Quantum Safety Principles for Technical Professionals

🚨𝗬𝗼𝘂’𝗿𝗲 𝗣𝗿𝗼𝘁𝗲𝗰𝘁𝗶𝗻𝗴 𝗗𝗮𝘁𝗮 𝗳𝗼𝗿 𝘁𝗵𝗲 𝗣𝗮𝘀𝘁, 𝗡𝗼𝘁 𝗳𝗼𝗿 𝘁𝗵𝗲 𝗤𝘂𝗮𝗻𝘁𝘂𝗺 𝗙𝘂𝘁𝘂𝗿𝗲 Your data may already be compromised. You just don’t know it yet. Most security strategies assume yesterday’s threats. Quantum changes the timeline, not just the technology. Quantum computing doesn’t need to exist at scale to break today’s security. 'Harvest now and Decrypt later has already changed the risk equation. This paper by Mastercard is a wake-up call for #governments, #enterprises, #CISOs and #boards preparing for a post-quantum world. 𝗧𝗵𝗲 𝗞𝗲𝘆 𝗜𝗻𝘀𝗶𝗴𝗵𝘁𝘀 𝗨𝗻𝗱𝗲𝗿𝘀𝘁𝗮𝗻𝗱𝗶𝗻𝗴 𝘁𝗵𝗲 𝗤𝘂𝗮𝗻𝘁𝘂𝗺 𝗧𝗵𝗿𝗲𝗮𝘁 The real risk is time. • Encrypted data can be stolen today and decrypted later • Long-life data (health, defence, IP, identity) is most exposed • Quantum resource estimates show this is not theoretical anymore 𝗧𝗿𝗮𝗻𝘀𝗶𝘁𝗶𝗼𝗻𝗶𝗻𝗴 𝘁𝗼 𝗤𝘂𝗮𝗻𝘁𝘂𝗺-𝗦𝗮𝗳𝗲 𝗦𝘆𝘀𝘁𝗲𝗺𝘀 Risk management must start before quantum arrives. • Crypto agility is now a strategic requirement • Post-Quantum Cryptography (PQC) emerges as the most scalable path • Quantum safety is about migration planning, not last-minute swaps Security teams must plan for years, not upgrades. 𝗠𝗮𝗻𝗱𝗮𝘁𝗲𝘀 & 𝗥𝗲𝗴𝘂𝗹𝗮𝘁𝗶𝗼𝗻𝘀 𝗔𝗿𝗲 𝗖𝗮𝘁𝗰𝗵𝗶𝗻𝗴 𝗨𝗽 Governments are already moving. • Global mandates now require quantum-safe migration plans • Clear guidance is emerging on PQC vs QKD use cases • Public sector action will soon cascade into enterprise obligations • Compliance pressure will arrive faster than most expect. 𝗣𝗲𝗿𝗳𝗼𝗿𝗺𝗮𝗻𝗰𝗲 & 𝗜𝗺𝗽𝗹𝗲𝗺𝗲𝗻𝘁𝗮𝘁𝗶𝗼𝗻 𝗥𝗲𝗮𝗹𝗶𝘁𝘆 Quantum-safe doesn’t mean business-safe by default. • PQC algorithms vary widely in performance impact • TLS needs redesign, not patching • Hybrid approaches are becoming the practical bridge strategy • Security teams must balance safety, latency, and scale. 𝗣𝗤𝗖 𝗠𝗶𝗴𝗿𝗮𝘁𝗶𝗼𝗻 𝗜𝘀 𝗮 𝗣𝗿𝗼𝗴𝗿𝗮𝗺𝗺𝗲, 𝗡𝗼𝘁 𝗮 𝗣𝗿𝗼𝗷𝗲𝗰𝘁 Migration is the hardest part. • Inventory cryptographic assets first • Prioritise systems with long data retention • Test, phase and monitor continuously • There is no “one-and-done” quantum fix. 𝗞𝗲𝘆 𝗧𝗮𝗸𝗲𝗮𝘄𝗮𝘆𝘀 ✅ Quantum risk is a present-day governance issue ✅ Waiting for quantum computers is already too late ✅ PQC migration will define future cyber resilience ✅ Security leaders must act before regulators force the move 𝗕𝗼𝘁𝘁𝗼𝗺 𝗟𝗶𝗻𝗲 Quantum security is no longer about cryptography. It’s about foresight, governance, and timing. Those who migrate early will set the standard and who delay will inherit the risk. 👉 If data is harvested today, when does the liability actually begin? #Quantum #QuantumSecurity #PostQuantumCryptography #CyberRisk #AIandQuantum #Governance #CISO #Board #DigitalTrust #TechforGood

Recent research from Shanghai University demonstrated quantum annealing attacks on RSA encryption. But here's what you really need to know about our quantum-ready future: The Current Landscape: - NIST finalized quantum-resistant standards - Two approved signature methods: ML-DSA & SLH-DSA - One key exchange method: ML-KEM - DWave quantum annealer cracked 50-bit RSA 🔍 Breaking Down Our Quantum-Safe Tools: 1. ML-DSA (Dilithium) - The "speed champion" for signatures - Efficient for most enterprise uses - Smaller signatures than alternatives - Based on lattice cryptography - Already being implemented by Google 2. SLH-DSA (SPHINCS+) - The "security champion" - Incredibly small keys (32-64 bytes) - Larger signatures (17KB) - Based on hash functions - Perfect for high-security needs 3. ML-KEM (Kyber) - The future of secure key exchange - Replacement for current RSA/DH - Strong performance characteristics - Currently being tested in Chrome The Reality Check: - Current 2048-bit RSA remains safe... for now - Quantum capabilities doubling every ~6 months - "Harvest now, decrypt later" attacks are real - We have standards - implementation is key 🎯 Smart Next Steps for Leaders: 1. Identify systems using pre-quantum crypto 2. Plan for larger signature storage needs 3. Consider hybrid classical/quantum-safe approaches 4. Build quantum-safe requirements into new projects 5. Watch market leaders' implementation strategies Why This Matters: - Quantum computing access is expanding - Standards are set - action is needed - Early adoption = competitive advantage - Security compliance will require updates The Bottom Line: We're not facing a quantum apocalypse, but we are in a critical transition period. The organizations that thrive will be those that understand quantum isn't just coming - it's already being built into tomorrow's security standards. 💭 Questions for Leaders: - How are you planning your quantum-safe transition? - Have you identified your most vulnerable systems? - Which NIST standard aligns with your security needs? #Cybersecurity #QuantumComputing #Encryption #InfoSec #TechLeadership

Quantum computing is advancing rapidly, bringing unprecedented processing power that threatens traditional encryption methods. The "collect now, decrypt later" strategy underscores the urgency of preparation, adversaries are already harvesting encrypted data with the intent to decrypt it once large-scale quantum computers become viable. Fortinet is leading the way in quantum-safe security, integrating NIST PQC algorithms, including CRYSTALS-KYBER, into FortiOS to safeguard data from future quantum-based attacks. "A recent real-world demonstration by JPMorgan Chase (JPMC) showcased quantum-safe high-speed 100 Gbps site-to-site IPsec tunnels secured using QKD. The test was conducted between two JPMC data centers in Singapore, covering over 46 km of telecom fiber, and achieved 45 days of continuous operation." "The network leveraged QKD vendor ID Quantique for the quantum key exchange, Fortinet’s FortiGate 4201F for network encryption, and FortiTester for performance measurement." This is not just a theoretical concern, organizations are already deploying quantum-safe encryption solutions. As quantum computing capabilities advance, organizations must adopt quantum-resistant security architectures and take proactive steps now to safeguard their sensitive information against future quantum-enabled attacks. These proactive methods include: -adopting hybrid cryptographic approaches, combining classical and PQC algorithms, ensuring interoperability and a phased transition -implementing crypto-agile architectures, for seamless updates to encryption mechanisms as new quantum-resistant standards emerge -leveraging PQC capable HSMs and TPMs -evaluating network security architectures, such as ZTNA models -ensuring authentication and access controls are resistant to quantum threats. -identifying mission-critical and long-lived data, that must remain secure for decades. -implementing sensitivity-based classification, determine which datasets require the highest level of post-quantum protection. -conducting risk assessments to evaluate data exposure, storage locations, and current encryption standards. -transitioning to quantum-resistant encryption algorithms recommended by NIST’s PQC standardization efforts. -establishing data-at-rest and data-in-transit encryption policies, mandate use of PQC algorithms as they become available. -strengthening key management practices -developing GRC frameworks ensuring adherence to post-quantum security. -implementing continuous cryptographic monitoring to detect and phase out vulnerable encryption methods. -enforcing regulatory compliance by aligning with emerging PQC standards. -establishing incident response plans to handle quantum-driven cryptographic threats proactively. Fortinet remains committed to pioneering quantum-safe encryption solutions, enabling organizations to stay ahead of emerging cryptographic threats. Read more from Dr. Carl Windsor, Fortinet’s CISO!

The imperative to prepare for the transition to quantum-safe cryptography doesn't necessarily mean an immediate switch. Consider these two critical aspects: ☝ Complexity of Cryptographic Algorithm Transition: Transitioning cryptographic algorithms is a complex undertaking. A quick examination within your organization or with your service providers may reveal the use of obsolete algorithms like SHA-1 or TDEA. For example, the payment card industry still employs TDEA, despite its obsolescence was announced in 2019. It's essential to enhance your organization's cryptography management capabilities before embarking on the transition to quantum-safe cryptography. ✌ Scrutiny Required for New PQC Algorithms: The new Post-Quantum Cryptography (PQC) algorithms are relatively recent and warrant careful examination. Historically, we have deployed cryptographic algorithms on a production scale only after several years of existence, allowing comprehensive scrutiny. While PQC standardization offers some security assurances, it doesn't cover the software implementations deployed in your environment. Consider employing phased deployments and hybrid implementations to avoid compromising the existing security provided by classical cryptography. Recent news, as mentioned in this article, highlights the immaturity of implementations of new PQC algorithms. While the title might be somewhat misleading, it's crucial to recognize that occasional flaws in implementations, like those found (and solved) in various instances of Kyber, serve as reminders. As we transition to these new implementations, we must first gain control over our cryptography. Here's a suggested action plan: 🚩 Cryptography Management: Prioritize gaining control over your cryptography. 🚩 Understanding Quantum-Safe Cryptography: Familiarize yourself with the development of quantum-safe cryptography. 🚩 Transition Plan Preparation: Follow recommendations to prepare a comprehensive transition plan. Some of my favourite resources are: - Federal Office for Information Security (BSI)'s "Quantum-safe cryptography" (https://lnkd.in/dqkSAQSP) - Government of Canada CFDIR's "BEST PRACTICES AND GUIDELINES" (https://lnkd.in/d-w_Nbfj) - National Institute of Standards and Technology (NIST)'s "Migration to Post-Quantum Cryptography" (https://lnkd.in/dYMKnqBb) 🚩 Decision-Making: Make informed decisions based on the acquired knowledge. In summary, a thoughtful and phased approach is key to ensuring a smooth transition to quantum-safe cryptography. https://lnkd.in/dxAgF2ac #cryptography #quantumcomputing #security #pqc #cybersecurity

Quantum computing is moving from "science fiction" to "business reality" faster than most predicted. Two recent papers have fundamentally shifted the timeline for when we need to care about Quantum-Safe security: 1️⃣ The "10,000 Qubits" Milestone: New research shows that we can execute Shor’s algorithm—the math that breaks today’s encryption—with far fewer resources than previously thought. By using reconfigurable atomic qubits, the hardware requirements for cracking RSA-2048 have dropped by nearly 20x. 2️⃣ The "9-Minute" Crypto Warning: Google’s latest whitepaper highlights a terrifying reality for digital assets. Under advanced quantum scenarios, the encryption protecting a cryptocurrency wallet could be cracked in under 10 minutes. This puts billions in "dormant" assets at immediate risk of "at-rest" attacks. The Bottom Line: The "Q-Day" window is shrinking. It’s no longer about if a quantum computer can break your encryption, but when your current migration timeline will run out. How do we respond? We can't just flip a switch on "Q-Day." For many organizations, becoming quantum safe is a multi-year journey. This is where Palo Alto Networks Quantum-Safe Security comes in. Instead of a manual, multi-year overhaul, we provide a path to Agentic Resilience: - Continuous Discovery: It automatically maps your "cryptographic bill of materials" (CBOM), identifying exactly where vulnerable RSA and ECC algorithms are hiding in your network. - Risk Prioritization: It correlates your encryption strength with business criticality, telling you exactly which high-value assets need to move to Post-Quantum Cryptography (PQC) first. - Real-Time Remediation: For legacy systems that can’t be easily upgraded, a "Quantum-Safe Proxy" re-encrypts vulnerable traffic into post-quantum algorithms (like ML-KEM) at the network edge. The transition to a quantum-safe future is a marathon, but the starting gun has already fired. Learn how to take your first steps at the link in the comments.

🔐Europol PRIORITISING POST-QUANTUM CRYPTOGRAPHY MIGRATION ACTIVITIES IN FINANCIAL SERVICES ⚛️As post-quantum cryptography (PQC) becomes integrated into mainstream information technology (IT) products and services, financial services institutions must begin to execute their transition strategies. This document provides actionable guidelines to incorporate quantum safety into existing risk management frameworks by assessing the ‘Migration Priority’ based on the ‘Quantum Risk’ and ‘Migration Time’ of business use cases and highlighting opportunities for immediate execution. ⚛️A critical first step is to inventory all business use cases that rely on public key cryptography. This inventory enables the creation of a prioritised transition roadmap by assessing the Quantum Risk of each use case based on three parameters: 🟣 Shelf Life of Protected Data: How long the data remains sensitive. 🟣 Exposure: The extent to which data is accessible to potential attackers. 🟣 Severity: The business impact of a potential compromise. ⚛️When the Quantum Risk is assessed, organisations can prioritise actions based on each use case’s Migration Time, i.e., the complexity and timeline required to achieve Quantum Safety for a use case. As part of this activity, organisations will identify, for instance, actions that can be launched immediately and the use cases that require coordination with long-term asset lifecycles. 🟣 Solution Availability: Maturity of PQC standards, and their general availability in products and services. 🟣Execution Cost: The effort, cost, and complexity of implementing the quantum-safe solutions within the organisation. 🟣 External Dependencies: Execution complexity due to coordination required with third parties and their transition roadmaps (standardisation bodies, vendors, peers, regulators, and customers). ⚛️Examples of use cases that financial organisations can begin implementing today include: 🟣 Integration of post-quantum requirements into the long-term roadmap for hardware-intensive use cases aligned with financial asset lifecycles. 🟣 Enhancement of confidentiality protection for transactional websites. 🟣Identification and elimination of cryptographic antipatterns to reduce future technical debt. ⚛️These are examples of how financial institutions can take timely, structured steps toward an efficient and forward-looking transition to post-quantum cryptography. https://lnkd.in/d4qiS6X9

PwC’s analysis of #quantum #computing #cybersecurity #risk underscores that quantum technologies represent one of the most significant emerging threats to modern #digital security, primarily due to their ability to undermine current cryptographic systems. T oday’s encryption methods—used to secure financial transactions, communications, identity systems, and critical infrastructure—are fundamentally vulnerable to future quantum capabilities. Once sufficiently advanced, quantum computers could decrypt sensitive data at scale, exposing organizations across all sectors to systemic risk. A key concern highlighted is the exposure of both data in transit and data at rest, including long-lived sensitive information such as healthcare records, intellectual property, and government data. This risk is amplified by the “harvest now, decrypt later” threat model, where adversaries collect encrypted data today with the intention of decrypting it once quantum capabilities mature. PwC emphasizes that quantum risk is not a distant issue but a current strategic concern, given the long timelines required to transition to quantum-resistant security. Migration to post-quantum cryptography is expected to be complex, resource-intensive, and multi-year, requiring early planning, investment, and coordination across enterprise systems and external ecosystems. The firm outlines several priority actions. Organizations must first conduct cryptographic discovery and risk assessments to understand exposure. They should then develop roadmaps for adopting quantum-safe encryption, while ensuring crypto-agility to adapt as standards evolve. Engagement with vendors, regulators, and industry partners is also critical, as quantum risk spans entire digital supply chains. PwC frames quantum cybersecurity as a #board-level and #enterprise-wide transformation challenge, not merely a technical upgrade. Early movers can strengthen digital #trust and #resilience, while delayed action increases the likelihood of operational disruption, regulatory exposure, and long-term data compromise in the quantum era.

I've given talks about Post Quantum Cryptography the past few years and pretty much everyone has appreciated the heads up, for those that haven't made it to a talk here are the highlights of what you need to do to prepare for Quantum Computers. 1) Build organizational readiness: • Educate and align the C-suite on the urgency of quantum risk and make the business case for a multi-year investment, i.e. get budget. • Identify personnel responsible for migration execution across different teams, i.e. assign a point person for this project. 2) Discover what you have and assess if the systems are ready: • Get an inventory of you hardware and software assets to identify encryption protocols and categorize them (PQ ready, depreciated, really old). • Assess whether hardware assets have sufficient compute to support PQC algorithms (most systems will but the OS might not be ready) • Figure out which systems will require upgrades or replacements. • Identify vendors and partners that you use and discuss their PQC roadmaps, migration support capabilities. [This one is key, talk to your vendors, find out what they are doing, or not doing!] 3) Begin getting Quantum ready • Buy the hardware / software and replace or upgrade whatever does not support PQ cryptography • Test things! Run proof-of-concept deployments in controlled environments (i.e. your test environment) and use a hybrid approach that combine current and post-quantum algorithms. 4) Deploy Quantum ready solutions • Roll out your solutions / new hardware & software in phases, starting with your high priority systems (Duh). • Ensure configurations enforce quantum-safe algorithms by default and automatically block deprecated algorithms when possible (this will be harder than you might think). • Update your security policies to manage both current and quantum-safe network traffic as you transition. • For the old stuff you can't get rid of, use proxy solutions to make IoT devices (like hospitals, manufacturing, etc.) quantum-ready until they can be updated directly. Last but not least, be prepared to change encryption schemes going forward, what we call, Crypto Agility. 5) Keep patching your stuff • Now that you have a list of your hardware and software and what kind of encryption is uses, do this: • Monitor your inventory for vulnerabilities or new threats. Keep in mind that PQ standards are new and they will likely change over time. • Establish a process to replace or update vulnerable algorithms There, you've now just read my talk, but you missed all my jokes and fun stories, but you got the details / important take aways. 😃 😁 😀 If you want the Internal Control Questionnaire (#ICQ) I put together for some auditor friends, message me here and I'll send it to you.

India’s National Quantum Mission, the Government has laid down a roadmap for a quantum-safe ecosystem, openly acknowledging an inconvenient truth: the cryptography securing banking, digital identity, telecom networks, and critical infrastructure has a limited shelf life. The real danger isn’t tomorrow’s quantum computer. It’s today’s data being harvested for tomorrow’s decryption. This is the classic “Harvest Now, Decrypt Later” risk and it means sensitive data is already at stake, silently. This is not a routine security patch. It’s a national resilience strategy. What the roadmap gets right: Cryptographic asset discovery You can’t protect what you can’t see. Inventory crypto usage and quantify quantum exposure. Crypto-agility by design Systems must switch algorithms and keys without breaking business. Hard-coded crypto is technical debt. PQC & hybrid pilotsnow, not later Finance, telecom, defence, and government cannot afford a “wait and watch” approach. Testing, certification, regulation Quantum safety must move out of labs and into audited, certified deployments. Phased migration with urgency Critical infrastructure migrates first. Everyone else follows, on a clock, not a comfort zone. Bottom line: Quantum preparedness will soon be judged the way we judge data protection today, not as innovation, but as baseline responsibility. Those who start early will migrate calmly. Those who delay will migrate under crisis. #quantumcomputing #dpdpa #it #AI #cybersecurity #publicpolicy #policy #cryptography #blockchain #infosec #cloud #isms #GRC #startup #law #leadership #innovation

𝗦𝘁𝗶𝗹𝗹 𝗿𝘂𝗻𝗻𝗶𝗻𝗴 𝗼𝗻 𝗰𝗿𝘆𝗽𝘁𝗼𝗴𝗿𝗮𝗽𝗵𝘆 𝗳𝗿𝗼𝗺 𝘁𝗵𝗲 90𝘀? 𝗤𝘂𝗮𝗻𝘁𝘂𝗺 𝗰𝗼𝗺𝗽𝘂𝘁𝗲𝗿𝘀 𝘄𝗼𝗻’𝘁 𝘄𝗮𝗶𝘁 𝗳𝗼𝗿 𝘆𝗼𝘂𝗿 𝘂𝗽𝗴𝗿𝗮𝗱𝗲. Most organizations rely on cryptographic systems that were designed decades ago. Back then, they were cutting-edge. Today? They’re a ticking time bomb. Quantum computers capable of breaking modern encryption could be here in 5–15 years. That might seem far away, but the risks are already piling up: → Hackers are "harvesting now, decrypting later." → Cryptographic vulnerabilities are exposing sensitive data. → Compliance and operational risks are growing. The solution? Build a cryptographic inventory-a golden source of truth for your organization’s cryptographic assets. Here’s how it helps: ✔️ Identify vulnerabilities in keys, certificates, and protocols. ✔️ Prioritize risks based on your business context. ✔️ Prepare for the shift to post-quantum cryptography (PQC). ✔️ Strengthen compliance and reduce exposure. But here’s the key lesson: You can’t protect what you don’t know you have. Automation can help map your cryptographic infrastructure, but expert oversight is critical. Cryptography is now a core part of your business’s resilience-it needs to be treated as such. What can you do today? 1. Assign a C-level executive to oversee cryptographic risk. 2. Start discovering your cryptographic assets with available tools. 3. Begin planning your transition to quantum-safe cryptography. Cryptographic risk isn’t just a technical issue. It’s a business imperative. A robust inventory enhances trust, reduces financial exposure, and ensures your organization is prepared for the quantum era. Still managing your digital infrastructure without knowing your cryptographic weak points? The cost of waiting could be enormous. Let’s start preparing. Authors and contributors. Leon Molchanovsky (Very Quantum) Alejandro Rodríguez-Pardo Montblanch Philip Intallura Ph.D Taher Elgamal Nagi Moustafa Vladimir Soukharev, Ph.D. Julien Probst Peter Armstrong Stefano Lindt Blair Canavan Jennifer Nuttall