HP Threat Research Blog

February 21, 2024 | Category: Threat Research | By: HP Wolf Security

Anticipating the Quantum Threat to Cryptography

Thalia Laing and Tommy Charles, HP Security Lab

Table of contents

    Introduction
    When will the quantum computer threat to cryptography be realised?
    Quantum-resistant cryptographic algorithms
    Prioritising and planning for migration to quantum-resistant cryptography
    Conclusion
    Appendix
        Cryptography introduction
        How quantum computers are a threat to cryptography
        Quantum-resistant cryptographic algorithm explainer
        Deploying quantum-resistant cryptographic algorithms
    References

Introduction

Quantum computing is a threat to cybersecurity. How much of a threat depends on your perspective. The quantum threat is like a freight train coming towards you; the rumble of its approach on the tracks is clear, but judging its distance is difficult. If you realise it will take a long time to move off the track to safety, you should rightly be very concerned. However, if you know that you can move quickly, or judge that the rumble is still distant, then you will be more at ease. The train may even slow or never arrive. All we know is that if sufficiently powerful quantum computers are successfully built, they will break much of the cryptography we rely on as societies, businesses, and individuals. Data will be exposed. Devices will not be secure. Systems will be controllable by hackers. The digital security we know and depend on will break. Specifically, the asymmetric cryptographic algorithms that we rely on for data encryption and digital signatures will be broken. The impact could be cataclysmic, which is why this is a risk to be taken seriously. In many settings, such as critical industries (including finance, energy and telecommunications) and sensitive systems where long-term data protection is essential, mitigation must start now.

While quantum computers strong enough to break cryptography are currently only theoretical, there has been progress towards realising them. As such, the security community have been preparing by defining and standardising quantum-resistant cryptographic algorithms. These new algorithms have long been known as Post-Quantum Cryptography algorithms but the term ‘quantum-resistant’ is becoming commonly used. These algorithms are secure against attackers equipped with quantum computers but can run on classical (non-quantum) computers. The industry and cybersecurity community are working to prepare for a transition to these schemes.

The impact if the quantum threat is realised is hard to overestimate. Cryptography is everywhere and the migration to new algorithms will impact most technologies. Imagine updating all layers of the global technology stack at once; it would be chaos, and probably introduce additional vulnerabilities in the process. Even a significant rumour of a practical quantum computer could spark panic and drive a chaotic migration potentially introducing security holes. A far better and lower risk approach is an orderly transition planned over sufficient time, which those who have already started planning their migration are hoping to achieve.

At HP, we identified that the hardware security foundation in PCs is a high priority for migration to quantum resistance. This is why we recently announced the world’s first business PCs to protect firmware against quantum computer hacks [35]. Since it will not be possible to update hardware once it is in use, we decided it was time to build quantum-resistant protection into PC hardware. This provides firmware integrity protection now, and for the PC lifetime, even if a sufficiently powerful quantum computer becomes available to an attacker.

Today, organisations should educate themselves on the threat and identify how it may affect them.

“Anticipating future cyberthreats is vital for ensuring we can invent products and solutions that will be resilient in the threat landscape ahead of us. This means researching emerging threats, sorting through the hype, and assessing where and when we need to act. The impact of future quantum computers on modern cryptography is one such threat where we needed to act today to protect our customers tomorrow.” – Boris Balacheff, HP Fellow and Chief Technologist for Security Research and Innovation

This article sets out the quantum threat to cryptography, what is being done, what you need to be aware of to understand the risk, and what you can do, namely:

  • Identify your highest priority use cases for migration.
  • Talk to your technology vendors about quantum-resistant protections across products and solutions you depend on.
  • Ensure you have a plan for protection in place in the right timeframes.

If you want to understand the details, make sure to read the Appendix for more information: how cryptography is fundamental to our digital lives; how the properties of quantum physics could be harnessed by quantum computers to break cryptography; an introduction to the new quantum-resistant cryptographic algorithms that will protect against the quantum threat.

When will the quantum computer threat to cryptography be realised?

Quantum computers do exist today, but they are limited experimental prototypes that suffer from high error rates in each operation they perform and are not currently able to break modern cryptography. But with the promises of what a quantum computer will bring the world scientifically, researchers across industry, government and academia are devoting significant resources to progressing the state of the art, and advancements have been made. At some point, quantum computers will be capable of breaking the cryptography we rely on in our digital lives. But reliable predictions about progress are not possible. In fact, we may not know when those capabilities are first realised if cryptography is broken behind closed doors.

Nonetheless, predictions are being made. The latest annual Quantum Threat Timeline Report by the Global Risk Institute [1] surveyed 37 experts in the field on the likelihood of a cryptographically relevant quantum computer. Almost half think it is at least 5% likely by 2033, and more than a quarter believe it is about 50% likely or more in the same timeframe.

Government experts around the world have also been assessing the risk and are publishing guidance recommending that organisations start preparing for the risks that come with the quantum threat. The Dutch government’s Post-Quantum Cryptography (PQC) Migration Handbook [2] identifies critical infrastructure providers such as water, electricity, transport, communications and healthcare organisations as urgent adopters that “have no time to wait” and “should already start taking steps towards PQC migration”. In a technical guideline [3], the German authorities provide recommendations on suitable long-term cryptographic protections. The French government [4] encourages all industries to initiate a gradual transition and “recommends introducing post-quantum defense-in-depth as soon as possible for security products aimed at offering a long-lasting protection of information (until after 2030)”. The UK government [5] also provides commercial enterprises, public sector organisations and critical national infrastructure providers with migration guidance, including recommendations on cryptographic protections, and advises that organisations should be “planning for updating their systems to use PQC.”

Notably, the US government is set on a transition path following the US President’s National Security Memo 10 [6] which requires mitigation in national security by 2035. Moreover, the Quantum Computing Cybersecurity Preparedness Act [7] requires all federal agencies to annually report which of their IT systems are quantum-vulnerable and their plan for transition. The US authorities’ “Quantum-Readiness: Migration to Post-Quantum Cryptography” guide [8] also urges organisations, especially those that support critical infrastructure, “to begin […] engaging vendors” on their quantum-readiness roadmap. The Commercial National Security Algorithm Suite (CNSA) 2.0 [9] sets a timeline recommending quantum-resistant cryptography adoption across different technology areas. For firmware and software integrity and cloud services, migration is recommended from 2025, which is very soon! Furthermore, it requires full transition in all areas by 2033.

Government efforts on migration guidance are setting the pace of transition planning to quantum-resistant cryptography. In 2016, the US government convened academia and industry to help with the NIST project [10] to develop and standardise new cryptographic algorithms. More recently, we joined the US National Cybersecurity Centre of Excellence project for Migration to Post Quantum Cryptography [11] where NIST have convened industry and end-user organisations to help solve the practicalities of adoption and transition to PQC.

No one knows when the quantum threat will be realised, but we do know experts believe there is a reasonable chance within a decade, and some governments are providing guidance on migrating within a similar timeline. Critical industries are being encouraged to migrate soonest, industry groups are being convened to ensure the migration is practical, and organisations are being advised to engage their technology vendors on plans for quantum resistance.

Given the impact of the threat, that weight of evidence shows it must be taken seriously. For organisations that support critical infrastructures or are depended upon by large sections of society, the need to migrate is particularly urgent.

Quantum-resistant cryptographic algorithms

The cryptographic community have been preparing for the possibility of quantum computers by developing new cryptographic algorithms that are secure against attackers equipped with quantum computers but can be run on classical systems.

A set of quantum-resistant algorithms called stateful hash-based signatures are standardised and available now. But these are suitable only for very specific application scenarios where the number of signatures generated can be tracked. Typical use cases would include firmware signing, as signatures issued on firmware updates are reasonably infrequent.

New quantum-resistant algorithms for general purpose key agreement and signing will be finalised as standards later this year by NIST [12]. These are expected to be widely adopted in security protocols and applications.

However, all quantum-resistant algorithms require larger data sizes to be transmitted and stored, so they are not drop-in replacements for existing cryptography. As such, adoption could introduce new challenges, for which the technology industry and standardisation bodies are preparing.

See the Appendix for more information on these quantum-resistant algorithms and how they are being deployed.

Prioritising and planning for migration to quantum-resistant cryptography

The timeline for sufficiently strong quantum computers is just one factor in assessing what to prioritise and when to migrate. As important is knowing when protections are needed. This depends on factors [13] such as

  1. how long it would take to migrate a solution to using quantum-resistant cryptography, called the migration time, and
  2. for how long cryptography protection is required for data and systems, called the shelf life.

Let’s first consider migration time. Before any migration happens, quantum-resistant cryptographic algorithms need to be defined and standardised – a process which has been ongoing for many years now, with some schemes already standardised and others to be standardised soon. Once algorithms are standardised, they need to be adopted and implemented into products and technology solutions. This process may require new system updates, changes to the infrastructure, new firmware, and even new hardware (which is expensive and slow to replace). Adoption is expected to bring additional challenges over merely switching in replacement cryptography, because the new algorithms will have different characteristics compared to the schemes currently in use. For example, these new algorithms can be more demanding in terms of computation and memory requirements.

Given the complexity of making significant changes to an information system’s infrastructure, the process of migration could take several years before completion, even after it has started. This additional migration time needs to be factored into planning.

Next, consider the shelf life. We’ll outline two scenarios where the shelf life of the cryptography protection required for data and systems means quantum resistance is required today, even if a sufficiently powerful quantum computer is not available to attackers for many years.

Capture and decrypt attacks

The first scenario is called a ‘capture and decrypt attack’ and considers a situation where sensitive data, such as customer passwords, healthcare data or PII, must remain confidential for some number of years. This could be for business reasons or due to a regulation covering personal data, financial institutions, critical infrastructure, or national security.

In this situation, the data is already at risk. An attacker can intercept and store encrypted data today, and when quantum computers become feasible, the attacker could decrypt the stored data. If quantum computers are realised in fewer than the number of years the data must be confidential for, the security requirement has been broken. The encrypted data’s shelf life is long enough to already be at risk.

These attacks are not just theoretical; for example, in 2021 Booz Allen reported that “threat groups will likely soon collect encrypted data with long-term utility, expecting to eventually decrypt it with quantum computers” [14].

Long-lived systems

The second scenario involves devices or systems whose security depends on cryptographic protections called digital signatures. If the protection is deployed in a manner that is hard to update, this is problematic. If quantum computers become feasible within the shelf life of the system, a quantum attacker could breach the cryptographic protection and thus bypass security. Typical cases that are hard to update are when the cryptography uses long-lived keys or keys that are hard to revoke. As an example, consider signatures relied upon by systems to ensure the integrity and legitimacy of software and firmware code. If many pieces of code have been signed, updating cryptographic protection becomes challenging and complex because of the need to keep the ability to verify previously generated signatures, while also supporting the new quantum-resistant signatures.

A particularly challenging case, where there is both a long migration time and a long shelf life, is when cryptographic protection is fixed in hardware (i.e., read-only memory, ROM). It’s not possible to update the protection without replacing the hardware, which may be in the field for many years. Signatures validated in hardware are critical for system security because they protect the most privileged firmware code that runs on a system. If these protections are defeated by a quantum attacker, the attacker would be able to alter code maliciously at the security foundation of the system, giving them control over the device as if they were the owner. Moving to quantum-resistant cryptography requires new hardware that supports the new cryptographic algorithms. This will require time to plan, develop, manufacture, and then deploy at scale to replace older hardware that still carries the immutable long-lived key of an older algorithm. This will be slow and require planning and engagement with vendors.

In summary, when prioritising solutions to move to quantum-resistant cryptography, we must consider the time it would take to migrate, as well as the shelf life (the length of time for which cryptographic protection for data and systems is required). Some use cases, such as protections in hardware, will have both a long shelf life and a long migration time. If the quantum threat is realised before the lapse of the solution migration time and the shelf life for protection, then the data or system are at risk today.

Addressing the need to migrate hardware first

Our announcement of quantum-resistant protection for firmware integrity in new business PCs [35] introduces a standardised stateful hash-based signature algorithm in addition to the existing RSA signature. By requiring both a stateful hash-based signature and an RSA signature to validate successfully, an attacker has the heightened challenge of needing to defeat both signatures to compromise firmware integrity. This enables the stateful hash-based signature algorithm to provide protection against quantum computing threats, while benefiting from our mature RSA implementation. Together, the two signature algorithms provide firmware integrity for the PC lifetime.

Conclusion

At HP, we have long believed that security for endpoint devices is best established foundationally at the hardware level and then extended upward to higher levels of firmware and software. A secure hardware root of trust is vital for system security. That is, even if elements higher up the stack are secure, a vulnerability in the hardware could compromise the entire system. Securing hardware against quantum attackers is critical if we want to maintain the security of our systems.

As well as being critical for system security, hardware security is a priority for migration for two reasons. Firstly, it takes a long time to upgrade device hardware because hardware cannot be updated after manufacture. This means quantum resistance needs to be designed into hardware to provide protection for the lifetime of the device. Secondly, hardware can be in use for many years, and the longer it remains in use, the greater the likelihood of a quantum attack being viable during its lifetime.

Given the game-changing impact of the quantum threat to cryptography, it must be taken seriously. While no one knows when the threat will be realised by a quantum computer, experts believe there is a reasonable chance of it occurring within a decade and several governments are setting a path to mitigate threats now, with critical industries encouraged to act soonest. The potentially long migration time to upgrade systems and the long shelf life for which data and systems require cryptographic protections means that organisations need to act ahead of the threat becoming real or else it may be too late. The impact could be like a zero-day vulnerability on every system at every layer at once. Even a significant rumour that a quantum computer can break cryptography could drive a chaotic and risky rush to migration that introduces additional vulnerabilities.

At HP, we decided that introducing quantum resistance into the hardware security foundation of PCs was a high priority, leading to our announcement of quantum-resistant firmware integrity for HP business PCs [35]. By initiating this hardware transition, we provide the hardware foundation on which quantum-resistant software can be adopted, when such software becomes available. With this hardware upgrade, customers can start their transition to quantum-resistant cryptography. A software migration alone would be undermined if a future attacker uses a sufficiently powerful quantum computer to run malicious firmware that compromises the device and its software.

More generally, we recommend organisations follow three steps to begin planning for their migration to quantum-resistant cryptography:

  1. Identify your highest priority use cases for migration. Proactively list the critical data and systems in your environment needing quantum resistance. To determine your priority risks:
    • Identify data that needs to remain secure for several years (the next decade or two).
    • Identify systems and devices with long-lived cryptographic protections that are hard to update.
  2. Talk to your technology providers to understand vendor plans for migrating to quantum-resistant protections across the products and solutions you use. The public sector and critical infrastructure industries should start preferring quantum-resistant cryptographic solutions when available.
  3. Ensure you have a plan to protect against the quantum threat in the timescale you need. Consider your own migration preparations. You may assess that you are at risk now, in which case, act now.

Appendix

Cryptography introduction

Cryptographic technologies are extensively used to secure data and are fundamental for enabling our digital lives. From securing computing devices and allowing us access to services, through to TLS, HTTPS, VPNs, SSH and PKI, all these cryptographic technologies rely on a relatively small collection of cryptographic algorithms, whose security depends on a secret variable called a key. The secrecy of the key is vital for the security of the data. If the key is leaked, all security is lost.

A type of cryptographic algorithm called asymmetric cryptography relies on a ‘one-way function’ that is easy to compute but infeasible to reverse. A key that anyone can know called the public key specifies the easy forwards computation of the function, but only the secret key (called the private key) allows reversal. As an example, RSA [15] is a widely used asymmetric cryptographic scheme and its one-way function depends on the difficulty of factorisation: given two suitably large prime numbers, it is easy to multiply them, but hard to reverse the multiplication to return the two prime factors.

How quantum computers are a threat to cryptography

Quantum computers use the incredible properties of quantum mechanics to compute in a fundamentally different way from today’s digital, “classical”, computers. Just like Schrödinger’s proverbial cat can be both dead and alive at the same time [16], quantum computers can be in multiple different states simultaneously. As such, they can perform computations that would be infeasible for classical computers. Crucially for cryptography, many of the one-way functions relied on would be reversible with a sufficiently strong quantum computer. This is due to a quantum computer algorithm called Shor’s algorithm [17] which can manipulate the multiple states simultaneously held in the quantum computer so that when measured the answer is revealed. This means that an attacker with access to a sufficiently capable quantum computer could compute the private key used in an asymmetric scheme, resulting in a complete break of security.

Consequently, all private keys used in asymmetric algorithms we currently rely on, and all information protected under those keys, would be subject to exposure and undetected modification.

Given this threat, if we hope to provide security in the presence of sufficiently strong quantum computers in the future, we will have to migrate from the currently used asymmetric algorithms to quantum-resistant algorithms before quantum computers are strong enough to break currently used cryptographic algorithms.

Symmetric cryptography is another type of cryptography, of which block ciphers like AES [18] and cryptographic hashes like SHA-256 [19] are examples. Fortunately, quantum computers will only slightly weaken, not break, symmetric cryptography. The slight weakening is due to a quantum computer algorithm called Grover’s algorithm [20] which, although it increases the speed of attacks, is expensive to run and so is not considered to be a significant threat. Experts agree that moving to using larger key sizes in symmetric cryptography where possible is more than sufficient to protect against quantum computers.

Quantum-resistant cryptographic algorithm explainer

A quantum-resistant cryptographic algorithm is a cryptographic algorithm that is not vulnerable to a quantum computer sufficiently powerful to break existing asymmetric cryptography. The cryptographic community have been developing and preparing quantum-resistant cryptographic algorithms for use. These algorithms require new one-way functions that are hard for both classical and quantum computers to reverse.

NIST PQC Project

Most notably, the US standards organisation NIST have been running a Post Quantum Cryptography (PQC) project since 2016 [21]. They solicited quantum-resistant, asymmetric algorithm candidates from the community, and have been running a multi-year process of public evaluation and discussion which, in July 2022, resulted in three digital signature schemes and one key agreement scheme being chosen for standardisation [22]. The draft standards for three of these four schemes were published in August 2023 [12], with the finalised standards expected this year.

The three schemes for which the draft standards have been published include two digital signature schemes, and the key agreement scheme (this type is known as a KEM). The KEM is named ML-KEM [23] (Module-Lattice-based Key Encapsulation Mechanism, derived from the candidate scheme CRYSTALS-Kyber). The digital signature schemes are named ML-DSA [24] (Module Lattice Digital Signature Algorithm, derived from CRYSTALS-Dilithium) and SLH-DSA [25] (Stateless Hash-based Digital Signature Algorithm, derived from SPHINCS+).

Given the scale of the NIST project and the impressive amount of analysis the candidates submitted have received globally from academia, industry and governments, the chosen algorithms are likely to be adopted by other standards bodies in a wide range of protocols and technologies.

Stateful Hash-based Signatures

Alongside the NIST PQC project, there is a class of quantum-resistant digital signature schemes, called stateful hash-based signature schemes, already standardised by the IETF [26] [27] and NIST [28]. These digital signature schemes require the signer to maintain a state, akin to tracking the number of signatures generated. If the state is lost, the security of the scheme fails catastrophically. Maintaining state is not required in currently used digital signature schemes, so these schemes are not suitable in some scenarios. However, stateful hash-based signature schemes are applicable to code signing.

What are the new one-way functions these schemes depend on?

Well, CRYSTALS-Dilithium and CRYSTALS-Kyber depend on what is usually an easy problem to reverse: multiplying a vector of integers by a known matrix. But the output is modified by adding some random errors of just the right size. With the errors added, reversal becomes infeasible, yet the output still has enough secret information hidden in it that it can be used for cryptography.

On the other hand, the security of the SPHINCS+ signature scheme and the stateful hash-based signature schemes depends on a one-way function that is so hard to reverse that the only feasible way of reversing it is by knowing the original input value. These one-way functions are cryptographic hash functions, such as SHA-256 [19]. Cryptographic hash functions are already widely used and well trusted for security, so these new signature schemes have a high degree of trust in their underlying security. These signatures are cleverly designed to use many hash operations such that signing a message reveals only some of the input values, and not enough to compromise security.
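As an added illustration of the two points above (a hash-based signature reveals only part of the secret key, and a lost or reused state reveals more than is safe), here is a minimal Lamport one-time signature scheme with a stateful signer. This is example code written for this article, not HP’s firmware signing implementation nor any of the standardised schemes; the `StatefulSigner` class and the `revealed_fraction` helper are constructed for illustration.

```python
"""Lamport one-time signatures over SHA-256 with an explicit signer state.

Each secret key holds two random 32-byte values per digest bit.  A signature
releases exactly one value per bit (the preimage selected by that bit), so a
single signature exposes half the secret key; a second signature on a
different message with the same key exposes more, which is why the signer
must never reuse a key.  (Example code, not a production scheme.)
"""
import hashlib
import os

N_BITS = 256  # one (value0, value1) pair per SHA-256 output bit


def _hash(data):
    return hashlib.sha256(data).digest()


def keygen():
    """Return (secret_key, public_key): lists of per-bit pairs."""
    sk = [(os.urandom(32), os.urandom(32)) for _ in range(N_BITS)]
    pk = [(_hash(a), _hash(b)) for a, b in sk]
    return sk, pk


def _message_bits(msg):
    d = _hash(msg)
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(N_BITS)]


def sign_once(sk, msg):
    """Release the preimage selected by each message-digest bit."""
    return [sk[i][bit] for i, bit in enumerate(_message_bits(msg))]


def verify(pk, msg, sig):
    """Accept only if every released value hashes to the pk entry for that bit."""
    if len(sig) != N_BITS:
        return False
    return all(_hash(s) == pk[i][bit]
               for i, (s, bit) in enumerate(zip(sig, _message_bits(msg))))


class StatefulSigner:
    """Holds n one-time keys and a counter.  The counter is the 'state':
    it must be persisted before a signature is released, and a signer that
    loses it (e.g. restored from an old backup) can no longer be trusted."""

    def __init__(self, n):
        self.keys = [keygen() for _ in range(n)]
        self.next_index = 0

    def public_keys(self):
        return [pk for _, pk in self.keys]

    def sign(self, msg):
        if self.next_index >= len(self.keys):
            raise RuntimeError("all one-time keys used; refuse to reuse any")
        idx = self.next_index
        self.next_index += 1          # advance (and in practice persist) first
        return idx, sign_once(self.keys[idx][0], msg)


def revealed_fraction(sk, sigs):
    """Fraction of the 2 * N_BITS secret values exposed by a set of signatures
    made with the same one-time key sk.  One signature gives exactly 0.5; any
    second signature on a different message pushes it above 0.5."""
    exposed = {value for sig in sigs for value in sig}
    return len(exposed) / (2 * N_BITS)
```

Verifiers index the published public keys by the returned `idx`; the `revealed_fraction` helper is only there to make the cost of a lost state visible, not something a signer would ever compute in production.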

All these new schemes have different characteristics to the existing schemes. Some, such as the stateful hash-based signature schemes, require the signer to maintain a state. All require larger data transmission and storage sizes than existing asymmetric cryptographic schemes, and some have more demanding computational requirements. These different characteristics will introduce engineering challenges and may be incompatible with system and hardware constraints, so adopting these new schemes will not be a simple swap. Indeed, the NIST PQC project has already selected three signature schemes for standardisation, and NIST are still seeking more candidates; this is because each of the chosen schemes has different characteristics and makes different trade-offs in terms of signature size, public key size, signing time and verification time. There is no one candidate suitable for all applications.

Deploying quantum-resistant cryptographic algorithms

Beyond the standardisation of quantum-resistant algorithms, the community are exploring adopting these new algorithms in a range of use cases.

As the new algorithms rely on newer one-way functions, and their libraries are new implementations that are less mature than those we use now, many in the community are proposing the new algorithms are used alongside and in addition to the current algorithms, in what is being called ‘hybrid’ mode. This enables solutions to benefit from defence in depth – having both the strong assurance from classical (i.e., non-quantum) attackers of the currently used algorithms with their well tested implementations and the conjectured resistance of the quantum-resistant algorithm implementation against quantum attackers.

The community have also been exploring deploying the algorithms in different protocols. For example, there is ongoing work establishing a quantum-resistant hybrid TLS [29], which is being tested by several companies, including Cloudflare [30] [31], with support for quantum-resistant algorithms being experimented with in OpenSSL [32]. Besides TLS, most other security protocols are being explored, including IPsec and SSH.

The community are also exploring adopting these algorithms in hardware. For example, there has been research [33] considering adopting these new algorithms on Trusted Platform Modules (TPMs), which are the hardware root of trust in many PCs, and there was a plethora of research during the NIST PQC project analysing the algorithms on different platforms [34].

The cryptography community have an entertaining few years ahead applying cryptographic defences against the quantum computing threat across all facets of the global technology stack.

References

[1] M. Mosca and M. Piani, “Quantum Threat Timeline Report 2023,” Global Risk Institute, 2023. [Online]. Available: https://globalriskinstitute.org/publication/2023-quantum-threat-timeline-report/.
[2] Netherlands National Communications Security Agency, “The PQC Migration Handbook,” March 2023. [Online]. Available: https://english.aivd.nl/publications/publications/2023/04/04/the-pqc-migration-handbook.
[3] BSI, “BSI TR-02102-1. Cryptographic Mechanisms: Recommendations and Key Lengths,” 2023. [Online]. Available: https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Publications/TechGuidelines/TG02102/BSI-TR-02102-1.pdf?__blob=publicationFile&v=6.
[4] ANSSI, “ANSSI views on the Post-Quantum Cryptography transition,” 2022. [Online]. Available: https://cyber.gouv.fr/en/publications/anssi-views-post-quantum-cryptography-transition.
[5] National Cyber Security Centre, “Next steps in preparing for post-quantum cryptography,” 3 November 2023. [Online]. Available: https://www.ncsc.gov.uk/whitepaper/next-steps-preparing-for-post-quantum-cryptography.
[6] US Government, White House, “National Security Memorandum on Promoting United States Leadership in Quantum Computing While Mitigating Risks to Vulnerable Cryptographic Systems,” 4 May 2022. [Online]. Available: https://www.whitehouse.gov/briefing-room/statements-releases/2022/05/04/national-security-memorandum-on-promoting-united-states-leadership-in-quantum-computing-while-mitigating-risks-to-vulnerable-cryptographic-systems/.
[7] US Government, Congress, “Quantum Computing Cybersecurity Preparedness Act,” 21 December 2022. [Online]. Available: https://www.congress.gov/bill/117th-congress/house-bill/7535/text.
[8] CISA, NSA and NIST, “Quantum-Readiness: Migration to Post-Quantum Cryptography,” CISA (Cybersecurity and Infrastructure Security Agency), US Government, 2023. [Online]. Available: https://www.cisa.gov/sites/default/files/2023-08/Quantum%20Readiness_Final_CLEAR_508c%20%283%29.pdf.
[9] NSA, “Announcing the Commercial National Security Algorithm Suite 2.0,” September 2022. [Online]. Available: https://media.defense.gov/2022/Sep/07/2003071834/-1/-1/0/CSA_CNSA_2.0_ALGORITHMS_.PDF.
[10] NIST, “Submission Requirements and Evaluation Criteria for the Post-Quantum Cryptography Standardization Process,” December 2016. [Online]. Available: https://csrc.nist.gov/CSRC/media/Projects/Post-Quantum-Cryptography/documents/call-for-proposals-final-dec-2016.pdf.
[11] NIST, National Cybersecurity Center of Excellence, “Migration to Post-Quantum Cryptography,” 2021. [Online]. Available: https://www.nccoe.nist.gov/crypto-agility-considerations-migrating-post-quantum-cryptographic-algorithms.
[12] NIST, “Comments Requested on Three Draft FIPS for Post-Quantum Cryptography,” 2023. [Online]. Available: https://csrc.nist.gov/news/2023/three-draft-fips-for-post-quantum-cryptography.
[13] M. Mosca, “Cybersecurity in an era with quantum computers: Will we be ready?,” IEEE Security & Privacy, vol. 16, no. 5, pp. 38-41, 2018.
[14] Booz Allen, “Chinese threats in the Quantum Era: What CISOs need to know about emerging risks,” [Online]. Available: https://www.boozallen.com/expertise/analytics/quantum-computing/chinese-cyber-threats-in-the-quantum-era.html.
[15] Wikipedia, “RSA Cryptosystem,” [Online]. Available: https://en.wikipedia.org/wiki/RSA_(cryptosystem).
[16] Wikipedia, “Schrodinger’s Cat,” [Online]. Available: https://en.wikipedia.org/wiki/Schr%C3%B6dinger%27s_cat.
[17] Wikipedia, “Shor’s Algorithm,” [Online]. Available: https://en.wikipedia.org/wiki/Shor%27s_algorithm.
[18] Wikipedia, “Advanced Encrypted Standard (AES),” [Online]. Available: https://en.wikipedia.org/wiki/Advanced_Encryption_Standard.
[19] Wikipedia, “Cryptographic hash function,” [Online]. Available: https://en.wikipedia.org/wiki/Cryptographic_hash_function.
[20] Wikipedia, “Grover’s Algorithm,” [Online]. Available: https://en.wikipedia.org/wiki/Grover%27s_algorithm.
[21] NIST, “Post-Quantum Cryptography,” 5 April 2023. [Online]. Available: https://csrc.nist.gov/projects/post-quantum-cryptography.
[22] NIST, “Status Report on the Third Round of the NIST Post-Quantum Cryptography Standardization Process,” July 2022. [Online]. Available: https://nvlpubs.nist.gov/nistpubs/ir/2022/NIST.IR.8413-upd1.pdf.
[23] National Institute of Standards and Technology, “FIPS 203 (Initial Public Draft): Module-Lattice-Based Key-Encapsulation Mechanism Standard,” 2023. [Online]. Available: https://csrc.nist.gov/pubs/fips/203/ipd.
[24] National Institute of Standards and Technology, “FIPS 204 (Initial Public Draft): Module-Lattice-Based Digital Signature Standard,” 2023. [Online]. Available: https://csrc.nist.gov/pubs/fips/204/ipd.
[25] National Institute of Standards and Technology, “FIPS 205 (Initial Public Draft): Stateless Hash-Based Digital Signature Standard,” [Online]. Available: https://csrc.nist.gov/pubs/fips/205/ipd.
[26] D. McGrew, M. Curcio and S. Fluhrer, “RFC 8554: Leighton-Micali Hash-Based Signatures,” IETF, April 2019. [Online]. Available: https://datatracker.ietf.org/doc/html/rfc8554.
[27] A. Huelsing, D. Butin, S. Gazdag, J. Rijneveld and A. Mohaisen, “RFC 8391: XMSS: eXtended Merkle Signature Scheme,” May 2018. [Online]. Available: https://datatracker.ietf.org/doc/html/rfc8391.
[28] D. A. Cooper, D. C. Apon, Q. H. Dang, M. S. Davidson, M. J. Dworkin and C. A. Miller, “NIST Special Publication 800-208: Recommendation for Stateful Hash-Based Signature Schemes,” October 2020. [Online]. Available: https://doi.org/10.6028/NIST.SP.800-208.
[29] D. Stebila, S. Fluhrer and S. Gueron, “Hybrid key exchange in TLS 1.3,” IETF, 2023. [Online]. Available: https://datatracker.ietf.org/doc/draft-ietf-tls-hybrid-design/.
[30] B. Westerbaan and C. D. Rubin, “Defending against future threats: Cloudflare goes post-quantum,” 2022. [Online]. Available: https://blog.cloudflare.com/post-quantum-for-all/.
[31] Cloudflare Research, “Cloudflare Research: Post-Quantum Key Agreement,” [Online]. Available: https://pq.cloudflareresearch.com/.
[32] openquantumsafe.org, “Fork of OpenSSL 1.1.1 that includes prototype quantum-resistant algorithms and ciphersuites based on liboqs,” [Online]. Available: https://github.com/open-quantum-safe/openssl/tree/OQS-OpenSSL_1_1_1-stable.
[33] Horizon 2020, EU Research Programme, “Future Proofing the Connected World: A Quantum-Resistant Trusted Platform Module,” 31 12 2020. [Online]. Available: https://cordis.europa.eu/project/id/779391.
[34] National Institue of Standards and Technology, “NIST IR 8413-upd1: Status Report on the Third Round of the NIST Post-Quantum Cryptography Standardization Process,” [Online]. Available: https://nvlpubs.nist.gov/nistpubs/ir/2022/NIST.IR.8413-upd1.pdf.
[35] I. Pratt, “HP Launches World’s First Business PCs to Protect Firmware Against Quantum Computer Hacks,” 7 Mar 2024. [Online]. Available: https://press.hp.com/us/en/blogs/2024/hp-launches-business-pc-to-protect-against-quantum-computer-hacks.html.

About the Author

HP Wolf Security
