What is quantum-safe cryptography?
Learn how to secure your data in the quantum era
Subscribe to the IBM newsletter
Two workers sitting at shared desk, both looking at computer monitor
What is quantum-safe cryptography?

Quantum-safe cryptography secures sensitive data, access, and communications for the era of quantum computing. Almost everything you do on a computer uses cryptography. That’s why–most of the time–intruders can’t read your emails, access your medical records, post from your social media account, remotely shut off your car, or mess with your city’s electrical grid.

Modern cryptography is so good that when secure data or systems are breached, it is almost never because someone broke the encryption itself. Most breaches are due to human error–someone accidentally gives out a password or leaves a backdoor into a secure system.

You can think of modern encryption standards such as 2048-bit public keys like the sturdiest vaults: close to impossible to breach, unless someone leaves a key lying around outside. But the era of quantum computing will change things. A bad actor with a quantum computer of sufficient power could unlock any 2048-bit vault, and access the data it protects.

We don't know exactly when quantum computers will be powerful enough to crack 2048-bit cryptography, but some experts have sketched out timelines based on what we know so far. The National Institute of Standards and Technology Report on Post-Quantum Cryptography (link resides outside of ibm.com, PDF 195 KB) found that the first breaches could come as soon as 2030.

“I have estimated a one in seven chance that some of the fundamental public-key cryptography tools upon which we rely today will be broken by 2026,” wrote Dr. Michele Mosca (link resides outside of ibm.com), an expert from the University of Waterloo, “and a 50% chance by 2031.”

Quantum-safe cryptography rebuilds the cyptographic vault, making it safe against quantum and classical  attacks.

Some quick cryptography basics

There are two major uses for cryptography: encryption and authentication. Encryption protects data from prying eyes, and authentication prevents bad actors from pretending to be other people.

Most of the cryptography computers use today is asymmetric, or public key. These systems involve two keys: one is shared publicly, but is only useful for encrypting data–or checking someone’s authentication. You can’t use the public key to decode a message or pretend to be someone else. Only the second, private key can do that. When you type in your password on most websites, you’re using a private key to authenticate yourself. The website does some math to check that the private and public keys match before letting you in, without actually making a copy of the private key itself. When you enter your passcode on your phone, you’re doing something similar: entering the private key that unlocks your phone’s data, which has been encrypted using the public key.

Why quantum computers challenge existing cryptography

All of these codes and keys and encryption and authentication schemes are just math problems, specifically designed to be difficult for classical computers to solve. Public-key algorithms work well because all of those math problems are very hard to solve using classical computers—but their solutions are easy to check.

Take the widely-used RSA encryption: the public key is a 2048-bit integer – a very big number. The private key is the prime factors of that number. It’s trivial for even a pocket calculator to check the private key against the public key: just multiply the factors together. But every star that has ever or will ever burn in this universe will run out of fuel and die before the most powerful classical supercomputers ever built could crack the 2048-bit integer into its component factors and read the encoded message.

Standards like RSA have worked well for decades because humanity just hasn’t had the tools to break these forms of encryption. But classical computers are also limited. There are only certain algorithms that we know run well on their binary processors. Over time we’ve come to engineer our society based on the assumption that if a problem can’t be solved using 1s and 0s, it can’t be solved at all.

Quantum computers represent an entirely new paradigm of computation, setting aside binary bits for the complex computational spaces created using qubits, and solving problems that once seemed impossible. Most of the time this is a good thing. IBM is building quantum computers to solve the world’s most important problems. (And you can learn the details of how they work on our What is quantum computing? page.)

But one of those once-impossible problems is prime factorization. The mathematician Peter Shor showed in 1994 that a sufficiently powerful quantum computer would be able to find the prime factors of integers much more easily than classical computers. Shor’s algorithm was actually the first algorithm ever developed for quantum computers. And it will one day mean the end of every major public-key encryption system in use as of 2022.

Symmetric encryption, less secure against classical attacks but still used for certain purposes (like credit card transactions), is under threat too. Grover’s search algorithm isn’t quite the skeleton key for symmetric cryptography that Shor’s is for asymmetric, but it could aid in brute force attacks and make symmetric cryptography much less secure.

Quantum-safe cryptography

The most important thing to understand about quantum-safe cryptography standards is that they substitute the math problems that are easy for quantum computers to solve with math problems that are difficult for both classical and quantum computers to solve.

In 2016, the US National Institute of Standards and Technology (NIST) put out a call for proposals, in an effort to find the best quantum-safe schemes to become the new cryptographic standards. Organizations all over the world created and submitted schemes, 69 total.

Six years later, NIST announced that it had picked four, three of which were developed at IBM. These included the CRYSTALS-Kyber public-key encryption and the CRYSTALS-Dilithium digital signature algorithms, both chosen as primary standards. The Falcon digital signature algorithm was chosen as a standard to be used in situations where the use of Dilithium would be resource-prohibitive. IBM scientist Ward Beullens contributed to digital signature SPHINCS+, the fourth protocol chosen for standardization.

Where earlier forms of cryptography relied on factoring large numbers, these new standards rely on lattice problems. To understand what a lattice problem is, imagine a mathematician showed you a list of 1,000 large numbers. Now let’s say that mathematician showed you an even larger number, and told you they made it by adding up 500 numbers from the list. If they asked you to figure out which 500 numbers they used, classical and quantum computers wouldn’t be much use in finding the answer—but if the mathematician told you which 500 numbers they used, it would be easy to check whether they were telling the truth. That makes lattice problems good replacements for prime factorization problems in cryptography.

A short window to prepare

So the good news is that quantum-safe cryptography already exists. We are so confident in these new standards that we have already built them into our z16 cloud systems, and are working with clients to integrate them into their security infrastructure.

The challenge is that cybersecurity infrastructure historically takes a long time to upgrade and there is no time to waste.

Quantum computers are progressing quickly. We expect to see the first demonstrations of quantum advantage within the next five years. Most experts agreed in a poll that a quantum computer capable of breaking 2048-bit encryption is likely by the late 2030s. In a report, the German government stated that for its most sensitive data, it assumes the first breaches in 2048-bit encryption are just ten years away.

Ten years is not a long time. Many critical pieces of cybersecurity infrastructure in government and industry have gone unchanged for decades. Many computers already or soon to be in use will need to work for the next several decades with minimal alterations (consider the microchip in your car or the encryption schemes used in passports). And there have already been examples of large batches of encrypted data being stolen by unknown actors, possibly to be hoarded and decrypted later using future technology.

Not every data breach is discovered. Any data not encrypted using quantum-safe standards today should be considered already lost.

If you’re ready to act to protect your organization, the first step is to contact an IBM representative

IBM has been a leader in cryptography for decades, and is now the global leader in both quantum-safe cryptography and responsible quantum computing. We draw on our deep cryptographic and quantum expertise to position clients to capitalize on the quantum future, and to navigate it safely.

The individualized IBM Quantum Safe program supports clients as they map out their existing cybersecurity and begin to upgrade it for the era of quantum computing. That mapping alone is an important exercise: Most organizations do not have a complete view of what data they hold, where it is most vulnerable, or how it is protected. Organizations that go through this process gain better control of their cybersecurity systems, and see their cybersecurity systems become more agile. This positions them to adapt more quickly to future events.

Related solutions
IBM Quantum Safe

Securing the world’s digital infrastructure for the era of quantum computing.

Secure your data today
Quantum for business

Global businesses are readying themselves today for the era of quantum computing. See how our industry experts prepare our clients to use this technology for competitive advantage.

Get started
Quantum for developers

Build programs that solve problems in new ways on IBM Quantum systems—the most popular and powerful quantum hardware in the world.

Learn about our open-source SDK
Take the next step

IBM Quantum Safe secures your organization for the era of quantum computing. We offer technology capabilities, methods, and approaches for securing your data. IBM Quantum Safe is tailored to your particular organizational needs and risks, as well as the status of your existing infrastructure. To learn more about IBM Quantum Safe, and how your organization can prepare today for the coming transition, take the next step today.

Learn more about IBM Quantum Safe today