Charting a Path to Quantum-Safe Transformation Through Industry Initiatives
Quantum computers are rapidly approaching utility for real-world business problems. The timeline to a cryptographically relevant quantum computer—one powerful enough to break classical encryption algorithms in use today — is shortening. In response, standards bodies such as the US National Institute of Standards and Technology (NIST) have launched initiatives to standardize a new type of cryptography called post-quantum or quantum-safe cryptography that can withstand attacks from both classical and quantum computers. IBM researchers co-developed three of the four algorithms that NIST selected for standardization in 2024, with three additional digital signature algorithms under consideration for a future review cycle. With NIST’s post-quantum cryptography standards expected to be published this year, it’s critical for enterprises to prepare now to migrate to the new standards.
At IBM, we are committed to making the world quantum safe. Using IBM Quantum Safe technology and services, individual enterprises can discover, observe, and transform their cryptography to build cyber resiliency for the quantum era. However, the global quantum-safe ecosystem cannot be achieved piecemeal, one enterprise at a time. That’s where quantum-safe consortia come in: they bring together industry associations, companies with expertise in post-quantum cryptography, and market leaders in specific sectors to develop ecosystem-wide cooperation, assets, and strategies. This enables adoption.
Consortia promote awareness and implementation of quantum-safe cryptography through various focus areas: development, education, strategy, and deployment. While many initiatives work across several of these goals, some are dedicated to supporting the development of post-quantum cryptography by building software for evaluating and prototyping. Others educate and empower communities by facilitating conversations and performing analyses to better understand what the quantum-safe transition means for industry and ecosystem members.
Strategy-focused initiatives define a problem statement, align on an approach, and share experience with proof of concepts and trials. This guidance not only ensures that sector-specific regulations and policies are informed by real community needs and experiences, but it also equips organizations to translate policies and standards into practice. Finally, there are consortia that create open-source software implementations of post-quantum cryptography to enable implementation at scale.
Supporting the quantum-safe ecosystem through consortia is an integral component of how we advance quantum-safe transformation across technology and industry domains. And today, at Money20/20 Asia in Bangkok, we announced the formation of the Emerging Payments Association Asia (EPAA) work group on post-quantum cryptography. With founding members EPAA, IBM, HSBC, AP+, and PayPal, the EPAA work group unites leading financial services providers across the global payments and banking landscape to drive awareness, controls, initiatives, and technical solutions for quantum safe. The group plans to publish its first set of findings in October, in time for Sibos 2024.
Driving awareness and adoption of post-quantum cryptography
Consortia are particularly important in the context of a quantum-safe journey for several reasons. This is a cryptographic migration of unprecedented complexity that will require changes to security protocols and architectures, as well as ongoing cryptography monitoring and management. This cannot be done by enterprises in isolation. Consortia enable alignment on industry requirements and on topics such as interoperability and backward compatibility that need to be addressed collectively to ensure the availability of products and solutions.
Next, cryptography is often embedded in components throughout the global supply chain. Even if an enterprise remediates the quantum-vulnerable cryptography within its own applications, it likely cannot perform the necessary discovery and transformation work within its third-party software. Consortia drive awareness of the need for post-quantum cryptography so that vendors, suppliers, integrators, and other relevant stakeholders can undertake the quantum-safe journey in tandem and work together to create a quantum-safe technology stack within their industry.
At IBM, we advance consortia efforts in technology areas like open source, as well as in core industries for quantum safe such as telecommunications and financial services. In September 2022, we partnered with GSMA and Vodafone to found the Post-Quantum Telco Network (PQTN) task force, a group that comprises 60+ companies from across the global telco supply chain, with participation from government and regulators. The PQTN aims to define guidelines and processes for adopting post-quantum cryptography so that telcos can secure networks, devices, and systems against quantum-enabled cyber risks. Since its founding, the task force has facilitated dialogue on post-quantum cryptography with the telco ecosystem, standards bodies, and policy makers — collaboration that has resulted in publications detailing the impact of post-quantum cryptography on telecoms and offering best-practice guidelines for managing quantum-enabled cybersecurity risks, most recently with “Post-Quantum Cryptography — Guidelines for Telecom Use Cases.”
Ensuring the availability of quantum-safe products and solutions
Industry consortia help sectors understand what the quantum-safe transition means for their community and what tooling and migration strategies are needed to support members throughout their journey. Technology-focused initiatives contribute to this effort by aligning on technical approaches and interoperable standards, as well as by creating open-source, production-ready code for post-quantum cryptography. NIST’s National Cybersecurity Center of Excellence (NCCoE), for example, brings together over 30 organizations from academia, government, and industry to develop best practices and example solutions for the migration to post-quantum cryptography. In collaboration with the other NCCoE participants, IBM is demonstrating ways to automate the quantum-safe journey, such as through cryptographic discovery tools and vulnerability prioritization mechanisms.
As a founding member of the Post-Quantum Cryptography Coalition (PQCC), a group of technologists, researchers, and practitioners backed by MITRE, IBM is working across industry and government to advance post-quantum cryptography standards by providing education and outreach. The PQCC also helps industry verticals apply best practices for side channel resistance so that post-quantum encryption algorithms are not weakened by vulnerabilities in hardware or other system elements.
Our cross-industry consortia efforts extend into the open-source community with the Post-Quantum Cryptography Alliance, an open-source software alliance formed with the Linux Foundation that supports high-assurance implementations of post-quantum cryptographic standards with projects such as Open Quantum Safe and PQ Code Package. As a premier member, we work with key stakeholders to improve code quality checks on quantum-safe algorithms before they are deployed. This not only benefits the open-source community, but it also enables us to strengthen the implementations of these algorithms in IBM Quantum Safe technology. The result is a more resilient quantum-safe technology ecosystem.
As you embark on your quantum-safe journey, consider ways that you can get involved in post-quantum cryptography initiatives by joining meetings, participating in workshops, contributing code, and more. The more organizations that get involved, the stronger and more agile the ecosystem will be as we collectively usher in a quantum-safe future.