Impact of Quantum Computing on Cryptography
By Dan Cuthbert, Head of Cybersecurity Research, and Jaime Gómez García, Head of Quantum Technologies, at Santander.
Executive summary
- The impact of quantum computing on cryptography poses a serious threat ⚠️ to the sustainability of a secure digital society.
- This risk could be realized when there is a sufficiently powerful quantum computer 🖥️, estimated throughout the 2030s if there is no acceleration in development; or before, due to the emergence of previously unidentified vulnerabilities, or improvements in classical cryptoanalysis.
- Cryptography management has traditionally been a complex, undermanaged issue. In general, companies 🧑💻 are not able to quickly modify their cryptographic algorithms.
- There is a great global 🌍 effort to standardize and adopt secure cryptography against quantum computing, as well as to improve cryptography management in organizations. This effort is also reflected in various regulations, which establish in 2025 the first milestones of improvement and transition.
- Santander addresses this risk with the “Santander Quantum Threat Program” and collaborates globally to support a safe transition of the financial 🏦 sector and society as a whole.
What is the risk?
The digital society can operate securely on the Internet thanks to the widespread use of cryptographic techniques. Every purchase 🛍️ we make, every message we send, every bank transaction 💳 we carry out… is protected by cryptography. Cryptography provides guarantees of authentication, integrity and confidentiality in our digital communications and processes.
The development of quantum computers, which can bring enormous advantages in numerous fields, poses a threat to cryptography. It is expected that throughout the 2030s , if not before, there may be a quantum computer capable of breaking fundamental algorithms of the cryptography used today to secure our communications, privacy and digital society in general.
This risk has led to the search for secure cryptographic alternatives to quantum computing to replace vulnerable algorithms. The main line of work in this regard is the standardization of postquantum cryptography led by the NIST (National Institute of Standards and Technology, USA 🇺🇸). This process, initiated in 2016, will publish new cryptographic standards in mid-2024 to replace current ones.
But the existence of replacement standards is only part of the solution. Some of the main challenges for adopting the new standards are:
🤯 Complexity: Replacing cryptographic algorithms is an extremely complex task that has traditionally taken years or even decades to complete. It is easy to find obsolete cryptographic algorithms in use in numerous industries.
⏳ Deadlines: The critical path of the transition project is marked not only by the length of the migration process, but also by the time during which information must be kept secure. For example, chips that are installed in a car that may be circulating within 15 years should consider the risk of quantum computing today.
😴 Inaction: The perception that this is a risk that will materialize in the long term may delay taking decisive action to address it in time. However, the reality is very different: Various regulatory requirements demand concrete action by 2025.
What are the main global actions?
The 🇺🇸 US government has taken very determined actions to lead the future of quantum technology and protect cybersecurity:
▪️ It leads the standardization of postquantum cryptography.
▪️ Has taken executive actions to improve crypto management in its agencies immediately (NSM-10, M-23–02)
▪️ Has designed a very aggressive plan for transitioning your agencies to secure cryptography (CSNA2)
The new CSNA2 policy requires government agencies to use cryptography by default since 2025 and to have abandoned the use of classical cryptography in 2033. This is a demonstration that this is not a long-term task, but a complex project that must be started immediately.
The governments of 🇨🇦 Canada, 🇩🇪 Germany, 🇬🇧 UK, 🇫🇷 France and 🇳🇱 the Netherlands are also very active in developing recommendations, mainly aimed at facilitating the transition process.
In 🇪🇸 Spain, the National Cryptology Center has published a guide of recommendations for the transition.
In 🇪🇺 Europe, the European Banking Authority (EBA), European Insurance and Occupational Pensions Authority (EIOPA) and European Securities and Markets Authority (ESMA) have recently submitted to the Commission proposals for technical standards under DORA that, among other measures, seek to improve cryptographic management in the financial sector.
The WEF has published several recommendations based on consultations with global experts, including those of the Santander Group: “Quantum Security for the Financial Sector: Informing Global Regulatory Approaches” (1/2024), “Quantum Readiness Toolkit: Building a Quantum-Secure Economy” (6/2023) and “Transitioning to a Quantum-Secure Economy” (9/2022).
The payment card 💳 industry information security standard, PCI-DSS 4.0 (requirement 12.3.3), requires the implementation of improved cryptography management processes by early 2025.
What does Santander do?
Santander has been addressing for years the impact of technologies on its business and cybersecurity. The main objective of the “Santander Quantum Threat Program”, started in 2022, is to convert Santander into a “Quantum-Safe” company.
Some of the main public milestones achieved in this area are:
🤝 Collaboration with NIST: Santander is collaborating with the National Cybersecurity Center of Excellence (NCCoE) of the US National Institute of Standards and Technology (NIST), in the “Migration to Post-Quantum Cryptography Project” Consortium to bring awareness to the issues involved in migrating to post-quantum algorithms and to develop practices to ease migration from current public-key algorithms to replacement algorithms. This collaboration underscores the urgent need to evolve current cryptographic methods, which are vulnerable to the advanced capabilities of quantum computing.
💰 Quantum Safe Financial Forum: Santander has led the creation of a sectoral forum to coordinate the transition to secure cryptography. This forum is supported by the European Cybercrime Centre of Europol and currently has 25 organizations including banks, central banks, associations and financial services companies.
🏙️ Collaborations with third parties:
- OpenSource Software Crypto Inventory Tool: Developed in collaboration with Github and Microsoft, it will enable individuals and organizations of all sizes to understand which cryptography their applications use.
- Caramuel: Consortium led by Hispasat and 19 Spanish public and private entities to design a quantum key distribution system on a geostationary satellite for the European 🚀 Space Agency. This initiative is followed up in a mission covered by the Aerospace PERTE endowed with over 100 million Euros.
- Awareness and Engagement: The first phase of the Santander Quantum Threat Program addresses the need to disseminate 🧑🏫 about quantum technologies and their impact on cryptography to promote awareness and implementation of transition plans. Apart from the internal dissemination actions, Santander participates in forums such as the WEF, sector conferences or outreach actions in universities, Santander BeTech and WorkCafé Santander.
Before you go:
Clap if you liked it 👏, comment and share this article to reach more community 🧞.
Would you like to be part of our technology project? Find our open vacancies worldwide here 👉 https://www.betechwithsantander.com/en/home
