Quantum computing is evolving at a faster rate than the industry anticipated just a few years ago, with many experts predicting that cryptanalytically relevant quantum computers (CRQCs) might be available by around 2030. This highlights the need for organisations to start preparing their digital platforms and products for the change sooner rather than later.
This is one of the key takeaways from the Quantum Tech 2024 conference in London, which brought together global leaders, innovators and organisations to discuss the state of quantum computing and its implications for cybersecurity and cryptography. Here are some of the key discussion points I picked up at the event.
Quantum computing is reaching an inflection point
Conference speakers agreed that quantum computing is moving towards maturity at a faster rate than expected five years ago. Following a funding boom between 2020 and 2023, investments have declined, and we have started to see consolidation in the sector. This rapid move into the mainstream should be on every financial services company’s radar.
Quantum computers pose a threat to the payments sector because they will potentially be able to solve computational problems that are impossible for conventional computers to solve within a reasonable amount of time. This includes cracking the encryption algorithms used to protect information such as credit card data, mainly data that are in transit and protected by today’s public key cryptography.
A CRQC is a quantum computer that can break the cryptographic algorithms that are embedded in nearly every digital solution and financial product we use today. By some estimates, we are getting closer to the date when such a computer will be available, with some projecting it will arrive by the early 2030s.
Unlike many other sectors, the payments industry works with sensitive data that has a short lifespan. Credit cards and the associated data are valid -typically- for only five years, for example. This gives us a bit of breathing room in getting ready for CRQCs. At Stanchion, we see 2027–2028 as the critical period to begin implementing quantum-resistant measures.
NIST fires the starting gun for a new era
Governments, industry standards bodies and payments infrastructure companies have been working for years to get ahead of the threat that quantum computing poses to digital transactions. Through years of work, they have already started to deliver a comprehensive set of standards and best practices to guide preparation.
One of the most significant milestones was the release of new post-quantum cryptography (PQC) standards from the US’s Department of Commerce’s National Institute of Standards and Technology (NIST). The algorithms specified in the first completed standards from NIST’s standardisation project are ready for immediate use.
According to NIST, the new standards are designed for two essential tasks for which encryption is typically used: general encryption, used to protect information exchanged across a public network; and digital signatures, used for identity authentication. The adoption of these standards marks the beginning of a long transition.
Over the next decade or more, organisations will need to overhaul their existing public-key infrastructure (PKI) to implement quantum-safe cryptographic measures. For many of our clients, this transformation will affect systems ranging from VPNs and Internet connections to hardware security modules (HSMs) and payment systems.
The urgency of crypto-agility
The availability of standards from bodies like NIST means that now is the time for companies to start navigating the migration to quantum-safe cryptography. At the foundation of quantum-safe cryptography is a concept known as cryptographic agility or crypto-agility.
Earlier cryptography standards such as RSA and elliptic curve cryptography have faced challenges and required updates to remain secure. But in the quantum world, it will become even more urgent for industry standards and organisational defences to evolve rapidly to keep up with a changing threat landscape.
Crypto-agility is about ensuring that an organisation’s technology platforms and cryptographic mechanisms and algorithms can swiftly adapt to new vulnerabilities and threats. This is not just about technology protocols or the adoption of standards, but also about adopting architectures and governance that keep up with a changing world.
The resurgence of Quantum Key Distribution (QKD)
The good news is that we are seeing a lot of innovation in addressing the challenges of PQC. Judging from the conference, Quantum Key Distribution (QKD) is receiving renewed attention from the industry. QKD uses quantum physics to exchange cryptographic keys in such a way that is provable and guarantees security.
Challenges with QKD remain, including reliance on traditional, insecure communication channels and high deployment costs. But we are now seeing hybrid QKD emerge to address some of the shortcomings. Such innovations are likely to appeal to large enterprises and government organisations that prioritise top-tier security.
Hybrid QKD blends QKD’s unique capabilities with PQC algorithms to create a robust and practical encryption solution. In such a solution, QKD can be used for generating and exchanging encryption keys within limited, high-security networks. For communication over longer distances, hybrid QKD incorporates PQC algorithms to secure data.
The new Y2K problem?
Moody’s says that the transition to PQC will be long and costly, drawing comparisons with the large-scale efforts required to address the Y2K bug. According to Moody’s, implementing new cryptographic standards across devices could take 10 to 15 years. Yet a Moody’s survey shows most organisations are unaware of the potential threat.
This lack of awareness is worrying, given the forecast that quantum computers may be capable of breaking widely used encryption algorithms within a few years. Organisations must balance the need for immediate preparation with the understanding that quantum technology is still in its infancy.
Banks and payments companies should start preparing now to avoid future costs and security gaps. Whether through professional services, adopting agile cryptographic solutions, or updating products to incorporate PQC standards, organisations must position themselves to face the quantum future with confidence.
Stanchion’s role and roadmap
Stanchion is watching the evolution of quantum computing and its impact on the financial sector, and we will ensure that our Verto platform is quantum ready. As a digital overlay for legacy systems, Verto enables banks to integrate advanced payment features without massive investments and prepare for future trends like PQC.
We can also help you create an inventory of cryptographic vulnerabilities and develop strategies for quantum resistance. Our approach supports crypto-agility, ensuring organisations can adapt to evolving standards. Get in touch to learn how we can help future-facing companies navigate payments disruption and new security threats.
The writer, Costas Valakas, is a Senior Solutions Consultant at Stanchion Payment Solutions
Discussion about this post