#publickeyencryption

Post-Quantum Cryptography Alliance

The Linux Foundation founded the Post-Quantum Cryptography Alliance (PQCA) in February 2024 to safeguard the digital future. This new effort brings together a remarkable group of market leaders, researchers, and developers, including Google, IBM, Amazon Web Services, and Cisco, to address quantum computing's security concerns. The PQCA promotes post-quantum cryptography to protect our digital infrastructure from future quantum threats.

Future Quantum Threat to Modern Encryption

Modern digital security relies on public key cryptography. It supports Transport Layer Security (TLS), which protects “https” websites, and digital signature technologies, which verify software packages.

However, quantum technology's rapid growth has made a long-standing theoretical threat increasingly plausible. Shor's algorithm appeared in 1994 and proved it could break elliptic curve and RSA cryptography. Although this threat remained primarily theoretical for years, new quantum technology advances suggest that powerful quantum computers may be conceivable. Once operational, such devices can decrypt practically all current communications, jeopardising the security of any system or person that relies on cryptographic procedures.

General manager of the Open Source Security Foundation (OpenSSF), another Linux Foundation project, Omkhar Arasaratnam said quantum computing “is real” in its threat to modern cryptography. The National Institute of Standards and Technology (NIST) warned that “sufficiently powerful quantum computers will easily compromise the cryptography,” possibly by 2030.

A large-scale quantum computer “would be able to break modern public key encryption algorithms that are widely used in our IT infrastructure,” said Douglas Stebila, University of Waterloo associate professor of cryptography and Open Quantum Safe (OQS) project co-founder. Creating and using cryptographic technologies that can withstand quantum processing is urgent for post-quantum cryptography.

PQCA Origins: A Call for Coordinated Action

Talks at the Linux Foundation Member Summit in Lake Tahoe inspired the Post-Quantum Cryptography Alliance. Even though governments, businesses, and universities have been interested in post-quantum cryptography research and projects like NIST's Post-Quantum Cryptography Standardisation Project and the Crypto Forum Research Group within the Internet Engineering Task Force have made progress, a crucial component was still missing. A coordinated effort from all these actors to promote and ease the real-world implementation of these novel algorithms was needed.

The successful implementation and widespread adoption of research and standardisation are critical initial steps towards a post-quantum world. To ensure widespread use of these vital methods, software implementations must be widely utilised, reliable, and open source. The PQCA fills this gap by providing the structure needed for cooperative engagement. Enterprises who comply with the NSA Cybersecurity Advisory use the Alliance as a foundation.

High-Assurance Software and Continuous Innovation Promote post-quantum cryptography is the PQCA's major goal. Two main, connected sub-goals will achieve this:

High-Assurance Software Implementations: The Alliance develops reliable and powerful software applications for standardised methods. This requires compiling multiple existing implementations and making them production-ready to facilitate industry-wide adoption. Big and small businesses should collaborate to design, test, and apply novel algorithms and integrate them into existing systems. Supporting Continued Development and Standardisation: Since post-quantum cryptography is continually developing, the PQCA encourages the development and standardisation of new algorithms.

Current PQCA Projects

The PQCA is working on two crucial projects. For almost ten years, the University of Waterloo has created Open Quantum Safe (OQS), an open-source initiative. OQS includes liboqs, a C library for quantum-resistant cryptographic algorithms, and prototype integrations into popular protocols and programs like OpenSSL. This project aims to enable quantum-error-resistant encryption.

The second major project is PQ Code Package. This project focusses on formally verified, high-assurance software implementations of post-quantum cryptography algorithms that meet requirements. The standardisation algorithm, ML-KEM, is its first focus. TLS and SSH can use ML-KEM (Kyber) for quantum-resistant public key encryption. These initiatives aim to promote post-quantum cryptography.

Future: Collaboration and Agility are Key

The PQCA seeks collaboration on post-quantum cryptography initiatives to grow the community and shape digital security. Open Quantum Safe and PQ Code Package projects are easily accessible on GitHub, enabling rapid feedback and collaboration. The Alliance also welcomes new initiative suggestions and submissions. Future work may include cryptographic agility or PQC migration tools and infrastructure to help adapt and test post-quantum techniques. Cryptographic agility is the ability to move between cryptographic algorithms fast during transition.

As Douglas Stebila noted, transitioning to quantum-resistant algorithms is a major undertaking, not merely a technical challenge. He said “it takes a long time to deploy new technology, and this will be the most complex cryptographic migration ever conducted”.

The “store now, decrypt later” threat—bad actors may preserve encrypted essential communications and decrypt them later with powerful quantum computers—increases urgency. Stebila added that “as we become more reliant on digital systems, the potential impact of quantum-enabled cryptographic breaches becomes more significant”. We must start this transformation immediately to protect our national security and digital interests against quantum threats before they become true.

The Linux Foundation is a “neutral, trusted hub for developers to code, manage, and scale open technology projects,” making it ideal for this essential collaboration. Linux Foundation projects depend on volunteers contributing code and building the community.