Quantum-safe cryptography secures sensitive data, access, and communications for the era of quantum computing.

Almost everything you do on a computer uses cryptography. That’s why, most of the time, intruders can’t read your emails, access your medical records, post from your social media account, remotely shut off your car, or mess with your city’s electrical grid.

Modern cryptography is so good that when secure data or systems are breached, it is almost never because someone broke the encryption itself. Most breaches are due to human error–someone accidentally gives out a password or leaves a back door into a secure system.

You can think of modern encryption standards such as 2048-bit public keys like the sturdiest vaults: close to impossible to breach, unless someone leaves a key lying around outside. But the era of quantum computing will change things. A bad actor with a quantum computer of sufficient power might unlock any 2048-bit vault, and access the data that it protects.

We don't know exactly when quantum computers will be powerful enough to crack 2048-bit cryptography, but some experts have sketched out timelines based on what we know so far. The National Institute of Standards and Technology *Report on Post-Quantum Cryptography* found that the first breaches might come as soon as 2030.

“I have estimated a one in seven chance that some of the fundamental public-key cryptography tools upon which we rely today will be broken by 2026,” wrote Dr. Michele Mosca, an expert from the University of Waterloo, “and a 50% chance by 2031.”

Quantum-safe cryptography rebuilds the cryptographic vault, making it safe against quantum and classical attacks.

Learn about threats posed by quantum computers and start to take action to prepare for quantum-safe cryptography.


There are two major uses for cryptography: encryption and authentication. Encryption protects data from prying eyes, and authentication prevents bad actors from pretending to be other people.

Most of the cryptography that quantum computers threaten is *asymmetric*, or public-key, cryptography. These systems involve two keys. One is shared publicly, but it is only useful for encrypting data or for verifying a signature: you can’t use the public key to decrypt a message or to sign as someone else. Only the second, private key can do that. The most common everyday example is the padlock in your browser: when you connect to a website, the server proves its identity by signing part of the handshake with a private key that never leaves it, and your browser checks that signature against the public key in the site’s certificate. The same handshake uses public-key key exchange to agree the symmetric key that then encrypts the session. (Your website password and your phone passcode are not private keys; they are checked against stored hashes or used to derive a symmetric key. Public-key cryptography is what protects them while they travel over the network.)

All of these codes and keys and encryption and authentication schemes are just math problems, specifically designed to be difficult for classical computers to solve. Public-key algorithms work well because all of those math problems are hard to solve by using classical computers—but their solutions are easy to check.

Take the widely used RSA encryption: the public key contains a 2048-bit integer, the modulus, which is the product of two secret primes of about 1024 bits each. The private key is derived from those two prime factors. It’s trivial for even a pocket calculator to check the private key against the public key: multiply the factors together and compare. But every star that has ever or will ever burn in this universe will run out of fuel and die before the most powerful classical supercomputers that are ever built could split that 2048-bit modulus into its factors and decrypt the message.
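The asymmetry described above, multiplying is instant while factoring is not, is easiest to see on a modulus small enough to attack. The following is an added example, not code from the original page: a textbook (unpadded, toy-only) RSA implementation in Python with a trial-division attacker. The names `keygen`, `check_factors`, `factor_by_trial_division` and `recover_private_key`, the 32-bit modulus size and the fixed seed are assumptions for illustration; real RSA uses OAEP or PSS padding and 2048-bit or larger moduli.

```python
import math
import random

E = 65537  # the usual public exponent


def is_probable_prime(n, rng, rounds=32):
    """Miller-Rabin probabilistic primality test (standard construction)."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_prime(bits, rng):
    """Random prime of exactly `bits` bits such that gcd(p-1, E) == 1."""
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand, rng) and math.gcd(cand - 1, E) == 1:
            return cand


def keygen(modulus_bits, rng):
    """Textbook RSA key pair: public (n, e), private (n, d). Toy only: no padding."""
    p = gen_prime(modulus_bits // 2, rng)
    q = gen_prime(modulus_bits // 2, rng)
    while q == p:
        q = gen_prime(modulus_bits // 2, rng)
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(E, -1, phi)  # modular inverse, Python >= 3.8
    return (n, E), (n, d)


def encrypt(pk, m):
    n, e = pk
    return pow(m, e, n)


def decrypt(sk, c):
    n, d = sk
    return pow(c, d, n)


def check_factors(pk, p, q):
    """The 'pocket calculator' check from the text: one multiplication."""
    return p > 1 and q > 1 and p * q == pk[0]


def factor_by_trial_division(n):
    """The attacker's job. Cost grows with sqrt(n): ~2^16 steps for a 32-bit
    toy modulus, ~2^1024 steps for a 2048-bit one, which is why RSA works."""
    if n % 2 == 0:
        return 2, n // 2
    for p in range(3, math.isqrt(n) + 1, 2):
        if n % p == 0:
            return p, n // p
    raise ValueError("no factor found")


def recover_private_key(pk):
    """Once the factors are known, the private exponent follows immediately."""
    n, e = pk
    p, q = factor_by_trial_division(n)
    return n, pow(e, -1, (p - 1) * (q - 1))


if __name__ == "__main__":
    rng = random.Random(2024)  # fixed seed: constructed demo, not a real key
    pk, sk = keygen(32, rng)
    m = 0xC0FFEE
    print("round trip ok:", decrypt(sk, encrypt(pk, m)) == m)
    print("recovered key matches:", recover_private_key(pk) == sk)
```

Increase `modulus_bits` in `keygen` to 64 or 80 and the attack already becomes painful in pure Python; at 2048 bits the loop would not finish within the lifetime of the universe, which is the whole point of the paragraph above.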

Standards like RSA have worked well for decades because humanity simply hasn’t had the tools to break them. But classical computers are also limited: only certain kinds of algorithms run efficiently on their binary processors, and for factoring the best we know are far slower than polynomial time. Over time we’ve come to engineer our society on the assumption that if a problem can’t be solved efficiently by using 1s and 0s, it can’t be solved at all.

Quantum computers represent an entirely new paradigm of computation, setting aside binary bits for the complex computational spaces that are created by using qubits, and solving problems that once seemed impossible. Most of the time this is a good thing. IBM® is building quantum computers to solve the world’s most important problems. (And you can learn the details of how they work on our What is quantum computing? page.)

But one of those once-impossible problems is prime factorization. In 1994 the mathematician Peter Shor showed that a sufficiently powerful quantum computer could find the prime factors of an integer in polynomial time, exponentially faster than any known classical method. The same algorithm solves the discrete logarithm problem, which underlies Diffie-Hellman key exchange and elliptic-curve cryptography. Shor’s algorithm was one of the earliest quantum algorithms and remains the most consequential: a large enough fault-tolerant machine running it will one day mean the end of every major public-key encryption system in use as of 2022.

Symmetric encryption, which does most of the actual work of protecting data in transit and at rest (TLS session traffic, disk encryption, payment transactions), is affected too, but far less severely. Grover’s search algorithm isn’t the skeleton key for symmetric cryptography that Shor’s is for asymmetric: it speeds up brute-force key search only quadratically, so a 128-bit key costs on the order of 2^64 quantum operations instead of 2^128. The standard response is to double key lengths, for example by moving from AES-128 to AES-256, rather than to replace the algorithm.

The most important thing to understand about quantum-safe cryptography standards is that they substitute the math problems that are easy for quantum computers to solve with math problems that are difficult for both classical and quantum computers to solve.

In 2016, the US National Institute of Standards and Technology (NIST) put out a call for proposals to find the best quantum-safe schemes to become the new cryptographic standards. Researchers and organizations from all over the world created and submitted candidate schemes, 69 in total.

Six years later, in July 2022, NIST announced that it had picked four, three of which were developed by teams that include IBM researchers. These included the CRYSTALS-Kyber key-encapsulation (public-key encryption) scheme and the CRYSTALS-Dilithium digital signature scheme, both chosen as primary standards. The Falcon signature scheme was chosen for situations where Dilithium’s key and signature sizes would be resource-prohibitive. IBM scientist Ward Beullens contributed to the SPHINCS+ signature scheme, the fourth algorithm chosen; it is hash-based rather than lattice-based, and serves as a backup should lattice problems prove weaker than believed. (NIST published the first three as FIPS 203 ML-KEM, FIPS 204 ML-DSA and FIPS 205 SLH-DSA in August 2024; Falcon is slated to follow as FN-DSA.)

Where RSA relies on factoring large numbers, the three lattice-based standards rely on problems such as learning with errors. To get a feel for why such problems are hard, imagine a mathematician showed you a list of 1,000 large numbers, then an even larger number, and told you it was made by adding up 500 numbers from the list. If you were asked which 500 numbers were used, neither a classical nor a quantum computer would be much help in finding the answer. But if the mathematician told you which 500 numbers were used, checking the claim is a single sum. That asymmetry, hard to find but easy to verify for both kinds of computer, is what makes lattice problems good replacements for prime factorization in cryptography.
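To make the "hard to find, easy to check" property concrete, here is an added example, not code from the page or from the CRYSTALS projects: a toy public-key encryption scheme built on learning with errors in the style of Regev’s construction, the family the Kyber design descends from. The public key is a random matrix `A` together with `b = A·s + e` for a secret `s` and small noise `e`; recovering `s` from `(A, b)` is the hard problem, while confirming a candidate secret is one matrix-vector product. The parameters `Q`, `N`, `M` and the function names are assumptions chosen so the example runs in pure Python; they are nowhere near real security levels (ML-KEM works over polynomial rings with q = 3329 and much larger dimensions).

```python
import random

# Toy parameters (assumption: tiny, for illustration only).
Q = 257          # modulus
N = 16           # dimension of the secret vector
M = 40           # number of public samples; M < Q/4 keeps decryption exact
HALF = Q // 2    # encodes plaintext bit 1


def dot(x, y):
    return sum(a * b for a, b in zip(x, y))


def keygen(rng):
    """Secret s, public (A, b = A*s + e mod Q) with e drawn from {-1, 0, 1}."""
    s = [rng.randrange(Q) for _ in range(N)]
    A = [[rng.randrange(Q) for _ in range(N)] for _ in range(M)]
    e = [rng.choice((-1, 0, 1)) for _ in range(M)]
    b = [(dot(row, s) + err) % Q for row, err in zip(A, e)]
    return s, (A, b)


def is_valid_secret(pk, s):
    """Easy to check: s is the secret iff every entry of b - A*s is tiny."""
    A, b = pk
    residues = ((bi - dot(row, s)) % Q for row, bi in zip(A, b))
    return all(min(d, Q - d) <= 1 for d in residues)


def encrypt_bit(pk, bit, rng):
    """Pick a random subset r of the public rows and add them up (the
    'which 500 numbers' step), hiding the bit in the low/high half of Q."""
    A, b = pk
    r = [rng.randrange(2) for _ in range(M)]
    u = [sum(r[i] * A[i][j] for i in range(M)) % Q for j in range(N)]
    v = (dot(r, b) + bit * HALF) % Q
    return u, v


def decrypt_bit(sk, ct):
    """v - u*s = bit*HALF + r*e, and |r*e| <= M < Q/4, so rounding recovers the bit."""
    u, v = ct
    d = (v - dot(u, sk)) % Q
    return 1 if Q // 4 <= d < 3 * Q // 4 else 0


def encrypt_bytes(pk, data, rng):
    return [encrypt_bit(pk, (byte >> i) & 1, rng) for byte in data for i in range(8)]


def decrypt_bytes(sk, cts):
    bits = [decrypt_bit(sk, ct) for ct in cts]
    return bytes(sum(bits[k + i] << i for i in range(8)) for k in range(0, len(bits), 8))


if __name__ == "__main__":
    rng = random.Random(7)  # fixed seed: constructed demo, not a real key
    sk, pk = keygen(rng)
    msg = b"quantum-safe"   # constructed sample plaintext
    print("round trip ok:", decrypt_bytes(sk, encrypt_bytes(pk, msg, rng)) == msg)
    print("real secret verifies:", is_valid_secret(pk, sk))
```

Without the secret, an attacker sees only `(A, b)` and the ciphertext `(u, v)`, and the noise `e` is exactly what stops Gaussian elimination from recovering `s`; that noise is the "errors" in learning with errors, and no known classical or quantum algorithm removes it efficiently at real parameter sizes.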

So, the good news is that quantum-safe cryptography already exists. We are so confident in these new standards that we have already built them into our z16 cloud systems, and are working with clients to integrate them into their security infrastructure.

The challenge is that cybersecurity infrastructure historically takes a long time to upgrade and there is no time to waste.

Quantum computers are progressing quickly. We expect to see the first demonstrations of quantum advantage within the next five years. Most experts agreed in a poll that a quantum computer capable of breaking 2048-bit encryption is likely by the late 2030s. In a report, the German government stated that for its most sensitive data, it assumes that the first breaches in 2048-bit encryption are just ten years away.

Ten years is not a long time. Many critical pieces of cybersecurity infrastructure in government and industry have gone unchanged for decades. Many computers already in use, or soon to be, will need to work for the next several decades with minimal alterations (consider the microchip in your car or the encryption schemes that are used in passports). And there have already been examples of large batches of encrypted data being stolen by unknown actors, presumably to be hoarded and decrypted later with future technology, a pattern known as harvest now, decrypt later.

Not every data breach is discovered. Any data whose confidentiality must outlast the arrival of such machines, and which is protected only by today’s quantum-vulnerable public-key algorithms rather than quantum-safe standards, should be considered already lost.

If you’re ready to act to protect your organization, the first step is to contact an IBM representative.

IBM has been a leader in cryptography for decades, and is now the global leader in both quantum-safe cryptography and responsible quantum computing. We draw on our deep cryptographic and quantum expertise to position clients to capitalize on the quantum future, and to navigate it safely.

The individualized IBM Quantum Safe™ program supports clients as they map out their existing cryptography and begin to upgrade it for the era of quantum computing. That mapping alone is an important exercise: most organizations do not have a complete inventory of what data they hold, where it is most vulnerable, or which algorithms and keys protect it. Organizations that go through this process gain better control of their cybersecurity systems and become more crypto-agile, able to swap algorithms without redesigning the systems around them. This positions them to adapt more quickly to future events.

Securing the world’s digital infrastructure for the era of quantum computing.
