Introduction
With the advent of quantum computers, the assumption that the cryptographic technology considered "secure" until now will remain so is beginning to waver.
In particular, with quantum computers predicted to be put into practical use around 2030, the "future threat" to conventional cryptography has become a real possibility.
It has been pointed out that cryptographic methods such as RSA¹ and ECC², which have been used for many years in a wide range of devices and services, could be decrypted in a short time using quantum computing.
This change is not limited to the field of cybersecurity; it is an event that will change the very design concept of all digital products, including IoT devices, in-vehicle communications, and cloud services.
Against this background, a new cryptographic technology called "PQC (Post-Quantum Cryptography)" is attracting attention.
In this article, we will explain, in as simple terms as possible, why PQC is attracting attention now and what challenges it addresses.
*1: RSA (Rivest–Shamir–Adleman): A public key cryptosystem that takes advantage of the difficulty of prime factorization.
*2: ECC (Elliptic Curve Cryptography): A public key cryptography method that uses elliptic curves. It has high security with a short key length.
1. Why is PQC attracting attention?
Advances in quantum computing threaten cryptography
Quantum computers are computers that operate on fundamentally different principles from conventional computers.
Of particular concern is their potential to quickly solve the mathematical problems, such as prime factorization and the discrete logarithm problem, that underpin the security of RSA¹ and ECC².
If large-scale quantum computers become a reality, such encrypted communications could in theory be decrypted in a matter of seconds to a few minutes (estimates vary with the research assumptions).
In other words, the information we currently send and receive, thinking it is safe, runs the risk of being exposed in the future with the advent of quantum computers.
"Harvest Now, Decrypt Later" - Data stored now is also at risk
A common phrase in the security industry is "Harvest Now, Decrypt Later."
Attackers intercept and store encrypted communications today in the hope of decrypting them in the future using quantum computers.
For example, highly confidential medical data, government communications, and long-term industrial information could potentially be breached by future technology, even if protected with current encryption.
This is the biggest reason why PQC is currently attracting attention.
The next step to creating a safer future
Governments and standards bodies around the world are aware of this risk and are working to standardize PQC.
The US National Institute of Standards and Technology (NIST) began an international call for proposals for PQC in 2016 and announced a formal standardization proposal in 2024.
(Source: NIST official announcement, August 2024)
Over the next few years, PQC-compatible protocols and libraries, as well as MCUs and security devices capable of implementing PQC, are expected to appear on the market.
We are now in a period of transition to "security design for the quantum age."
2. What is PQC?
What is the next-generation encryption "PQC"?
PQC (Post-Quantum Cryptography) refers to a new encryption technology that is extremely difficult to decipher even with a quantum computer.
Unlike RSA and ECC, it does not rely on prime factorization or the discrete logarithm problem, but on mathematical structures that quantum computers cannot easily solve, such as lattices, error-correcting codes, and hash functions.
It functions like traditional cryptography, such as public key cryptography and digital signatures, but the crucial difference is that it is resistant to quantum attacks.
Calculations that quantum computers are good at and not good at
Quantum computing can exponentially speed up operations such as prime factorization and discrete logarithms, which RSA and ECC rely on.
However, no efficient solution to the "lattice problem" or "code-based problem" used in PQC has yet been found, even for quantum computers.
For this reason, it is considered nearly impossible to decipher even with a quantum computer (Source: NIST PQC Round 3 Report, 2022).
Standardization Progress – NIST PQC Selection
In response to the importance of PQC, the National Institute of Standards and Technology (NIST) launched a PQC standardization project in 2016.
More than 80 proposals were received from research institutions and companies around the world, and the following algorithms were selected as finalists in 2022.
(Source: NIST official announcement, August 2024)
| Kind | Algorithm name | Overview |
|---|---|---|
| Public key cryptography / key exchange | CRYSTALS-Kyber | Lattice-based cryptography: fast, easy to implement, and suitable for a wide range of applications. |
| Digital signature | CRYSTALS-Dilithium | A lattice-based signature scheme that combines high security and efficiency. |
| Digital signature | FALCON | Lattice-based signatures with high speed and small signature size. |
In the future, these algorithms will be incorporated into various protocols such as TLS, VPN, and IoT communications.
Differences from conventional cryptography (security, key length, computational cost)
While PQC is highly secure, its key sizes are larger than those of RSA or ECC, and its computational load is also higher.
For example, to be as secure as an RSA 2048 bit key, Kyber would require a key several thousand bits in size.
Therefore, optimizing implementation in MCUs and embedded devices will be a future challenge (Source: NIST PQC Round 3 Technical Summary, 2022).
3. Encryption Mechanism and the Position of PQC
The basic structure of encryption
Encryption technology can be broadly divided into two types: "symmetric key encryption" and "public key encryption."
Symmetric key cryptography encrypts and decrypts data with the same key; it is fast, but securely sharing that key is a challenge.
Public key cryptography addresses this by using different keys for encryption and decryption, which provides a mechanism for secure key exchange.
The role and challenges of existing cryptography
Many current systems use RSA and ECC for TLS and VPN to protect communication routes.
These cryptographic techniques support the "security at the entrance" where key exchange and authentication are performed.
However, if quantum computers become practical, there is a possibility that this "entrance" could be breached.
Therefore, future security designs call for replacing the cryptographic algorithms themselves with PQC.
PQC's new role
PQC is not intended to replace existing cryptographic structures, but rather to be introduced as a secure, replaceable module within existing protocols.
For example, in TLS (Transport Layer Security), PQC such as CRYSTALS-Kyber is incorporated as the key exchange algorithm instead of RSA or ECC.
In this way, PQC is developing as a technology that makes existing infrastructure "quantum-resistant" while maintaining its current structure, rather than rebuilding it entirely.
Hybrid cryptography is needed during the transition period
Since it is difficult to immediately replace all current systems with PQC, hybrid encryption is attracting attention.
In this method, RSA or ECC is used in parallel with PQC, so that the communication as a whole remains secure even if one of the two is broken.
This approach has attracted international attention, and "hybrid cryptography," which combines existing cryptographic methods with PQC, is expected to be important during the upcoming transition period.
In particular, in environments where all current systems cannot be switched to PQC immediately, a combined "PQC + conventional encryption" design is a practical first step.
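The combining step that makes a hybrid scheme work, shown as an added Python example (not code from this article or from any standard): two shared secrets, one standing in for an ECDH result and one for a Kyber-style KEM result, are concatenated and run through HKDF so that the session key depends on both, and an attacker who has broken only the classical primitive still cannot compute it. The secret values, the label and the transcript hash below are constructed placeholders; real hybrid key exchanges (for example in TLS) perform this concatenation inside the protocol's own key schedule.

```python
import hashlib
import hmac

HASH = hashlib.sha256
HASH_LEN = HASH().digest_size  # 32 bytes


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """HKDF-Extract (RFC 5869) with HMAC-SHA256; empty salt means all zeros."""
    return hmac.new(salt or b"\x00" * HASH_LEN, ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Expand (RFC 5869): T(i) = HMAC(prk, T(i-1) || info || i)."""
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        out += block
        counter += 1
    return out[:length]


def hybrid_session_key(classical_ss: bytes, pqc_ss: bytes,
                       transcript_hash: bytes, label: bytes = b"hybrid kex v1") -> bytes:
    """Derive one session key from both shared secrets (classical || PQC).

    Both components are required: the key then depends on each of them, so
    breaking only RSA/ECC (or only the PQC scheme) does not reveal it. The
    label and transcript hash bind the key to this protocol run.
    """
    if not classical_ss or not pqc_ss:
        raise ValueError("both shared secrets are required for a hybrid key")
    prk = hkdf_extract(b"", classical_ss + pqc_ss)
    return hkdf_expand(prk, label + transcript_hash, HASH_LEN)


# Constructed demo values (not the output of any real ECDH or Kyber run).
DEMO_CLASSICAL_SS = bytes.fromhex("11" * 32)   # stand-in for an ECDH shared secret
DEMO_PQC_SS = bytes.fromhex("22" * 32)         # stand-in for a KEM shared secret
DEMO_TRANSCRIPT = hashlib.sha256(b"constructed handshake transcript").digest()


def demo_one_component_broken() -> bool:
    """Attacker who learned the classical secret but not the PQC one."""
    real_key = hybrid_session_key(DEMO_CLASSICAL_SS, DEMO_PQC_SS, DEMO_TRANSCRIPT)
    # Without the PQC secret the attacker can only guess it; a wrong guess
    # (here all zeros) yields a different key, so the session stays protected.
    guess = hybrid_session_key(DEMO_CLASSICAL_SS, bytes(HASH_LEN), DEMO_TRANSCRIPT)
    return real_key != guess
```

The same construction protects in the other direction: if a weakness were found in the PQC scheme, the classical component still keeps the derived key secret.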
4. What happens if you don't use PQC?
"Safe now, dangerous in the future" -- The essence of quantum risk
Current cryptographic communications using RSA and ECC are considered secure with current computing power.
However, once quantum computers become practical, this premise will collapse in an instant.
In the future, quantum computing may be able to decrypt encrypted data that was previously sent and received.
The issue, known as "Harvest Now, Decrypt Later," is already causing concern in the cybersecurity community.
In other words, data that you think is protected now may be read as "plain text" in 10 years.
Threats to long-term data storage
Particular care must be taken with data that is stored for long periods of time.
It is not uncommon for medical records, administrative information, financial data, and vehicle logs to be stored for more than 10 years.
Attackers could intercept and store these communications now and attempt to decrypt them once quantum computers arrive.
In other words, the structure is such that "the cryptographic design today will determine the risk 10 years from now."
Introducing a non-quantum-resistant system now risks increasing future redesign and recertification costs.
Impact on IoT, automotive and industrial equipment
Devices with long product lifespans, such as IoT and automotive systems, are at particular risk.
Once shipped, these devices typically operate in the field for 10 years or more.
If current encryption is incorporated without considering PQC, it may become impossible to update communications or authentication in the future.
ENISA³, the European Union's cybersecurity agency, recommends that "measures that can be implemented now should be taken to prepare for quantum risks."
This guideline is expected to become even more important in the future, particularly for IoT and automotive systems that require long-term operation and wide-ranging connectivity.
(Source: ENISA “Post-Quantum Cryptography: Current state and quantum mitigation”, 2024)
Impact on the entire supply chain
Failure to support encryption technology leads to a decline in the reliability of not only individual products but the entire supply chain.
For example, if one company uses a communication module that does not comply with PQC, all companies upstream and downstream from it will share the risk.
For this reason, there is an international movement to transition to security certification systems that include quantum resistance (e.g., FIPS 140-4⁴).
In the future, non-compliance with PQC may be deemed to "not meet certification and procurement requirements."
*3: ENISA (European Union Agency for Cybersecurity): A specialized cybersecurity agency in the EU that advises countries on quantum risk countermeasures.
*4: FIPS 140-4 (Federal Information Processing Standard 140-4): A US government standard for certifying cryptographic modules. A new version including quantum resistance is currently being developed.
5. In what areas is PQC required?
What are the areas where PQC is required?
PQC is not a technology that will be introduced once quantum computers become available, but rather a cryptographic infrastructure that should be considered from the current design stage.
Early migration is essential, especially in areas where long-term data storage is required or where products have long lifespans.
Specifically, PQC is expected to be adopted in the following areas:
| Field | Background / reason |
|---|---|
| IoT / industrial equipment | Since devices operate for a long time, encryption that anticipates future quantum risks is necessary. |
| Vehicle-to-everything (V2X) | Long-term security is required for authentication of vehicle-to-vehicle communications and OTA updates. |
| Medical devices / healthcare | Personal information and diagnostic data are stored for long periods of time, putting them at high risk of being decrypted. |
| Financial and administrative systems | It is important to maintain the reliability of transaction records and electronic signatures that are stored for long periods of time. |
| Cloud / data center | Quantum-resistant protocols are required for large-scale communication and storage of data. |
Implementation trends in IoT and automotive systems
In recent years, ETSI and AUTOSAR, standardization organizations for in-vehicle communications, have begun considering incorporating quantum-resistant cryptography.
Additionally, there is a growing movement to implement lightweight PQC in the IoT field.
For example, the Lightweight Cryptography Project, promoted by NIST, is discussing next-generation lightweight cryptography designs, including PQC.
This is expected to create an environment in the future where PQC can be implemented on a standalone MCU.
Expanding adoption in cloud and communications infrastructure
Cloud service providers and telecommunications providers are also working to validate protocols that incorporate PQC.
These efforts are accelerating the gradual transition of the entire internet to quantum-safe communications.
Summary: PQC is the next security standard
PQC is not just a technology in the research stage. It is the "new norm" that has entered the phase of international standardization and implementation verification.
In particular, PQC-capable MCUs due to be released in the next few years, and hybrid cryptographic protocols, will become mandatory requirements for product design and service operation.
PQC, which began as a topic for raising awareness, is now moving into the stage of concrete implementation.
In the next issue, we will explain the technical points and the feasibility of implementation through an actual example of implementing PQC on an MCU.