Quantum Technologies and Quantum-Safe Cryptography

Core messages

  • From the BSI's point of view, the question of "if" or "when" there will be quantum computers is no longer paramount. The first post-quantum algorithms have been selected by NIST for standardisation, and post-quantum cryptography will be used by default. Therefore, the migration to post-quantum cryptography should be pushed forward.
  • Independently of quantum computers, progress can be made at any time in the cryptanalysis of the algorithms used. In the new and further development of crypto products, care should be taken to ensure that they can be adapted as flexibly as possible ("cryptographic agility").
  • Where possible, post-quantum schemes should only be used in combination with classical schemes ("hybrid"). Because cryptanalytic progress is possible at any time (the previous point), a hybrid approach (with two or more post-quantum schemes) remains a possible solution even after the development of cryptographically relevant quantum computers.
  • It is primarily the key-agreement schemes that are initially threatened by quantum computers ("store now, decrypt later" as a threat to long-term security). Signatures usually only need to be secure in the short term. However, with long validity periods of signature keys, a timely change is also necessary here. In addition, migration periods must be taken into account.
  • Quantum Key Distribution is a technology which can only be used in niche use cases and is currently not sufficiently mature from a security perspective.

Recommendations of the BSI

In December 2021, the BSI published the guideline “Quantum-safe cryptography – fundamentals, current developments and recommendations”. This updates the recommendations for the “Migration to Post Quantum Cryptography” published in April 2020, supplements them and contextualizes them with a detailed presentation of the background.

Up-to-date recommendations of the BSI on quantum-safe key agreement and signature schemes can be found in the technical guideline TR-02102-1.

Together with European partner agencies, the BSI has published a Position Paper on Quantum Key Distribution (QKD). The paper highlights technological limitations of QKD and assesses the maturity of this technology from a security perspective.

Joint survey with KPMG in Germany on “Cryptography and Quantum Computing”

The threat to information security posed by quantum computers is widely underestimated. This is the conclusion of a market survey “Cryptography and Quantum Computing” conducted by the Federal Office for Information Security (BSI) and KPMG in Germany.

The aim of the survey was to question companies about "threats to cryptography from quantum computing" and to raise their awareness of the topic. The response rate was low, with 28 responses from over 150 questionnaires sent out. Both the low number of participants and the results are worrying.

Background

Quantum computers are a serious threat to the public-key cryptography used today. The BSI has commissioned a study by researchers at Saarland University and Florida Atlantic University to obtain a meaningful and robust assessment of the state of development of quantum computers.

As a matter of appropriate risk management, preparations for the "post-quantum era" must begin today. The main focus here is on the development and standardisation of quantum computer-resistant alternatives. A distinction is made between post-quantum cryptography and quantum cryptography.