Cryptography without consensus

It’s been well over a year since NIST released its initial post-quantum cryptography (PQC) standards, yet industries across the world continue to grapple with the impending quantum threat. Unified regulation is emerging as a crucial catalyst for the adoption of quantum-safe technologies. However, instead of fostering collaboration, the quantum threat has deepened the fragmentation within the PQE landscape.

 

Sectors such as financial services, healthcare, and telecommunications are not only at risk but also leading the way in securing their infrastructures, propelled by strict regulation. With additional anticipated regulations on the horizon, there’s an urgent need for international harmonisation to ensure a unified approach to quantum safety.

 

In August 2024, the US led the charge by backing three PQE algorithms – ML-KEM, ML-DSA, and SLH-DSA. Since then, much of the West has followed suit and adopted standards that are generally aligned with the NIST algorithms.

 

For example, in January 2025, Germany’s BSI incorporated them into its own guidelines, while the EU’s PQC strategy generally complements and even overlaps with NIST. Both the EU and NIST advise an incremental transition to PQC with hybrid-PQC cyphers and hybrid digital certificates. As a result, we see a degree of harmonisation across the West, pioneered by the US.

 

However, a global consensus is still lacking. Over in the East, several nations are exploring alternative PQE roadmaps that may not interoperate with the West. China and Russia, in particular, are exploring their own PQE algorithms respectively, with Russia developing algorithms such as the SHIPOVNIK digital signature algorithm. South Korea is also endorsing algorithms independent of NIST.

 

The fragmentation of global PQE strategy is highlighted not only by the dissonance between the East and West, but also by the lack of consensus in the East overall.

 

 

Operational challenges for businesses

For organisations, the transition to PQE may already be an uncomfortable one. The shift to quantum-safe infrastructure itself will certainly bring about technical and operational challenges, including problems with interoperability between old and new systems, but this may be amplified for businesses that function across continents. Due to the incompatibility between international standards for algorithms, harmonisation will be near impossible.

 

International businesses will need to consider the differing guidelines and speeds of progression across international regulatory bodies. They must prepare for multiple, possibly conflicting, cryptographic standards depending on the region, which would complicate implementation.

 

This will require additional time, resources and investment to monitor and implement region-specific PQE security measures, as well as the initial investment to update current infrastructure. As a result, organisations may feel discouraged or uneasy when it comes to transitioning to quantum-safe security, but there are readily available solutions.

 

Although the transition to PQE may seem daunting, particularly in the face of global division over standards, the worst action is inaction. Symmetric key agreement (SKA) technology offers organisations an agile, geopolitically neutral solution until international bodies can harmonise their strategies.

 

SKA technology implements the highest level of quantum-safe security whilst sidestepping certificates and heavy network payloads. This results in a more cost-effective solution because of the technology’s lightweight deployment. Organisations can prepare for the quantum threat without having to completely replace legacy infrastructure and while remaining compliant with international regulations.

 

As well as securing against the spectrum of current threats, SKA technology futureproofs networks - protecting them against quantum attacks. The technology also operates seamlessly within a zero-trust environment to ensure a continuous cycle of user and device authentication, providing an additional layer of security. Suitable for both current and future infrastructure, SKA technology can replace its foundational algorithms according to the evolving PQE landscape, ensuring networks are secure no matter how the quantum space is adapting.

 

Understandably, organisations may be hesitant to start executing their plans for PQE migration when international bodies are taking such independent approaches. There may be fear of adopting security controls early, and risk of having to revisit and rework strategies as global consensus evolves. However, now that scalable solutions like SKA are readily accessible, there is no excuse for inaction.

 

While consensus and global harmony over standards are crucial steps, they are not the be-all and end-all. Implementing crypto-agile solutions means organisations can stay prepared, no matter how erratic the developments in the quantum landscape may be. Organisations can start by identifying cryptographic resources, evaluating points of integration and utilising crypto-agile, quantum-safe solutions that are compatible with infrastructure that is constantly evolving.

 

Organisations that fail to secure themselves now are putting their critical data and ultimately, their business continuity at immense risk. The businesses that succeed will be the ones treating quantum as a threat today. 

 

---

 

Andy Leaver is CEO of British quantum-resistant encryption specialist Arqit

 

Main image courtesy of iStockPhoto.com and anyaberkut