Post-Quantum Cryptography: Finally Real in Consumer Apps?
Most people are barely thinking about basic cybersecurity, let alone post-quantum cryptography. But the impact of a post-quantum world is coming for them regardless of whether or not it’s keeping them up tonight.
Today, many rely on encryption in their daily lives to protect their fundamental digital privacy and security, whether for messaging friends and family, storing files and photos, or simply browsing the web. The question experts have been asking for a long time, with their eye on the advances in quantum computing, is, “How long before these defenses fail?”
The ticking clock of quantum computing
One set of researchers is already sounding the alarms, claiming that they’ve found a way to break 2048-bit RSA encryption with a quantum computer. While the claims may be premature, they hint toward a scary future that is perhaps closer than we once thought. Breaking RSA encryption would represent a massive privacy and security vulnerability for virtually every aspect of our digital lives—a master key for all our digital data.
And it’s not just our future data and communications at risk. The breaching of modern encryption protections can have deep retroactive impact as well, with the possibility that attackers are harvesting data now with the hope of decrypting it in the future.
“We know for a fact that store-now-decrypt-later attacks are happening right now, and their frequency will only increase the closer we get to delivering a fault-tolerant quantum computer,” says David Joseph, a research scientist at Sandbox AQ. “Once encrypted data has been exfiltrated, there is no way to protect it from future decryption and exploitation.”
Simply put, while your encrypted messages may be safe and private today, if someone captures them and holds onto them until they get access to a quantum computer, they’ll be able to decrypt and read them in the future.
The emergence of post-quantum cryptography
Post-quantum cryptography (PQC) refers to cryptographic algorithms that are resistant to attacks by both classical (i.e., the non-quantum ones we use today) and quantum computers. These algorithms are based on mathematical problems that are believed to be computationally hard for both types of computers. They serve as a backup plan to ensure that our data remains secure in a future where powerful quantum computers exist.
While PQC has been a topic of research and development for many years, it’s only just now starting to see early applications in the consumer protection space. This is due to a number of factors, including the increasing maturity of PQC algorithms and the growing awareness of the threat of quantum attacks. Last month, for example, Chrome just began supporting a PQC algorithm, though it will not be in wide use yet and will be dependent on broader ecosystem support.
Hybrid cryptography for comprehensive defense
One of the challenges of post-quantum cryptography is that it’s still in the early stages of development, lacking the track record of the widely used and time-proven classical cryptography of today. That’s where hybrid cryptography comes in, providing a two-layered shield of sorts.
“A hybrid approach means that users are safe from attacks by classical computers without relying on post-quantum algorithms, and they also have the best chance we know of today of being safe from attacks by quantum computers,” explains Peter Membrey, Chief Engineering Officer at ExpressVPN. “Post-quantum algorithms are still relatively new and less battle-tested. By leaving classical cryptography in the hands of existing tried-and-true standards, we can ensure any unforeseen issues with post-quantum algorithms don’t impact the security or integrity of the broader cryptographic infrastructure—and by extension the security of users.”
As messaging app Signal recently explained in an announcement about quantum-resistant encryption, instead of replacing any existing classical cryptography, they use PQC to “[augment] existing cryptosystems such that an attacker must break both systems in order to compute the keys protecting people’s communications.”
The future of PQC in consumer applications
Recent advances in PQC in consumer apps are the vanguard of a new era in cybersecurity and a sign that the tech industry is taking quantum threats seriously. As quantum computing moves from science fiction to reality, the question isn’t whether we need post-quantum cryptography—it’s how quickly we can make it a standard feature in our digital lives. The clock is ticking, and soon more consumers will be asking not just what their apps are doing to protect their data today, but also how they’re preparing for the threats of tomorrow.