Cybersecurity in the quantum world: chapter I
History confirms it: the race between the good guys and the bad guys always begins on the side of whoever commits the crime. Why are the earliest doors recorded in history found in tombs and temples? Because what they housed needed protecting. Why did it need protecting? Because someone tried to desecrate it or steal it.
Quantum physics is, for us, a new field that has always been there. Expanding our understanding of it will lead us to make a historic leap forward as a species, and cybernetics is no exception. That is why it has already begun to be studied and applied in controlled environments. The idea is to start laying the foundations for a new quantum cybernetics.
Everyone is looking for the advantages, but some do research to do good and others to do... other things. The first thing everyone recognised in the advances made by this technology was the major challenge in the field of cryptography. Strategies that until now have been considered invulnerable (asymmetric cryptography: RSA, ECC, Diffie-Hellman...) will become completely insecure, while others (symmetric cryptography) will need to strengthen their security (through longer key lengths) to avoid being compromised, at least for the time being.
In quantum cybersecurity, waiting for the first strike already means reacting too late.
The new quantum paradigm therefore brings advances and opportunities... for everyone. So, in the absence of widespread implementation (or at least broader adoption), attackers are adapting and we must do the same.
New threats that need to be studied, new defence methods that need to be tested. That is the landscape we face, and the sooner we confront it, the less ground the bad guys will gain in this endless race.
1. The challenge of proactivity
Acting in a reactive way makes it possible to work with certainty regarding the threat we need to defend against and how we should do so. It is enough to learn from what has already happened, which is no easy task in itself. The price to pay, however, is accepting prior losses whose impact is unknown in advance.
Proactivity, on the other hand, means working with the aim of preventing losses while not knowing exactly which threats may be lurking. In highly developed and familiar environments, both strategies are relatively easy to implement because prior knowledge, after many hard lessons, gives us an artificial hindsight called “experience” (we broadly know what is likely to happen and can adapt the present to that possible future).
However, the quantum landscape is still so unclear that we can only glimpse a small part of what it may eventually become. This means we do not know the size of the battlefield, what the enemy is really like, or what tactics, techniques and procedures they may use... essentially, we know nothing.
How do you defend a castle without even knowing whether it stands on high ground, low ground or between two rivers? Is it acceptable to wait until the attacks arrive, absorb the losses and begin building security from a reactive standpoint?
The first step, therefore, must be to understand the key fundamentals that help us position ourselves at the starting point: what remains of the previous paradigm and how long it will continue to work, what benefits the new paradigm brings and what it disrupts, and what malicious actors are already doing on their side.
Because the bad guys are already getting to work. Their first move has been to implement a technique: Harvest now, decrypt later. Nobody knows exactly what will happen, but attackers do know that stealing now, while the battlefield is still familiar to them, is easier. Furthermore, because they too are studying the new quantum paradigm, they know there is going to be a clear problem with non-quantum cryptography. A problem that, in the future, could give them the ability to decrypt information that is currently secure.
Attackers have already made their first move: steal today to decrypt tomorrow. The race has begun.
2. QTSC: Quantum Threat Simulation Cell
One of the factors slowing progress in defending the quantum world is the difficulty of deploying environments that make it possible to study it. The Harvest now, decrypt later example illustrates this perfectly: the bad guys steal now and decrypt later. The good guys must find encryption methods now (or alternative approaches) capable of withstanding the decryption capabilities of future cryptographically relevant quantum computers.
The Quantum Threat Simulation Cell is one approach that may help us in this area. It is true that the term itself is used both for the environments in which insecurity scenarios and protection mechanisms are tested and for the specialised teams that design and run them. However, these cells should probably be viewed as a whole: the equipment and the team together.
What do these teams and environments focus on?
Exploring the field of quantum security
It was hardly surprising that applying quantum technology to security would bring challenges. What has been truly encouraging, however, has been the response to those challenges.
PQC (Post-Quantum Cryptography) is a software-based approach designed to tackle the first risks of quantum security using today’s security frameworks. The development of algorithms (which we will discuss further below) adapted to the quantum future forms part of this approach.
Another major advance has been the introduction of QKD, quantum key distribution, which already incorporates quantum mechanics into security. However, this approach is physics-based (naturally) and more expensive (naturally), which is why its use is limited to specific use cases, such as critical infrastructure and environments where communications security is essential, including data centres, AI gigafactories, military environments...
Searching for vulnerabilities
Above all, this focuses on cryptography in order to identify which current algorithms are most likely to become insecure and which are already vulnerable thanks to Shor’s and Grover’s algorithms, the two techniques that have each proved effective in breaking the security of asymmetric and symmetric cryptography respectively.
Researching and testing countermeasures against known techniques
For example, (once again) Harvest now, decrypt later. To counter this technique, countermeasures such as Everlasting have been developed. Everlasting is a security model in which information confidentiality would be guaranteed (I refuse not to conjugate the verb conditionally) even if the adversary were computationally omnipotent.
To elaborate slightly on Everlasting, the secret to its success lies in encrypting information based on a condition with an expiry date. By doing this, and by using a temporary secret, no matter how powerful the attacker may be, the conditions required for decryption would already have expired, meaning the information could no longer be decrypted. Therefore, if a company that integrates Everlasting techniques into its encryption suffers a data breach, the thief will not be able to decrypt the stolen information once that secret has expired. They can no longer wait for the future in order to access that stolen information. To conclude this example, today’s OTP passwords (One-Time Passwords) are a simple example of Everlasting.
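The OTP case mentioned above, as an added example that is not part of the original article: a time-based one-time password (RFC 6238) is bound to a time window, so a captured value is refused once that window has passed. The key is the RFC's published test key; the function names and the one-window drift tolerance are assumptions of this sketch.

```python
import hashlib
import hmac
import struct

STEP = 30  # seconds per time window (RFC 6238 default)


def totp(secret: bytes, at: int, digits: int = 8) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for Unix time `at`."""
    counter = struct.pack(">Q", max(at, 0) // STEP)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify(secret: bytes, candidate: str, now: int,
           digits: int = 8, drift: int = 1) -> bool:
    """Accept a code only for the current window, +/- `drift` windows."""
    return any(
        hmac.compare_digest(totp(secret, now + k * STEP, digits), candidate)
        for k in range(-drift, drift + 1)
    )


def demo():
    secret = b"12345678901234567890"   # RFC 6238 test key, not a real secret
    captured = totp(secret, 59)        # value an eavesdropper records at t=59
    return (
        captured,
        verify(secret, captured, 59),        # inside the window
        verify(secret, captured, 59 + 300),  # five minutes later: expired
    )
```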
Researching and implementing new procedures related to cybersecurity
For example, crypto-agility. The concept of crypto-agility is a response to a new requirement: the need to rapidly change (without affecting production systems) encryption algorithms, keys or protocols whenever those currently in use become compromised. This need stems from research into the future of quantum cryptography. A proactive perspective revealed, among other things, the uncertainty surrounding what may be secure today but insecure tomorrow. And this applies not only to current cryptography, but also to the cryptography yet to come.
The security of the future is not improvised: it is tested, adapted and built starting today.
In this regard, NIST (the US National Institute of Standards and Technology), a global benchmark institution, has for some time been working on a set of PQC (Post-Quantum Cryptography) algorithms to secure key establishment, encryption and digital signatures. The process has been lengthy and has resulted in the following algorithms:
Algorithms for key establishment and encryption:
- Crystals-Kyber (ML-KEM). Selected in 2022. It is the main algorithm and the recommended option for general encryption.
- HQC. Selected in 2025 (towards the end of the year). It is the backup algorithm. This means that if Crystals-Kyber is proven insecure, systems should immediately switch to HQC. That is precisely where crypto-agility comes into play.
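The crypto-agility requirement and the primary/backup switch described above, as an added sketch that is not code from the article or from NIST. Two standard-library HMAC variants stand in for the primary and backup algorithms (Python's standard library has no ML-KEM or HQC), and the identifiers, class and method names are hypothetical.

```python
import hashlib
import hmac
import json
import os

# Stand-ins: two stdlib HMAC variants play "primary" and "backup" (hypothetical
# ids, not ML-KEM or HQC). The point is the switch, not the primitive.
ALGORITHMS = {"primary-v1": hashlib.sha256, "backup-v1": hashlib.sha3_256}


class AgileProtector:
    """Callers never name an algorithm: policy picks it, the envelope records it."""
    def __init__(self, keys, active):
        self.keys = keys        # algorithm id -> secret key
        self.active = active    # algorithm used for new envelopes
        self.retired = set()    # ids that must no longer be accepted

    def _tag(self, alg, message):
        return hmac.new(self.keys[alg], message, ALGORITHMS[alg]).hexdigest()

    def protect(self, message):
        return json.dumps({"alg": self.active, "msg": message.hex(),
                           "tag": self._tag(self.active, message)})

    def verify(self, envelope):
        env = json.loads(envelope)
        alg = env.get("alg")
        # Allow-list check: an unknown or retired id is refused before any key
        # is touched, so rewriting the header cannot force a downgrade.
        if alg not in ALGORITHMS or alg in self.retired:
            raise ValueError(f"algorithm not accepted: {alg!r}")
        message = bytes.fromhex(env["msg"])
        if not hmac.compare_digest(self._tag(alg, message), env["tag"]):
            raise ValueError("tag mismatch")
        return message

    def fail_over(self, new_active, stored=()):
        """Switch algorithm, re-protect stored envelopes, then retire the old id."""
        old, self.active = self.active, new_active
        migrated = [self.protect(self.verify(e)) for e in stored]
        self.retired.add(old)
        return migrated


def demo():
    keys = {alg: os.urandom(32) for alg in ALGORITHMS}  # constructed sample keys
    p = AgileProtector(keys, active="primary-v1")
    stale = p.protect(b"firmware manifest v1")          # constructed sample data
    fresh = p.fail_over("backup-v1", stored=[stale])[0]
    return p, stale, fresh
```

Application code keeps calling `protect` and `verify` unchanged across the switch; only the policy held by the protector changes.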
I want to make a clarification here: although some sources refer to HQC as an alternative and recommend its use interchangeably with Crystals-Kyber, that is NOT actually the case. The NIST press release and statements by Dustin Moody, head of the NIST PQC project, make this perfectly clear:
"The new algorithm, called HQC, will serve as a backup defense in case quantum computers are someday able to crack ML-KEM. (...) HQC is not intended to take the place of ML-KEM, which will remain the recommended choice for general encryption."
Algorithms for digital signatures. Three alternatives selected in 2022, each with a different focus:
- Crystals-Dilithium. The most balanced of the three in terms of efficiency and security. It is considered suitable for securing electronic transactions, such as confidential communications, which are also transactions.
- Falcon. The fastest of the three. It is considered suitable for environments where signatures are generated far less frequently than they are verified. In these environments, speed takes priority. Examples include IoT and blockchain applications...
- Sphincs+. The least efficient and the most focused on long-term security. It does not store an internal state and therefore does not maintain a key. Instead, it uses hashes, making it independent of a quantum computer’s ability to solve mathematical problems. It is a clear example of the “Everlasting” concept discussed earlier. It is recommended for legal and regulatory compliance environments, as well as for device update mechanisms (firmware updates, for example).
Simulation of malicious activity and threats
Somehow, we need to test what can be broken and what cannot. Since the strategy used by threat capture platforms based on honeypots would not work properly here (we must bear in mind that today there are few, if any, attackers capable of operating in the field of quantum threats), a friendly team is required to create models and testbeds and reproduce realistic threats and scenarios so that they can be analysed, mitigated or countered.
In this regard, people have also begun talking about a quantum Red Team, although these are still strategies with a long way to go. Quantum hardware is still in its infancy (and very, very limited), and Red Team operations against real quantum infrastructure are currently not scalable.
Developing new policies, regulations and frameworks for quantum-level security
One of the problems in the race between good and evil is that the bad guy acts first and the good guy then needs a legal framework within which to operate in order to catch the former and apply the full weight of the law. This is not about overregulating, but about providing those fighting criminals through law enforcement agencies and other bodies with a framework that works in their favour, rather than in favour of the bad guys.
In this respect, the United States has already published the Quantum Computing Cybersecurity Preparedness Act and, as we have already seen, NIST has long been working to establish stable foundations both for the present and the future. Meanwhile, ENISA is one of the driving forces behind the PQCSA (Post-Quantum Coordinated Support Action).
The quantum race does not begin when the threat arrives, but when we decide to prepare for it.
3. Necessity as a teacher
QTSC is only the beginning of the response to the need for security in the face of the new paradigm that is emerging. Its heterogeneity, in attempting to cover multiple aspects within the quantum world, reflects the fact that this is merely an initial step. Whenever we need to learn about something new, we all focus first on the general aspects. Specialisation will come later, with new measures capable of securing this new reality that is beginning to unfold before our eyes.
Just one final remark. Quantum, AI and Robotics. Hold tight, there are twists and turns ahead.