Thomas Watson, president of IBM in 1943, somewhat infamously said, “I think there is a world market for maybe five computers.” Though even the most astute of us can make egregiously incorrect forecasts about the future, this is a habit that the technologically minded are hoping to break in preparation for a world – not that far away – that features Quantum Computing by getting their plans for Post-Quantum Cryptography in place now.

What is Post-Quantum Cryptography (PQC)?

Though Quantum Computers are still in development, the fact of their existence is expected within 10 to 15 years – even less than that if there are significant technological breakthroughs that hasten the process. Much more powerful than their classical counterparts, Quantum Computers harness quantum phenomena like superposition and entanglement to work much, much faster.

The result? Computers that pose a very severe threat to your previously safely encrypted data.

Post-Quantum Cryptography (PQC) aims to solve this by putting quantum-safe encryption in place now. Think of it like the Semmering Railway, the first railway that was built across the alps. When construction began in 1848, there was not a locomotive in existence capable of making the journey, but they built it knowing that there soon would be.

Why Are SSL Certificates Affected?

Secure Sockets Layer (SSL) is a security technology used to set up an encrypted connection between a server and a client. Data is encrypted during transmission by an HTTPS protocol, after which there is one of two options:

1. If a secure connection is established between the domain server and the site user, the data of the user cannot be intercepted by a third party.
2. If the secure connection is interrupted, the SSL protocol is disabled.

SSL currently makes use of a combination of these four major common encryption standards:

• RSA (Rivest-Shamir-Adleman): this asymmetric encryption algorithm relies on the mathematical difficulty of factoring large prime numbers, and is used for secure data transmission.
• ECC (Elliptic Curve Cryptography): this asymmetric encryption method offers similar security to RSA, but is more efficient as it uses smaller key sizes.
• AES (Advanced Encryption Standard): this is a symmetric encryption standard, which is mostly used for securing data in transit and at rest. It comes in key sizes of 128, 192, and 256 bits.
• TLS (Transport Layer Security): this is a protocol that uses various encryption algorithms to secure communications over networks like the internet.

These encryption standards have been in use because classical computers would take anywhere between a thousand and a billion years – or even more – to crack these encryptions.

Quantum Computers, depending on their size and power, might only need minutes.

Furthermore, your information is at risk even now – some data can remain relevant for many years, and cybercriminals could be stealing your information now in the hopes that Quantum Computers will be able to decrypt it later. This is known as Harvest Now, Decrypt Later – maybe not so important for this week’s stock movements, but certainly relevant when you consider access to long term investments, Bitcoin keys and the like.

What are the PQC Timelines and Current Standards?

In preparation for a Post-Quantum Computing world, the National Institute of Standards and Technology (NIST) has released a final set of encryption tools designed to withstand a Quantum Computer enabled cyberattack. These standards, which contain the codes for encryption algorithms, how to use them, and what they should be used for, are the result of the agency rallying cryptography experts from across the world to develop and present cryptographic algorithms that could stand up to Quantum Computers.

At this stage, four Quantum-Resistant encryption algorithms have been rolled out, each of which is used for one of two chief use cases – general encryption and digital signatures:

• ML-KEM (formerly CRYSTALS-Kyber): for general encryption used to secure websites, due to its speed of operation and comparatively small encryption keys.
• ML-DSA (formerly CRYSTALS-Dilithium): for digital signatures used to verify identities – NIST also recommends this as the primary algorithm.
• FALCON: also for digital signatures used to verify identities, but used for when smaller signatures than ML-DSA can provide are appropriate.
• SLH-DSA (formerly SPHINCS+): said to be relatively larger and slower than the other two, though also for digital signatures used to verify identities, this algorithm has been selected as a backup because it’s based on a different mathematical approach.

The real-world deployment of PQC-ready certificates is likely to be a process that takes years, though high-risk cases will most likely be prioritized for migration by 2030.

Because PQC implementation won’t happen overnight, the best approach right now is to have a combination of certificates, making use of both classical and PQC algorithms as a practical, interim step towards PQC readiness.

This kind of crypto-agility, in that you should be able to switch algorithms with minimal disruption, allows for not only a gradual migration, but also testing to ensure that nothing goes wrong or gets lost during this process.

What Should Businesses Do Now?

Adopting a step-by-step approach to the PQC transition is the most strategic way to ensure that your business is not left wanting when it comes to quantum-safe encryption. Following the below guideline can be immensely helpful in preparing you for the transition:

1. Inventory and Audit:

Do an inventory of and audit your current cryptographic assets, such as keys and certificates. Assess your systems to determine which of them are critical, so that you can prioritize them for PQC upgrades.

2. Stop Gaps:

Consider adopting short-lived certificates for now, such as 1 year or even 90-day certificates. This will keep you protected during the transition phase without locking you into long term contracts that may become obsolete.

3. Get Help:

Think seriously about partnering with SSL providers like BrandShelter, who offer PQC transition support. We and others like us can help you to plan your transition, assist in the management and automation the lifecycle of PQC-ready certificates, and ensure that your systems can be adapted to meet the new PQC standards.

How Does BrandShelter Support the PQC Transition?

It’s important to note that, with the advent of PQC, the lifecycle of your SSL certificates are changing: instead of the previous need for renewal every 398 days, steps are being taken in the industry of moving towards a far shorter lifecycle of 47 days. There is a very good reason for this, namely that there will now be a much shorter time frame for attackers to make hay if your SSL certificate is compromised. Additionally, repeated verifications mean the risk of identity theft will be minimised, as will the potential for longer term harm.

The reasoning is sound, but this does mean that staying on top of SSL renewals is now even more necessary and far more frequent. BrandShelter offers expert support and tools for managing the SSL lifecycle, including options such as tracking when your renewals are due.

We may not know exactly when Quantum Computers will be available. But we do know that now is the best time to future-proof your digital security. By acting early, and not waiting for mandatory compliance to be enforced or disaster to strike, you can be assured that you and your business will be fully prepared for a Post-Quantum reality when it arrives.

Next Steps

The first step is understanding exactly where your current SSL and encryption setup stands. That’s why BrandShelter now offers a free SSL audit, giving you a clear picture of your existing certificates, their lifecycles, and any gaps that could leave you exposed in a quantum-ready world.

With that insight, we can help you build a tailored roadmap toward quantum-safe encryption – before the clock runs out.

Share article