Scotland’s leading cryptographer has warned that the transition to post-quantum cybersecurity standards is likely to cause ‘massive disruption’ to businesses.
Professor Bill Buchanan OBE says quantum computers – which are the subject of a tech race between leading computer manufacturers worldwide – will be able to crack existing encryption standards, leaving communications open to ‘snoopers’.
The eminent cybersecurity expert, based at Edinburgh Napier University, warned: “We are fundamentally reliant on public key encryption methods for our online security and privacy, and without it, we could trust little, and where our communications would be open to snoopers.
“This includes the negotiation of the encryption key which is used to keep our communications private, and the usage of digital signatures for us to know that we are connecting to a valid website. Unfortunately, quantum computers can use Shor’s algorithm to break most of the existing public key methods. We must thus migrate towards methods which are quantum robust.”
The National Cyber Security Centre published new timeline guidance this week which aims to help businesses secure themselves against future quantum computing threats.
In new guidance, the NCSC, which is part of the nation’s signals intelligence agency GCHQ, emphasises the importance of ‘post-quantum cryptography’ (PQC), which is a new type of encryption designed to safeguard sensitive information from the future risks posed by quantum computers.
The new guidance encourages organisations to begin preparing for the transition now to allow for a ‘smoother, more controlled migration’ that will reduce the risk of rushed implementations and related security gaps. It outlines three phases for migration:
- To 2028 – identify cryptographic services needing upgrades and build a migration plan.
- From 2028 to 2031 – execute high-priority upgrades and refine plans as PQC evolves.
- From 2031 to 2035 – complete migration to PQC for all systems, services and products.
Professor Buchanan added: “Like it or not, this migration will cause a massive disruption for many businesses, and where the NCSC has just published a timeline for the migration towards a quantum-safe future. They define that, by 2028, businesses should understand their key risks and have performed a full discovery exercise for existing public key methods. This will also include an initial plan in place for the migration. By 2031, they would like to see some of the highest priority risks mitigated, and by 2035, they should have migrated fully to PQC.”
He said: “This approach fits in very much with the NIST [National Institute of Standards and Technology] timeline for PQC, and which defines that our existing public key methods will be deprecated by 2030, and removed as a standard by 2035. We can now see some device manufacturers integrating PQC methods, including Samsung with the new S25 device and HP releasing a quantum secure printer. Overall, the industry must move away from RSA and Elliptic Curve Cryptography (ECC), towards the newly standardised methods of ML-KEM (for key exchange and public key encryption) and ML-DSA (for digital signatures).”
He added: “For alternatives, NIST has mainly standardised lattice-based methods – as these produce relatively small keys and ciphertext and are fairly fast in their operation – but wants to look at methods which are also thought to be quantum robust. These include the usage of error-correcting codes, isogenies, and multi-variate cryptography. Over the next few years, NIST will release these standards with their FIPS range. This currently includes FIPS 203 (ML-KEM), FIPS 204 (ML-DSA) and FIPS 204 (SLH-DSA).”
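As an added illustration of the first migration phase, the discovery exercise for existing public key methods that both the NCSC timeline and Professor Buchanan describe, here is a small Python inventory classifier. It is not code from the article, the NCSC or NIST. The inventory line format, the host names and the rule that ties upgrade priority to the 2028 and 2031 phase boundaries are assumptions made for this example; the split between Shor-vulnerable algorithms (RSA, DSA, DH, ECDSA, ECDH, Ed25519, X25519) and the standardised PQC algorithms (ML-KEM, ML-DSA, SLH-DSA) is general fact.

```python
"""
Added example (not from the article or the NCSC/NIST guidance): classify a
hand-collected inventory of public-key usage so that the phase-1 output,
"identify cryptographic services needing upgrades and build a migration
plan", can be produced from it.  The inventory line format, hosts and
priority thresholds below are constructed assumptions for this example.
"""
import re
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Security of these rests on factoring or discrete logarithms, which Shor's
# algorithm solves on a sufficiently large quantum computer.
SHOR_VULNERABLE = {"RSA", "DSA", "DH", "ECDSA", "ECDH", "ED25519", "X25519"}
# NIST-standardised PQC: FIPS 203 ML-KEM, FIPS 204 ML-DSA, FIPS 205 SLH-DSA.
PQC_STANDARDISED = {"ML-KEM", "ML-DSA", "SLH-DSA"}
# Symmetric ciphers are not affected by Shor; Grover's search only halves
# their effective key strength.
SYMMETRIC = {"AES", "CHACHA20"}

PHASE1_END = date(2028, 12, 31)   # "To 2028": discovery and planning (assumed year end)
PHASE2_END = date(2031, 12, 31)   # "From 2028 to 2031": high-priority upgrades

# Assumed export format: host=... service=... algo=... bits=... expires=YYYY-MM-DD|none
LINE_RE = re.compile(
    r"host=(?P<host>\S+)\s+service=(?P<service>\S+)\s+algo=(?P<algo>\S+)"
    r"\s+bits=(?P<bits>\d+)\s+expires=(?P<expires>\S+)$"
)


@dataclass
class Finding:
    host: str
    service: str
    algo: str
    bits: int
    expires: Optional[date]
    status: str     # shor-vulnerable | pqc | hybrid | symmetric | unknown
    priority: str   # high | medium | low | none


def _base_name(component: str) -> str:
    """'ML-KEM-768' -> 'ML-KEM', 'ECDSA' -> 'ECDSA', 'ED25519' -> 'ED25519'."""
    upper = component.upper()
    for name in PQC_STANDARDISED:
        if upper.startswith(name):
            return name
    return upper.split("-")[0]


def classify(algo: str) -> str:
    """Classify a single or hybrid ('A+B') algorithm string."""
    parts = [_base_name(p) for p in algo.split("+")]
    pqc = any(p in PQC_STANDARDISED for p in parts)
    shor = any(p in SHOR_VULNERABLE for p in parts)
    if pqc and shor:
        return "hybrid"
    if pqc:
        return "pqc"
    if shor:
        return "shor-vulnerable"
    if parts[0] in SYMMETRIC:
        return "symmetric"
    return "unknown"


def prioritise(status: str, bits: int, expires: Optional[date]) -> str:
    """Assumed rule: credentials that outlive the planning phase go to the top."""
    if status == "shor-vulnerable":
        return "high" if (expires is None or expires > PHASE1_END) else "medium"
    if status == "symmetric":
        return "medium" if bits < 256 else "low"   # 128-bit symmetric keys worth revisiting
    if status == "unknown":
        return "medium"   # cannot be shown safe, so it needs review
    if status == "hybrid":
        return "low"      # classical half is deprecated by 2030 and removed by 2035 (NIST timeline)
    return "none"         # already PQC


def parse_inventory(text: str) -> list:
    """Parse the constructed export format into Finding records."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable inventory line: {line!r}")
        exp = None if m["expires"] == "none" else date.fromisoformat(m["expires"])
        bits = int(m["bits"])
        status = classify(m["algo"])
        findings.append(Finding(m["host"], m["service"], m["algo"], bits, exp,
                                status, prioritise(status, bits, exp)))
    return findings


def migration_plan(findings: list) -> list:
    """Order findings so the phase-2 upgrade list reads top to bottom."""
    order = {"high": 0, "medium": 1, "low": 2, "none": 3}
    return sorted(findings, key=lambda f: (order[f.priority], f.host))


# Constructed sample export; every host name here is fictional.
SAMPLE_INVENTORY = """
# host service algorithm key-size expiry
host=vpn01.example.internal service=tls algo=RSA bits=2048 expires=2031-06-30
host=api.example.internal service=tls algo=ECDSA bits=256 expires=2026-01-15
host=build.example.internal service=ssh algo=ED25519 bits=256 expires=none
host=pilot.example.internal service=tls algo=X25519+ML-KEM-768 bits=768 expires=2027-03-01
host=sign.example.internal service=codesign algo=ML-DSA-65 bits=0 expires=2030-01-01
host=backup.example.internal service=storage algo=AES bits=256 expires=none
host=legacy.example.internal service=storage algo=AES bits=128 expires=none
"""

if __name__ == "__main__":
    for f in migration_plan(parse_inventory(SAMPLE_INVENTORY)):
        print(f"{f.priority:6} {f.status:16} {f.host:28} {f.service:9} {f.algo}")
```

Running the block prints the constructed inventory ordered as a phase-2 worklist: the RSA VPN endpoint and the SSH host key with no expiry come first, the ECDSA certificate that renews before 2028 can switch at renewal, the hybrid pilot and the ML-DSA signing service need no urgent change, and the symmetric storage keys only matter where they are 128-bit.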