time, we've come to engineer our society based on the assumption that if a problem can't be solved by using 1s and 0s, it can't be solved at all.
Quantum computers take advantage of quantum mechanics, the study of subatomic particles. These next-generation computing machines represent an entirely new paradigm of computation, setting aside binary bits for the complex computational spaces created by using qubits and solving problems that once seemed impossible.
Most of the time, this is a good thing. IBM® is building quantum computers to solve the world's most critical problems. (Learn more about how they work on our Topics page “What is quantum computing?”)
However, one of those once-impossible problems is prime factorization. The mathematician Peter Shor showed in 1994 that a sufficiently powerful future quantum computer would be able to find the prime factors of integers much more easily than classical computers. Shor's algorithm was the first algorithm ever developed for quantum computers, and it will one day mean the end of every major public-key encryption system in use.
Symmetric encryption is less secure against classical attacks but is still used for certain purposes (like credit card transactions), and is also under threat. The Advanced Encryption Standard (AES) is the most widely used symmetric encryption algorithm and block cipher. It works on fixed-size data blocks using a symmetric key for encryption and decryption.
Grover's search algorithm (also known as the quantum search algorithm) isn't quite the skeleton key for symmetric cryptography that Shor's is for asymmetric. However, it might aid in brute force attacks and make symmetric cryptography much less secure.
The most important thing to understand about quantum-safe cryptography standards is that they substitute the math problems that are easy for quantum computers to solve with math problems that are difficult for both classical and quantum computers to solve.
In 2016, NIST put out a call for proposals as part of a standardization process. Their goal focused on finding the best quantum-safe algorithms and schemes to become the new cryptographic standards. Organizations all over the world created and submitted schemes—69 in total.4
Six years later, NIST officially published the world’s first three post-quantum cryptography standards. IBM researchers, in collaboration with several industry and academic partners, developed two of these post-quantum cryptographic algorithms: ML-KEM (originally CRYSTALS-Kyber) and ML-DSA (originally CRYSTALS-Dilithium). The third published digital signature scheme, SLH-DSA (initially submitted as SPHINCS+) was co-developed by a researcher who has since joined IBM. Additionally, NIST selected a fourth IBM-developed digital signature algorithm, FN-DSA (originally FALCON), for future standardization.
Where earlier forms of cryptography relied on factoring large numbers, these new standards rely on lattice problems. To understand a lattice problem, imagine a mathematician showed you a list of 1,000 large numbers. Now, let's say that mathematician showed you an even larger number and told you they made it by adding up 500 numbers from the list. If they asked you to figure out which 500 numbers they used, classical and quantum computers wouldn't be much use in finding the answer. But if the mathematician told you which 500 numbers they used, it would be easy to check whether they were telling the truth. That makes lattice-based problems good replacements for prime factorization problems in cryptography.
The good news is that quantum-safe cryptography already exists. We are so confident in these new standards that we have already built them into IBM z16™ cloud systems, and are working with clients to integrate them into their security infrastructure.
Historically, cybersecurity infrastructure has taken a long time to upgrade, and there is no time to waste.
Quantum computers are progressing quickly. We expect to see the first demonstrations of quantum advantage within the next five years. Most experts agreed in a poll that a quantum computer capable of breaking 2048-bit encryption is likely by the late 2030s.
Ten to 15 years is not a long time. Many critical pieces of cybersecurity infrastructure in government and industry have remained unchanged for decades. Many computers already or soon to be in use will need to work for the next several decades with minimal alterations. Consider the microchip in your car or the encryption schemes that protect passports. There have already been cases in which unknown bad actors stole large batches of encrypted data, possibly to be hoarded and decrypted later using future technology.
Data breaches can go undiscovered. Any data not encrypted using quantum-safe standards today should be considered already lost.
IBM has been a leader in cryptography for decades and is now the global leader in both quantum-safe cryptography and responsible quantum computing. We draw on our deep cryptographic and quantum expertise to position clients to capitalize on the quantum future and navigate it safely.
The individualized IBM Quantum Safe™ program supports clients as they map out their existing cybersecurity and begin to upgrade it for the era of quantum computing. That mapping alone is an important exercise. Most organizations do not have a complete view of what data they hold, where it is most vulnerable or how it is protected. Organizations that go through this process gain better control of their cybersecurity systems and see that their cybersecurity systems become more agile. This positions them to adapt more quickly to future events.
Securing the world’s digital infrastructure for the era of quantum computing.
Quantum computers make most of the world's existing encryption algorithms obsolete. IBM developed many of the foundational technologies that will secure the world in the quantum era. It now offers the tools and services needed to implement them.
IBM Guardium® is a family of data security software in the IBM portfolio that uncovers vulnerabilities and protects sensitive on-premises and cloud data.
IBM Z® is a family of modern infrastructure that runs enterprise operating systems and IBM Z systems software.
Quantum computing is an emergent field of cutting-edge computer science harnessing the unique qualities of quantum mechanics to solve problems beyond the ability of even the most powerful classical computers.
Learn why companies and institutions are partnering with IBM for quantum computing innovation.
Quantum cryptography (also known as quantum encryption) refers to various cybersecurity methods for encrypting and transmitting secure data based on the naturally occurring and immutable laws of quantum mechanics.
Encryption is the process of transforming readable plaintext into unreadable ciphertext to mask sensitive information from unauthorized users.
A qubit, or quantum bit, is the basic unit of information used to encode data in quantum computing and can be best understood as the quantum equivalent of the traditional bit used by classical computers to encode information in binary.
Supercomputing is a form of high-performance computing that determines or calculates by using a powerful computer, a supercomputer, reducing overall time to solution.