Thorsten Stremlau of the Trusted Computing Group outlines the quantum threat, the NIST PQC algorithms, and how organisations are preparing
Across the globe, there is a growing awareness of the threat posed by quantum computing. For those still unaware: we are approaching a point at which someone will build a quantum computer powerful enough to break the public-key algorithms that protect our devices and systems today. Known as ‘Q-Day’, this event will have significant ramifications for any sector or industry that stores highly sensitive information, including heavily protected applications such as online banking and critical infrastructure.
While opinions differ on exactly when Q-Day will occur, the most common estimates put the first quantum device capable of breaking these algorithms within the next 5 to 10 years. There will be no announcement when that point is reached, and organisations therefore find themselves in a race to become quantum ready as soon as possible.
Understanding the quantum threat
The encryption we rely on today is only effective because conventional computers cannot solve the underlying mathematical problems in any practical amount of time. Asymmetric algorithms such as Rivest-Shamir-Adleman (RSA) rest on this directly: an RSA public key contains the product of two large primes, and recovering the private key requires factoring that product, which no known classical algorithm can do in polynomial time. Symmetric algorithms such as the Advanced Encryption Standard (AES) rest on a different assumption: with no structural shortcut, an attacker must try keys one by one, and AES key lengths of 128, 192 or 256 bits put that search far out of reach.
In the post-quantum era these assumptions break down. Quantum computers exploit superposition and entanglement to run algorithms that have no classical equivalent. Shor’s algorithm finds the multiplicative order of a number modulo N in polynomial time, which is enough to factor RSA moduli and to solve the discrete logarithms on which Diffie-Hellman and elliptic-curve cryptography depend, so the asymmetric encryption, key exchange and signatures in use today fall completely. Grover’s algorithm gives only a quadratic speedup on an unstructured search, which at most halves the effective strength of a symmetric key: AES-128 offers roughly 64 bits of security against a quantum adversary, while AES-256 retains roughly 128. Symmetric algorithms therefore survive with longer keys, whereas the asymmetric ones must be replaced.
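To make the split between the quantum and classical parts of Shor’s algorithm concrete, here is an added example (not code from the article or from TCG) of the classical reduction from factoring to order finding. The only step a quantum computer accelerates is `multiplicative_order`, done here by brute force; everything around it is ordinary number theory. The modulus 3233 = 53 × 61 is a constructed toy RSA modulus.

```python
"""Added example: the classical reduction at the heart of Shor's algorithm.

Shor's quantum subroutine (quantum Fourier transform) returns the order r of
a random base a modulo N. Every other step is classical and is shown below.
The brute-force order finding here takes time linear in N, i.e. exponential
in the bit length of N; that is precisely the step the quantum computer
replaces with a polynomial-time one.
"""
from math import gcd
import random


def multiplicative_order(a: int, n: int) -> int:
    """Smallest r > 0 with a**r == 1 (mod n). Requires gcd(a, n) == 1.

    Brute force: this loop is the part Shor's algorithm speeds up.
    """
    x = a % n
    r = 1
    while x != 1:
        x = (x * a) % n
        r += 1
    return r


def shor_factor(n: int, rng: random.Random) -> int:
    """Return a non-trivial factor of n, where n = p*q for distinct odd primes.

    Repeats the random choice of base until the order is even and the
    square root a**(r/2) it yields is a non-trivial square root of 1 mod n;
    for an RSA-style modulus each attempt succeeds with probability >= 1/2.
    """
    while True:
        a = rng.randrange(2, n)
        g = gcd(a, n)
        if g != 1:
            return g                      # lucky guess already shares a factor
        r = multiplicative_order(a, n)    # <- the quantum step
        if r % 2:
            continue                      # odd order: try another base
        y = pow(a, r // 2, n)             # y*y == 1 (mod n) by construction
        if y == n - 1:
            continue                      # trivial root (-1): try another base
        # y != +-1 but y*y == 1, so n divides (y-1)(y+1) without dividing either
        return gcd(y - 1, n)


if __name__ == "__main__":
    toy_modulus = 3233                    # constructed: 53 * 61, a 12-bit "RSA key"
    f = shor_factor(toy_modulus, random.Random(1))
    print(f"{toy_modulus} = {f} * {toy_modulus // f}")
```

Scaling the modulus to a real 2048-bit RSA key makes `multiplicative_order` hopeless on classical hardware, which is exactly why RSA is safe today and why a machine that runs that one step in polynomial time breaks it outright.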
That’s not to say threat actors are sitting back and awaiting Q-Day before they begin their attacks. It is highly likely that ‘harvest now, decrypt later’ attacks are already underway: adversaries record encrypted traffic and stolen ciphertext from many industries today, and will decrypt it once a quantum computer is capable of doing so. Any data that must remain confidential for a decade or more is therefore already at risk.
It’s important to note that the threat from quantum computers remains theoretical until such a device actually exists. However, the potential damage is so broad that action needs to be taken immediately to mitigate it.
The actions being taken
Thankfully, steps have already been taken to secure our devices well ahead of Q-Day. Organisations such as the National Institute of Standards and Technology (NIST) have been hard at work developing new algorithms capable of keeping data secure in this new age of computing, with three post-quantum cryptography (PQC) standards finalised in August 2024.
Those three standards are ML-KEM (FIPS 203, derived from CRYSTALS-Kyber) for key establishment, ML-DSA (FIPS 204, derived from CRYSTALS-Dilithium) for digital signatures, and SLH-DSA (FIPS 205, derived from SPHINCS+), a hash-based signature scheme selected because its security rests on different assumptions from the lattice-based pair. In March 2025 NIST added HQC, a code-based scheme, as a backup key encapsulation mechanism (KEM) in case ML-KEM’s lattice assumptions are ever weakened. These PQC algorithms featured in a number of key national and regional migration strategies and roadmaps long before they were finalised: by November 2024, NIST had already outlined its priorities and considerations for full migration in draft NIST IR 8547. This included a commitment to complete the migration by 2035, with today’s quantum-vulnerable asymmetric algorithms (RSA and ECC at 112-bit security) deprecated after 2030 and disallowed after 2035.
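SLH-DSA is worth a closer look because its security argument is the simplest of the three. As an added example (not code from the article, NIST or TCG), here is a Lamport one-time signature, the conceptual ancestor of SPHINCS+/SLH-DSA. Its only assumption is that the hash function is preimage resistant, which Shor does not touch and Grover weakens by at most a square root. Real SLH-DSA builds WOTS+ chains, FORS and a hypertree on top of this idea so that one key can sign many messages; this toy signs exactly one message per key pair, and the `rand` parameter exists only so tests can be deterministic.

```python
"""Added example: Lamport one-time signatures, the simplest hash-based scheme.

Private key: 256 pairs of random 32-byte strings (one pair per digest bit).
Public key:  the SHA-256 hash of each string.
Signature:   for each bit of SHA-256(message), the secret of that bit's value.
Verification re-hashes the revealed secrets and compares them to the public key.
The key must be used ONCE: a second signature reveals secrets for both values
of every bit where the two digests differ, which is enough to forge.
"""
import hashlib
import hmac
import secrets

N = 32          # security parameter in bytes (SHA-256 digest length)
BITS = 8 * N    # one secret pair per digest bit


def H(data: bytes) -> bytes:
    """Hash the whole scheme rests on; only preimage resistance is required."""
    return hashlib.sha256(data).digest()


def keygen(rand=secrets.token_bytes):
    """Return (private_key, public_key). 'rand' is injectable for tests only."""
    sk = [(rand(N), rand(N)) for _ in range(BITS)]
    pk = [(H(s0), H(s1)) for s0, s1 in sk]
    return sk, pk


def digest_bits(msg: bytes):
    """SHA-256(msg) as a list of 256 bits, most significant bit first."""
    d = H(msg)
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(BITS)]


def sign(sk, msg: bytes):
    """Reveal, per digest bit, the secret matching that bit. ONE-TIME only."""
    return [sk[i][b] for i, b in enumerate(digest_bits(msg))]


def verify(pk, msg: bytes, sig) -> bool:
    """True iff every revealed secret hashes to the public-key entry selected
    by the corresponding digest bit. All bits are checked before returning so
    that timing does not leak which bit failed."""
    if len(sig) != BITS:
        return False
    ok = True
    for i, b in enumerate(digest_bits(msg)):
        ok &= hmac.compare_digest(H(sig[i]), pk[i][b])
    return ok


def sizes_bytes():
    """The price of hash-based signatures: large keys and signatures."""
    return {"public_key": 2 * BITS * N, "signature": BITS * N}


if __name__ == "__main__":
    sk, pk = keygen()
    msg = b"TPM quote: PCR0=..."   # constructed sample message
    sig = sign(sk, msg)
    print("valid:", verify(pk, msg, sig))
    print("tampered:", verify(pk, msg + b"!", sig))
    print("sizes:", sizes_bytes())
```

The 16 KB public key and 8 KB signature show why SPHINCS+ had to add structure on top of this idea, and why SLH-DSA signatures remain much larger than ML-DSA ones; that size trade-off is one reason NIST standardised both.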
It’s not just the US leading the way either. The National Cyber Security Centre (NCSC) has also published its migration roadmap for the United Kingdom, detailing the requirements for large organisations. By 2028, decision-makers at these key companies must have defined their migration goals and published their initial plans, with all identified high-priority activities completed by 2031. Much like NIST’s roadmap, the result will be that all devices, systems and products in the country are PQC ready by 2035.
What is TCG’s current approach to PQC?
In terms of implementing these crucial standards, organisations such as the TCG and the FIDO Alliance are presently updating their specifications in order to best protect devices ahead of Q-Day. The timeline for this work will vary, depending on the external dependencies and complexities each organisation must consider within its specification chain.
The work being done by these organisations forms a crucial part of a broader community of standards that companies across the entire computing landscape must adhere to before true PQC-ready products can be sold. Although they had to wait for NIST to finalise the algorithms, standards organisations have been aware of the need for PQC readiness for some time. For example, TPM 2.0, published in 2013, introduced cryptographic agility: algorithms are identified by registered algorithm identifiers rather than being fixed in the specification, so new ones such as ECC and SHA-256 could be added and old ones retired without redesigning the interface. That agility is the foundation for the migration to PQC. TPM 2.0 has since become a prerequisite for major platforms such as Windows 11.
This focus on cryptographic agility will be crucial going forward. As businesses become acutely aware of the protections needed against quantum devices, standards built around NIST’s algorithms will remain their best bet for protecting sensitive data for years to come.

Thorsten Stremlau is a Distinguished Engineer and Systems Principal Architect at NVIDIA. He is responsible for technical strategies for components, devices, software and cloud services.