POSTQUANTUM CRYPTOGRAPHY, PART 1
The Day the Cryptography Dies
John Mulholland | evolutionQ
Michele Mosca | University of Waterloo
Johannes Braun | Technische Universitt Darmstadt
Typical digital technology users are often unaware of the cryptographic capabilities they utilize daily. The
implications of quantum computers for various digital technologies and environments are discussed, and
potential threat actor behaviors are explored.
M odern life is infused with digital technology
and mobile communications to an extent we
couldnt have imagined a few decades ago. Regard-
less of our occupation, location, or degree of technical
knowledge, weve become increasingly dependent on
instant access to information, coworkers, clients, and
family. This has changed the way we procure goods,
manage finances, conduct research, and seek healthcare.
The trend continues as we deploy new technology to
improve, monitor, or automate more aspects of our lives.
This development has forced us to be more aware
of the pitfalls that come with widespread adoption of
digital technologies. Cybersecurityonce the concern
of governments, financial institutions, large organiza-
tions, and technology or security practitionersis now
everybodys concern.
In simpler times, the average persons view of infor-
mation security was considered less important. Cer-
tainly, those who pay insufficient attention to security
will become targets of various forms of privacy viola-
tion, financial fraud, ransomware, or identity theft. But,
increasingly, such individuals bring their technology
habits into the workplace, and in many cases, they bring
14 July/August 2017 Copublished by the IEEE Computer and Reliability Societies 
their personal technology with them. Their practices
and technology could form attack vectors that threat
actors use to penetrate even the most security-conscious
organizations defenses.
Often these concerns are mitigated by training peo-
ple to follow good security practices and employing
extensive security tools, many of which provide digi-
tal security through cryptography. But what happens if
virtually all our cryptographic security tools suddenly
become ineffective, all at once?
What will happen to the security of our digital life on
the day the cryptography dies?
Background
Cryptography provides significant benefits to the pub-
lic, including privacy/confidentiality, authentication,
integrity, and nonrepudiation, but the average persons
view of this technology is difficult to capture. Most
only vaguely understand and view it with a mixed per-
spective based mostly on media reporting on encryp-
tion and security issues. Encryption is considered to
be dual-use technology, because it furnishes the aver-
age person with privacy for their information and
1540-7993/17/$33.00 2017 IEEE
communications but also provides these to organiza- Different variants of public-key technology are embed-
tions and individuals who want to hide illegal or rep- ded in most of the digital devices, applications, services,
rehensible activities. This has led to debates between and protocols that we use daily.
technology and privacy experts who advocate for it, Confidence in the security of public-key crypto
and law enforcement officials concerned about the graphy is very high, and cyberthreat actors seldom
impact it will have on their functions. attempt direct attacks on these virtually impenetrable
Beyond this debate, the average person is most con- systems. Instead, they exploit poor implementations
cerned with obtaining cryptographys benefits without (bugs and configuration errors), bad practices (poor
significantly impacting the ease of use or performance or reused passwords), or human nature (phishing), all
of the technology. Additional passwords, key manage- of which are far more lucrative ways to breach a com-
ment processes, or steps added to routine processes all puter or telecommunications system. The mathematical
detract from the end-user experience. The procedures foundations of public-key cryptography dont promise
that are so necessary to proper security are often the perfect security, but its unlikely that attackers using cur-
very reason many avoid traditional cryptography. rent computing technologies will be able to penetrate a
Fortunately, in the past few decades, cryptography properly implemented public-key system.
has evolved to supply tools that avoid its traditional Public-key cryptography has been so successful and
pitfalls. The oldest form of cryptographyprivate-key, ubiquitous because it functions in the background, with
or symmetric-key, encryptioninvolves some form of the average person seldom aware of its operation. An
shared secret. Relatively easy to implement and oper- icon or a color change on an applications taskbar might
ate, private-key encryption suffers from two difficulties. be the only visible indication that a secure process has
First, the communicating been initiated. In matters
parties must share of security, many
secret information, The average person is most concerned with people rely on assur-
which then becomes obtaining cryptographys benefits without ances from their ser-
the basis for the secu- vice providers. Few
significantly impacting the ease of use or
rity of the encryp- have the knowledge
tion process. To do performance of the technology. or tools to verify that
so, they must meet their information is
in person or have actually protected
some other secure channel they can use to share the by encryption or understand the circumstances that
secret. The second difficulty is that the secret should be enable or prevent cryptography use. Nonetheless, orga-
changed frequently or attackers might discover it. How nizations and individuals routinely perform sensitive or
long it takes for attackers to discover it depends on the valuable digital transactions that rely on this security.
nature of the secret, but reusing the same secret cre- But what if we couldnt rely on the security fur-
ates patterns that cryptanalysts can eventually exploit. nished by public-key cryptography? How realistic is this
These two problems result in much of the management scenario?
overhead associated with traditional cryptography.
Private-key cryptography is popular among those orga- Quantum Computers and Cryptography
nizations that truly value their security and are willing The security of public-key systems depends on the
to undertake the key distribution and management pro- computational difficulty of one of several mathematical
cesses that it entails. problems. These are called one-way functions because
Public-key cryptography, also called asymmetric they are relatively easy to compute but extremely hard
cryptography, doesnt require a shared secret. Security to reverse. RSA, one of the earliest public-key algo-
relies on a mathematical relationship between multiple rithms, uses one such problem: the difficulty of fac-
keys, some of which are public and some of which are toring large numbers.1 Security here relies on the ease
private. Public-key methods are generally less efficient of multiplying two large prime numbers to compute a
to operate than private key, so theyre typically used to result; its exceedingly difficult to take the result and
establish a secure channel and exchange a secret key determine which two primes were used to produce
that symmetric algorithms then use to protect sensi- it. Different mathematics based on the discrete loga-
tive information. However, the unique capabilities of rithm problem lie at the core of Diffie-Hellman algo-
public-key cryptography include the creation and shar- rithms2 and the digital signature algorithm (DSA).3
ing of secret keys and the provision of secure authenti- When applied to certain elliptic curves, the discrete
cation and nonrepudiation services. Hence, its a critical logarithm problem is also the basis of elliptic curve
tool that underpins the security of our digital economy. cryptographic algorithms.4

www.computer.org/security 15
POSTQUANTUM CRYPTOGRAPHY, PART 1
Secure web browsing
The Internet TLS/SSL RSA, DSA, DH,
Cloud computing Application updates ECDH, ECDSA etc
Payment systems Digital signatures
Internet of Things VPNIPSec AES, 3-DES, SHA
e-Health Secure emailS/MIME etc
PKI
etc
Figure 1. Security in digital environments such as the Internet rely on
applications and protocols, which depend on the security of cryptographic
algorithms. Todays algorithms are vulnerable to attack by quantum computers.
Solutions to these problems are exceedingly difficult
using the technology available today, but quantum com-
puters will change this situation. Quantum computers
wont merely be faster or more powerful than the con-
ventional computers we use today. They will rely on the
principles of quantum physics, which describe a radically
different way of looking at the universe. For example,
whereas conventional computers operate using bits that
are always in one of two binary states (0 or 1), quantum
physics allows for bits to be in both the 0 and 1 states at the
same time. By manipulating a large collection of quantum
bits, a quantum computer could, in a special way, simulta-
neously explore the countless configurations of 0s and 1s.
Since the mid-1990s weve known of algorithms that
can use this quantum capability. Sufficiently capable
quantum computers could apply Shors algorithm5 to
solve the mathematical problems that are the founda-
tion of public-key algorithms, rendering anything pro-
tected by them vulnerable to exploitation.
Symmetric-key algorithms are also affected; quan-
tum computers using Grovers algorithm6 could reduce
the strength of algorithms such as the Advanced Encryp-
tion Standard7 and 3-DES8 (Triple Data Encryption
Standard) by approximately 50 percent for a given key
length. In some cases, this could be offset by increasing
the length of the symmetric key. However, this approach
wont work for public-key algorithms, because they rely
on mathematical problems that require subexponential
time to solve on classical computers. These problems
become solvable in polynomial time on quantum com-
puters, meaning that regardless of key length, it would
take pretty much the same time to encrypt a message
with a public key as it would to attack and decrypt it.
This problem isnt yet upon us, but its approaching.
Experts in quantum technology have forecast that quan-
tum computers with the necessary capabilities could
exist in the next 10 to 15 years.911
16 IEEE Security & Privacy
Implications for the Security of Our
Digital Lives
Public-key cryptography has become widespread in
our digital lives because it requires very little end-user
knowledge or awareness. As a result, few are aware of
the breadth of services and applications that depend on
public keys for security. Individuals outside the security
and technology communities might not comprehend
the impact of the loss of public-key cryptography.
How do you determine whether your common digi-
tal activities will become vulnerable once quantum
computers arrive? Perhaps even more important, how
would victims even become aware that theyd been the
target of a quantum-enabled attack, and what could
they do to protect themselves?
Figure 1 provides a high-level overview of how
deeply public-key cryptography is embedded in the fab-
ric of the digital ecosystem.
We explore these questions in more detail by look-
ing at activities commonly performed today in the digi-
tal environment.
Modern Digital Environments
We take for granted a great many activities in our digital
lives that rely on public-key cryptography for security.
Public Key Infrastructures
Public-key infrastructure (PKI) systems furnish com-
prehensive identity management and security services
to organizations that deploy them.12 These complex
systems dont operate transparently. However, properly
implemented and managed installations can hide much
of the complexity from the average user. At their core is
a Certificate Authority (CA) that creates public/private
keys and integrates them into security certificates. PKI
systems arrange for the integration and use of certifi-
cates in various processes and applications that require
them; issue, validate, and revoke them; take care of key
management issues; and furnish the background ser-
vices necessary to ensure the long-term viability of the
system and the information it protects. Organizations
deploy a PKI because they require strong identity man-
agement and secure control over information access.
They generally invest significant resources in establish-
ing and maintaining PKI systems, and training users in
their operation. PKI systems and CA-issued security
certificates are all based on public-key cryptography.
Internet Security
Internet security is important when you want to estab-
lish secure connections to websites, protect your cre-
dentials when you log in to remote systems, or ensure
that information you access or download remains
unchanged until it reaches you or if you want privacy
July/August 2017
while browsing or downloading information. Most
Internet security relies on the TLS/SSL protocol, which
employs public-key algorithms for key exchange.13 The
servers participating in TLS/SSL transactions must be
issued security certificates, which also rely on public-key
cryptography. The TLS/SSL protocol is a key enabler of
digital commerce, employed to protect financial trans-
actions and electronic banking. Most email services also
use it to provide a secure tunnel for messages while in
transit between senders and recipients.
Email
Encrypted email (employing Secure/Multipurpose
Internet Mail Extensions, or S/MIME) is used on top
of the secure communications provided by TLS/SSL to
further protect users communications.14 S/MIME uses
public-key encryption and digital signatures to furnish a
full range of security services: message privacy, authen-
ticity, integrity, and nonrepudiation. Unlike TLS/SSL,
this protection persists even while messages are stored
on servers or devices. S/MIMEs capability exists in
most email clients or services but requires CA-issued
digital certificates. S/MIME is most often used by
large organizations and government agencies that have
invested in such infrastructure.
VPN and Intranet
Its quite common for employees and trusted partners
to have remote access to an organizations information
resources. This usually requires a VPN, which creates a
secure communications tunnel that penetrates an orga-
nizations boundary security to permit access to internal
information and resources. VPNs are generally based on
Internet Protocol Security (IPSec), which uses several
public-key mechanisms for key exchange.
Intranet security issues are much the same as those
on the Internet, but with well-defined boundary protec-
tions intended to block access to anyone but employees
and trusted partners. Secure access control mechanisms
such as passwords are often the primary security tool
to access servers and information. Even on Intranets,
public-key cryptography (often TLS/SSL) is used to
protect access credentials from being captured while in
transit. Most noncryptographic security measures can
be bypassed by privileged users or compromised by
poor user security practices, leaving important infor-
mation vulnerable to an insider threat. Cryptographic
protection will remain the best and last line of defense
for high-value information, intellectual property, or per-
sonnel records.
Software Updates
Virtually all digital systems, devices, and applications in
the digital ecosystem depend on software, and one major
www.computer.org/security
security tenant is that software updates and patches
must be applied regularly. These updates could become
a source of malware if threat actors change it or replace
it with one of their own. To avoid this problem, vendors
use the public keybased DSA to sign an update before
releasing it. This signature is evaluated (using the cor-
responding certificate) on the device before the update
is installed. Any modification to the package will cause
the signature to fail, and properly configured devices and
applications wont apply updates without a valid signa-
ture. The security of most digital devices and applica-
tions depends on reliable software updates using DSA.
Internet of Things
The evolving Internet of Things (IoT) is bringing the
benefits of digital technology to virtually all aspects
of our lives. The IoT relies on secure connections over
public networks between devices (things), websites,
and end users. True IoT security will require the abil-
ity to send messages that remain secure end-to-end
between devices and users, and this will likely involve
public-key cryptography. This is beyond the capability
of many current devices, but TLS/SSL plays a signifi-
cant role in ensuring that these communications travel
inside a secure tunnel on public networks.
Healthcare
The digital age has influenced healthcare in many ways.
Wearable technology monitors specific aspects of a per-
sons health and behavior and transmits it to servers and
storage over public networks. Medical records, lab test
results, and patients histories are increasingly digital in
nature and can be moved among offices, clinics, phar-
macies, laboratories, and hospitals so that medical prac-
titioners can swiftly diagnose health issues, prescribe
medication, and furnish the best possible care. Its
essential, and often required by law, that this informa-
tions privacy, integrity, and authenticity be protected,
sometimes even after the patients death. The health-
care industry has begun adopting digital technologies
such as remote access methods, cloud computing, and
mobile devices. To accomplish this securely, they man-
date the use of digital signatures and encryption of data
in transit using industry-standard cryptographic algo-
rithms such as S/MIME and TLS.15 Encryption of data
at rest is still uncommon but is recommended.
Finances
Payment card transactions as well as sensitive communi-
cations between banks and major financial institutions
tend to use symmetric encryption. As with all symmet-
ric encryption, organizations must exchange the secret
keys that enable these communications. These keys are
often transferred by nondigital means (for instance, by
17
POSTQUANTUM CRYPTOGRAPHY, PART 1
courier) and ultimately reside in secure storage devices.
Even so, these keys could be protected by public-key
cryptography for at least some portion of their transfer
between organizations.
Blockchains are being used and considered for a
wide range of applications such as Bitcoin and other
digital currency.16,17 Although blockchain technol-
ogy mostly relies on symmetric-key cryptography,
public-key crypto graphy remains important. For
example, public-key technologies are used to manage
the addresses of bitcoin wallets, and the public key is
exposed when one spends bitcoins. The quantum vul-
nerabilities can be avoided with careful management.
Critical Infrastructures
Major critical infrastructure systems such as oil, gas,
water, and electrical distribution are composed of het-
erogeneous, geographically distributed equipment that
must operate virtually instantly in response to real-time
events. Traditionally, these were predominantly net-
works of largely analog devices controlled from
manned operational control centers, but this is chang-
ing as equipment is updated and replaced with digital
versions. Even so, the widespread and remote distribu-
tion of equipment, the performance and response time
requirements, and the need for near-100-percent avail-
ability make these systems quite different from typical
IT environments. However, security in these networks
relies on public-key technology. VPNs could be used to
secure remote access connections, secure versions of
standard protocols like File Transfer Protocol Secure
(FTPS) for file transfers and Simple Mail Transfer Pro-
tocol Secure (SMTPS) could be applied, and TLS/SSL
could be employed to protect network traffic.
Implications for the Digital Ecosystem
Vulnerabilities in any one of the systems and processes
discussed above will certainly have a damaging effect on
modern life. But if these vulnerabilities occur simulta-
neously, they could lead to the destruction of the secu-
rity fabric that connects much of modern society.
Without public-key cryptography, we could no lon-
ger trust in the privacy or proper functioning of our
devices and systems. Software updates could be replaced
with versions that include malware, possibly turning our
mobile and home automation devices into tools under
the control of threat actors. The credentials used to access
our bank and payment card accounts could be captured.
Electronic identities could be spoofed, and we couldnt
be sure that our messages werent intercepted, changed,
or redirected on their way to the intended recipient. The
history of where we go and what we do while carrying
or using mobile technology could be available to suffi-
ciently motivated threat actors.
18 IEEE Security & Privacy
At the organizational level, the implications are even
greater. Few organizations operate in isolation; they rely
on digital networks to connect their distributed sites,
their partners, and their clients. Theyre dependent on
the security of supply chains, distribution networks,
financial management systems, and communications
and control systems, which all rely to some degree on
public-key cryptography. Technology organizations
could appear to be distributing malware once threat
actors are able to forge their digital signatures. To avoid
major losses, financial organizations would need to
review their symmetric-key cryptographic algorithms
and devices and ensure that their key distribution pro-
cesses avoid processes or distribution networks pro-
tected using public-key cryptography.
These threats could be extended to the level of
nation-states, if one considers the potential for threat
actors to disrupt the operation of major financial or
infrastructure networks.
How great is this risk? How will threat actors take
advantage of quantum technology once its available?
Threat Actors and Their Behavior
Its always difficult to predict adversaries actions,
because theyre constantly morphing their behavior to
stay ahead of security practitioners and their tools. It
will be particularly difficult to predict their actions in
the quantum era, because there arent historical records
showing how threat actors will access and apply quan-
tum technology. Nonetheless, certain features of quan-
tum computers will likely influence how different threat
actors will employ them.
In the early stages of the quantum era (once quan-
tum computers can run Shors algorithm), access to such
technology will be extremely limited. Nation-states will
likely be the earliest to obtain access, and this might
happen even before the technology breakthrough
becomes common knowledge. However, it wont be
long before quantum computing time becomes avail-
able to researchers in large labs, and to the general com-
munity in some shared manner. Its likely that organized
crime will obtain access by buying time on these com-
puters or using coercion.
The threat actor must still obtain access to the
networks and data containing the information to be
decrypted. In many cases, sensitive or valuable informa-
tion will reside unencrypted in an organizations data
servers, protected by access controls and insecure tun-
nels while moving on internal networks. The challenge
will be obtaining the information and then filtering it
down to acceptable volumes for processing on limited
quantum resources.
We can make some predictions. First, trusted insid-
ers will become a much more powerful threat, especially
July/August 2017
privileged personnel such as systems and security per- Fifth, threat actors generally look for relatively small
sonnel who have easy access to network appliances. The nuggets of information with high value and long life.
most useful tools available to protect against insider In most cases, keys used to protect a single message
threats are access controls and forms of encryption. It will be of little value, unless the message itself contains
will become very difficult for an organization to pro- keys or information with strategic value and a relatively
tect itself if network traffic, secure email, and encrypted long lifetime. For example, master keys (symmetric
documents can be read by using a quantum computer keys with a relatively long lifetime) might be shared
to exploit public-key cryptography such as that found in between organizations to facilitate communications
TLS/SSL and security certificates. or distributed production processes. An organization
Second, strong access control processes will remain might create these via a secure process inside a secu-
a key deterrent, because hashing techniques used for rity appliance, such as a hardware security module,
password processing will be largely unaffected by and then send them to other organizations via various
known quantum algorithms. Even today, threat actors processes, possibly employing nonelectronic meth-
have demonstrated their ability to penetrate systems by ods such as couriers. If the process involves placing
exploiting user weaknesses (poor passwords and phish- the keys on a network at any point during the transfer
ing attacks). However, in the quantum era, it will become between secure digital fortresses, a quantum com-
even easier to bypass access puter could capture, exfil-
controls. By exploit- trate, and decrypt
ing TLS/SSL tun- the data containing
nels, threat actors We need to implement algorithmic tools these master keys.
can capture creden- into real products that can be deployed and Any information or
tials in transit. For tested in real-world environments. activity protected
more sophisticated by these master keys
organizations with would then become
identities based on vulnerablea situa-
CA-generated certificates, quantum computers will tion that threat actors could exploit for years.
allow threat actors to forge anyones digital identity Finally, its unlikely that threat actors will use quan-
(that is, recreate their private key) using available pub- tum computers to access the activities or identities of
lic certificates. In the same manner, threat actors could specific individuals, unless these individuals have spe-
forge the identity of any secure webserver by forging the cialized roles or privileges that could be exploited to
certificates used to establish TLS connections. access major systems or networks. Its far more likely that
Third, there might be fewer indications that threat threat actors will recover signing credentials that permit
actors are attacking. Today, adversaries must explore sys- them to install malware via software updates, thereby
tems looking for weaknesses (bugs, vulnerabilities, or converting large numbers of digital devices into tools
poor configuration) or exploit human weaknesses (phish- they could use for their own purposes.
ing approaches). Security tools, savvy systems, and secu- Its possible that the actions of quantum-era threat
rity analysts can detect these threats. In the quantum era, actors will be very different than described here. Quan-
adversaries merely need access to encrypted data. They tum technology will open up such a broad spectrum
could collect it as it travels over the Internet, obtain it from of security weaknesses that adversaries will have a vast
a tapped leased line or satellite feed, or bribe or coerce an array of opportunities to exploit our digital ecosystem
insider to obtain it from internal networks and databases. and undermine our way of life.
Once they have the data, adversaries can process it when-
ever quantum computing resources are available. What Do We Do?
Fourth, its unlikely that quantum attacks will occur in Theres a very real danger that many who research and
real time. Threat actors will gather data (this could even deal with cybersecurity threats could view the impend-
be happening now) and store it for offline processing ing demise of public-key cryptography as just another
when time on quantum computers becomes available. form of zero-day attack, and so will plan to deal with
Or they might arrange to exfiltrate encrypted data from the problem as the threat emerges. But the methods
an organizations backup storage location, although this used to patch vulnerabilities and zero-day attacks are
approach might result in a volume of data too great for intended to limit the damage from specific weaknesses
early quantum devices. The only threat actor that could that can be identified and patched. Trying to apply that
possibly approach near-real-time or large-data quantum thinking to the demise of public-key cryptography is
processing would be nation-states with early access to, like trying to use your finger to block a hole in a dam
and control over, dedicated quantum resources. while the whole structure is collapsing around you.

www.computer.org/security 19
POSTQUANTUM CRYPTOGRAPHY, PART 1
No amount of finger-pointing will remedy the fact that
quantum computing will collapse the cryptographic
security structures that weve erected to protect our
information and systems.
Dealing with this problem will require strategic
thinking and long-term planning. Researchers have
already begun looking at quantum-safe cryptographic
algorithms to replace or, more likely, to complement
existing public-key algorithms that are deemed safe
against classical computer attacks.17 But this thinking
needs to move outside the research labs. We need to
implement these algorithmic tools into real products
that can be deployed and tested in real-world environ-
ments. Only with years of real-world testing will we be
able to demonstrate the security and performance char-
acteristics of proposed quantum-safe approaches.
Quantum technologies also furnish a solution to
the problem, in the form of quantum-key distribution
(QKD).18 This technology is already deployed in a few
locations in the world, but it has limitations that make it
difficult to use as a plug-and-play replacement for cur-
rent computer security methods. Research is ongoing to
overcome QKDs performance, distance, and usability
restrictions, but there are situations in which QKD can
be deployed to overcome some of the problems out-
lined here.
What we cant do is ignore the public-key problem.
Ten to 15 years might seem the distant future, but it will
take considerable time for the necessary changes to be
deployed throughout our digital ecosystems. To name
just one, consider the complex network of devices and
systems in the payment card network that enables vir-
tually all noncash transactions today. Its possible that
most of these devices will need to be changed to imple-
ment quantum-safe cryptographic capabilities. We
might already be too late to start the changes required
to ensure cyber safety in the quantum era.
U rgent action is required today to ensure that this
critical technology remains a viable security tool.
With planning, preparation, and collaboration, we can
take the necessary steps to ensure that the cryptography
doesnt die.
References
1. R.L. Rivest et al., A Method for Obtaining Digital Signa-
tures and Public-Key Cryptosystems, Comm. ACM, vol.
22, no. 2, 1978, pp. 120126.
2. W. Diffie and M. Hellman, New Directions in Cryptogra-
phy, IEEE Trans. Information Theory, vol. 22, no. 6, 1976,
pp. 644654.
3. Digital Signature Standard (DSS), FIPS Pub 186-4, Fed.
Information Processing Standards Publication, NIST,
20 IEEE Security & Privacy
July 2013; nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS
.186-4.pdf.
4. Public Key Cryptography for the Financial Services Industry:
The Elliptic Curve Digital Signature Algorithm (ECDSA),
Am. Natl Standard for Financial Services, ANSI
X9.62-2005, 2005.
5. P. Shor, Polynomial-Time Algorithms for Prime Fac-
torization and Discrete Logarithms on a Quantum
Computer, SIAM J. Computing, vol. 26, no. 5, 1997, pp.
14841509.
6. L.K. Grover, A Fast Quantum Mechanical Algorithm for
Database Search, Proc. 28th ACM Symp. Theory of Com-
puting (STOC 96), 1996, pp. 212219.
7. Announcing the Advanced Encryption Standard (AES),
NIST-FIPS 1-51, Fed. Information Processing Standards
Publication 197, NIST, 26 Nov. 2001; nvlpubs.nist.gov
/nistpubs/FIPS/NIST.FIPS.197.pdf.
8. W.C. Barker and E.B. Barker, Recommendation for
the Triple Data Encryption Algorithm (TDEA) Block
Cipher, NIST Special Publication 800-67, revision 1,
23 Jan. 2012; nvlpubs.nist.gov/nistpubs/Legacy/SP
/nistspecialpublication800-67r1.pdf.
9. M. Mosca, Cybersecurity in an Era with Quantum Com-
puters: Will We Be Ready?, Intl Assoc. for Cryptologic
Research, 2015; http://eprint.iacr.org/2015/1075.
10. D. Evans, Top 25 Technology Predictions, CISCO
Internet Business Solutions Group, 2009; www.cisco
.com/c/dam/en_us/about/ac79/.../Top_25_Predictions
_121409rev.pdf.
11. B. Bauer et al., Hybrid Quantum-Classical Approach to
Correlated Materials, Physical Rev. X, Sept. 2016; journals
.aps.org/prx/abstract/10.1103/PhysRevX.6.031045.
12. D. Cooper et al., Internet X.509 Public Key Infrastruc-
ture Certificate and Certificate Revocation List (CRL)
Profile, RFC 5280 (proposed standard, updated by RFC
6818), May 2008; www.ietf.org/rfc/rfc5280.txt.
13. T. Dierks and E. Rescorla, The Transport Layer Secu-
rity (TLS) Protocol Version 1.2, RFC 5246 (proposed
standard, updated by RFCs 5746, 5878, 6176, 7465,
7507, 7568, 7627, 7685), Aug. 2008; www.ietf.org/rfc
/rfc5246.txt.
14. J. Galvin et al., Security Multiparts for MIME: Multipart/
Signed and Multipart/Encrypted, RFC 1847 Oct. 1995;
tools.ietf.org/html/rfc1847.
15. Canada Health Infoway, white paper, Gartner, Nov. 2015.
16. D. Tapscott and A. Tapscott, Blockchain Revolution, Port-
folio Penguin, 2016.
17. M. Mosca and D. Stebila, Open Quantum Safe, Soft-
ware for Prototyping Quantum-Resistant Cryptography,
Open Quantum Safe, 2017; openquantumsafe.org.
John Mulholland leads evolutionQs development of
quantum threat and risk assessment processes. Hav-
ing established a framework for quantum assessment,
July/August 2017
 he works with a team of globally renowned experts in
quantum science, technology, and cryptography to
help organizations understand and manage the cyber-
security issues emerging with quantum computers.
Contact him at john.mulholland@evolutionq.com.
focus on public-key infrastructures, electronic identi-
ties, and long-term security. Braun received a PhD in
computer science from TU Darmstadt. Contact him
jbraun@cdc.informatik.tu-darmstadt.de.

Michele Mosca is cofounder of the Institute for Quan-

tum Computing at the University of Waterloo and a
professor in the Department of Combinatorics and
Optimization. His research interests include quantum
computation and cryptographic tools that will be safe
against quantum technologies. In 2015, he cofounded
evolutionQ to support organizations as they evolve
their quantum-vulnerable systems and practices to
quantum-safe ones and serves as the CEO and president.
Mosca received a doctorate in mathematics in quantum
computer algorithms from the University of Oxford.
Contact him at michele.mosca@evolutionq.com. F O LLOW US

Johannes Braun is the manager of the DFG Collab-

orative Research Center 1119 CROSSING and a
postdoctoral researcher in the Cryptography and
Computer Algebra research group at Technische
Universitt (TU) Darmstadt. His research interests
@s e cu rit y p riva c y
include IT security and applied cryptography with a

Now theres
Read all your IEEE magazines
and journals your WAY on
even more to
love about your
membership...

Introducing myCS, the digital magazine

portal from IEEE Computer Society.
Go beyond static, hard-to-read PDFs
with an easily accessible, customizable,
and adaptive experience.

Theres No Additional Cost!

LEARN MORE AT: mycs.computer.org

IEEE myCS half Page Space Ad 2016_4-26-16.indd 1 4/28/16 3:03 PM

www.computer.org/security 21