/
Post Quantum Safety

Post Quantum Safety

Owned by Olaf Renner
Last updated: Mar 05, 2025
3 min read

IBM, Google, and others are making significant progress in scaling quantum systems. IBM, for instance, has released systems exceeding 5,000 qubits (two Qubits gates), and roadmaps suggest further scaling in the near future*.  
Researchers continue to improve quantum error correction and coherence times, which are critical to building practical quantum computers.  
The exact timeline for scale and widespread availability of practical quantum computers uncertain, but proactive preparation is essential. It’s safer to assume the need for change will come "sooner" and act accordingly, rather than risk being unprepared.  

Algorithms like RSA, ECC, and Diffie-Hellman are directly threatened by Shor’s algorithm, which quantum computers can theoretically exploit to break them. Once large-scale quantum computers become practical, these systems could be compromised almost immediately.

What it means for us? 

LFN may have many projects that use cryptography in the software to help protect data that may become vulnerable when quantum computers are put to test against breaking the code.

The Linux Foundation has launched Post-Quantum Cryptography Alliance (PQCA) with two projects
- Open Quantum Safe: software for the transition to quantum-resistant cryptography with information on applications and protocols (TLS, SSH, X.509, CMS and S/MIME signing, etc)
- liboqs is an open source C library for quantum-safe cryptographic algorithms, language wrappers are offered for other languages
- PQ Code Package: aims to build high-assurance software implementations of standards-track post-quantum cryptography algorithms.

OpenSSF discusses the use of cryptographic algorithms in their "Secure Software Development Fundamentals" course, including recommendations on how to properly use post-quantum cryptography (Developing Secure Software (LFD121) | Linux Foundation Education

 

*references

 

Following activity is suggested for every project Team that produces code, projects and sub projects all included. Similar guidance should be applied to LF IT custom code and third party tools.

  1. Understand the Scope

  • Identify Components:

    • Core application code.

    • External libraries and frameworks.

    • APIs or services the application interacts with.

  • Determine Cryptography Use Cases:

    • Authentication mechanisms (e.g., passwords, tokens).

    • Data encryption/decryption.

    • Secure communication (e.g., TLS/SSL).

    • Digital signatures and certificates.

  1. Review the Codebase

  • Search for Keywords:

    • Use tools like grep, ack, or your IDE's search feature to look for cryptography-related keywords (e.g., "encrypt", "decrypt", "AES", "RSA", "TLS").

  • Examine Sensitive Areas:

    • Focus on modules that handle user data, file storage, and communication protocols.

  • Analyze Hard-Coded Secrets:

    • Identify hard-coded keys, initialization vectors (IVs), or passwords.

  • Catalog Algorithms and Modules:

    • Document the cryptographic algorithms in use.

    • Map each algorithm to its corresponding module or feature.

    • Include implementation details, such as library or framework versions.

  1. Inspect Dependencies

  • Audit Third-Party Libraries:

    • Use dependency analysis tools (e.g., npm audit, pip-audit, Snyk, Nexus etc.) to identify libraries with cryptographic functionality.

  • Check Documentation:

    • Review the documentation for cryptographic APIs or features used by dependencies.

  • Verify Security Practices:

    • Ensure libraries and tools rely on up-to-date and secure cryptographic primitives.

  1. Examine Configuration Files

  • Check Settings for Cryptography:

    • Protocol settings (e.g., HTTPS, SSH).

    • Encryption keys or certificates.

    • Cipher suites or algorithms.

  • Validate Security Defaults:

    • Ensure default settings enforce strong security. (i.e TLS 1.3 vs TLS 1.2)

  • Identify Versions:

    • Document versions of cryptographic protocols (e.g., TLS 1.2, TLS 1.3) and libraries used in configurations.

  1. Compile Findings

Create an Inventory:

  • Algorithm Name: List all identified cryptographic algorithms.

  • Module/Feature: Map algorithms to the modules or features that use them.

  • Version/Implementation Details: Include library or protocol versions and any configuration specifics.

Related content