Wednesday, April 2, 2025

ETSI Introduces First Standard for Post-Quantum Encryption

This week, the European Telecommunications Standards Institute (ETSI) introduced its first standard for post-quantum cyber security. This new standard aims to protect vital data and communications as quantum technology evolves.

ETSI recognized the threat that large-scale quantum computers pose to current encryption methods. These computers could efficiently solve the mathematical problems that underpin today’s asymmetric public key cryptography (PKC). In response, ETSI rolled out specification TS 104 105, officially titled “Efficient quantum-safe hybrid key exchanges with hidden access policies.” The specification is designed to ensure that only authorized users can access sensitive data.

At its core, the standard outlines a scheme for Key Encapsulation Mechanisms (KEMs) with Access Control, called Covercrypt. This approach locks session keys and anonymizes them based on user attributes. Only users who meet the criteria of the encapsulation policy can retrieve the keys, which keeps unauthorized users out.

ETSI claims this standard significantly boosts efficiency. It takes just a few hundred microseconds to encapsulate and decapsulate keys, and it can easily integrate into existing security products.

Matt Campagna, chair of ETSI’s Quantum Safe Cryptography (QSC) working group, highlighted this specification as a crucial step toward securing a quantum future. He emphasized that it empowers organizations to protect sensitive data now and in the decades to come. The Cyber QSC working group’s efforts reflect ETSI’s commitment to providing durable solutions against emerging threats while fostering a robust industrial ecosystem.

ETSI encourages organizations to adopt quantum-resistant encryption without delay to ensure data security and compliance with future standards. This rollout comes on the heels of advice from the UK’s National Cyber Security Centre (NCSC), which urged organizations to start their transition toward post-quantum cryptography (PQC).

The NCSC’s recommendations detail a three-phase plan to help key industries move to quantum-resistant encryption over the next decade. They advise organizations such as banks, healthcare providers, and public sector entities to aim to have core migration plans by 2028, initiate high-priority upgrades, and complete the migration by 2035.

The NCSC pointed out that transitioning to PQC shares characteristics with any major IT migration, something that should already be part of a business’s security practices. Companies already on top of their security should see PQC migration as an opportunity to strengthen their IT systems. The NCSC also noted that the overall costs of moving to PQC could be substantial, making it essential for organizations to budget for this transition.