Action by a government standards agency on potential post-quantum cryptographic algorithms will strongly stimulate the PQC market over the next five years, according to an international research and advisory firm.
In its recently released Post-Quantum Cryptography application analysis report, ABI Research predicted PQC revenues will jump 12% from US$196 million in 2022 to $218.6 million in 2023 and 20% from $328.7 million in 2026 to $395.3 million in 2027.
The report noted that the fledgling market would kick into high gear as the National Institute of Standards and Technology (NIST) finalizes its choice of PQC algorithms.
“NIST is the foremost standard development organization leading PQC algorithm development, and much hinges on the successful conclusion of this process, after which work on algorithm integration and the updating of protocols can be advanced by other organizations, industry consortia, and open source movements,” ABI Cybersecurity Applications Research Director Michela Menting said in a statement.
“The progress of work in these fora will be a sign of technology maturity, and the goal for vendors will be to present ‘plug and play’ types of technologies for their respective industries, making for easier commercial integration and adoption.”
“The field took an important step forward when NIST announced it had selected four encryption and digital signatures algorithms to build quantum-safe standards by around 2024,” Ray Harishankar, quantum safe lead at IBM, told TechNewsWorld.
Preparing for PQC Migration
ABI’s growth forecast was unsurprising to some in the quantum domain. “Since the latest NIST announcement, the cork has come partially out of the bottle,” Ben Packman, senior vice president of strategy at PQShield, a cryptography standards developer in Oxford, U.K., told TechNewsWorld.
“There were a lot of people waiting to see what NIST would announce to start to think about their plans for migration to PQC,” he explained.
“I’m saying partially out of the bottle because until those standards get ratified, probably in 2024, it’s just the promise of a standard. Nevertheless, it does allow people to plan with some certainty,” he added.
When standards are finalized, they will have a significant impact on the technology industry because everyone from vendors to standards bodies will need to adopt changes and update protocols that rely on cryptography, Samantha Mabey, product marketing management director for Entrust, an identity solutions provider in Shakopee, Minn., explained to TechNewsWorld.
In addition to vendors and standards bodies, anyone with secrets that need to be kept private for more than 10 years needs to be closely following NIST’s work, since that time period is well within the quantum risk time frame, added Anderson Cheng, CEO of Post Quantum, a quantum-safe encryption, blockchain, and digital identity company in London.
Cheng told TechNewsWorld that the NSA, GCHQ, DOD, and MI6 are seeing their encrypted data siphoned off right now. “From time to time, their internet traffic is being diverted to some East European country for two or three hours at a time and then returning to normal. The consensus is that Russia or some adversaries have been doing rehearsals to suck out data and decrypt it later.”
NIST is not alone in preparing cryptography standards for the post-quantum era. “There is ongoing work in other standards bodies too — like IETF — to update secure message formats — like S/MIME email and code signing — and secure protocols — like TLS — to adopt PQC, which includes formalizing hybrid cryptographic data structures — like composite certificates — for those who don’t think they’re ready to put all their eggs in the post-quantum basket just yet,” Mabey said.
Achieving the revenue growth forecast by ABI will require overcoming many challenges. For example, the PQ solution situation will likely remain fluid for some time. “As we transition to PQ-safe algorithms today, we must acknowledge that they are a less mature set of algorithms and that it’s important to remain agile as those might need to be replaced in the future, too,” Mabey noted.
Technology demands made by PQC solutions will pose a challenge to both vendors and clients. Mabey pointed out that organizations will need to do a health check on their technology and the cryptography that exists in their infrastructures today to ensure they have the correct scale and technologies to support the extra computing power required by these new algorithms.
The breadth and diversity of existing commercial cryptographic applications will be another challenge facing PQC. Migrating something like TLS, for instance, is relatively straightforward. You add the new cipher suites to the list, and if both peers support one of them, it is used. Otherwise, you go down the list to something both peers support.
“Contrast that with a data warehouse containing data encrypted over the past 30 years or a PKI-enabled ID badge, ePassport, or gift card,” Mabey said. “You can upgrade the card to do PQ, but what happens when it encounters a terminal that hasn’t been upgraded since 2015?”
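The list-based negotiation described above, together with the un-upgraded terminal case Mabey raises, as an added example (not code from the article or from any vendor quoted in it). The algorithm labels, the preference list and the peer inventory are constructed for illustration.

```python
# Added illustration: preference-ordered negotiation with classical fallback.
# Algorithm labels and the inventory below are constructed sample data.
PQ_CAPABLE = {"X25519MLKEM768"}  # labels treated here as post-quantum/hybrid
SERVER_PREFS = ["X25519MLKEM768", "x25519", "secp256r1"]  # most preferred first


class NoCommonAlgorithm(Exception):
    """Raised when the two peers share no acceptable algorithm."""


def negotiate(prefs, peer_supported, require_pq=False):
    """Return the first entry in prefs that the peer also supports.

    With require_pq=True a classical-only match is refused (fail closed)
    instead of silently falling back down the list.
    """
    peer = set(peer_supported)
    for alg in prefs:
        if alg in peer and (not require_pq or alg in PQ_CAPABLE):
            return alg
    raise NoCommonAlgorithm(f"no overlap with {sorted(peer)}")


def migration_report(prefs, inventory):
    """Classify each peer as 'pq', 'fallback' (classical) or 'broken'."""
    report = {}
    for name, supported in inventory.items():
        try:
            alg = negotiate(prefs, supported)
        except NoCommonAlgorithm:
            report[name] = ("broken", None)
            continue
        report[name] = ("pq" if alg in PQ_CAPABLE else "fallback", alg)
    return report


# Constructed inventory: one upgraded peer, one terminal left on classical
# curves, one device that shares nothing with the preference list.
INVENTORY = {
    "upgraded-client": ["x25519", "X25519MLKEM768"],
    "terminal-2015": ["secp256r1"],
    "legacy-device": ["ffdhe2048"],
}

if __name__ == "__main__":
    for peer, outcome in migration_report(SERVER_PREFS, INVENTORY).items():
        print(peer, outcome)
```

A card upgraded to offer only the post-quantum option corresponds to calling `negotiate(["X25519MLKEM768"], ["secp256r1"])`, which raises `NoCommonAlgorithm`: there is no entry further down the list to fall back to.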
PQC is going to require a change in the way people think about deploying cryptography, Packman said. “In the past, people baked in something and forgot about it,” he explained. “With the advancement of computers, it’s apparent now that things need to be continually updated over time. There needs to be some agility in the way people implement cryptography. There will be different types of algorithms for different types of scenarios.”