Root Causes 454: 2024 Lookback - Post quantum cryptography (PQC)

2024 was an eventful year for post quantum cryptography (PQC). This includes FIPS standards, the PQC onramp, and the dawn of widespread interest among IT professionals.

Podcast Transcript

Lightly edited for flow and brevity.

Tim CallanAll right, Jason, we are doing our 2024 lookbacks, and we want to talk – do an in depth look at post-quantum cryptography. It was a big year for PQC.

Jason SorokoHuge. We finally got then some NIST standards.

Tim CallanGot NIST standards. We've got three set of FIPS. 203, 204 and 205. For ML-KEM, ML-DSA and what the heck is the other one called. 205. Whatever that is. What we didn't get was we didn't get Falcon. Which we expected this year, and it didn't happen. But we did get the three main standards that we were expecting to use. We also saw the advent of the Onramp.

Jason SorokoWe had Dustin Moody. Dr. Dustin Moody on the podcast. He walked it right through. Check that podcast out.

Tim CallanAnd the point of the Onramp was to push, bring in a bunch of non-Lattice-based opportunities into the set of PQC algorithms that we have, because the worry is, what if some unforeseen attack breaks Lattice. We need to have other places to go.

Jason SorokoAnd the point of the Onramp was to push, bring in a bunch of non-Lattice-based opportunities into the set of PQC algorithms that we have, because the worry is, what if some unforeseen attack breaks Lattice. We need to have other places to go. Very important.

Tim CallanNow we will point out, though, that there are Lattice-based contenders in the Onramp and when we asked him about that, he was like, they could submit whatever they wanted. That's what they submitted. And I was like, okay.

Jason SorokoLook, Lattice, it’s good. It’s good math.

Tim CallanAnd there certainly is possibly the opportunity to come up with something that's a nuanced change and so the big one, the Falcon, which was supposed to be ML6, there's a Lattice algorithm that's still in the Onramp candidates, called Hawk. And the idea is that it takes basically what's in Falcon, but it can do it better with more time to work on it. And so I have to wonder if part of the reason we haven't seen the Falcon FIP standard 06 is because it might be replaced by Hawk instead.

Jason SorokoCould happen. Tim, 2024 for me was amazing because we now have post- quantum key exchanges going on in our pockets. Apple iMessage, the Signal protocol, and I think in 2025 you'll see even more but 2024 was the beginnings.

Tim CallanCloudflare, Chrome. All of this was 2024.

Jason SorokoBas Westerbaan had a phenomenal set of podcasts with us about the tremendous success he had in implementing that over at Cloudflare, and we had a little bit of a celebration together. That was 2024.

Tim CallanSo the Cloudflare was going Cloudflare to Cloudflare in 2023 but Cloudflare connecting to Chrome occurred in 2024. And that's when the doors really opened. That's where all of a sudden we had Bas on telling us that 20% of the connections, of the human connections on the internet were PQC.

Jason SorokoAnd that's growing by the minute if you read his blog.

Tim CallanIt’s a stunning number, and obviously it's higher now. So, I mean, there was just, I think there was a lot of progress in both just the standardization of the math and the winning algorithms and the winning candidates, and also the productization of all of this. And these things are essential. For PQC to really run, and this is one of the things we've talked a lot about a lot, but it's very important. For PQC to really run, like in reality in the real world, we need 10s of 1000s of pieces of software and hardware and services and systems and procedures to be updated. It's just the productization aspect of it is unprecedented.

Jason SorokoCorrect. And we had Bruno come on and talk a bit about that as well. That would have happened in 2024. Tim, I think that what happened towards the later half of 2024 to me was one of the biggest. I mean in the analyst community, which we can't ignore, Gartner talking about 2029 being like, you got to be prepared. And then NIST dropped a draft which is still in draft until a certain point in January. Oh, my goodness, Tim, the declaration of the deprecation of RSA 2014.

Tim CallanDepreciation in 2030. And mandatory discontinuance in 2025.

Jason SorokoThey did not wait for some panic moment. They drew the line in the sand that we all have to prepare for. Public, private - It doesn't matter. That, to me, is like that ended 2024 with the biggest bang possible.

Tim CallanAt a high level, when you look at all of these things, all these different aspects. And then I'll add the last one is, you want to talk about it really becoming a real media story, like the amount of discussion of post-quantum cryptography in 2024 is more than all previous years combined.

Jason SorokoYes. Not even close.

Jason SorokoI think it's not going to slow down. It is now going to ramp up into a okay, we need to do what Bas told us. We need to do what Bruno told us, which is all shoulders to the wheel now and get prepared, because by the time we get to 2029/2030, Tim, we just did some very meaty podcasts, record length podcasts, and not the least of which was because the Willow chip just got dropped on us. The engineering of this is proving itself out. In other words, we are on our way to having quantum computers are capable.

Tim CallanSo we talked a lot just right now about progress post-quantum cryptography, but of course, there's very impressive progress with the quantum computers themselves.

Jason SorokoHats off to Google. Whoever was involved with that Willow project, you guys did some hard work.

Tim CallanSo, all of this just a banner year for PQC, but of course, I think next year is going to be bigger.

Jason SorokoIt is, and I think we're going to wait until 2025 to produce this podcast, but I had a personal PQC moment in 2024 which is, I got to actually use one of the big hyper scalers, and got to program not just a quantum computer, but also quantum simulators. And got to learn. And my mind just went completely orthogonal in terms of, this is a whole new way of thinking. At the age that I'm at, I never thought I'd have such a transformative set of thinking about how to compute.

Tim CallanYou teased me with this in our predictions episode, and I really can't wait to have this conversation. It's gonna be an interesting one.

Jason SorokoAnd it began in 2024. So huge year.

Tim CallanHuge year. I mean, probably no surprise, but huge year for quantum computers. We're gonna stay on this. Huge year for PQC and quantum, quantum, quantum.

Stay informed with expert insights

Subscribe to Root Causes for engaging discussions on PKI, digital security, and best practices for protecting your organization's critical assets. Don’t miss an episode!