Fintechs Face Huge Task of Moving to Post-Quantum Encryption

The effort is complicated by hard-to-reach devices, such as satellites in orbit, and hardware that is difficult to update, like cars and ATMs
A new report from Moody’s Ratings suggests the threat of quantum computing could make current encryption methods obsolete

The world is facing a challenge from the growing threat of quantum computers, and Moody's warns the fintech industry is no exception.

A recent report from Moody's Ratings highlights the urgent need for a transition to Post-Quantum Cryptography (PQC), a process that promises to be both lengthy and expensive.

The US National Institute of Standards and Technology (NIST) has recently unveiled finalised data encryption standards designed to withstand the power of quantum computers, with IBM having their PQC algorithms standardised as a part of the move.

“Today, public key cryptography is used everywhere in every device. Now our task is to replace the protocol in every device, which is not an easy task,” Lily Chen, Head of the Cryptography Group at NIST, explained.

And that is part of the problem. All those devices have to have their protocol changed, which, along with being a herculean task, will be expensive.


Quantum computing: Positive advancements but a costly reality

While quantum advancements are set to revolutionise computing, with McKinsey estimating gains of up to US$1.3tn in value through 2035 for just four of the earliest affected industries, they also pose a significant threat to current encryption techniques.

The crux of the issue lies in the vulnerability of asymmetric encryption, also known as public-key cryptography, which has been a computing standard since the 1970s. This form of encryption is widely used in instant messaging, emails, file transfers, credit card point-of-sale systems and device communication through the Internet of Things.

“Quantum computing's threat to asymmetric encryption is currently mitigated by challenges in error correction, scalability, talent shortages and limited computing power,” the report states. 

However, experts believe that quantum computers will be able to break asymmetric encryption within five to 30 years.

The potential consequences of this breakthrough are far-reaching. The US International Trade Administration projects that global e-commerce will grow to US$41.7tn a year by 2027. 

If trust in online transactions is compromised, these flows would be at risk. Moreover, air traffic systems and GPS signals could be manipulated, potentially endangering lives.

To counter this threat, cryptographers have proposed two solutions: Quantum Key Distribution (QKD) and Post-Quantum Cryptography (PQC). The latter is favoured and encompasses the NIST-approved standards. Several tech companies have already begun adopting PQC as a countermeasure against "harvest now, decrypt later" attacks.

The transition to PQC, however, will be no small feat. US officials estimate that it could take 10 to 15 years to implement new cryptographic standards widely across devices.

The effort is complicated by hard-to-reach devices, such as satellites in orbit, and hardware that is difficult to update, like cars and ATMs.

The cost of this transition is challenging to estimate, but parallels can be drawn with the Y2K bug mitigation efforts. 

The US government estimated the cost to the entire US economy at US$100bn (US$189bn in 2024 dollars) for Y2K preparations. Some companies reportedly spent hundreds of millions of dollars on their Y2K efforts.

Post-quantum transition: Danger of reduced performance

Another hurdle in the post-quantum transition will be reduced performance. “Larger encryption key sizes and more complex mathematical operations increase the time it takes to encrypt or decrypt data,” the report notes. 

This complexity will require highly skilled IT technicians, adding to the already significant talent shortage in the field.

Organisations with legacy systems and constrained resources, including some critical infrastructure entities, may face greater challenges in transitioning to PQC. 

The UK's National Cyber Security Centre warns that “PQC usually places greater demands on devices and networks than traditional asymmetric encryption”.

Despite these challenges, the fintech industry must act swiftly. As the report emphasises: “Given the risk that bad actors may harvest sensitive data now to decrypt later, experts recommend swift adoption of quantum-resistant algorithms”.

The US Cybersecurity and Infrastructure Security Agency (CISA) has released guidelines to help organisations transition to a post-quantum environment. 

These include inventorying computer systems for applications that use asymmetric encryption, testing new PQC algorithms in a lab environment, decommissioning old technology that will not support PQC and educating employees about the transition.

As the fintech industry grapples with this impending challenge, the Moody's report serves as a stark reminder: “The overhaul needed to transition to PQC will be unprecedented, and is analogous in some respects to shifting power generation away from fossil fuels to sustainable energy sources”.


Cyber Magazine is a BizClik brand
