The cryptographic community is in a race against time to prepare for a seismic shift. Governments and organizations from Washington to Wuhan are preparing for quantum computing’s arrival. That’s where Ali El Kaafarani comes in as the technical lead for this initiative. He has had a major hand in shaping the National Institute of Standards and Technology’s (NIST) post-quantum cryptography (PQC) standards. Fortunately, the Biden administration recently released an all hands on deck memorandum. It requires that all federal agencies move to PQC-based security by 2035.
A little more than a year ago, NIST announced its first official standards for PQC algorithms. This milestone represents a major turning point in the history of cryptography. Legacy cryptographic standards such as RSA and elliptic curve cryptography are at greater risk from quantum threats with each passing day. We’ve got to get secure alternatives in place ASAP to ensure our sensitive data is protected. El Kaafarani, a research fellow at the Oxford Mathematical Institute and a team lead at PQShield, emphasizes the importance of this transition, highlighting the ongoing discourse about when quantum computers will become viable.
The Evolution of Cryptography
Today, those same experts are helping to start a crucial new conversation. Unfortunately, they awoke to the fact that quantum computing represented an existential threat to our current security paradigm. As quantum computing research rapidly advanced, it became increasingly obvious that conventional cryptographic techniques would be like castles built upon sand attempting to brave the storm of quantum machines. The mathematics behind post-quantum cryptography (PQC) has seen a lot of polishing since then. With NIST’s open-source guidelines now set, the road to adoption is significantly clearer.
It’s this shift in understanding that El Kaafarani points to as an important change around PQC. Here, he discusses the evolving conversations about PQC. First, how do we make sure it’s ready by the 2035 deadline? If it is working, don’t mess with it,” he says, highlighting the need to maintain often-invisible systems that operate under the surface while bringing in new standards.
The urgency of this transition isn’t just a nice idea—it’s absolutely critical. Let’s not forget that there are billions of devices still in operation that nobody has tested for PQC compatibility. And as organizations begin to understand the impact of these changes, several key questions about compliance and implementation best practices come to the forefront.
Challenges Ahead
El Kaafarani’s teams at PQShield have been tasked with stress-testing their own PQC designs. The mission is clear: ensure that the majority of critical infrastructure can withstand potential quantum attacks by 2035. To achieve this lofty goal, we need the partnership of developers of security products and the talented individuals who test security by trying to break it.
For many organizations, this is an increasingly frustrating catch 22, as they scramble to figure out how to implement these new standards. El Kaafarani highlights some common inquiries: “How can I be compliant? Where do you think I should start? And how can I evaluate where the infrastructure to understand where the most valuable assets are, and how can I protect them?” The difficulty of answering these questions speaks to the complicated, interwoven, and topsy-turvy transition to an entirely different security paradigm.
Further, El Kaafarani points out the importance of hardware manufacturers to make new algorithms compatible with their products in real time. “Hey, AMD and the rest of the hardware or semiconductor world go and put all those new algorithms in hardware, and trust us, they’re going to work fine, and then nobody’s going to be able to hack them and extract the key,” he asserts. This call-to-action highlights the need for innovation of an entirely different sort – within the hardware sector to support post-quantum solutions.
A Future Secured
Even through all the hard work and testing that is still to come, El Kaafarani is excited about the future of post-quantum cryptography. The groundwork created by NIST and current research endeavors to continue these efforts promise a solid foundation for developing systems that are both resilient and secure. As organizations plan for 2035, they need to find the right balance between innovation and a word we don’t often use—caution.
“Okay, I’ve got something that is secure. Nobody can break it,” he confidently states, reflecting a commitment to developing solutions that stand up against emerging threats. The collaboration between different sectors—from academia and research institutions, to chip makers—will be key in making this hyper ambitious target a reality.
The move in the direction of PQC represents a fundamental technological paradigm shift. It’s changing how the digital security field is perceived by society at large. Their members include organizations that are already actively wrestling with their preparedness for quantum threats. Alongside this, they should start exploring some real-world use cases for PQC technologies.
“What can we do with this particular use case?” El Kaafarani asks, encouraging organizations to think creatively about integrating PQC into their operations. This inclusive, tech-savvy mentality would go a long way to ensuring an ideologically impermeable future as the technological landscape continues to shift.