Inhaltsverzeichnis

2.2 Risk

Risk analysis for the quantum threat and protective measures.

The Threat: Harvest Now, Decrypt Later

Scenario:

  1. Attackers intercept encrypted communication today
  2. Store the data for years
  3. Decrypt it with a future quantum computer

Affected Data:

Timeline

timeline title Quantum Migration Timeline section Now (2024-2025) NIST FIPS 203/204 final : ML-DSA & ML-KEM standardized OpenSSL 3.6 : PQ algorithms available WvdS Library : Hybrid cryptography production-ready section Transition (2026-2028) EU NIS2 : Critical infrastructure must act BSI Recommendation : PQ migration for agencies Enterprise : Large companies migrate section Critical (2029-2032) CRQC possible : Cryptographically relevant quantum computer Legacy unsafe : RSA/ECDSA broken Deadline : All systems must be PQ-capable

Source Estimate (cryptographically relevant QC)
BSI1) 10-20 years
NIST2) „Unknown, could come faster“
Global Risk Institute3) ~14 years to CRQC (median estimate)

Critical Point: Data with protection requirements >10 years is now at risk4).

Risk Matrix

Data Type Protection Requirement Risk without PQ
State secrets 50+ years5) Critical
Health data 30+ years6) Critical
Financial contracts 10-30 years7) High
Trade secrets 5-10 years Medium
Day-to-day operations <5 years Low

Risk Mitigation

Hybrid cryptography provides:

Aspect Benefit
Future-proofing PQ signature protects against quantum attacks
Backward compatibility Legacy systems continue to work
No risk Secure if either algorithm is secure
Ready immediately 2 lines of code for activation

Cost-Benefit

Implementation Costs:

Costs of Inaction:

Conclusion: Low investment, high protection value.

Recommendation for Action

Start now, don't wait.

Migration to hybrid cryptography takes months to years (depending on system size). When quantum computers become available, it will be too late for data intercepted today.

Further Reading

Wolfgang van der Stille @ EMSR DATA d.o.o. - Post-Quantum Cryptography Professional

, ,
1)
BSI: „Quantum-Safe Cryptography - Fundamentals, Current Developments and Recommendations“, 2021, Section 4.1: https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Publications/Brochure/quantum-safe-cryptography.pdf
2)
NIST: „Post-Quantum Cryptography FAQ“, 2024: https://csrc.nist.gov/projects/post-quantum-cryptography/faqs
3)
Global Risk Institute: „Quantum Threat Timeline Report“, December 2023, pp. 4-5: https://globalriskinstitute.org/publication/quantum-threat-timeline-report-2023/
4)
BSI: „Make cryptography quantum-safe - BSI recommendations for action“, September 2024, Section 2.3: https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Krypto/Post-Quanten-Kryptografie_Handlungsempfehlungen.pdf
5)
BSI VS-Instruction (VSA): Retention periods for classified materials
6)
MBO Medical Professional Code: Retention requirements for medical documentation
7)
Commercial Code: Retention periods for commercial and business correspondence