Post-Quantum Encryption — The CISO Perspective
By Jason Rader / 10 Mar 2025 / Topics: Cybersecurity
What does this mean for encryption? Consider the following example: When your web browser shows HTTPS rather than HTTP in the URL, it has an encrypted channel between the web client and the web server. In the initial stages of setting up that secure channel, a session key is exchanged using key exchange algorithms like Diffie-Hellman and RSA. These asymmetric algorithms are considered secure based on the technology that was available at the time. Looking at these algorithms, the math says that it would take longer than the universe has existed for an attacker to try every possible combination to brute force the key exchange and acquire the symmetric key used to encrypt the session. So, with current technology, it is highly unlikely that an adversary could capture all of that encrypted traffic and then brute force the key. However, if quantum hardware and associated software were available today, it would theoretically be capable of processing all possible calculations to brute force the key exchange in an exponentially shorter time than with conventional hardware/software.
Right now, the availability of quantum chips is limited to researchers, but regardless, organizations that require privacy and security to operate (governments, financial institutions, etc.) have been paying attention to stay ahead of adversaries gaining access to these resources. Without preparation, standards, and agreements on protocols, all current mechanisms for ensuring confidentiality, integrity, and availability with encryption are put at a higher potential risk.
In the United States, the National Institute of Standards and Technology (NIST) publishes standards for acceptable encryption techniques and algorithms for unclassified federal systems. The business world almost universally follows these recommendations, and I expect they will continue to do so for some time. Last August, NIST published their accepted post-quantum encryption standards after years of submissions and public scrutiny. There are certainly more standards and algorithms that will follow, but it’s a good start.
The good news is these post-quantum algorithms are available today and they’re relatively easy to incorporate into an application or system from a programmatic perspective. However, based on what we currently know, these algorithms are only resistant to attacks that would leverage the power of quantum computing. If AI is any example, things could change drastically once these technologies are mainstream. To that end, the timeline looks like three years at a minimum to me.
Is post-quantum encryption something that the average consumer or business should worry about? Probably not, at least right now. My expectation is that the hardware and software vendors will converge to incorporate the latest and greatest techniques to allow us to communicate in a secure and private manner and the algorithms incorporated will remain abstract to the end-users.
To conclude, quantum computing is an exciting prospect, but the technology’s not fully there — yet. Google may be in the lead, but there are surely competing technologies on their tail. Till then, it’ll be fun to speculate what awaits us on the other side of quantum computing.
VP and Chief Information Security Officer, Insight
Jason assumed the role of Insight’s chief information security officer in 2021 after joining the company in 2015 to build the security consulting group. Today, he builds upon more than 25 years of experience to develop Insight’s end-to-end security consulting portfolio and share Insight's transformation journey with fellow security leaders.