Telecommunications companies face an immediate cryptographic threat as adversaries begin “Harvest Now, Decrypt Later” attacks, targeting sensitive subscriber data with lifecycles spanning five to ten years. While a large, general-purpose quantum computer remains under development, the potential for future decryption is driving a critical need to transition away from vulnerable public key cryptography. Industry expectations currently place a rough deadline of 2033 for PQC migration, coinciding with predictions for the arrival of workable quantum computers. However, implementing Post-Quantum Cryptography (PQC) presents significant hurdles: the algorithms require key sizes three to ten times larger than those of existing encryption, which is particularly challenging for resource-constrained IoT devices.
‘Harvest Now, Decrypt Later’ Attacks & Current Encryption Risks
A looming threat to data security extends far beyond the anticipated arrival of fully functional quantum computers; adversaries are already enacting “Harvest Now, Decrypt Later” attacks, collecting encrypted information with the intention of cracking it once quantum processing power matures. This means sensitive data, including SIM credentials and subscriber information with projected five- to ten-year lifecycles, is presently vulnerable to future decryption, creating an immediate risk for telecommunications companies. The scale of this potential compromise is substantial, given the vast number of connected devices currently in operation. Successfully migrating to post-quantum cryptography presents unique challenges for telcos, particularly concerning resource-constrained environments. The new PQC algorithms necessitate key sizes that are three to ten times larger than those used in current encryption methods, placing significant strain on the processing capabilities of IoT devices. Service disruption during cryptographic upgrades is unacceptable for mission-critical networks, demanding a phased rollout approach.
Proactive measures are essential now; telcos must prioritize mapping all cryptographic assets, from network elements to IoT endpoints, and assess risk based on data sensitivity and device lifecycle. According to one assessment, “Ensuring that every new SIM and eSIM ships quantum-ready costs nothing incremental, and in the process starts building your quantum-safe device base,” suggesting a proactive approach to new device provisioning is a cost-effective first step.
Post-Quantum Cryptography Algorithms & Telco Implementation Challenges
The transition to post-quantum cryptography is no longer a distant concern for telecommunications companies; the threat is actively manifesting through “Harvest Now, Decrypt Later” attacks, placing sensitive data at immediate risk. This proactive targeting underscores the urgency for telcos to begin fortifying their systems against a future where conventional encryption standards become obsolete. Industry stakeholders currently anticipate 2033 as a rough deadline for PQC migration, coinciding with expectations for the emergence of a workable quantum computer. However, implementing these new cryptographic standards presents significant technical hurdles, notably the increased key sizes required by post-quantum cryptography algorithms. These keys are three to ten times larger than those used in current encryption methods, creating substantial challenges for resource-constrained IoT devices within sprawling telco networks. Maintaining uninterrupted service during cryptographic upgrades is paramount, necessitating a carefully phased rollout strategy. Thales is actively involved in standardizing these new algorithms, having co-authored the new ‘Falcon’ FN-DSA FIPS 206 digital signature algorithm in collaboration with NIST.
A practical first step for telcos involves a comprehensive mapping of all cryptographic assets, followed by prioritization based on risk factors like data sensitivity and device deployment duration. Initiating small-scale tests with NIST-approved algorithms, for example in new eSIM provisioning, can pave the way for broader implementation and, ultimately, long-term quantum resilience.
With our decades of cryptography expertise, Thales has been playing an active role in the PQC transition. Closely collaborating with NIST, Thales has co-authored the new ‘Falcon’ FN-DSA FIPS 206 digital signature algorithm.
Thales
Thales’ Role in PQC Standardization & the ‘Falcon’ Algorithm
Thales is actively shaping the transition to post-quantum cryptography, extending beyond simply developing algorithms to influence industry-wide standards. This involvement demonstrates a commitment to proactive solutions as the threat from quantum computers to existing encryption methods becomes increasingly apparent. Beyond algorithm development, Thales is deeply engaged in standardization bodies like GSMA, 3GPP, and GlobalPlatform, actively contributing to the writing and implementation of standards intended to accelerate industry-wide adoption of PQC. This multifaceted approach aims to ensure a smooth and secure migration for telcos facing the three to ten times larger key sizes that PQC algorithms require, a particular challenge for resource-constrained IoT devices. The company recently demonstrated a capability for remote, over-the-air updates to existing devices via eSIM platforms, a critical step towards seamless cryptographic upgrades without service disruption. Thales views PQC not as optional innovation, but as a mandatory infrastructure investment for organizations preparing for a quantum future.
Phased Migration Timelines for Quantum Resilience by 2030
Telco operators face a complex undertaking in securing their networks against the future threat of quantum computing, but proactive steps taken now can mitigate risks associated with “Harvest Now, Decrypt Later” attacks, where current encrypted data is collected for future decryption. Following assessment, a phased rollout is considered the most viable path forward, beginning with new device provisioning. Simultaneously, over-the-air updates to existing devices with sufficient capacity represent a practical method for extending quantum resilience across the current network. This two-pronged approach, prioritizing new deployments alongside updates, could take an additional two years, positioning telcos to achieve quantum resilience by 2032 if they begin this year. Organizations that view post-quantum cryptography as a mandatory infrastructure investment, rather than optional innovation, will be best positioned to navigate this evolving landscape.
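The asset mapping, risk prioritization and two-pronged rollout described above can be sketched as a small triage script. This is an added example, not code from Thales or the original article; the inventory, the 2026 assessment year, the set of algorithms treated as quantum-vulnerable and the "replace at refresh" fallback are assumptions made for illustration.

```python
from dataclasses import dataclass

CRQC_YEAR = 2033  # the article's rough deadline; an estimate, adjust as forecasts change
# Public-key families treated here as quantum-vulnerable (assumption for this sketch)
QUANTUM_VULNERABLE = {"RSA", "ECDSA", "ECDH", "DH"}

@dataclass
class Asset:
    name: str
    algorithm: str          # algorithm protecting the data or credential
    data_life_years: int    # how long the protected data stays sensitive
    ota_capable: bool       # reachable by over-the-air update
    spare_capacity: bool    # has room for the larger PQC keys
    new_deployment: bool = False

def exposed_years(asset: Asset, today: int) -> int:
    """Years that data captured today is still sensitive after CRQC_YEAR."""
    if asset.algorithm not in QUANTUM_VULNERABLE:
        return 0
    return max(0, today + asset.data_life_years - CRQC_YEAR)

def track(asset: Asset) -> str:
    """Assign a rollout path: new provisioning first, OTA where capacity allows."""
    if asset.algorithm not in QUANTUM_VULNERABLE:
        return "no public-key change"
    if asset.new_deployment:
        return "ship quantum-ready"
    if asset.ota_capable and asset.spare_capacity:
        return "OTA update"
    return "replace at refresh"  # assumed fallback; the article names no path here

def plan(assets, today: int):
    """Rank assets by harvest-now-decrypt-later exposure, worst first."""
    rows = [(exposed_years(a, today), a.name, track(a)) for a in assets]
    return sorted(rows, key=lambda r: (-r[0], r[1]))

# Constructed inventory, not real operator data
INVENTORY = [
    Asset("new eSIM profiles", "ECDSA", 10, True, True, new_deployment=True),
    Asset("deployed eSIM handsets", "ECDH", 8, True, True),
    Asset("legacy smart meters", "RSA", 10, False, False),
    Asset("backhaul bulk encryption", "AES-256", 10, True, True),
]

if __name__ == "__main__":
    for years, name, path in plan(INVENTORY, today=2026):
        print(f"{years:>2} exposed years  {name:<26} {path}")
```
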
