Value in the Quantum Third Wave
It has now been over two weeks since the new asymmetric post quantum encryption standards were published. That publication marked one of the most significant cybersecurity milestones of our generation, and preparation for the cryptographic transition should be underway in organizations across sectors, as discussed here. But this milestone also matters for the innovation and investment that will chase the next generation of data and cybersecurity for a consumer base increasingly concerned with privacy and security. The rollout of the standards gives technology-savvy investors an opportunity to “see around the corner” to technologies that have the potential to be integrated broadly across multiple platforms, opening the door to significant upside potential. However, the quantum computing space has been complicated in the last few years as companies have sought first-mover advantage in this entirely new sector. The race to the front by companies that tried to move before the NIST post quantum cryptography standardization is causing a thick fog over the direction of post quantum cryptography market forces, giving real opportunity to those who understand the technology and can see through the fog.
Quantum Encryption Pre-Standardization
The NIST standards, published on August 13, 2024, are for asymmetric, or public key, encryption. The major advantage of asymmetric cryptography is that it solves the key exchange problem. Key exchange is how you ensure both sides of a communication have the proper keys to open the encryption without the key being intercepted, copied, or corrupted. There are obvious advantages to such an encryption scheme, which is why it became the standard across internet and telecommunications. Symmetric encryption, on the other hand, has a key exchange problem. Symmetric encryption means that both sides of a communication have identical keys, usually an alphanumeric sequence, that will open the encrypted message. But how those parties get the keys is a problem. The keys can be copied, rendering the encryption itself moot. Both schemes have their uses, but for data in motion, asymmetric encryption has been the clear winner over decades of internet traffic and telecommunications because of the key exchange solution.
Prior to the standardization of the post quantum algorithms, many companies sought to get to the front of the line by providing allegedly “quantum proof” encryption solutions before NIST finished its standardization. Universally, these companies provided some version of a symmetric encryption solution. Many claimed that their key generation techniques (effectively random number generation) were so complex that they were not susceptible to quantum attack. They also claimed that their new method for key distribution was complex enough to be unbreakable by quantum computers. There is no shortage of these companies, but there are some profoundly serious issues with this approach:
This requires a cryptographic transition whose level of effort is at least on par with transitioning to a new asymmetric algorithm.
Multiple US government agencies, such as DHS, CISA, and NSA, have recommended not transitioning away from asymmetric encryption altogether but waiting until the NIST standards were finished.
True random number generation can only be achieved by using a quantum computer. Other methods for random number generation can be cracked by observing their generation for long enough, so the assurance that those key generation techniques are quantum proof is erroneous.
The key distribution problem is not solved. The methods and math behind them have become more complicated than traditional methods but compromising both is still possible.
Many of the companies that offer quantum proof or otherwise quantum safe encryption in the form of symmetric alternatives have gotten to market first but face serious security flaws that marketing materials attempt to explain away by using complicated jargon that sounds more secure than current encryption protocols.
Quantum Encryption Post-Standardization
The new general encryption and digital signature algorithms have completed their standardization and are ready to be integrated into technology products worldwide. These algorithms are based on entirely new math problems that a quantum computer is not helpful in solving, giving them an advantage. Governments around the world have pledged to use these algorithms, so the transition will be truly global. However, there are some real criticisms of these algorithms that should be noted.
Primarily, the new algorithms are criticized for their size and the potential to slow down applications. This is legitimate because the new algorithms are in fact larger than the current algorithms. This is an engineering challenge that will be tested in full as of August 13th because the implementation of the standards and the engineering required to make them run smoothly can just now begin. While this is an issue to be aware of, companies are likely to find ways to make applications run with minimal change and the potential that these algorithms will cause massive outages is slim. The transition will go on for around a decade if previous cryptographic transitions are any guide.
Post Quantum Value
On one hand, there are companies that moved first and tried to pull customers away from asymmetric algorithms and over to revamped symmetric algorithms. On the other, there are companies beginning to integrate the new asymmetric standards into products. But the real value to be gained is in products that will facilitate smooth and rapid cryptographic transitions in the future.
2024 is not the last time a cryptographic transition will be necessary. When the first asymmetric algorithms were standardized, no one thought they would be broken. Soon, there was a new type of computing that could break those algorithms, and we had to find something new. This is assured to happen again, so the undervalued assets are in those companies and research facilities that are working on hardware and software solutions to achieve cryptographic agility. The lack of cryptographic agility is exactly why we are likely to spend the next decade transitioning to new asymmetric algorithms. Cryptographic agility is a concept rooted in research but whose market demand is currently low. It means a system, whether hardware or software, that can quickly transition from one cryptographic standard to another. In the case of a software-defined cryptographic agility product, the transition would be a simple software push. This is the next frontier in post quantum encryption and one where economic opportunity for first movers is significant. Unlike the products of companies that moved before the post quantum standards were complete, cryptographic agility is a product whose demand is likely to rise as companies and organizations struggle to implement the new algorithms before a quantum computer of sufficient capacity is ready.
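The agility idea above, sketched as an added example that is not code from this post or from any product: every protected message carries an algorithm identifier, and a policy object decides which algorithm protects new data and which are still accepted, so a transition is a policy change rather than a rewrite. The names `REGISTRY`, `AgilePolicy`, `protect` and `verify` are hypothetical, and the two HMAC variants are stand-ins, not the NIST post quantum algorithms.

```python
import hashlib
import hmac

# Algorithm id -> implementation. The two HMAC variants are stand-ins for
# whatever algorithms a deployment approves; they are not the NIST PQC schemes.
REGISTRY = {
    "hmac-sha256": lambda k, m: hmac.new(k, m, hashlib.sha256).digest(),
    "hmac-sha3-256": lambda k, m: hmac.new(k, m, hashlib.sha3_256).digest(),
}

class AgilePolicy:
    """Policy is data: one algorithm for new messages, a set still accepted."""
    def __init__(self, current, accepted=()):
        unknown = ({current} | set(accepted)) - set(REGISTRY)
        if unknown:
            raise ValueError(f"unregistered algorithm(s): {sorted(unknown)}")
        self.current = current
        self.accepted = set(accepted) | {current}

def protect(policy, key, payload):
    """Return b'<alg>.<hex tag>.<payload>' using the policy's current algorithm."""
    alg = policy.current.encode()
    # The algorithm id is authenticated too, so it cannot be swapped in transit.
    tag = REGISTRY[policy.current](key, alg + b"\x00" + payload)
    return alg + b"." + tag.hex().encode() + b"." + payload

def verify(policy, key, envelope):
    """Return the payload, or raise ValueError if policy or tag check fails."""
    alg, tag_hex, payload = envelope.split(b".", 2)
    # Check policy before doing any crypto: a retired algorithm is refused
    # even when its tag is valid, which is what prevents downgrade.
    if alg.decode() not in policy.accepted:
        raise ValueError("algorithm not accepted by policy")
    expected = REGISTRY[alg.decode()](key, alg + b"\x00" + payload)
    if not hmac.compare_digest(expected.hex().encode(), tag_hex):
        raise ValueError("authentication failed")
    return payload

if __name__ == "__main__":
    key = b"constructed-demo-key"   # constructed sample key; reused across
    # algorithms only for brevity (real systems bind each key to one algorithm)
    old = protect(AgilePolicy("hmac-sha256"), key, b"order=42")
    transition = AgilePolicy("hmac-sha3-256", accepted=["hmac-sha256"])
    print(verify(transition, key, old))             # old data still verifies
    print(protect(transition, key, b"order=43"))    # new data uses new algorithm
```

Retiring the old algorithm is the same kind of change: drop it from `accepted`, and envelopes that still carry it are refused until they are re-protected.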
For those looking for opportunities for value in 2025 and beyond, the opportunities in cryptographic agility are real and significant. The experience in the latter half of 2024 will create a new demand for hardware and software products that facilitate faster and painless cryptographic transitions. Cryptographic agility will be considered a privacy preservation technology because of its potential to create a new layer of data security that is not present in current systems.
The first wave of quantum market movers will shrink as the second wave of asymmetric standardization takes over. But the third wave is where the opportunity for unique value is untapped and one where cryptographic agility will create new security features that will be in demand across sectors.
This post was edited by Thomas Morin, Marketing Analyst at Frontier Foundry.