Digital Trust is the Foundation for Every Business.

If stakeholders don’t trust you to keep their information private and secure, they won’t share it with you.

If they don’t share it with you, you won’t be able to access the operating efficiencies, new service layers, and revenue streams that data can help enable. Eventually, more trust-savvy companies will outperform you. There is literally no upside to having a bad digital trust posture. As an enterprise leader, you are the shepherd of your stakeholders’ data, and it is your job to keep it safe. The gravity of this responsibility is clear.

What may be less clear is whether the trust standards you have in place today are robust enough to survive rapid changes in the digital world. Threats are evolving. Quantum computing is sprinting from lab to reality, and the cryptographic systems that have been protecting the confidentiality, integrity, and authenticity of sensitive information for years are at risk of becoming obsolete. Simply having a trust model in place is not enough—it needs to be the right framework, and it needs to be implemented correctly.

That’s something every business leader should be thinking about.

In this article, part 1 of a 3-part series, we are taking a deep dive into the fundamentals of cryptography—what they are, why they are changing, why that matters, and what you can do to prepare.

The Coming Transformation of Crypto Standards

Though the average person isn’t aware of it, asymmetrical cryptography (or public key cryptography) underpins much of the data that is traveling between devices and networks, every minute of every day. It’s responsible for the digital locks that keep your data safe, and the digital signatures that prove the identity and legitimacy of the countless humans and machines that communicate with your organization.

Asymmetric cryptography works by using a pair of keys. The public key can be shared with anyone, and is used to encrypt data, while the private key remains secret and is used for decryption. The encryption step is based on complex mathematical problems. Algorithms such as RSA and elliptic curve cryptography (ECC) offer security because they are time-consuming to solve, and even more so as the key size increases. 

So, as decryption methods become more sophisticated, the recommended minimum key size is rising: In January 2024, the BSI (German Federal Office for Information Security) tightened its technical guidelines, requiring a minimum of 3000 bits for RSA. This number refers to the length of the modulus used to compute the key pair, so, ultimately, it’s a numbers game. The larger the number, the stronger the encryption. More digits, better protection.

Quantum Computing and the Limits of Encryption

Over the years, cryptographers have progressively expanded the length of these cipher keys to create the next generation of encryption. But there’s always the question: Where’s the limit? At some point, the keys will become awkwardly large and unwieldy, consuming excessive computational resources and slowing down systems. Imagine having a lock on your door and a key in your pocket to open it. Now, what if you needed a key that was 8 or 16 times bigger to open the door? It would become impossible to carry (or to memorize). 

Until recently, this wasn’t a major concern. In theory, all crypto algorithms are breakable by conventional computers, but it would take such immense computing power and time to break our most sophisticated algorithms that no one worried too much.

But now, we’re on the brink of a quantum leap in computing power. And these new quantum computers will enable bad actors to carry out more powerful crypto attacks. This has to do with Shor’s algorithm: A groundbreaking quantum algorithm for integer factorization that was developed in 1994. It showed quantum computers’ potential to crack crypto algorithms far, far faster than classical computers. It just needed parallel computers to run on—but, back then, there were none. The quantum computers on the verge of existence today, however, are highly parallel. So Shor’s algorithm plus next-generation quantum computers equals a new era of crypto threat complexity.

Crypto Against the Clock

When quantum computers are a reality, they will be able to do in seconds what would take a classical computer tens of thousands of years to do—meaning that all our cryptographic algorithms could be cracked in a matter of minutes. This unravels the fundamentals of cryptography. It won’t be enough to simply add more digits to keys; the algorithms themselves must change to become quantum-resistant.

Right now, the race is on to develop new algorithms. The United States National Institute of Standards and Technology (NIST) has held an open call for submissions and is currently reviewing the candidates. Once a new standard is agreed upon, it will be standardized and implemented on a wide variety of platforms and applications. 

But it won’t look like the keys you have relied on before. And that means you’re going to have to plan and potentially rebuild your processes so they are ready to receive, store, and use the new algorithms.

Should you wait until quantum-safe cryptography becomes available?

Definitely not. Here’s why:

• When cryptography breaks, credentials can be stolen, and information can be intercepted. In fact, information can be harvested today to be decrypted in the future, which means you can’t afford to kick the can down the road.
  
• It may take years to upgrade all the systems that rely on deprecated cryptography. Every time you change a crypto fundamental, you open a Pandora’s box. You find legacy systems that are hard-coded to work only with deprecated schemes. You find that some products work better with one type of encryption and others work better with another. You may find that some of your applications have components that can’t use the new algorithm, or that you need to replace apps or business processes entirely. Auditing your exposures takes time.
  
• Since full-fledged quantum computers big enough to attack current keys don’t yet exist, and it’s impossible to perform real-world testing, it’s expected there will be much trial-and-error before we know if our new quantum-safe algorithms will hold up under pressure. For an undefined period, we’ll exist in a limbo state, caught between new and unproven algorithms and proven but ultimately doomed algorithms.

So what can you do in the face of all this uncertainty? Two things: Become crypto-agile, and get your house in order for the radical changes to come.

Crypto Agility: Why Being Adaptable Matters

To be crypto agile means being able to flip the switch to a new algorithm, without the need to rewrite applications or deploy new hardware systems. So, you’re always using the cryptography that’s best for a given circumstance.

Going a step further, it means you have complete control over your cryptographic operations. You can choose which algorithms you use to pivot away from risks with minimal manual effort. Crypto agility offers a multitude of benefits, including improved compliance as standards and regulations evolve, enhanced future proofing, and minimal business disruption as you safely upgrade to post‐quantum cryptography over a reasonable period of time.

Achieving crypto agility isn’t hard, but it also isn’t trivial. It could take years to upgrade everything (depending on your organization, the number of legacy applications you have, how your algorithms are embedded, and the limitations of your infrastructure). But that’s still less disruptive than hard-coding a new algorithm, only to be forced to upgrade it again in a few years.

Preparing Your Processes

The process of migrating to crypto-agile—and ultimately to post-quantum cryptography—starts with identifying the systems and business processes that need to be future-proofed, and then creating a roadmap for achieving that. You’ll need to systematically review:

• Where in your organization are crypto fundamentals in place?

Digital identities, digital signature certificates, crypto libraries? How many different types and sizes of encryption algorithms do you currently use? Take a precise and detailed inventory of your cryptographic resources to help you identify which systems are most vulnerable to quantum attacks, and prioritize them for upgrading.

• What are your use cases?

Some organizations, including government entities, healthcare, and those with long product lifetimes, need to keep “secrets” for long periods. They will need to implement crypto-agility as soon as possible to protect today’s data from future quantum attacks. Crypto deprecation may be less relevant for companies that handle sensitive information for a short time. If you want to verify someone’s digital identity, for example, you may only need to do that for a couple of seconds, after which the information is no longer relevant. If that’s your primary use case, you may have the luxury of more time in your transition roadmap. 

• What practical obstacles might get in the way of your plans?

Suppose, for example, that you plan to use QR codes on phones to verify someone’s identity, but phones aren’t allowed on the factory floor. What’s your Plan B? You may not be able to answer that question right now, and that’s okay. But you need to be asking it before you start implementing new platforms and apps.

• How can you creatively enhance your digital trust mechanisms?

Consider the challenge of verifying a digital identity in critical, time-sensitive situations such as emergency medical services. If it takes 20 minutes for the paramedic to verify their ID in order to access a patient’s medical records, it could be a matter of life or death. In this case, being creative with technology and processes can save lives: If emergency medical services personnel can verify their digital identity at the start of their shift, they could access all necessary systems without further verification.

Every organization has processes like this that work okay but could be more trusted, efficient, and safer. So, what you’re doing right now is not just a defensive exercise. It’s also an opportunity to innovate and improve the digital trust of your workflows while making the system comfortable for users, in order to drive adoption. Figure out where improvements are needed, and consider what further support you need to implement them as part of your transition program.

The Takeaway

Change is coming, but how you adapt is not one-size-fits-all. You have to build cryptography solutions around your unique workflows, and you might want to consider a pilot project before going all-in. This could help identify the efficacy of the new deployments and note any obstacles throughout the process.

That’s really what this planning phase is all about: It’s an opportunity for you to understand your cryptography fundamentals and take your new quantum-safe practices for a test drive, in a safe environment, while you can afford to. 

So that when the threat happens—and it is a “when”, not an “if”—you will be ready.

Wondering what you need to do to get ready? Our experts are happy to help.