Towards Quantum-Safe Applications
- Frank Leymann
- Technical Fellow, WSO2
While quantum computers promise to solve many problems that cannot be solved (efficiently) on a classical computer, they are at the same time a serious threat to today's security infrastructure. We describe why this is the case, how broad the threat is, and how it is currently countered. This implies making quantum-safeness an integral aspect of an organization's IT strategy.
The Need to Act
Today's workhorses of the global IT security infrastructure based on public-key mechanisms, RSA (Rivest-Shamir-Adleman) and ECC (Elliptic Curve Cryptography), are significantly threatened by quantum computers [1]. This threat has its origin in the famous Shor algorithm [2], which is a quantum algorithm, i.e. an algorithm that requires a quantum computer for its execution. Quantum computers are already available and improving at a high pace; what today's machines still lack is the number of error-corrected qubits needed to run Shor's algorithm against real-world key sizes. When that gap will close is the subject of the section "When is the Time to React?" below.
At that point, companies, individuals, and government organizations can no longer trust the confidentiality and authenticity of their IT and communication. The impact on the overall economy would be disastrous. Consequently, it is critical to prepare now to counter this threat. Becoming quantum-safe is essential.
It is important to note that this threat is not only a future threat but also exists today. Adversaries may capture data protected by today's public-key cryptography (both data in transit and at rest), store it, and decrypt it once sufficiently powerful quantum computers are available. This is referred to as "harvest now, decrypt later". Data that must stay confidential beyond the arrival of such machines is therefore already at risk. Thus, treating quantum-safeness as an essential part of a company's IT strategy is not optional; it is a must.
Understanding the Origin of the Security Threat
Cracking RSA requires computing the prime factors of large numbers. All known classical factoring algorithms run in super-polynomial time (the best of them, the general number field sieve, is sub-exponential but still far from polynomial). Thus, they require a very long period of time to succeed: RSA key sizes are chosen such that factoring the modulus, and hence recovering the corresponding private key, would take about the lifetime of the universe (billions of years). This is what makes RSA secure in practice, i.e. hard to break.
Shor's algorithm computes the prime factors of a number in polynomial time, i.e. exponentially faster than any known classical algorithm. Since the hardness of prime factorization is the underpinning of RSA, Shor's algorithm thus allows cracking RSA with a sufficiently large quantum computer. Instead of billions of years, current resource estimates put the attack on the order of hours to days once such a machine exists.
Similarly, the security of ECC is based on the hardness of computing so-called "discrete logarithms" (here in the group of points of an elliptic curve). Again, Shor's algorithm computes discrete logarithms exponentially faster than any known classical algorithm. Thus, a sufficiently large quantum computer can crack ECC as well, within hours according to current estimates. ECC does not fare better than RSA here: the quantum resources estimated for breaking a 256-bit curve are smaller than those for RSA-2048.
AES encryption, being based on symmetric keys, is different. There is no known quantum algorithm (and no known classical algorithm) that breaks it outright. However, Grover's algorithm makes brute-force key search more efficient, quadratically so: searching an n-bit key space costs on the order of 2^(n/2) quantum operations instead of 2^n classical ones. As a consequence, to keep a given security level for AES in the age of quantum computers, the key size has to be doubled, e.g. AES-256 where AES-128 was used before. Thus, there is a straightforward way to protect AES-like symmetric key cryptography against attacks by a quantum computer (the same reasoning applies to hash functions, whose output length should be doubled). Because of this, we focus on public-key mechanisms.
A Glimpse on the Breadth of the Threat
Not only RSA and ECC can be broken; protocols like DSA (Digital Signature Algorithm), ElGamal encryption, and Diffie-Hellman key exchange are also based on discrete logarithms and can consequently be cracked by quantum computers too. The ECDSA and EdDSA signature schemes and the ECDH key exchange used in today's TLS belong to the same family.
Thus, certificates can no longer be trusted, since the signatures on them can be forged once the issuing CA's private key has been recovered. This implies that communication between clients and servers becomes insecure, both in confidentiality and in authenticity. As a result, applications in e-commerce, online banking, and payment (to name but a few domains) are basically broken.
Data encrypted with these public-key protocols can be decrypted. This has a severe impact on applications in many domains like healthcare, finance, or government, as sensitive data is no longer protected and privacy is jeopardized.
When is the Time to React?
The critical question is: when will quantum computers be available that are powerful enough to break today's security (so-called Cryptographically Relevant Quantum Computers, CRQCs)? As usual with such questions about the future of technology, the answers diverge [3]. They range from "in about five years" and "in about 15 years" to "decades", with many experts being in the "15 years" range. In the end, this is a number each organization must assess itself. The point in time at which today's security infrastructure is broken is called the "collapse time".
Once this number has been assessed, the number of years for which data needs to be kept secret (or for which signatures must remain trustworthy) has to be determined. This "confidentiality period" is specific to each organization, but unlike the collapse time it can be derived quite precisely, e.g. from retention requirements and regulations, without guesswork. If the confidentiality period is greater than the collapse time, the organization is obviously in trouble, because data that still has to be kept confidential at the collapse time can be decrypted by an adversary.
Even the case that the confidentiality period is less than the collapse time is problematic. Protecting itself against the security threat by migrating to post-quantum cryptography (see below) takes time, known as the "migration time". During this migration period, confidential data is still generated under the old mechanisms and must be kept secret for the whole confidentiality period; this is true even for data generated on the last day of the migration period. Thus, if the sum of the migration time plus the confidentiality period is greater than the collapse time, the organization is in trouble; this simple inequality is referred to as Mosca's Inequality [4].
As an example, assume an organization concludes that the collapse time is 10 years, and the analysis of its data yields an 8-year confidentiality period. That leaves two years for its migration period. This period includes ramping up skills in post-quantum cryptography, developing quantum-safe applications, migrating public-key protected data to post-quantum protected data, etc. Since this is a non-trivial endeavor, migration should begin immediately.
Consequently, the time to react to the quantum threat is now.
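Mosca's Inequality is easy to state but is usually applied to a single point estimate. The following added example (not code from the article) evaluates it for several data classes across a range of collapse-time scenarios, since the collapse time is the one input that is guessed. The data classes, scenarios and migration estimate are constructed; the "article" scenario reproduces the 10-year / 8-year figures above.

```python
"""Mosca's inequality as a planning check over several collapse-time scenarios.

Added illustration, not code from the original article. Data classes, scenarios
and the migration estimate are constructed for the example.
"""
from dataclasses import dataclass
from typing import Dict, Iterable


@dataclass(frozen=True)
class DataClass:
    name: str
    confidentiality_years: float  # x: how long the data must stay secret


def mosca_violated(x: float, y: float, z: float) -> bool:
    """Mosca's inequality: the organization is in trouble if x + y > z,
    with x = confidentiality period, y = migration time, z = collapse time."""
    return x + y > z


def slack_years(x: float, y: float, z: float) -> float:
    """z - (x + y): years of margin; negative means the inequality is violated."""
    return z - (x + y)


def max_migration_years(classes: Iterable[DataClass], z: float) -> float:
    """Longest migration time that satisfies the inequality for every data class
    under collapse-time estimate z. A negative result means some data is exposed
    even if migration finished today: it must outlive the collapse time."""
    return z - max(c.confidentiality_years for c in classes)


def assess(classes: Iterable[DataClass], y: float,
           scenarios: Dict[str, float]) -> Dict[str, Dict[str, float]]:
    """Slack per (scenario, data class), so one table covers every collapse-time
    estimate the organization considers plausible rather than a single guess."""
    classes = list(classes)
    return {
        name: {c.name: slack_years(c.confidentiality_years, y, z) for c in classes}
        for name, z in scenarios.items()
    }


# Constructed inputs.
CLASSES = [
    DataClass("session logs", 1),
    DataClass("customer contracts", 8),
    DataClass("health records", 20),
]
SCENARIOS = {"aggressive": 5, "article": 10, "median": 15, "conservative": 30}
MIGRATION_YEARS = 2  # y: estimated time to complete the PQC migration


if __name__ == "__main__":
    for scenario, row in assess(CLASSES, MIGRATION_YEARS, SCENARIOS).items():
        for cls, slack in row.items():
            verdict = "AT RISK" if slack < 0 else "ok"
            print(f"{scenario:12s} {cls:20s} slack={slack:+5.0f}y  {verdict}")
        budget = max_migration_years(CLASSES, SCENARIOS[scenario])
        print(f"{scenario:12s} migration must finish within {budget:.0f} years\n")
```

The "health records" class is the instructive row: with a 20-year confidentiality period it violates the inequality under every scenario except the most conservative one, which is exactly the "harvest now, decrypt later" case. Such data needs post-quantum protection today, independent of how the migration of everything else is scheduled.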
Post-Quantum Cryptography
Luckily, the cryptography community worldwide is aware of the threats posed by quantum computers and has been active for years. New kinds of algorithms have been identified that are quantum-safe in the sense that neither a known classical algorithm nor a known quantum algorithm can break them. Most of these algorithms are based on very different kinds of mathematical problems, in particular lattice problems such as "module learning with errors" (Module-LWE); others rely solely on the security of hash functions [1]. This set of algorithms represents post-quantum cryptography.
The US National Institute of Standards and Technology (NIST) is standardizing such algorithms [5]. In doing so, NIST follows a procedure where cryptographic experts propose algorithms. Each of these algorithms is evaluated and modified based on comments by experts worldwide, or rejected. Finally, for the algorithms that successfully pass this process, a specification document is published (see [6, 7, 8] for the first three specifications, FIPS 203, 204, and 205, published in August 2024). Open source implementations [9] of many such algorithms are made available by the Post-Quantum Cryptography Alliance [10], a Linux Foundation project.
It is important to note that quantum-safeness is based on today's lack of known attacks on the corresponding algorithms. There is no proof that these algorithms cannot be broken in the future; their security rests on the assumed hardness of the underlying mathematical problems. This implies that any security infrastructure based on them must be cryptographically agile [11]. In a nutshell, this means that such an infrastructure must support multiple cryptographic algorithms, and if one of them is broken, it can be substituted by another one. Ideally, such a substitution is hidden from any application relying on the infrastructure. In practice, this requires that every key, certificate, and protected data item carries an identifier of the algorithm it was created with, so that the infrastructure can tell what has to be re-encrypted or re-signed.
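The agility requirement above is a design pattern rather than an algorithm, so the following added example (not code from the article or from WSO2) shows the mechanism: protected blobs carry a one-byte algorithm identifier, a registry holds each algorithm's lifecycle state, and a broken algorithm is retired by a registry change while older blobs are lazily re-protected. The Python standard library ships no AEAD or signature primitive, so HMAC over different hash functions stands in for the interchangeable algorithms; the key, messages and lifecycle states are constructed.

```python
"""Cryptographic agility: a versioned envelope plus an algorithm registry.

Added illustration, not code from the original article or from WSO2. HMAC over
different hashes stands in for the interchangeable algorithms; the point is the
mechanism (self-describing blobs, lifecycle states, re-protection), not the
primitive. Key and messages are constructed.
"""
import hashlib
import hmac
from typing import Optional

ACTIVE, DEPRECATED, BROKEN = "active", "deprecated", "broken"

# Registry: one-byte algorithm id -> [hash name, lifecycle state]. The id is
# stored in every blob, so a blob tells the infrastructure how it was protected.
REGISTRY = {
    0x01: ["sha1", BROKEN],        # assumed broken for the example: never accepted
    0x02: ["sha256", DEPRECATED],  # still verifiable, re-protect on sight
    0x03: ["sha3_256", ACTIVE],    # current default for anything new
}


def set_state(alg_id: int, state: str) -> None:
    """A lifecycle change is a registry edit, not a code change in applications."""
    REGISTRY[alg_id][1] = state


def current_default() -> int:
    return max(aid for aid, (_, state) in REGISTRY.items() if state == ACTIVE)


def _tag(alg_id: int, key: bytes, msg: bytes) -> bytes:
    # The algorithm id is part of the MAC input: relabeling a blob's header to a
    # different algorithm invalidates the tag instead of downgrading silently.
    return hmac.new(key, bytes([alg_id]) + msg, REGISTRY[alg_id][0]).digest()


def protect(key: bytes, msg: bytes, alg_id: Optional[int] = None) -> bytes:
    """Envelope layout: alg_id (1 byte) || tag || msg. Only ACTIVE algorithms may
    create new blobs; deprecated ones are read-only."""
    alg_id = current_default() if alg_id is None else alg_id
    if REGISTRY[alg_id][1] != ACTIVE:
        raise ValueError(f"algorithm 0x{alg_id:02x} may not protect new data")
    return bytes([alg_id]) + _tag(alg_id, key, msg) + msg


def unprotect(key: bytes, blob: bytes) -> bytes:
    """Accept blobs made by any registered algorithm that is not BROKEN."""
    alg_id = blob[0]
    if alg_id not in REGISTRY or REGISTRY[alg_id][1] == BROKEN:
        raise ValueError(f"algorithm 0x{alg_id:02x} is unknown or broken")
    n = hashlib.new(REGISTRY[alg_id][0]).digest_size
    tag, msg = blob[1:1 + n], blob[1 + n:]
    if not hmac.compare_digest(tag, _tag(alg_id, key, msg)):
        raise ValueError("integrity check failed")
    return msg


def needs_reprotect(blob: bytes) -> bool:
    """True when the blob was made with anything but the current default."""
    return blob[0] != current_default()


def reprotect(key: bytes, blob: bytes) -> bytes:
    """Lazy migration: verify under the old algorithm, re-issue under the new one."""
    return protect(key, unprotect(key, blob))


if __name__ == "__main__":
    key = b"\x11" * 32  # constructed key
    legacy = bytes([0x02]) + _tag(0x02, key, b"old secret") + b"old secret"
    print("legacy blob needs re-protection:", needs_reprotect(legacy))
    migrated = reprotect(key, legacy)
    print("migrated under algorithm id 0x%02x" % migrated[0])
```

Two details carry the security weight: the algorithm id is authenticated together with the payload, so an attacker cannot point a blob at a weaker algorithm by editing the header, and a BROKEN algorithm is rejected before any verification is attempted, so nothing protected under it is ever trusted again. Substituting the HMAC stand-in with a real AEAD or ML-DSA signature does not change this structure.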
Post-quantum cryptographic algorithms are quite new. To allow gaining experience with and trust in these algorithms, classical algorithms (C) and post-quantum algorithms (Q) may be combined, resulting in so-called hybrid schemes [12]. For example, a document can be signed with both a classical and a post-quantum algorithm, either in parallel (C+Q), where both signatures are computed over the document and both must verify, or nested (C→Q), where the second signature also covers the first one. This way, if one of the algorithms is broken, the other still works as intended. This also contributes to agility.
WSO2 and Quantum-Safeness
WSO2 is ensuring that more and more of its products become quantum-safe. In the following sections, we briefly note what has been realized by now (see [13, 14, 15]). More details will be published in separate blog entries.
Ballerina as Quantum-Safe Language
For example, with the release of Ballerina Swan Lake Update 9, Ballerina service-to-service communication is quantum-safe: we have integrated built-in support for the X25519_Kyber768 hybrid post-quantum key encapsulation algorithm for TLS 1.3 in all inbound and outbound communications. This means that all TLS 1.3 communications between Ballerina services (as well as communications with external parties supporting X25519_Kyber768) are post-quantum secured. Note that Kyber768 here denotes the pre-standardization (round 3) version of the scheme; the final ML-KEM-768 of FIPS 203 differs from it in details and is not wire-compatible with it, so both peers must support the same variant for the hybrid group to be negotiated.
Furthermore, with Ballerina Swan Lake Update 9, support for post-quantum secure encryption and post-quantum secure digital signatures has been added. We support the following post-quantum algorithms standardized by NIST: ML-KEM-768 (FIPS 203) and ML-DSA-65 (FIPS 204).
Additionally, we have implemented two Hybrid Public Key Encryption (HPKE) constructions, which can be used for end-to-end encryption: ML-KEM-768 hybrid public-key encryption (ML-KEM + HKDF-SHA256 + AES), and the C+Q combination RSA-KEM-ML-KEM-768 hybrid public-key encryption (RSA + ML-KEM + HKDF-SHA256 + AES). Note that "hybrid" is used in two senses here: in HPKE it denotes combining a public-key KEM with symmetric encryption of the payload, whereas only the RSA-KEM-ML-KEM-768 variant is additionally hybrid in the C+Q sense of the previous section.
Ballerina also supports hybrid digital signatures that combine classical and post-quantum algorithms. Both nested (C→Q) and parallel (C+Q) hybrid signature schemes using RSA and ML-DSA-65 are supported [15].
Identity Server and Asgardeo protect their data and communication
With Identity Server 7.1, the following quantum-safe features are available. The X25519_MLKEM768 hybrid post-quantum key encapsulation algorithm is used for TLS 1.3 on all inbound communications. PKCS12 keystores are the default keystore type. AES-256 is supported for encrypting configuration values in the deployment configuration secrets via CipherTool and SecureVault, and AES-256 is used for encrypting client_secrets stored in the database (the 256-bit key length is what the Grover argument above asks for). Finally, a tool for rotating encryption keys is provided.
Performance
The impact of using X25519_Kyber768 instead of plain X25519 on TLS handshake latency was negligible in our tests. However, the larger key shares of X25519_Kyber768 (about 1.2 KB per direction instead of 32 bytes) increase the size of the handshake packets: the ClientHello grows from a few hundred bytes to well over a kilobyte, which has caused interoperability problems with middleboxes that assume a ClientHello fits into a single packet.
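Whether a hybrid group was actually negotiated, and what it costs on the wire, is something a practitioner should verify rather than assume: a peer that lacks the group silently falls back to a classical one. The following added example (not code from the article or from WSO2) parses the group line that `openssl s_client` prints after a handshake and tabulates the key-share sizes. The transcript is constructed; the group names follow the IETF TLS drafts, and the byte sizes come from FIPS 203 (ML-KEM-768: encapsulation key 1184 B, ciphertext 1088 B), RFC 7748 (X25519: 32 B) and the uncompressed P-256 point encoding (65 B).

```python
"""Check the negotiated TLS 1.3 group and the key-share cost of the hybrid.

Added illustration, not code from the original article or from WSO2. The
s_client transcript is constructed; sizes are taken from FIPS 203 and RFC 7748.
"""
import re
from typing import Optional

# IETF draft names. The Kyber768 draft codepoint is the pre-FIPS 203 variant and
# does not interoperate with the ML-KEM-768 one.
HYBRID_GROUPS = {"X25519MLKEM768", "SecP256r1MLKEM768", "SecP384r1MLKEM1024",
                 "X25519Kyber768Draft00"}
PQ_ONLY_GROUPS = {"MLKEM512", "MLKEM768", "MLKEM1024"}
CLASSICAL_GROUPS = {"X25519", "X448", "secp256r1", "secp384r1", "secp521r1",
                    "ffdhe2048", "ffdhe3072"}

# key_share sizes in bytes: (client share, server share). A hybrid share is the
# concatenation of both components' shares.
SHARE_BYTES = {
    "X25519": (32, 32),
    "secp256r1": (65, 65),
    "MLKEM768": (1184, 1088),
    "X25519MLKEM768": (32 + 1184, 32 + 1088),
    "SecP256r1MLKEM768": (65 + 1184, 65 + 1088),
}

_GROUP_LINE = re.compile(r"^Negotiated TLS1\.3 group:\s*(\S+)\s*$", re.MULTILINE)


def negotiated_group(s_client_output: str) -> Optional[str]:
    """Extract the group from `openssl s_client` output; None if the line is
    missing (e.g. TLS 1.2 was negotiated, so no hybrid could have been used)."""
    m = _GROUP_LINE.search(s_client_output)
    return m.group(1) if m else None


def classify(group: Optional[str]) -> str:
    if group in HYBRID_GROUPS:
        return "hybrid"
    if group in PQ_ONLY_GROUPS:
        return "pq-only"
    if group in CLASSICAL_GROUPS:
        return "classical"
    return "unknown"


def handshake_share_bytes(group: str) -> int:
    """Total key_share bytes (client + server) for a group."""
    c, s = SHARE_BYTES[group]
    return c + s


def extra_bytes_vs(group: str, baseline: str = "X25519") -> int:
    """How much larger the key shares are than with the classical baseline."""
    return handshake_share_bytes(group) - handshake_share_bytes(baseline)


# Constructed transcript in the shape `openssl s_client -connect host:443
# -groups X25519MLKEM768` (OpenSSL 3.5 or newer) prints after the handshake.
SAMPLE_OUTPUT = """\
CONNECTED(00000003)
---
SSL handshake has read 6233 bytes and written 1797 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Protocol: TLSv1.3
Negotiated TLS1.3 group: X25519MLKEM768
---
"""

if __name__ == "__main__":
    g = negotiated_group(SAMPLE_OUTPUT)
    print(f"negotiated group: {g} ({classify(g)})")
    print(f"key shares: {handshake_share_bytes(g)} bytes, "
          f"{extra_bytes_vs(g)} more than X25519 alone")
```

Run the real thing with `openssl s_client -connect host:443 -groups X25519MLKEM768 </dev/null` and feed the output to `negotiated_group`; a "classical" or None result means the post-quantum protection described above is not in effect for that connection, regardless of what the client offered.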
Summary
When powerful quantum computers become available, they threaten security on a broad scale. Even worse, they threaten security now ("harvest now, decrypt later"). Thus, immediate action should be taken to become quantum-safe. Standardized algorithms are available that help build a quantum-safe infrastructure. WSO2 is already active in ensuring that its products become quantum-safe.
References
- Barzen, J.; Leymann, F. Post-Quantum Security: Origin, Fundamentals, and Adoption. Trends in Computer Science and Information Technology 9(3), Peertechz (2024).
- Shor, P. W. Polynomial-Time Algorithms for Prime Factorization and Discrete Logarithms on a Quantum Computer. SIAM J. Comput. 26(5) (1997).
- Scholten, T. L.; Williams, C. J.; Moody, D.; Mosca, M.; Hurley, W.; Zeng, W. J.; Troyer, M.; Gambetta, J. M. Assessing the Benefits and Risks of Quantum Computers. arXiv:2401.16317v2 (2024).
- Mosca, M.; Piani, M. Quantum Threat Timeline Report. Global Risk Institute (2023).
- NIST. Post-Quantum Cryptography. https://csrc.nist.gov/pqc-standardization.
- FIPS 203. Module-Lattice-Based Key-Encapsulation Mechanism Standard. https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.203.pdf.
- FIPS 204. Module-Lattice-Based Digital Signature Standard. https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.204.pdf.
- FIPS 205. Stateless Hash-Based Digital Signature Standard. https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.205.pdf.
- Open Quantum Safe. liboqs. http://openquantumsafe.org/liboqs/.
- Post-Quantum Cryptography Alliance. https://pqca.org/.
- Näher, Ch.; et al. Toward a Common Understanding of Cryptographic Agility -- A Systematic Review. (2025) https://arxiv.org/abs/2411.08781.
- IETF. Terminology for Post-Quantum Traditional Hybrid Schemes. (2025) https://datatracker.ietf.org/doc/draft-ietf-pquip-pqt-hybrid-terminology/.
- Pathum, U. Post-Quantum Hybrid Encryption with Ballerina. (2024) https://wso2.com/library/blogs/post-quantum-hybrid-encryption-ballerina/.
- Pathum, U. Post-quantum communication with WSO2 Identity Server 7.0. (2024) https://medium.com/identity-beyond-borders/post-quantum-communication-with-wso2-identity-server-7-0-f5241885aba1.
- Pathum, U. Post-Quantum Hybrid Digital Signatures with Ballerina. (2025) https://wso2.com/library/blogs/hybrid-post-quantum-digital-signatures-with-ballerina/.