What we do
TCS Research
TCS Research: Inventing to build sustainable futures
Highlights
- Quantum computing is becoming a real-world concern, with cybercriminals stealing encrypted data knowing they’ll be able to break it in the future.
- NIST’s post-quantum standards offer a foundation for enterprises to stay resilient, but they must also build crypto-agile systems to be future-ready.
- Sectors like finance, defence, and healthcare that deal with sensitive data are highly vulnerable.
- For a successful post quantum cryptography (PQC) migration, enterprises must identify high-risk areas, prioritise remediation efforts, select optimal solutions, and adopt a guided implementation approach.
On this page
On this pageinpage
Quantum threat to cybersecurity
Quantum computing has evolved from academic research to having real-world implications for businesses. Enterprise security thrives on a foundation of robust cryptography, which is embedded in the digital infrastructure of organisations and helps them protect sensitive data. However, once quantum computers become viable, they will be able to break existing cryptographic algorithms used in public key encryption methods such as Rivest-Shamir-Adleman (RSA) and elliptic curve cryptography (ECC).
Recent developments in quantum computing are forcing enterprises to take note. There is a sense of urgency reflected in the growing use of the term Y2Q or years to quantum, which refers to the countdown to when quantum computers will become capable of breaking into classical cryptographic encryption. Experts believe that cryptographically relevant quantum computers could become available in the next 5-15 years. However, this does not mean enterprises have time to wait.
Cybercriminals’ quantum bet
Cybercriminals are already engaging in harvest now, decrypt later (HNDL) attacks, where they capture ciphertext and its associated metadata and archive it for long-term storage. Attackers can then use a quantum computer to derive the session or private keys from the recorded data and decrypt the communications.
When quantum computing starts to be implemented on a large scale, it will pose significant challenges to the current cryptographic systems. Shor’s algorithm can rapidly factor large numbers, something that classical algorithms are unable to do. And this gives hackers the upper hand in cracking the RSA and ECC encryption systems. In addition, Grover’s algorithm is a significant improvement over classical search algorithms and has the ability to break traditional encryption methods.
Cryptography is one of the main defences we have against cybercriminals. But quantum computing could pierce through those defences, and as a consequence, there could be a significant breakdown of trust in our current systems. Industries such as banking, healthcare, defence, and energy could be severely impacted. Enterprises that do not take swift action will be at risk of losing customer confidence and of regulatory compliance failures. Therefore, they must develop a roadmap to assess risk, prioritise remediation, and transition to quantum-resilient systems.
NIST guardrails to counter the threats
The National Institute of Standards and Technology (NIST) has finalised its first set of post-quantum cryptographic algorithms and set timelines to transition to the new standards. Existing algorithms such as elliptic curve digital signature algorithm (ECDSA), Edwards-curve digital signature algorithm (EdDSA), and RSA will be deprecated by 2030 and then disallowed by 2035.
The regulatory body has also formally standardised quantum-safe algorithms. Kyber enables key encapsulation for secure data transmission, while Dilithium and FALCON provide digital signatures for identity verification. And Sphincs+ offers stateless, hash-based signatures for long-term security needs such as secure backup. However, these algorithms are also being tested for inherent security vulnerabilities, and the efforts to strengthen them are evolving constantly.
Adopting NIST standards is an imperative. Enterprises need to secure their digital infrastructure and establish flexibility in their cryptographic infrastructure, apart from ensuring compliance to NIST standards. Crypto agility means that a system can easily switch to a new algorithm if newer standards are established or new threat vectors arise.
Crypto agility is key to resilience, helping organisations protect data, ensure compliance, and maintain business continuity. Those that future-proof their cryptographic systems today will gain a critical competitive advantage tomorrow.
Risks and industry challenges
Certain industries are at a higher risk from quantum algorithms as their data has a longer shelf life.
- Government and defence: National security data, defence strategies, and information about critical infrastructure are prime targets for HNDL attacks. A breach could pose risks to national security and public safety. Exposure of covert missions, troop movements, or intelligence-gathering methods could weaken a country’s defences.
- Banking: Transaction data, financial histories, and customer identities stored for years could be compromised. Data breaches in recent years have affected millions, exposing sensitive data like social security numbers and financial information.
- Insurance: Sensitive customer data, financial records, and claims information are vulnerable to breaches. The lack of products that provide protection against quantum attacks could leave customers uninsured.
- Life sciences: Medical research data and patient records are prime targets for HNDL attacks. If these are exposed, they could lead to patient harm and loss of intellectual property. Data breaches could also trigger compliance violations under the Health Insurance Portability and Accountability Act or other frameworks.
- Power utilities: Industries such as power utilities are vulnerable to a cascading flow of damage that can cut across many other sectors and critical infrastructure. Compromised utilities could bring down sectors such as banking, finance, travel and transportation, and retail.
Barriers to PQC migration
Despite the growing urgency, most organisations are not ready for the transition to post-quantum cryptography. They face several hurdles at each stage in their journey.
- Hidden vulnerabilities: Cryptographic vulnerabilities are deeply embedded across systems. Locating and auditing them throughout an organisation is a highly complex task that is also resource- and time-intensive.
- Application prioritisation: Identifying the most vulnerable and business-critical applications requires deep cross-functional analysis. Applications are often connected, and new code in one area can break code in other areas.
- Fragmented standards: For most organisations, there are a number of post-quantum libraries to choose from. Selecting the right fit of algorithms for each use case can be a difficult task.
- Migration risks: Transitioning at scale introduces new risks within organisations. Any misstep can expose systems to additional vulnerabilities.
- Cost and resource burden: Moving to a quantum-safe infrastructure demands significant investment in tools, skills, and time. Managing to achieve this with uncertain timelines creates challenges. Further, quantum-resilient algorithms are computationally expensive and may need specialised hardware.
Overcoming these challenges calls for an intelligent, adaptable, and enterprise-aligned approach towards migration.
A practical framework for quantum migration
To navigate the complex transition to post-quantum cryptography, enterprises must adopt a strategic approach. We recommend a four-pillar framework that can help translate complex technical requirements into an actionable migration roadmap.
- Identify high-risk areas: Pinpoint areas where the most vulnerable cryptographic assets are located across the IT infrastructure.
- Prioritise remediation efforts: Prioritise and manage the applications that require immediate quantum-safe upgrades.
- Select optimal libraries: Select quantum-safe libraries, aligned with both organisational and application-level goals such as performance, security and compliance.
- Remediate with crypto agility: The aim should be to address future vulnerabilities of PQC algorithms.
Focus areas for migration
During a migration, enterprises must especially focus on three areas that require complex decision making:
Risk assessment: Enterprises use thousands of applications that are vulnerable to quantum attacks. Their IT landscape is so intricate that humans will not be able to accurately analyse and diagnose risks associated with applications just by analysing their architecture. The application context and metadata, data content, and organisational standards must be considered. Without a clear understanding of the risks, stakeholders cannot prioritise the migration of these applications to a quantum-safe state. Unlike other kinds of risk scoring, quantum threats need a special framework flexible enough to adapt to the technical landscape of an enterprise. It should also provide granular details of each factor’s contribution to the overall risk score to enable the enterprise to make decisions about the mitigation approach.
Recommendation system: After the initial stages of assessing quantum vulnerabilities and conducting a migration prioritisation comes the complex task of migrating the applications to a quantum-safe state. Enterprises must be aware of vulnerabilities that may creep in during the transition, as the underlying system of systems could throw up new threat surfaces. Migrating the applications involves replacing the existing cryptographic APIs with suitable, quantum-safe cryptographic APIs. There is a plethora of quantum-safe libraries with disparate performance characteristics such as memory, storage, and CPU requirements. In general, quantum-safe APIs are performance-intensive, which presents a challenge. Application owners must make informed decisions to select the best option that would have no impact on the non-functional requirements (NFR) of the application. However, this is a complicated process. Enterprises have multiple applications, with different programming languages and architectures. To comply with NIST standards, enterprises must choose the most optimal quantum-safe library, which is a complex problem and is impossible to solve manually in the absence of a robust recommendation engine. PQC recommendation is a complex process as different conflicting objectives (depending on NFRs of applications, performance characteristics of cryptographic libraries, crypto library availability, compliance to standards and interoperability and other factors) must be simultaneously optimised.
Remediation: Remediation is widely recognised as a highly complex phase across both research and enterprise communities. Complete automation is not feasible, and no universal solution exists due to the diversity of application types and dependencies.
To address this variability, applications can be categorised by remediation complexity. Each category would follow a tailored remediation recipe, supported by human-in-the-loop strategies to ensure accuracy and efficiency. An intelligent system would guide developers and engineers through the remediation process, offering contextual recommendations, effort estimations, and validation support, enabling a faster, cost-effective, and reliable migration.
The way forward
The transition to post-quantum cryptography is more than just a technological reinvention. Enterprises must treat it as a strategic transformation that will have an impact on areas such as data security, compliance with NIST standards, and business resilience. Making applications quantum safe will help businesses minimise threats from business disruption, data breaches, and financial loss. While it may still take take several years, enterprises must treat quantum preparedness as a C-suite imperative, embedding it into digital transformation roadmaps. The winners of tomorrow will be those who act today, establishing resilient, compliant, and secure cryptographic foundations ahead of the curve.