I Think the 2035 Post-Quantum Preparation Date Is Insane
One of my favorite parables is the one where someone is assigned an important daily job for 30 days and then asked whether they would prefer $1M at the end of the job or a penny on the first day, which then doubles over and over for the next 29 days. This means the employee would get $0.01 on the first day, $0.02 on the second day, $0.04 on the third day, $0.08 on the fourth day, and so on for 30 days. Most people unfamiliar with the parable would readily take the $1M, but because of the way “compounding” works, if they took the doubling penny instead, they would have $5,368,709.12 by the end of the 30th day!
It's meant to teach the value of compounding interest and investing, but it has a bunch of other applications.
It's with this parable in mind that I write this article.
The US government has placed 2035 as the year when most organizations should be post-quantum ready, meaning having replaced their quantum-susceptible cryptography with quantum-resistant cryptography. You can find a few different “official post-quantum prep” dates, but the US National Security Memorandum on Promoting United States Leadership in Quantum Computing While Mitigating Risks to Vulnerable Cryptographic Systems (https://www.whitehouse.gov/briefing-room/statements-releases/2022/05/04/national-security-memorandum-on-promoting-united-states-leadership-in-quantum-computing-while-mitigating-risks-to-vulnerable-cryptographic-systems/) is the authoritative resource, for now, for US organizations and much of the world.
Note: That long memo name is shortened to National Security Memorandum 10 (NSM-10) in quantum discussion circles.
The National Institute of Standards & Technology provides some more detail in their NIST Transition to Post-Quantum Cryptography Standards document (https://csrc.nist.gov/pubs/ir/8547/ipd), discussing what cryptography will be deprecated in 2030 versus 2035.
If you are not aware, we have been on the road to making “sufficiently-capable” quantum computers for a few decades. We’ve been making slow but steady progress. One day, some government or organization will develop a quantum computer capable of rendering much of our most important modern-day cryptography (e.g., RSA, Diffie-Hellman, El-Gamal, Elliptic Curve Cryptography, etc.) useless. Before that day, the world is supposed to have migrated all software and firmware from quantum-susceptible cryptography to quantum-resistant cryptography.
NIST (and standards bodies in other countries) have been holding contests and developing post-quantum cryptography. In the last year or so, NIST has formally selected at least four post-quantum cryptographic algorithms that we need to move to, with more on the way. If you want more information about the NIST post-quantum cryptography developments, go here: https://csrc.nist.gov/projects/post-quantum-cryptography.
I’ve been writing about this coming quantum cryptographic break for decades, ever since Peter Shor showed in 1994 that, if we had quantum computers, they would invalidate much of our modern-day cryptography. It was big news even back then, when we didn’t have a single quantum computer. But by 1999, the first very rudimentary quantum computers started to be developed. By 2015, we had made enough progress that quantum computer news began to show up in regular computer security news feeds. In 2019, I wrote a book on the subject, Cryptography Apocalypse: Preparing for the Day When Quantum Computing Breaks Today's Crypto (https://www.amazon.com/Cryptography-Apocalypse-Preparing-Quantum-Computing-ebook/dp/B07Z837R86). I’m on a few quantum preparation groups, such as the Cloud Security Alliance’s Quantum Safe Secure working group. I spend a fair amount of time trying to educate people about the topic and get companies to prepare for the coming post-quantum work that needs to be done.
To be clear, your organization needs to have a post-quantum project already and be preparing for the day when you need to upgrade most of your cryptography. I still think that my book or this free whitepaper that I was the lead author on, Practical Preparations in a Post-Quantum World (https://cloudsecurityalliance.org/artifacts/practical-preparations-for-the-post-quantum-world) is a great guide to get you started.
I Think the 2035 Post-Quantum Preparation Date Is Insane
I regret the day the US stated that 2035 was the year when organizations had to complete their post-quantum migrations. I think it borders on malfeasance. Time will tell.
First, I think there is a decent shot that the coming quantum crypto break could happen before then, if it hasn’t already happened and we just don’t know about it. Although most quantum computer scientists don’t give strong support to the idea that the quantum crypto break may have already happened, I give it a 15% chance. The world’s leading cryptography intelligence agencies (e.g., NSA, etc.) have a long history of achieving historic cryptographic landmarks years before publicly revealing that they did.
But the biggest reason why a 2035 date pisses me off is that it almost certainly means most organizations won’t be doing anything about it anytime soon. The quantum crypto world thinks all companies have already started up internal post-quantum projects and have been working on them for years. When I tell them that most companies haven’t even heard of it, much less are actually forming official projects to tackle it, they look at me dumbfounded. Huge disconnect.
Job number one for the quantum crypto community is just to make people aware of the coming HUGE Y2K-like project that every organization and person will be involved in. It’s going to be a massive effort that involves inventorying and upgrading or replacing every bit of hardware and firmware you have.
And when the US government says organizations have until 2035 to be quantum prepared, that virtually kills any chance that we will do anything about it now. We have ransomware, password-stealing trojans, and AI deepfakes to worry about TODAY! If you tell me I’ve got another problem coming in ten years, that virtually guarantees it won’t get any attention right now. And if the US government said to be prepared by 2028, we’d probably still be trying to make it happen in 2030. Set a 2028 deadline and maybe we meet the 2035 objective.
Don’t we all have that spouse or friend who we lie to a little bit about the arrival time of a party just so we can get them there somewhere near the appointed time?
Then, a few days ago, Google announced (https://blog.google/technology/research/google-willow-quantum-chip/) its progress on its latest quantum chip called Willow. Even Elon Musk said, “Wow!”
I don't think Musk is a quantum-following guy. He probably just knows the basics. He's a busy guy. But there have also been dozens of quantum advancement announcements over the years, including plenty from Google, and the world's smartest and richest man has never before stopped for a second, read the story, and said, "Wow!" Something has changed.
I don’t think Google’s announcement is earth-shattering. It isn’t announcing that they have achieved sufficiently-capable quantum computers that can break today’s crypto. But it was a strong, strong push of forward progress on everything needed to achieve that. It’s hard to see what Google and the thousands of other companies racing to be the first to achieve quantum supremacy are doing as anything other than that penny being doubled every day.
There are thousands of companies developing their own quantum computers, most of which are making steady progress every day. The best and biggest companies in the world each spend billions on it. It takes only one company making one consequential breakthrough to wipe away existing deadlines that are built on the expectation of forever slow plodding. I think it’s insane to understand that reality and keep a 2035 deadline.
Every single quantum challenge I’m aware of (e.g., qubits, stability, error correction, coherence, number of logic gates, photonics, silicon-based quantum chips, etc.) is making constant progress. And as researchers learn how to overcome each of those challenges, they can quickly go from one of something to a million of that thing. The hard part is overcoming each challenge the first time.
Four other important points:
First, Peter Shor’s algorithm, which is the standard that tells us how many stable quantum bits (qubits) we need to break today’s encryption, is the ceiling of what we need, not the floor. There have been many other improvements and other algorithms that have significantly reduced the quantum resources needed to break encryption. I have to guess that there are even better algorithms in secret places that we don’t know about. So, if you’re looking at Shor’s algorithm as the gatekeeper, you’ll surely be mistaken.
Second, all the quantum improvements and dates are based on the progress that generalized quantum gate computers are making. These are basically widely capable quantum computers that can do lots of things. The NSA and the rest of the nation-state crypto world don’t use general-purpose computers to crack crypto. They build specialized machines with the bare minimum basics needed to break crypto. It allows them to crack secrets many orders of magnitude faster than a general computer device can. I’ve got to think that the NSA and other countries are spending much of their time figuring out and building specialized quantum-cracking computers versus building generic quantum computers. And if this is true, and it likely is, what does that mean for the 2035 preparation date?
Third, there is a chance that your adversaries are sniffing your currently encrypted (quantum-susceptible) data now and storing it for decrypting when they have achieved the necessary quantum sufficiency. It is happening in the real world today. NIST has publicly stated that it is happening (although I don’t have the link handy). There is a near 100% chance NSA is doing this to our adversaries. If you have important data you want to protect and you think an adversary might be sniffing and saving it just in case, well, your post-quantum timeline is today.
Fourth and last, as the well-known quantum scientist Dr. Michele Mosca's Inequality “theorem” (https://utimaco.com/service/knowledge-base/post-quantum-cryptography/what-mosca-theorem) reminds us, it takes time to migrate to post-quantum protection, and during all that time your data is at risk. In its usual form: if the number of years your data must stay secret plus the number of years your migration takes is greater than the number of years until a sufficiently-capable quantum computer exists, you are already exposed.
In 2015, Dr. Mosca, who has probably thought about the issue of when we need to be quantum prepared more than anyone, stated, “There is a 1 in 7 chance that some fundamental public-key crypto will be broken by quantum by 2026 and a 1 in 2 chance of the same by 2031.”
I’m not sure if he still stands by this statement today…but it seems to me that I’m not alone in being worried that a 2035 post-quantum prep date is risky.
Some of Dr. Mosca’s latest thoughts on the post-quantum date are covered in a recent report he helped author, Quantum Threat Timeline Report 2024 (https://globalriskinstitute.org/publication/2024-quantum-threat-timeline-report/).
Yes, I think the 2035 date posted by the US government as the year when we all need to be post-quantum prepared is insane. Yes, I think there is a 15% chance the post-quantum break has already happened somewhere, and we just don’t know about it. But my biggest problem with the 2035 date is that most organizations aren’t doing anything TODAY to prepare. And you should be. You should at least be doing a cryptographic inventory of all cryptography in all your software and firmware.
And it just seems very risky…too risky…to be telling people they have 10 years to prepare for something that has a decent chance of happening today. I’m not sure if I can think of a similar scenario where our government saw a big risk and went…eehh…take 10 years to get there.
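As an added example (not code from the original article), here is a small Python starting point for the cryptographic inventory recommended above: it scans constructed sample source files for the quantum-susceptible public-key primitives named in this article (RSA, Diffie-Hellman, elliptic curve), for the NIST post-quantum replacements, and for symmetric crypto that only needs a key-size check, then lists the files that have no post-quantum primitive yet. The file names, snippets and regex patterns are made up for illustration.

```python
import re
from collections import defaultdict

# Constructed sample "source files" standing in for a code base; these snippets
# are made up for this example and are not from any real project.
SAMPLE_FILES = {
    "tls_config.py": 'ctx.set_ciphers("ECDHE-RSA-AES256-GCM-SHA384")\n'
                     "key = rsa.generate_private_key(public_exponent=65537, key_size=2048)",
    "signer.go": "priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)",
    "legacy.c": "DH *dh = DH_new();\nconst EVP_CIPHER *c = EVP_aes_256_gcm();",
    "vpn.conf": "kem = ML-KEM-768\nauth = ML-DSA-65\ncipher = AES-256-GCM",
}

PATTERNS = {
    # Public-key primitives that Shor's algorithm breaks outright.
    "quantum-susceptible": {
        "RSA": r"\brsa\b",
        "Diffie-Hellman": r"\bdh_|\bdiffie",
        "ECDH/ECDHE": r"\becdhe?\b",
        "ECDSA": r"\becdsa\b",
    },
    # NIST post-quantum standards: ML-KEM (FIPS 203), ML-DSA (FIPS 204).
    "quantum-resistant": {
        "ML-KEM": r"\bml[-_]?kem",
        "ML-DSA": r"\bml[-_]?dsa",
    },
    # Symmetric/hash: Grover only halves strength, so inventory to confirm key size, not to replace.
    "symmetric": {
        "AES": r"(?<![a-z])aes[-_]?\d{3}",
        "SHA-2": r"(?<![a-z])sha-?\d{3}",
    },
}


def inventory(files):
    """Map category -> algorithm -> sorted list of files where it appears."""
    found = defaultdict(lambda: defaultdict(list))
    for name, text in sorted(files.items()):
        for category, algos in PATTERNS.items():
            for algo, pattern in algos.items():
                if re.search(pattern, text, re.IGNORECASE):
                    found[category][algo].append(name)
    return found


def files_needing_migration(files):
    """Files using Shor-breakable public-key crypto with no PQC primitive beside them."""
    inv = inventory(files)
    susceptible = {f for fs in inv["quantum-susceptible"].values() for f in fs}
    resistant = {f for fs in inv["quantum-resistant"].values() for f in fs}
    return sorted(susceptible - resistant)
```

A real inventory would also have to cover compiled binaries, certificates and key stores, protocol configurations, and firmware, not just source text.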
Cloud Security Expert, 1 month ago:
Excellent!
IAM Engineering Manager @ IKEA, 2 months ago:
What did you expect, guys, honestly? Cybersecurity is far from a priority in our society… basic adoption like MFA takes forever and you still have to convince people despite all the data breaches you see in the world… so for complex things like quantum encryption, which are not even there yet. Don’t look up, AI will fix everything anyway.
People still have their collective heads in the sand. Never mind the harvest now, decrypt later mentality.
Global CISO | Speaker | Mentor, 2 months ago:
Indeed, I would strongly recommend way before. Start creating a CryptoBoM and understand what the key and more exposed areas of your business are that need to be addressed first. Yesterday!
Roger Grimes articulates the Y2K-like impact of quantum computing regarding current encryption. Except non-quantum encryption will definitely be targeted by adversaries (versus the maybe of the Y2K issues). Think the next couple of years to migrate your encryption (VPN, storage, web, key management, etc.) and the appliances that need the quantum-safe encryption.