Challenges of deploying PQC globally

As big as Y2K

According to Moody’s, the ability to break asymmetric encryption could have profound repercussions on e-commerce. Pointing to the US International Trade Administration projections, Moody’s reported that global e-commerce is set to grow to $41.7tn a year by 2027.

“If there is a loss of trust in online transactions, these flows would be at risk. Air traffic systems and GPS signals could also be manipulated, risking lives. The ability to break this encryption could also imperil companies’ intellectual property as well as governments’ classified documents,” the Moody’s report warned.

Moody’s also noted that the transition to PQC is likely to take a long time and will also be extremely expensive. It estimated that implementing new cryptographic standards across devices could take 10 to 15 years due to operational challenges. While the cost of the transition is hard to estimate, it said that parallels can be drawn with the expensive, large-scale efforts required to address the Y2K bug.

If Europe and the UK want to direct their own quantum funding efficiently and build public confidence in PQC, they need a clear and well-communicated strategy that reaches startups, the public sector and other key stakeholders

For instance, as Moody’s pointed out, some devices are in hard-to-reach places, such as satellites in orbit, and some types of hardware, such as in cars and cash machines, are difficult to update. Its report referenced data from US officials that shows implementing a new cryptographic standard in devices widely could take 10 to 15 years.

Beyond the challenges of a wide-scale roll-out of PQC, implementing the new encryption standards may prove very difficult, as Roberta Faux, field chief technology officer at Arqit and former NSA cryptographer, explained.

“We are still in the early stages of a fast-moving industry, and unfortunately even the secure implementation of these standards will be a difficult process,” she said. “These aren’t ‘drop-in’ solutions. As we migrate systems, we will find all kinds of interoperability issues, alongside the plethora of vulnerabilities and downtime that come from making systems more complex. It’s a long-term project with a lot of uncertainty.”

However, Moody’s noted that the rapid deployment of PQC by some key technology and internet infrastructure companies would speed up protections for swathes of users.

Global adoption

Questions are also being raised over whether the UK and Europe should adopt the NIST standards. Faux said the German and French governmental cyber security agencies are shying away from endorsing the NIST post-quantum key exchange.

Ekaterina Almasque, general partner at early-stage tech venture capital firm OpenOcean, said: “Europe must take the lead in post-quantum cryptography standards, not just ride on the US’s coattails. That requires strategic thinking.”

Almasque said the US government has already communicated to companies working on sensitive projects that they may soon be required to use quantum encryption algorithms. “If Europe and the UK want to direct their own quantum funding efficiently and build public confidence in PQC, they need a clear and well-communicated strategy that reaches startups, the public sector and other key stakeholders,” she added.
 
“While Europe and the EU’s diversity is a strength, it could easily become a vulnerability if we don’t introduce a cohesive quantum strategy that ensures all member states are aligned in their quantum defences.”

There appears to be wide industry consensus around the new NIST PQC standards. However, as Arqit’s Faux points out, some quantum cryptography experts like Michele Mosca have raised concerns that the lattice algorithms on which NIST has based its PQC encryption standards may be broken within a decade.